  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 444

OWA dns settings.

Ok, we have about 50 users all using OWA internally and externally.  Externally we have an address (webmail.ourdomain.ca) that points to our external IP.  At the moment we go to https://server/exchange internally and https://webmail.ourdomain.ca/exchange.  It'd be nice to be able to route http://webmail.ourdomain.ca to OWA internally and externally.  Is that possible?  I'm new to Exchange so take it easy on me.  Thanks.
Asked:
BasilFawlty001
1 Solution
 
Sembee Commented:
You have two queries in one.

First. To lose the /exchange requires a slight reconfiguration of IIS. I have outlined what you need to do on my web site here:
http://www.amset.info/exchange/default-web.asp

Second. To use the same name both inside and outside uses a system known as split DNS. This is where you have different results in the DNS whether you are inside or outside.
This is not a complicated procedure, but it does require some care. Therefore I shall point you to another resource on my website: http://www.amset.info/netadmin/split-dns.asp

End result.
https://webmail.outdomain.ca will direct to OWA whether inside or out without the users having to change anything.
Technique is also useful when deploying RPC/HTTPS (A new feature of Exchange 2003).

Simon.

 
BasilFawlty001 (Author) Commented:
First:  I tried that and I get directed to the non-secure login, ie I'm asked for username and password instead of getting the forms based authentication screen that I see if I type in the full url.
 
BasilFawlty001 (Author) Commented:
Oops.  Wait.  My mistake.  Let me finish step two and I'll get back.

 
BasilFawlty001 (Author) Commented:
Ok.  I've done both steps.  When I go to https://webmail.ourdomain.ca internally OR externally I get directed to the non-secure login, ie I'm asked for username and password instead of getting the forms based authentication screen that I see if I type in the full url.
 
Sembee Commented:
Check the authentication on the IIS manager for the Exchange virtual directories:
/exchange
/exchweb
/public
/exadmin

All should be basic and integrated ONLY.
In addition, /exchweb should also have anonymous access. No others should have anonymous.

Simon.
 
BasilFawlty001 (Author) Commented:
Ok ... that's done ... they were all different.  It made no difference though.  Do I need to restart IIS? Where is the page being directed to when I get the non-secure login?
 
BasilFawlty001 (Author) Commented:
An addendum to that:  Internally, if I go to https://servername .. it works!  If I go to https:/server ip address, it gives me the 'username & password' login screen.
 
Sembee Commented:
How many web sites on this site?
Have you enabled the "require SSL" on any of the Exchange virtual folders? It needs to be disabled on /exadmin.

Which version of Exchange and Windows are we talking about BTW?

Simon.
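The settings Sembee gives in the two comments above (basic and integrated only on each Exchange virtual directory, anonymous additionally on /exchweb, no "require SSL" on /exadmin) can be checked mechanically. This is an added example, not part of the original thread; it assumes the per-directory AuthFlags and AccessSSLFlags values have already been read from the IIS 6 metabase, and the sample values are constructed.

```python
# Added example: audit IIS 6 AuthFlags / AccessSSLFlags values against the
# settings given in this thread. Bit values are the IIS 6 metabase constants;
# "integrated" is the AuthNTLM bit. Sample data below is constructed.
AUTH_BITS = {0x1: "anonymous", 0x2: "basic", 0x4: "integrated",
             0x10: "digest", 0x40: "passport"}
ACCESS_SSL = 0x8  # AccessSSL bit of AccessSSLFlags ("require SSL")

# Policy from the thread: basic + integrated only on every Exchange virtual
# directory, anonymous additionally on /exchweb, no "require SSL" on /exadmin.
EXPECTED_AUTH = {
    "/exchange": {"basic", "integrated"},
    "/exchweb": {"anonymous", "basic", "integrated"},
    "/public": {"basic", "integrated"},
    "/exadmin": {"basic", "integrated"},
}
SSL_MUST_BE_OFF = {"/exadmin"}


def decode_auth(flags):
    """Return the set of authentication methods enabled in an AuthFlags value."""
    return {name for bit, name in AUTH_BITS.items() if flags & bit}


def audit(vdirs):
    """vdirs maps path -> (AuthFlags, AccessSSLFlags). Returns a list of findings."""
    findings = []
    for path, expected in EXPECTED_AUTH.items():
        if path not in vdirs:
            findings.append(f"{path}: not present in export")
            continue
        auth_flags, ssl_flags = vdirs[path]
        enabled = decode_auth(auth_flags)
        for extra in sorted(enabled - expected):
            findings.append(f"{path}: {extra} enabled but should be off")
        for missing in sorted(expected - enabled):
            findings.append(f"{path}: {missing} should be enabled")
        if path in SSL_MUST_BE_OFF and ssl_flags & ACCESS_SSL:
            findings.append(f"{path}: require SSL is set but must be disabled")
    return findings


# Constructed sample: a server where every directory is set differently.
SAMPLE = {
    "/exchange": (0x2, 0x0),  # basic only
    "/exchweb": (0x6, 0x0),   # basic + integrated, anonymous missing
    "/public": (0x7, 0x0),    # anonymous wrongly enabled
    "/exadmin": (0x6, 0x8),   # correct auth, but require SSL set
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```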
 
BasilFawlty001 (Author) Commented:
Only Exchange is running on this server which is also our DC.  I have not enabled 'require SSL' on anything so far.  I thought I should resolve these dns issues first.  Win2003 Server w/ Exchange 2003 Standard.
 
Sembee Commented:
Unless you require SSL, then http://servername will continue to work, except you will not get the forms based authentication.
Going to the IP address alone should cause a certificate prompt to come up - as the name on the certificate doesn't match the name in the web browser. If you aren't getting the certificate prompt then it is trying to connect over http.

Simon.
 
BasilFawlty001 (Author) Commented:
We do (or at least will) require ssl.  As I mentioned in the first post, I'd like to be able to have http://webmail.ourdomain.ca go to https://servername/exchange both internally and externally.  Right now if I could just get the internal one to work, that'd be great.  Perhaps I should turn on 'require ssl' then, eh?  That needs to be done for all virtual servers except /exadmin?
 
Sembee Commented:
Don't you mean https://webmail.ourdomain.ca ?
Either way, as long as the name on the certificate matches, then it should work.

Try taking a step backwards. Have you got it working so that https://webmail.ourdomain.ca/exchange works both internally and externally?

Simon.
 
BasilFawlty001 (Author) Commented:
I did mean https, yes.  Sorry.

https://webmail.ourdomain.ca/exchange works both internally and externally.
 
Sembee Commented:
As you have the FQDN working both internally and externally, what happens when you make the change to the default web as per my web site link above?
Furthermore, after you have made the change, if it fails, does the /exchange variant continue to work?

Simon.
 
BasilFawlty001 (Author) Commented:
It actually all works, now that the ssl requirement is turned off.  http://webmail.ourdomain.ca works both internally and externally.  So ... what I need now is to redirect http://webmail.ourdomain to https://webmail.ourdomain.
 
Sembee Commented:
If you put the certificate back in, then require SSL on just the root - not the sub directories, does it work then?
What does it redirect to? (Do it on the LAN so that a non secure page will load as well).

Simon.
 
BasilFawlty001 (Author) Commented:
So I should require SSL on the 'Default Web Site'?  I thought that would propagate it to the Exchange related sites that are sub-directories as well.
 
Sembee Commented:
With the change to IIS configuration you have made /exchange the root path. However IIS doesn't know that it is a part of the same web site when the initial connection is made, so you need to enable SSL at the root level as well.

Simon.
 
BasilFawlty001 (Author) Commented:
I think I phrased my last question poorly.  How do I enable SSL at the root level?
 
Sembee Commented:
It is done in the same way as the folders - open the Properties of the web site itself (you can tell if it is the web site as there are more tabs than just a folder). Then click on security and edit at the certificate location and check the box.

Simon.
 
BasilFawlty001 (Author) Commented:
Ok, that seems to work a bit better (wasn't sure about 128 bit encryption though).  When I go to http: .... it gives an error message (which is good).  If I go to https://webmail.mydomain.ca/exchange it works as planned.  If I go to https://webmail.mydomain.ca though, I get the username and password login first, THEN I get the SSL Forms Login screen.  How do I get it to go straight to the Forms Based login?  I've bumped up the points since this is taking so much of your time.
 
Sembee Commented:
Check the authentication on the web site itself.
It needs to be the same as what I indicated above (basic and integrated only).

Simon.
 
BasilFawlty001 (Author) Commented:
I checked, and only basic was checked.  I added integrated, but it asked about Inheritance overrides for ExchWeb and I wasn't sure, so I didn't choose that.  This made no difference.  In fact it got worse.  If I go to https://webmail.mydomain.ca/exchange it works fine, but if I go to https://webmail.mydomain.ca then I get the username login, then the Forms based login, then it loads the left hand pane, but the center pane is stuck on 'loading'.  Don't give up on me!
 
Sembee Commented:
After making the changes and skipping the inheritance overrides, have you checked back to see what is enabled? It is the root that is causing the problem if it works fine when you use /exchange.

Simon.
 
BasilFawlty001 (Author) Commented:
Check back where?  If you mean the web site, the changes I made did stick, both basic and integrated boxes are checked.
 
BasilFawlty001 (Author) Commented:
I noticed that under directory security the 'default domain' box has different data in it.  Exchange and ExchWeb are blank, Public is \ and Exadmin is defaultdomain (our internal domain name).  Not sure if that matters.
 
Sembee Commented:
Yes I did mean to the web site itself.

That default domain information could be key. What does it say on the root of the web site? Does it have your domain listed? You need to replicate the same permissions settings as /exchange on the root of the web site, without affecting the subfolders (both real and virtual).

If I get a chance I may see if I can replicate this. I have a Windows 2003/Exchange 2003 system at home with SSL that I can pull apart. May not be until late tomorrow though... busy couple of days ahead.

Simon.
 
BasilFawlty001 (Author) Commented:
It is also blank for the root.  I'll mess with it a bit tonight again.  Should I make it blank for all of them? I guess I can try a few things after hours.  Thanks again so far.
 
Sembee Commented:
I don't know if you have tried anything else... I have only just had the chance to try and replicate it.
And I cannot get past the same point that you are at.

Authentication - I have tried it with both Default domain and realm completed and blank. Changing the authentication settings as well doesn't help.

I may have another go tomorrow when my mind is fresh, see if I can find a way round it.

Simon.
 
BasilFawlty001 (Author) Commented:
I had a consultant in yesterday.  We just set up another web site and pointed it at the Exchange site.  That seemed to work.  He couldn't figure out why our settings didn't work.
 
ee_ai_construct Commented:
Question answered by asker or dialog deemed valuable.
Closed, 450 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin