Solved

Accessing OWA via Internet unsuccessful when using SSL through NetGEAR PROSafe Firewall

Posted on 2006-10-25
Last Modified: 2008-01-09
I am testing remote connection methods to my Exchange 2003 Server (not on SP2 yet) and am trying to configure for OWA via SSL. I have built an internal Certificate Server, issued the certificate and everything works fine when I require secure connection when I am inside our network.

Outside is a different story. I thought all I had to do was open up port 443 and point it to my internal server, but all I get when going to https://mail.website.com/exchange is the generic "page cannot be displayed" error. I then put the server in my DMZ to expose all ports and still ran into the same problem.

The default web site is Windows 2003 Sharepoint. I have run into some additional configuration issues because of this when setting up OWA and WSUS. Need help in resolving the SSL block.
Question by:habanagold
 
Expert Comment by: George Sas (LVL 13)

How did you set up your authentication on the HTTP?
Try to type:
https://mail.website.com/exchange/username/
Does this work?
I think it is just a matter of authentication on your HTTP.
Open the Exchange manager, go to Protocols, HTTP and see the "Exchange" properties.
How is the authentication set up?
You can see it maybe better in the IIS manager on the "Default Website/Exchange".
Check Directory Security > Authentication Access Control.
You should have "Basic Authentication", then in the
Default Domain: \
Realm: website.com (if this is your domain)

Author Comment by: habanagold (LVL 1)

If I disable SSL on the website, I can access http://mail.domain.com/exchange with no problem from anywhere, internally and externally so I know it works. The reason for the SSL is additional security. When I enable the SSL, it works internally but not externally. That's where I get the generic "Page not found error".

With that being said, I went to the settings mentioned. The existing settings had Integrated Windows Authentication and Basic Authentication both checked. In the Default Domain box was listed "MY DOMAIN". In the Realm box, nothing was entered.

I changed the Default Domain to "\" (backslash without quotes) and put "MY DOMAIN" in the Realm box. I stopped and restarted the service from the IIS snap-in and got the same result.

I am not sure how to answer your question on how the authentication is setup.


Expert Comment by: George Sas (LVL 13)

Have ONLY the "Basic Authentication" selected.
You can also add the Anonymous.

Check again.
And try: http://mail.domain.com/exchange/   (the last / is important sometimes, depending on auth type)

Expert Comment by: George Sas (LVL 13)

http://mail.domain.com/exchange/username/ - try also this.
You might also want to enable logging on the http and look in the log files so you can understand exactly why you get the error.

Expert Comment by: George Sas (LVL 13)

Sorry, forgot to mention: the domain name must be a FQDN, like mydomain.com
Expert Comment by: Sembee (LVL 104)

Have you made the changes to sharepoint to allow it to co-exist with Exchange?
Any reason you aren't on SP2 for Exchange? It has been out for well over a year, is rock solid and there is no reason not to.
Have you got forms based authentication enabled? If not, try turning that on and see if the page will load.

Verify that your authentication settings are correct on the virtual directories in IIS Manager:

/exchange - basic integrated.
/exchweb - anonymous ONLY
/exadmin - basic and integrated
/public - basic and integrated

If you have to make any changes, after closing IIS manager, drop in to a command prompt and type

iisreset

so that the changes are written to the metabase correctly.

Simon.

Expert Comment by: nitadmin (LVL 8)

Have you set up NAT on your firewall or router?

Also, does your default website, which you mentioned is your SharePoint site, have an SSL cert too?

If you have an SSL certificate on both the default website and the Exchange website, then you can't use the same port 443 for both sites. You have to change the default port for one of the websites.

Cheers,
NITADMIN

Author Comment by: habanagold (LVL 1)

I have updated to SP2. No HELP.
I have applied all suggestions and nothing has resolved this.

I think at this point I need to repeat something. SSL does work inside my network. It doesn't sound to me that all of the above suggestions are really taking this into consideration. In fact, I didn't have to make any of the changes recommended in order to use SSL on my interior network. Even with the recommendations applied, OWA still works in the interior network.

The problem still exists where I am attempting to access the OWA portal over the internet with SSL enabled. If I turn off SSL, then I have no problem accessing the web site http://mail.domain.com/exchange. I am greeted with a login screen and immediately taken to the web version of my Outlook client.

When SSL is applied, I know something must be working because if I attempt to access the site with just http:// I receive a message page stating that this site requires https.
Expert Comment by: nitadmin (LVL 8)

Fix your DNS.

Cheers,
NITADMIN

Author Comment by: habanagold (LVL 1)

NITADMIN - I should mention your suggestions were the only ones I did not apply because they don't make any sense.

Expert Comment by: Sembee (LVL 104)

Don't confuse the setting REQUIRE SSL with your ability to use SSL. You can use SSL without having to set the option to require SSL.

You state that SSL works internally?

So if you browse to https://mail.domain.com/exchange (or whatever the name on the certificate is) you get logged in?
What happens if you use a machine that is NOT a member of the domain but inside your firewall? Does that work?
That will show whether the issue is with the server or with the firewall. If a non-domain member can use OWA correctly, then authentication etc is working fine. If the non-domain member fails, but a domain member does not, then the issue is authentication. Remember that OWA will use integrated authentication if it gets the chance, and that can make things appear to be working when they are not.

If everything works internally, then you move outside - again using a non-domain member.
If you browse to the root of the server - https://mail.domain.com - you should get an under construction page by default - without being asked to authenticate. If you don't, then you need to look at your firewall rules and/or your DNS to ensure that everything is resolving to the correct IP address.

Simon.

Expert Comment by: George Sas (LVL 13)

habanagold .... you did try to add the slash "/" after the exchange, right? And also tried https://mail.domain.com/exchange/username/ ?
If you access the Exchange inside the domain you are an authenticated user inside the domain; if you access from outside you are not.
So I STILL think it is a problem with the authentication type.

Expert Comment by: George Sas (LVL 13)

Yeah, you could also just place a plain HTML page on the default website and try to access https://mail.domain.com/test.html. Will it get displayed?
If yes, then your SSL is OK and we go back to the auth type; if not, then some other thing is the problem.
Can you telnet on port 443 from outside?

Author Comment by: habanagold (LVL 1)

Q: So if you browse to https://mail.domain.com/exchange (or whatever the name on the certificate is) you get logged in?
A: YES


Q: What happens if you use a machine that is NOT a member of the domain but inside your firewall? Does that work?
A: YES

If I take a non-domain member outside the network, I have the problem I have been talking about all along. My internal DNS servers use forwarders for name resolution. I don't see how I can make any entries in my Forward Lookup Zone that will make any difference.

Also, remember, I stated that I placed the Exchange server with SSL active in my Firewall's DMZ while testing. The same problem occurred so I don't see where a firewall would be the problem.

Any other ideas are welcome. Thanks to all so far.

Expert Comment by: George Sas (LVL 13)

Can you telnet on port 443 from outside?
You could also just place a plain HTML page on the default website and try to access https://mail.domain.com/test.html. Will it get displayed?

Maybe this time I get an answer?
We are just trying to find out if your firewall accepts connections on 443.

Author Comment by: habanagold (LVL 1)

My Website is a Sharepoint Website so I don't have a problem accessing it outside the network without SSL. When SSL is turned on, then there is the problem. This goes for the Exchange Web portal. Fine outside the network without SSL but not when turned on.

Both sites are accessible inside the network when SSL is turned on. This leads me to suggest this:

I produced my own certificate from my internal Certificate Server running on W2K SP4. Could this be the reason why external access is not working when SSL is turned on? Would I need to get a certificate from an external, public 3rd-party certificate provider in order to have SSL work externally?

Accepted Solution by: Sembee (LVL 104, earned 300 total points)

I will repeat a point above...

Don't confuse the setting REQUIRE SSL with your ability to use SSL. You can use SSL without having to set the option to require SSL.

Therefore you don't have to turn on and turn off SSL to test it. You can just leave the SSL enabled site and test it with http and https. If you turn on the require SSL setting then that can break things.

If you are using your own certificate, then it should still work, but you will get a certificate prompt. If you don't get a certificate prompt then you aren't even connecting to the server.

My instinct is that the firewall is blocking this traffic. Make sure that it isn't using SSL for any internal things - remote admin for example, that the port forwarding is set correctly etc. I don't know the Netgear product range that well personally, but does this model have any kind of VPN, or VPN over SSL? That could be using port 443.

Simon.
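The layered check Simon and George ask for (can you reach 443 at all, does TLS answer, does the root page load, does /exchange/ prompt for credentials), scripted as an added example that is not from the thread. HOST is a placeholder for the poster's mail.domain.com; it is meant to be run from outside the firewall against your own server, and the result codes follow the reasoning in the thread rather than any Exchange tool.

```python
import socket, ssl, http.client

HOST = "mail.example.com"   # placeholder for the poster's mail.domain.com
PORT, TIMEOUT = 443, 5

def _lenient_ctx():
    # An internal-CA cert is untrusted outside (hence the "certificate prompt");
    # skip chain validation here, since the question is reachability, not trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def tcp_reachable(host=HOST, port=PORT):
    """Equivalent of 'telnet host 443': is the port forwarded at all?"""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False

def tls_version(host=HOST, port=PORT):
    """Negotiated TLS version, or None if 443 is open but not speaking TLS."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw, \
             _lenient_ctx().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

def https_status(path, host=HOST, port=PORT):
    """HTTP status of GET <path> over TLS, or None if no response arrives."""
    conn = http.client.HTTPSConnection(host, port, timeout=TIMEOUT, context=_lenient_ctx())
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()

def diagnose(tcp_ok, tls_ok, root_status, owa_status):
    # Map the probe results onto the decision tree used in the thread.
    if not tcp_ok:
        return "FIREWALL"  # 443 never reaches IIS: NAT rule, or the router itself owns 443 (remote admin, SSL VPN)
    if not tls_ok:
        return "NOT_TLS"   # something answers on 443, but it is not the SSL web site
    if root_status is None:
        return "WEBSITE"   # TLS is up but the default web site returns nothing
    if owa_status == 401:
        return "AUTH"      # server reached; only IIS/Exchange authentication settings remain
    return "OK" if owa_status == 200 else "HTTP_%s" % owa_status
```

Run it once from an outside, non-domain machine: `diagnose(tcp_reachable(), tls_version() is not None, https_status("/"), https_status("/exchange/"))` returning FIREWALL matches the "page cannot be displayed" symptom described in this thread, while AUTH means the earlier IIS authentication suggestions apply.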

Author Comment by: habanagold (LVL 1)

Thanks to all who participated. I have to award the points to Sembee because it was the reference regarding the remote admin for the firewall that was blocking the external SSL access. Even though you can specify the port to use in the NetGEAR FSV114 ProSAFE VPN Firewall, I guess it was still using, blocking or whatever port 443. The default remote admin port for the Firewall is 8080 (like many SOHO appliances), so I am not sure why this affected the external access of SSL to the site.

At any rate, disabling the remote admin function of the firewall immediately let me in with OWA via SSL active.