Rosen500


Unable to use RWW or OWA externally

Hi,
I have SBS 2003 with ISA Server 2004 SP 1. I have two servers: ISA Server on one and SBS 2003 on the other. I am able to access the web server with no problem internally by typing in domain.com/exchange or domain.com/remote. I have published the secure server and have the certificate. When I try it externally I have a problem. I am unable to access email or Remote Web Workplace externally. I get the main page fine if I just type in https://domain.com/remote or https://domain.com/exchange I get the prompt for a certificate, and when I click yes or even view and then install, I get page cannot be displayed. I have been trying to figure this out and am not sure what the problem is. Thanks in advance for your help.

NJComputerNetworks

Normally you would need an A record on the internet DNS servers to point to your public IP address.  Most people will use something like e-mail or mail or OWA or WWW, etc.

So the url from the outside would be https://owa.domain.com/remote

To test this theory... enter your public IP address for your web server:

https://xx.xx.xx.xx/exchange   <-- does this work?
Rosen500

ASKER

I tried using the IP address and I got error code 403 forbidden.  I have an A record on the internet DNS servers pointing to my public IP address.  What else can I try?
So you get to the page to accept the certificate and then it fails?

Is the certificate a self-signed cert or something from the SBS box (root CA), or is it a 3rd party cert like Verisign?

Did you follow this walkthrough for setting up OWA on ISA with the certificate:  http://www.msfirewall.org/isa2004/2004owapub/2004owapub.htm

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

http://www.petri.co.il/configure_ssl_on_owa.htm

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx

http://www.isaserver.org/tutorials/Using-Commercial-Web-Site-Certificate-Publish-Outlook-Web-Access-Part1.html

Yes, it fails after I accept the certificate.  The cert is from the SBS box.  I will look over the links you provided and see if I missed a step or did something wrong and reply back.

Thanks
oh...did you assign a special port to the SSL?  if you did, your URL would also have to show this:

say you use port 39001

you would connect like this:

https://owa.domain.com:39001/exchange


but... because you're getting the cert, you probably are using the default 443 port...

Right now I am getting Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
Does this have to do with the cert?
Oh, I meant to say that the above error only happens when I try to access externally.  I can access internally with no problem.
What does this error mean? 500 Internal Server Error – The target principal name is incorrect.

This error occurs when the name in the SSL client request from ISA Server does not match the common name on the Web site certificate. Check that the certificate names follow the guidelines:

• For the certificate on the ISA Server computer, the name must match the name that the external clients specify to reach the site.
 
• For the certificate on the published Web server, the name must match the name that appears on the To tab of the rule.
 
• In the case of the certificate on the Web server in a server publishing scenario, the certificate should have the name that users will use to connect to the server.
 

To troubleshoot, either obtain a new certificate that matches the required name, or modify the required name to match the certificate’s common name. In addition, make sure that ISA Server can resolve the name to the IP address of the published Web site. If you modify the name on the To tab, one way to ensure that the name can be resolved is to add a Hosts file entry on the ISA Server computer (WINNT\system32\drivers\etc\hosts) to map the name and IP address of the published site.
I receive an error message: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted.

ISA Server must trust the certificate from the published Web server. Ensure that the CA certificate is in the ISA Server Trusted Root Certification Authorities certificate store.

I would follow these links:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owa-walkthrough.mspx

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx
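The checks quoted in the post above, written out as an added example (not part of the original thread and not Microsoft's code). It models the two TLS legs of an ISA-bridged OWA publication; every field name, host name, CA name and address is a constructed placeholder, and name resolution is simplified to the ISA hosts file only.

```python
# Added example: constructed model of the certificate checks in ISA SSL bridging.
# Field names and sample values are hypothetical; nothing here queries a real server.

def parse_hosts(text):
    """Return {lowercased name: ip} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def same_name(a, b):
    """Case-insensitive comparison that tolerates a trailing dot."""
    return a.strip().rstrip(".").lower() == b.strip().rstrip(".").lower()

def check_bridging(cfg, hosts_text=""):
    """Return a list of findings; an empty list means both legs line up."""
    findings = []
    # Leg 1: external client -> certificate bound to the ISA listener.
    if not same_name(cfg["listener_cert_cn"], cfg["external_name"]):
        findings.append("listener: certificate name differs from the name clients type")
    # Leg 2: ISA -> published web server, using the name on the rule's To tab.
    if not same_name(cfg["server_cert_cn"], cfg["to_tab_name"]):
        findings.append("500: The target principal name is incorrect")
    if cfg["server_cert_issuer"] not in cfg["isa_trusted_roots"]:
        findings.append("500: The certificate chain was issued by an authority "
                        "that is not trusted")
    # ISA must resolve the To-tab name to the published server (hosts file only here).
    if parse_hosts(hosts_text).get(cfg["to_tab_name"].lower()) != cfg["server_ip"]:
        findings.append("resolve: To-tab name does not map to the published server")
    return findings

# Constructed sample: internal CA not trusted by ISA, To tab uses a short name.
SAMPLE = {
    "external_name": "owa.example.test",
    "listener_cert_cn": "owa.example.test",
    "to_tab_name": "sbs01",
    "server_cert_cn": "owa.example.test",
    "server_cert_issuer": "Example-SBS-CA",
    "isa_trusted_roots": {"Commercial Root CA"},
    "server_ip": "192.168.16.2",
}
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.16.2 owa.example.test  # published site\n"

if __name__ == "__main__":
    for finding in check_bridging(SAMPLE, SAMPLE_HOSTS):
        print(finding)
```
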

I receive an error message: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted.

ISA Server must trust the certificate from the published Web server. Ensure that the CA certificate is in the ISA Server Trusted Root Certification Authorities certificate store.

LOL at NJ...nice!
...we are on the same wavelength I guess...lol
OK, I have been working on this issue. When I look at the certificates I only have one.  Should I have 2?  I am still having the problem: not being able to access RWW and Exchange externally.  Any more ideas?
SOLUTION
NJComputerNetworks
Thanks for the help NJ.  I will recreate the cert. So when users use the external link https://mydomain.com/remote and https://mydomain.com/exchange, they will use the same cert right?  I want to make sure I understand this correctly
Yes, I believe this is correct.  But you should create the cert as mydomain.com name..

"And make your Certificate show the FQDN of your OWA server that your clients will attach through the internet:"

For you this would be mydomain.com



Note:  I'll be honest here, I'm not 100% on this.  Maybe someone else can confirm that I am giving the proper advice here?  I have not run into this problem before, I am just reading through some of the articles that TheCleaner posted and did some research on the internet.  It seems right to me... but I am not 100% sure.  But, let me say that changing the Certificate can be undone very easily.  Changing certs is a common IIS task and there is no risk changing this.
the certificate is based on a FQDN, not a domain name.

you will need something like: owa.mydomain.com

as the certificate.

Then register an A record for owa.mydomain.com with your DNS provider pointing to an external IP you own.

Then with ISA, have it set so that the external IP points to the OWA box.

Then when people type:

https://owa.mydomain.com/exchange

It will work...assuming all was setup correctly.

(note:  advanced ways exist too, like making http://owa.mydomain.com resolve to the above address)



For reference I have a site with an ISA 2004 box, publishing OWA on a single backend Exchange 2003 server.
Ok. I followed the tutorials and recreated the cert.  When I imported the cert on ISA it had a red x, and when I click on it, it says that it cannot be verified up to a certification authority.  I am thinking this has something to do with me not adding the ISA server to the domain.  If I add it to the domain would that fix the problem?  Other than that, I made some changes and took off SSL just to see if it would work externally and it worked fine.  I am guessing once I get the certificate issue done then my problem will be solved.  Thanks
ASKER CERTIFIED SOLUTION
Sorry for the delay. It is working perfectly now.  Thanks for all your help.
Not a problem...thanks for the points!