Solved

OWA over SSL - Not working outside the LAN

Posted on 2006-11-17
12
1,484 Views
Last Modified: 2007-12-19
Hello,

I have been struggling with this issue for too long and guess I have to admit: I need assistance! :-P

I need to set up OWA for remote users to access their corporate mail.
It works just fine over regular HTTP, but after some reading I discovered that this is actually quite bad (no encryption...).
So I decided to switch to HTTPS, and issued my own certificate as described here: http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

It is working fine from inside the network (LAN), both HTTP and HTTPS.
But when tested from outside our FW, only HTTP works.
- When reaching the HTTPS URL, IE gives a "Page cannot be displayed"
- When tested with Firefox, it says that the connection attempt has been dropped.

I have a Linux box sitting outside our LAN "just in case", so the first thing I did was test the open ports on the FW for my IP:

80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https

Looks quite ok for me.

Then I thought it could be a problem with the certificate, so I ran openssl (from the outside box) to see what happens:

openssl s_client -bugs -connect MY.IP.ADD.RESS:443
CONNECTED(00000003)
3827:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

and this is where I stand...

Any hint ?!? Seems to be an SSL problem, and I really am a newbie for that...

Thanks !
Comment
Question by:Dunavant
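The openssl output above shows `CONNECTED` (so TCP to port 443 went through) and then a handshake failure, which lumps several different causes into one error. The probe below is an added example, not part of the original post: it separates the stages into TCP connect refused or timed out (the firewall is not passing the port), TCP accepted but the connection cut before TLS negotiated (what a browser reports as a dropped connection), a TLS-level negotiation error, or a completed handshake. The host and port arguments and the two throw-away loopback servers used to exercise the failure cases are assumptions for illustration; against a real OWA host one would call `probe_https("owa.example.com", 443)`.

```python
import socket
import ssl
import threading

# Outcome classes, from "nothing gets through" to "TLS works":
#   refused      TCP connect refused (closed port, or a firewall that rejects)
#   timeout      TCP connect timed out (a firewall that silently drops)
#   unreachable  no route / other network error before the connect completed
#   dropped      TCP accepted, but the peer closed or reset the connection during the handshake
#   no_reply     TCP accepted, ClientHello sent, nothing came back within the timeout
#   tls_error    the peer answered, but TLS negotiation failed (alert, protocol mismatch)
#   tls_ok       handshake completed; negotiated version, cipher and the DER certificate are returned


def probe_https(host, port, timeout=5.0):
    """Classify how far a TLS connection to host:port gets (see the outcome list above)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"stage": "refused"}
    except socket.timeout:
        return {"stage": "timeout"}
    except OSError as exc:
        return {"stage": "unreachable", "detail": str(exc)}

    # Validation is deliberately off: the question here is whether a handshake
    # completes at all, not whether the certificate chains to a trusted root.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as exc:
        sock.close()
        return {"stage": "dropped", "detail": str(exc)}
    except socket.timeout:
        sock.close()
        return {"stage": "no_reply"}
    except ssl.SSLError as exc:
        sock.close()
        reason = exc.reason or str(exc)
        # An unexpected EOF is the peer hanging up mid-handshake, not a TLS disagreement.
        stage = "dropped" if "EOF" in reason.upper() else "tls_error"
        return {"stage": stage, "detail": reason}
    except OSError as exc:
        sock.close()
        return {"stage": "dropped", "detail": str(exc)}
    try:
        return {"stage": "tls_ok", "version": tls.version(), "cipher": tls.cipher(),
                "peer_cert_der": tls.getpeercert(binary_form=True)}
    finally:
        tls.close()


def start_dropping_server():
    """Start a loopback listener that accepts one connection and closes it at once.

    Assumed stand-in for a device that lets TCP/443 through but kills the
    connection as soon as the TLS handshake starts. Returns the listening port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Reserve and release a loopback port so that connecting to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("dropping server:", probe_https("127.0.0.1", start_dropping_server(), timeout=3)["stage"])
    print("closed port:    ", probe_https("127.0.0.1", unused_port(), timeout=3)["stage"])
```

A `refused` or `timeout` result means the firewall rule, not the server, needs attention; `dropped` means the port is open but something between client and server (or the server itself) ends the connection once TLS starts, which is the case to take to the firewall's own logs; `tls_error` with a reason string points at protocol or cipher configuration; only `tls_ok` gets you as far as certificate trust questions.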
12 Comments
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 100 total points
ID: 17964144
Hi Dunavant,

First, close 135 - that isn't needed at all and is just asking for trouble.

Second, have you enabled FBA at all?

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm

Hope that helps,

-red
 

Author Comment

by:Dunavant
ID: 17964170
Well, I actually did not enable FBA.

Is it a prerequisite for using OWA over HTTPS?!?
(Will try that in a minute anyway)
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17964209
I don't know if it is a pre-requisite, but I have no sites running SSL without FBA (SSL is a pre-requisite of FBA)

Confused yet?  I am :)

If you are enabling SSL, you may as well enable FBA - it is a much prettier experience.

Which reminds me, you haven't ticked "Require SSL" on any IIS sites have you?

-red
 
LVL 26

Accepted Solution

by:jar3817
jar3817 earned 200 total points
ID: 17964581
"So I decided to switch to HTTPS, and issued my own certificate as per described here..."

Get a real certificate from godaddy ($20) or rapidssl ($70) and see if that fixes your problem. You really shouldn't be running a production server with a self-signed cert.
 
LVL 22

Assisted Solution

by:kristinaw
kristinaw earned 100 total points
ID: 17964832
No, you don't have to have FBA to use OWA over SSL. I would try to get basic OWA over HTTPS working first, then decide whether or not to turn on FBA. If it's not working now, adding something else to the mix isn't going to help.

I agree with jar, spring for the cert. It will be a lot less trouble in the long run. money well spent.

check the IIS logs on your Exchange server and see if the https attempts are even reaching it.

Kris.
 

Author Comment

by:Dunavant
ID: 17965412
Ok, so I tried to install a RapidSSL FreeSSL certificate, just to give it a go.
No changes, still the same error...

As far as the IIS logs are concerned, it seems to me the HTTPS reaches it.
Copy-pasted a sample below:

2006-11-17 13:45:25 172.17.6.121 SUBSCRIBE /exchange/ssladmin/Calendar - 443 DUNAVANT\Romain 172.17.6.19 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0

So 443 -> status 200, thus seems ok...

Any idea, I am sinking here...   :(
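A small parser for the IIS W3C log format shown in the comment above, added here as an example and not part of the thread. It honours the `#Fields:` header that IIS writes at the top of each log file and splits the port-443 requests by whether the client address (`c-ip`) falls in an RFC 1918 or loopback range, so an HTTPS hit from a desktop on the LAN is not mistaken for the remote test that kristinaw asked to verify. The first sample line is the one pasted above; the other two lines, and the address 203.0.113.7 standing in for the outside box, are constructed.

```python
import ipaddress

# Column order of the line pasted in the thread. Real logs carry a "#Fields:"
# header naming the columns actually enabled; parse_log prefers that header.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
                  "sc-substatus", "sc-win32-status"]

# Ranges treated as "inside the LAN": RFC 1918 plus loopback. ipaddress's own
# is_private also counts the documentation ranges, which is why it is not used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    """True for an RFC 1918 or loopback address; False for routable or unparsable input."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse W3C extended log text into dicts keyed by field name.

    IIS replaces spaces inside values with '+', so splitting on whitespace is safe.
    Comment lines start with '#'; a '#Fields:' line redefines the column order.
    Lines whose column count does not match are skipped rather than mis-assigned.
    """
    fields = DEFAULT_FIELDS
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def split_https_hits(records, port="443"):
    """Return (internal, external) lists of the requests that arrived on the HTTPS port."""
    internal, external = [], []
    for rec in records:
        if rec.get("s-port") != port:
            continue
        (internal if is_internal(rec.get("c-ip", "")) else external).append(rec)
    return internal, external


# Constructed sample: line 1 is the one pasted in the comment above; the 401/200
# pair from 203.0.113.7 (a documentation address standing in for the remote box)
# is made up to show what an external test looks like when it does reach IIS.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-11-17 13:45:25 172.17.6.121 SUBSCRIBE /exchange/ssladmin/Calendar - 443 DUNAVANT\Romain 172.17.6.19 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
2006-11-17 13:47:02 172.17.6.121 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0+(X11;+U;+Linux) 401 2 2148074254
2006-11-17 13:47:40 172.17.6.121 GET /exchange/ - 443 DUNAVANT\Romain 203.0.113.7 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
"""


def summarize(text):
    """Count HTTPS requests from inside and outside the LAN and list the outside client addresses."""
    internal, external = split_https_hits(parse_log(text))
    return {"internal": len(internal), "external": len(external),
            "external_clients": sorted({r["c-ip"] for r in external})}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

One caveat: if the firewall source-NATs inbound connections, `c-ip` shows the firewall's inside address for every external request and this split no longer tells the two apart; in that case the firewall's own connection log is the place to look.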
 
LVL 22

Expert Comment

by:kristinaw
ID: 17966206
ok, if you're sure that's your test that came from the outside...

so what does this traffic have to travel through to get back to the client? firewall? what kind?

is there a single exchange server involved here? or is this a FE/BE scenario?

kris.
 

Author Comment

by:Dunavant
ID: 17971287
Yep, the traffic goes through a firewall, a Symantec Security Gateway 5000.

The set-up is like this:

Internet <-> SGS (FW) <-> Exchange Server

Only one Exchange server is involved here.

An idea: could it be some kind of IP address being masked / replaced by the FW and thus the certificate failing to be validated from the client machine outside the LAN?!?
 
LVL 22

Expert Comment

by:kristinaw
ID: 17975738
ok, so with a single server you actually will not want FBA at this point, it will just create more complications. You have 'integrated auth' enabled on the Exchange server, right?

have you enabled verbose logging on the device?

kris.
 
LVL 14

Assisted Solution

by:Ehab Salem
Ehab Salem earned 100 total points
ID: 17977508
I am using OWA without FBA over https. Are you using IIS? If so check the following:

Open IIS, default website, properties check tcp ports 80 and 443.
Open the properties for Exchange, Exchweb, and Exchadmin, go to Directory Security, make sure that the certificate is there, and that secure communications is selected with the correct encryption (128-bit or without).

Hope that helps.
 

Author Comment

by:Dunavant
ID: 17986334
OK, I think I spotted the problem.

I "sniffed" my FW (Symantec Security Gateway 5000), and it seems that after the initial handshake, the IIS server is assigning a custom port number (from the open range) for the transaction to be carried out on.
It is this port that is then blocked, thus making the SSL connection fail.

I don't really want to open the whole connection of my mail server to the wild, so still to figure out:

1) Is there a specific range used by IIS for that post-handshake connection?

2) If not, can I block IIS onto one specific custom port ?!?
 

Author Comment

by:Dunavant
ID: 17994378
Ok, I just closed the question as I will open a new one.

I figured out the problem was on the FW and will focus on that.
Split the points according to the help given; let me know if you think I was unfair.

Cheers!