Unable to use RWW or OWA externally

Hi,
I have SBS 2003 with ISA Server 2004 SP1. I have two servers: ISA Server on one and SBS 2003 on the other. I am able to access the web server with no problem internally by typing in domain.com/exchange or domain.com/remote. I have published the secure server and have the certificate. When I try it externally I have a problem. I am unable to access email or Remote Web Workplace externally. I get the main page fine if I just type in https://domain.com/remote or https://domain.com/exchange; I get the prompt for a certificate and when I click Yes, or even View and then Install, I get "page cannot be displayed". I have been trying to figure this out and I am not sure what the problem is. Thanks in advance for your help.

Asked by Rosen500
2 Solutions
 
NJComputerNetworksCommented:
Normally you would need an A record on the internet DNS servers to point to your public IP address. Most people will use something like e-mail or mail or OWA or WWW, etc.

So the url from the outside would be https://owa.domain.com/remote

To test this theory... enter your public IP address for your web server:

https://xx.xx.xx.xx/exchange   <-- does this work?
0
 
Rosen500Author Commented:
I tried using the IP address and I got error code 403 Forbidden. I have an A record on the internet DNS servers pointing to my public IP address. What else can I try?
0
 
TheCleanerCommented:
So you get to the page to accept the certificate and then it fails?

Is the certificate a self-signed cert or something from the SBS box (root CA), or is it a 3rd party cert like Verisign?

Did you follow this walkthrough for setting up OWA on ISA with the certificate:  http://www.msfirewall.org/isa2004/2004owapub/2004owapub.htm

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

http://www.petri.co.il/configure_ssl_on_owa.htm

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx

http://www.isaserver.org/tutorials/Using-Commercial-Web-Site-Certificate-Publish-Outlook-Web-Access-Part1.html

0
 
Rosen500Author Commented:
Yes, it fails after I accept the certificate. The cert is from the SBS box. I will look over the links you provided and see if I missed a step or did something wrong, and reply back.

Thanks
0
 
NJComputerNetworksCommented:
Oh... did you assign a special port to the SSL? If you did, your URL would also have to show this:

say you use port 39001

you would connect like this:

https://owa.domain.com:39001/exchange


but... because you're getting the cert, you probably are using the default 443 port...

0
 
Rosen500Author Commented:
Right now I am getting Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
Does this have to do with the cert?
0
 
Rosen500Author Commented:
Oh, I meant to say that the above error only happens when I try to access externally. I can access internally with no problem.
0
 
NJComputerNetworksCommented:
What does this error mean? 500 Internal Server Error – The target principal name is incorrect.

This error occurs when the name in the SSL client request from ISA Server does not match the common name on the Web site certificate. Check that the certificate names follow the guidelines:

• For the certificate on the ISA Server computer, the name must match the name that the external clients specify to reach the site.

• For the certificate on the published Web server, the name must match the name that appears on the To tab of the rule.

• In the case of the certificate on the Web server in a server publishing scenario, the certificate should have the name that users will use to connect to the server.

To troubleshoot, either obtain a new certificate that matches the required name, or modify the required name to match the certificate's common name. In addition, make sure that ISA Server can resolve the name to the IP address of the published Web site. If you modify the name on the To tab, one way to ensure that the name can be resolved is to add a Hosts file entry on the ISA Server computer (WINNT\system32\drivers\etc\hosts) to map the name and IP address of the published site.
0
 
NJComputerNetworksCommented:
I receive an error message: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted.

ISA Server must trust the certificate from the published Web server. Ensure that the CA certificate is in the ISA Server Trusted Root Certification Authorities certificate store.

0
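The two "500 Internal Server Error" messages quoted in the last two comments map onto two separate checks on the published server's certificate. As an added illustration (not from the thread, and not code from ISA or SBS), here is a small Python model of both checks run over constructed certificate records; the names (owa.mydomain.com, server1.myinternaldom.local, "SBS Root CA") are made up from the thread, and the chain walk follows issuer names only, with no signature verification.

```python
# Added example, not from the thread or any ISA/SBS tool: a model of the two
# checks ISA 2004 makes on a published web server's certificate, mirroring the
# two "500 Internal Server Error" messages quoted above. Certs are constructed
# dicts; the chain walk follows issuer names only (no signature verification).

def _name_matches(pattern, host):
    """Match one certificate name: exact, or a single-label '*.' wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parent = pattern[2:]
        prefix = host[: -len(parent) - 1]
        return host.endswith("." + parent) and prefix != "" and "." not in prefix
    return pattern == host

def name_ok(cert, external_fqdn):
    """'Target principal name' check: the name external clients type must be
    the subject common name or one of the DNS subjectAltNames."""
    names = [cert["subject"]] + cert.get("sans", [])
    return any(_name_matches(n, external_fqdn) for n in names)

def chain_trusted(leaf, available, trusted_roots):
    """Trust check: follow issuer names through the certificates ISA can see
    (leaf plus intermediates) until an issuer in the trusted root store is hit.
    A self-signed or unknown issuer outside the store fails."""
    store = {c["subject"] for c in trusted_roots}
    by_subject = {c["subject"]: c for c in available}
    current, visited = leaf, set()
    while current is not None and current["subject"] not in visited:
        visited.add(current["subject"])
        if current["issuer"] in store:
            return True
        if current["issuer"] == current["subject"]:
            return False            # self-signed and not in the store
        current = by_subject.get(current["issuer"])
    return False                    # issuer certificate missing, or a loop

def isa_verdict(cert, external_fqdn, available, trusted_roots):
    """Message ISA would show for the rule (check order is this model's choice)."""
    if not chain_trusted(cert, available, trusted_roots):
        return "500: certificate chain was issued by an authority that is not trusted"
    if not name_ok(cert, external_fqdn):
        return "500: target principal name is incorrect"
    return "ok"

# Constructed sample certificates using the names from the thread.
SBS_ROOT = {"subject": "SBS Root CA", "issuer": "SBS Root CA"}
INTERNAL_CERT = {"subject": "server1.myinternaldom.local", "issuer": "SBS Root CA"}
EXTERNAL_CERT = {"subject": "owa.mydomain.com", "issuer": "SBS Root CA"}
```

Calling `isa_verdict(EXTERNAL_CERT, "owa.mydomain.com", [EXTERNAL_CERT], [])` reproduces the "not trusted" error, and passing `[SBS_ROOT]` as the trusted store (the equivalent of importing the SBS CA certificate into ISA's Trusted Root Certification Authorities) turns it into "ok".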
 
TheCleanerCommented:
I would follow these links:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owa-walkthrough.mspx

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

I receive an error message: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted.

ISA Server must trust the certificate from the published Web server. Ensure that the CA certificate is in the ISA Server Trusted Root Certification Authorities certificate store.

0
 
NJComputerNetworksCommented:
0
 
TheCleanerCommented:
LOL at NJ...nice!
0
 
NJComputerNetworksCommented:
...we are on the same wavelength I guess...lol
0
 
Rosen500Author Commented:
OK, I have been working on this issue. When I look at the certificates I only have one. Should I have 2? I am still having the problem: not being able to access RWW and Exchange externally. Any more ideas?
0
 
NJComputerNetworksCommented:
I would recreate your OWA SSL certificate using these instructions: http://www.petri.co.il/configure_ssl_on_owa.htm

And make your certificate show the FQDN of your OWA server that your clients will attach through the internet:


 On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.


Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.

Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just its NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.

You can also change the Bit Length for the encryption key if you want.

I think TheCleaner's link:  http://www.msfirewall.org/isa2004/2004owapub/2004owapub.htm  is a great resource...  verify that you performed these steps...


0
 
Rosen500Author Commented:
Thanks for the help, NJ. I will recreate the cert. So when users use the external link https://mydomain.com/remote and https://mydomain.com/exchange, they will use the same cert, right? I want to make sure I understand this correctly.
0
 
NJComputerNetworksCommented:
Yes, I believe this is correct. But you should create the cert with the mydomain.com name.

"And make your certificate show the FQDN of your OWA server that your clients will attach through the internet:"

For you this would be mydomain.com



Note: I'll be honest here, I'm not 100% on this. Maybe someone else can confirm that I am giving the proper advice here? I have not run into this problem before; I am just reading through some of the articles that TheCleaner posted and did some research on the internet. It seems right to me, but I am not 100% sure. But, let me say that changing the certificate can be undone very easily. Changing certs is a common IIS task and there is no risk changing this.
0
 
TheCleanerCommented:
The certificate is based on an FQDN, not a domain name.

you will need something like: owa.mydomain.com

as the certificate.

Then register an A record for owa.mydomain.com with your DNS provider pointing to an external IP you own.

Then with ISA, have it set so that the external IP points to the OWA box.

Then when people type:

https://owa.mydomain.com/exchange

It will work...assuming all was setup correctly.

(note: advanced ways exist too, like making http://owa.mydomain.com resolve to the above address)



For reference I have a site with an ISA 2004 box, publishing OWA on a single backend Exchange 2003 server.
0
 
Rosen500Author Commented:
Ok. I followed the tutorials and recreated the cert. When I imported the cert on ISA it had a red X and when I click on it, it says that it cannot be verified up to a certification authority. I am thinking this has something to do with me not adding the ISA server to the domain. If I add it to the domain would that fix the problem? Other than that, I made some changes and took off SSL just to see if it would work externally, and it worked fine. I am guessing once I get the certificate issue done then my problem will be solved. Thanks
0
 
NJComputerNetworksCommented:
0
 
TheCleanerCommented:
You need to have ISA "trust" the CA for your domain.

See here:

http://www.petri.co.il/publishing_owa_with_isa2004.htm

Start with:

1.  In case the ISA server is not part of the domain, the first stage should be installing CA-Root certificate of the Enterprise CA on the trusted root certificates on the ISA server.
0
 
Rosen500Author Commented:
Sorry for the delay. It is working perfectly now.  Thanks for all your help.
0
 
TheCleanerCommented:
Not a problem...thanks for the points!
0
