e_vanheel asked:
Exchange 2007 coexisting with 2003 and a PIX firewall - Getting OWA and ActiveSync to work

I am deploying an Exchange 2007 server.

I have an existing 2003 Exchange server, a new 2007 Exchange server and a Cisco PIX. The servers use an RGC to exchange email. A spam filter exists on a separate server.

The Internet mail flows in on port 25 and is translated to an internal address (the spam firewall). The spam firewall passes the mail on to Exchange 2007 via port 2525 and, if needed, to the 2003 clients via the RGC.

On the intranet, users on Exchange 2003 and 2007 have full mail functionality, including OWA. On the Internet, only users whose mailbox is on the 2003 server have ActiveSync and OWA.

I figure that the issue is with the PIX configuration. I am just missing something and need some help.

The plan is to move the users to 2007 once all testing is done and remove the 2003 Exchange server.


Current PIX config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 25 xx.xx.xx.147
nat (inside) 0 access-list 100
nat (inside) 25 172.36.10.225 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.225 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 www 172.36.10.225 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1

Busbar:
I think this is because you published the Exchange 2003 server.
Exchange 2003 cannot be in front of the Exchange 2007 server; instead you might want to put the CAS server in front of the Exchange 2003 server, and the Exchange 2007 CAS server will provide redirection and the same OWA 2003 experience to users whose mailbox resides on the Exchange 2003 server.
e_vanheel (asker):
I don't understand what you mean by published and in front of. The Exchange 2003 server is not a FE/BE setup.
Let me rephrase it.
Exchange 2003 (even if it is not FE/BE) cannot be published instead of the E12 server, because it won't be able to do redirection to E12.
Instead, publish the CAS server.
How do I publish the CAS server?
Change the access list on the PIX to enable WWW and SMTP to your CAS server.
Let us check:
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.225 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 www 172.36.10.225 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0

It seems that 172.36.10.227 is the Exchange 2003 address, so change it to be the CAS server (the CAS server is the same as the Mailbox/Hub server if you are using a single-server topology).
I now understand what you mean by publish.

I have changed the PIX to remove the static mappings for port 80 and 443 and added static mappings to the 2007 server for those services. I have then run "clear xlate" on the PIX.

I have had mixed results. I have gotten to where I have been prompted to log in and then have not been successful (400 Bad Request, I think). Other times I have not gotten anything at all.

I have to keep undoing what I am trying on the firewall because I can't stop mail flow for very long.

Thanks.
Did you get those errors when using OWA or ActiveSync?
OWA
Well,
I will need further details: does the account being used for testing reside on E12 or E2003? Do you access using the /Exchange or the /OWA virtual directory, etc.?
The Account for testing is on the E2K7 server.

Using the current PIX config, all users on the E2K3 server work; none of the E2K7 users work.
Once I can get the E2K7 server working we are ready to move mailboxes (I don't need the 2003 to work once I can prove that OWA and ActiveSync will work).

I understand that the PIX needs to change, but I cannot get it to work for the mailboxes on the E2K7 server over the Internet.

On the LAN, OWA works great, including going to the correct server. If I go to http://exchange2003/exchange and the mailbox is on the 2007 server, I automatically get redirected to the correct server.

I don't know how I can test ActiveSync until I figure out the PIX config.

Hope that helps.
I am not that much of a PIX guru, but you need further tests with the configuration.
SOLUTION by Les Moore (solution text not available on this page)
Does everything work internally?
The PIX is the least of your worries. I have E2007 deployed behind a PIX and it was just a single port that I had to move (443).

However you need to confirm if all the features work correctly inside first, which rules out any problems with the firewall.

Simon.
Everything appears to be working internally. Mail can flow between the 2 servers. Faxes are being received, mail flows between the Internet and all users, OWA works internally for mailboxes on both servers, and ActiveSync works for users on the 2003.

The issue is OWA outside the firewall and ActiveSync on the 2007 server. My current config allows ActiveSync and OWA ONLY for users on the 2003 Exchange server, not the 2007 Exchange server.

I don't know if it is possible, but I would like to not burn another external address for this to work. I do have one if we need it.

The internal IP is 172.36.10.230 for the 2007 server, and if possible I would continue to use .148 for the external.

The end game is to have all users on the 2007 server, with the 2003 server being decommissioned. If I can get the PIX configured to work with the 2007 server, I can move the 20 people who use OWA and ActiveSync until I can move all others.

Also, I have not put a commercial SSL cert on this server (yet); I should have it by the end of this week. It is using the one that Exchange installed. I don't know if this matters for the phones.

Gentlemen, thanks for your help!

ASKER CERTIFIED SOLUTION (solution text not available on this page)
I have tried to use an external address with no success.

static (inside,outside) xx.xx.xx.149 172.36.10.230 netmask 255.255.255.255 0 0
access-list mail permit ip any host xx.xx.xx.148 eq 443
clear xlate

And that did not work when I pointed a browser to https://xx.xx.xx.149/exchange

What am I missing?
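A cross-check of the PIX statics against the outside access list, added here as an example and not part of the thread or anyone's posted config: it reports the mismatches that bit the asker above (a static on .149 while the permit names .148; "permit ip ... eq 443", which is not valid PIX syntax because port operators apply only to tcp or udp), plus permits with no translation behind them and "permit ip any host" entries that expose every port of a translated host. The sample config is constructed from lines in the thread, with the xx.xx.xx.* placeholders kept.

```python
PORT_NAMES = {"smtp": "25", "www": "80", "pop3": "110", "imap4": "143", "https": "443"}
# Constructed sample: a subset of the thread's config plus the two lines the asker
# tried later (a whole-host static to .149 and "permit ip ... eq 443" for .148).
SAMPLE_CONFIG = """
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit ip any host xx.xx.xx.148 eq 443
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.230 netmask 255.255.255.255 0 0
"""

def parse_static(t):
    # static (in,out) tcp|udp GIP GPORT LIP LPORT ...  or  static (in,out) GIP LIP ...
    if t[2] in ("tcp", "udp"):
        return {"proto": t[2], "gip": t[3], "gport": PORT_NAMES.get(t[4], t[4]), "lip": t[5]}
    return {"proto": "ip", "gip": t[2], "gport": None, "lip": t[3]}

def parse_acl(t):  # only the "access-list NAME permit PROTO any host DST [eq PORT]" shape used in the thread
    if t[2] == "permit" and t[4:6] == ["any", "host"]:
        port = PORT_NAMES.get(t[8], t[8]) if len(t) > 8 and t[7] == "eq" else None
        return {"proto": t[3], "dst": t[6], "port": port, "raw": " ".join(t)}

def invalid(a):
    return a["proto"] == "ip" and a["port"] is not None  # "eq PORT" is only legal after tcp/udp

def matches(a, s):
    # Same global IP, and either side covers everything (permit ip / whole-host static) or proto+port agree.
    return a["dst"] == s["gip"] and (a["proto"] == "ip" or s["proto"] == "ip" or (
        a["proto"] == s["proto"] and a["port"] in (None, s["gport"])))

def audit(config):
    """Return (kind, detail) findings for permits and statics that do not line up."""
    tokens = [line.split() for line in config.strip().splitlines()]
    statics = [parse_static(t) for t in tokens if t[0] == "static"]
    acls = [a for t in tokens if t[0] == "access-list" for a in [parse_acl(t)] if a]
    findings = []
    for a in acls:
        if invalid(a):
            findings.append(("invalid-syntax", a["raw"]))
        elif not any(matches(a, s) for s in statics):
            findings.append(("no-static-behind-permit", a["raw"]))  # dead rule or mistyped IP
        elif a["proto"] == "ip":
            findings.append(("whole-host-exposed", a["dst"]))  # narrow to the published ports
    for s in statics:
        if not any(matches(a, s) for a in acls if not invalid(a)):
            findings.append(("static-not-permitted", f"{s['gip']} {s['proto']} {s['gport'] or 'all'} -> {s['lip']}"))
    return findings

print(*audit(SAMPLE_CONFIG), sep="\n")
```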
OK... I tried the above config again in the PIX. I must have goofed it up before. I have both the access list and static mapping to .148 (not .149), and I added port 80 to the access list as well for testing.

I have removed the certificate and the 128-bit requirement (I will put it back, Simon) and was able to get a login request. When I clicked login I get: Internet Explorer cannot display the webpage.

Ideas?
Do you mean you get the standard Windows login prompt?
If so, when you log in do you use domain\username?

Does it work internally?

Simon.
New info:

If from IE 7 I go to http://x.x.x.148\exchange I get a Windows-style login. It does not work most of the time: I get an HTTP 400 Bad Request and the URL is http://x.x.x.148/owa/auth/owaauth.dll.

If from IE7 I go to http://x.x.x.148\owa I get an OWA 2007 login page. It does not work most of the time, with the same error as above.

If from Mozilla I go to http://x.x.x.148\exchange I get a Windows-style login. It does not work most of the time: I get a "problem loading page" and the URL is the internal FQDN of the Exchange 2007 server.

If from Mozilla I go to http://x.x.x.148\owa I get an OWA 2007 login page, and it works most of the time.

I have been testing over the last 20+ hours with different computers, and I have had IE work for a few hours. I have been using the same computer from different locations and have not seen consistency in how, or if, this works.

OWA does work internally 100% of the time, and I am using domain\user to log in.

ActiveSync started working also, even when the phone was pointed to the 2003 server (this has been working for a long time prior to the introduction of 2007) and the mailbox was on the 2007 server. It also works if the phone is pointed to the 2007 server's external (NATed) address.

Thanks for your help!
Did you try IE6?
SOLUTION (solution text not available on this page)
I guess my post did not go through. I have tried IE6 and had the same issue.

We are not using ISA, but I have noticed the same thing whoajack mentioned about the URL: \exchange for E2K3 and \owa for E2K7. I don't know why it should matter (it should not).

It appears to have stabilized a little, but I am still getting delayed messages for anyone on the E2K7 box.
OK, so I have the OWA deal taken care of: I just point port 443 to either EX2003 or EX2007 to get the different OWAs (servers). My problem is that when I point port 443 to EX2007, I can't get my WM5 devices to ActiveSync. The same cert that I use for EX2003 obviously is not the one that will work with EX2007, so my question is:

How does one download the certificate off an EX2007 server onto the WM5 devices?
Teneros....Did you just hijack my question? <grin>

The firewall issue is taken care of. I just used another live address and did a static mapping.

They have moved most users to 2007 and it works fine.
Hahah, that's funny. There's a squatter in here! :-)
The reason you're having this issue is that in order to have Exchange 2007 proxy back to Exchange 2003, you cannot have the Mailbox role installed on the Exchange 2007 server. It works internally because internally you can simply get redirected.