smoga1968


Users are not able to access OWA from external sites

Our users are not able to access their mail via OWA when connecting from an external site. Internally everything works ok. We have a load balancer and 2 front end servers. We checked the NATing and everything seems to be ok. When the users connect from an external address, it seems that it is connecting because they see the unsecure (HTTP://) address changing to a secure one (HTTPS://), but as soon as it's changing to HTTPS:// the users receive a "page cannot be displayed" message. The SSL 443 port is enabled on the firewall.
alextoft

Yes, it is connecting on port 80, then being redirected to 443. It sounds very much like the port is not correctly forwarded to your OWA server. Can you get a connection by using telnet hostname 443 from the outside? If you can, then it's probably an Exchange config error. If you can't, have another look at your firewall/router.
pyroman1

Can you connect by typing in the external URL (e.g. instead of http://exchange_server/exchange http://www.domainname.com/exchange) from within your network?
smoga1968

ASKER

I found what the issue is. It was a bad certificate missing a private key on one of the OWA servers.

Here is the Microsoft article about it:

You receive a "Page cannot be displayed" error message when you try to access a site by using HTTPS
Article ID : 824035
Last Review : November 24, 2005
Revision : 1.1
SYMPTOMS
When you try to access a site that is hosted in Microsoft Internet Information Services (IIS) and that is configured to use Secure Sockets Layer (SSL) by using the HTTPS protocol, you may receive the following error message:
Page cannot be displayed
The following error message is logged in the Web server event logs:
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36869
Date: 12/18/2000
Time: 9:12:46 AM
User: N/A
Computer: <ServerName>
Description: The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

CAUSE
This problem occurs because the Web site has been bound to a certificate that does not have a matching private key. If you try to export this certificate from the Certificates Microsoft Management Console (MMC), you do not have the option to export the private key. When you try to export the certificate, you receive the following warning message:
#You DON'T have a private key that corresponds to this certificate.
To troubleshoot SSL issues, use the new SSL Diagnostics tool. For more information, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en

RESOLUTION
To resolve the problem, create a new certificate with a private key. To do this, follow these steps:
1. Remove the current certificate that does not have a private key. For more information about how to remove the current certificate, click the following article number to view the article in the Microsoft Knowledge Base:
232167 (http://support.microsoft.com/kb/232167/) How to remove a server certificate from an Internet Information Services 5.0 Web site
2. Obtain and install the new certificate with private key. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
290625 (http://support.microsoft.com/kb/290625/) How to configure SSL in a Windows 2000 IIS 5.0 test environment by using Certificate Server 2.0
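
With two front-end servers behind a load balancer, the check described above has to be run on each server, because only one of them may hold the certificate without its private key. The following is an added example, not part of the original thread or the Microsoft article: it lists certificates in each server's machine store that have no private key and counts Schannel event 36869 entries. The server names are hypothetical, and the script assumes PowerShell 3.0 or later with PowerShell remoting enabled on both servers.

```powershell
# Added example (not from the thread). Host names below are hypothetical
# placeholders for the two OWA front-end servers behind the load balancer.
$servers = 'OWA-FE1', 'OWA-FE2'

$check = {
    # Certificates in the computer's Personal store that have no private key.
    # A site bound to one of these fails the SSL handshake, which the browser
    # shows as "Page cannot be displayed".
    $noKey = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey })

    # Schannel records event 36869 in the System log when the bound
    # certificate has no private key attached. Newest events come first.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36869
    } -MaxEvents 20 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        CertsWithoutKey = ($noKey | ForEach-Object {
                              "$($_.Subject) [$($_.Thumbprint)]"
                          }) -join '; '
        Event36869Count = $events.Count
        LastEvent36869  = if ($events) { $events[0].TimeCreated } else { $null }
    }
}

# Run the same check on every front-end server and compare the results.
Invoke-Command -ComputerName $servers -ScriptBlock $check |
    Select-Object Server, CertsWithoutKey, Event36869Count, LastEvent36869 |
    Format-List
```

A server that shows both a certificate in CertsWithoutKey and a non-zero Event36869Count is the one to fix with the resolution steps above.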
ASKER CERTIFIED SOLUTION
DarthMod