Solved

Exchange 2007 coexisting with 2003 and a PIX firewall - Getting OWA and ActiveSync to work

Posted on 2007-04-04
Last Modified: 2008-07-15
I am deploying an Exchange 2007 server.

I have an existing 2003 Exchange server, a new 2007 Exchange server and a Cisco PIX.  The servers use an RGC to exchange email.  A spam filter exists on a separate server.

The Internet mail flows in on port 25 and is translated to an internal address (the spam firewall).  The spam firewall passes the mail on to the Exchange 2007 server via port 2525 and, if needed, to the 2003 clients via the RGC.

On the intranet, users on the Exchange 2003 and 2007 servers have full mail functionality, including OWA.  On the Internet, only users whose mailbox is on the 2003 server have ActiveSync and OWA.

I figure that the issue is with the PIX configuration.  I am just missing this and need some help.

The plan is to move the users to 2007 once all testing is done and remove the 2003 Exchange server.


Current PIX config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 25 xx.xx.xx.147
nat (inside) 0 access-list 100
nat (inside) 25 172.36.10.225 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.225 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 www 172.36.10.225 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1

Question by: e_vanheel

27 Comments

Expert Comment by: Busbar
I think this is because you published the Exchange 2003 server.
Exchange 2003 cannot be in front of an Exchange 2007 server; instead you might want to put the CAS server in front of the Exchange 2003 server, and the Exchange 2007 CAS server will provide redirection and the same OWA 2003 experience to users whose mailbox resides on the Exchange 2003 server.
Author Comment by: e_vanheel
I don't understand what you mean by published and in front of.  The Exchange 2003 server is not a FE/BE setup.  
Expert Comment by: Busbar
Let me rephrase it.
Exchange 2003 (even if it is not FE/BE) cannot be published instead of the E12 server, because it won't be able to do redirection to E12.
Instead, publish the CAS server.
Author Comment by: e_vanheel
How do I publish the CAS server?
Expert Comment by: Busbar
Change the access list on the PIX to enable WWW and SMTP to your CAS server.
Let us check:
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.225 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 www 172.36.10.225 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0

It seems that 172.36.10.227 is the Exchange 2003 address, so change it to be the CAS server (the CAS server is the same as the Mailbox/Hub server if you are using a single-server topology).
Author Comment by: e_vanheel
I now understand what you mean by publish.

I have changed the pix to remove the static mappings for port 80 and 443 and added static mappings to the 2007 server for those services.  I have then "clear xlate" on the pix.

I have had mixed results.  I have gotten to where I have been prompted to log in and then have not been successful (400 bad request (I think)).  Other times I have not gotten anything at all.

I have to keep undoing what I am trying on the firewall because I can't stop mail flow for very long.

Thanks.
Expert Comment by: Busbar
Did you get those errors when using OWA or ActiveSync?
Author Comment by: e_vanheel
OWA
Expert Comment by: Busbar
Well,
I will need further details: does the account being used for testing reside on E12 or E2003? Do you access using the /Exchange or the /OWA virtual directory, etc.?
Author Comment by: e_vanheel
The account for testing is on the E2K7 server.

Using the current PIX config, all users on the E2K3 server work; none of the E2K7 users work.
Once I can get the E2K7 server working we are ready to move mailboxes (I don't need the 2003 to work once I can prove that OWA and ActiveSync will work).

I understand that the PIX needs to change but I cannot get it to work for the mailboxes on the E2K7 server over the Internet.

On the LAN OWA works great, including going to the correct server.  If I go to http://exchange2003/exchange and the mailbox is on the 2007 server, I automatically get redirected to the correct server.

I don't know how I can test ActiveSync until I figure out the PIX config.

Hope that helps.
Expert Comment by: Busbar
I'm not that much of a PIX guru, but you need further tests with the configuration.
Assisted Solution by: lrmoore (earned 200 total points)
If .147 = Exch 2003, then which one is 2007? .148? .149?

>access-list mail permit ip any host xx.xx.xx.148
Bad idea!

Busbar also gave some bad advice above on the ACLs. You have them correct the way they are in your first post.
We just need to know which one it is (2007) to open the appropriate ports to it.
Expert Comment by: Sembee
Does everything work internally?
The PIX is the least of your worries. I have E2007 deployed behind a PIX and it was just a single port that I had to move (443).

However you need to confirm if all the features work correctly inside first, which rules out any problems with the firewall.

Simon.
Author Comment by: e_vanheel
Everything appears to be working internally.  Mail can flow between the 2 servers.  Faxes are being received, mail flows between the Internet and all users, OWA works internally for mailboxes on both servers and ActiveSync works for users on the 2003.

The issue is OWA outside the firewall and ActiveSync on the 2007 server.  My current config allows ActiveSync and OWA ONLY to users on the 2003 Exchange server, not the 2007 Exchange server.

I don't know if it is possible, but I would like to not burn another external address for this to work. I do have one if we need to.

The internal IP is 172.36.10.230 for the 2007 server and if possible I would continue to use .148 for the external.

The end game is to have all users on the 2007 server with the 2003 server being decommissioned.  If I can get the PIX configured to work on the 2007 server, I can move the 20 people who use OWA and ActiveSync until I can move all others.

Also, I have not put a commercial SSL cert on this server (yet) I should have it by the end of this week - it is using the one that exchange installed.  I don't know if this matters for the phones.

Gentlemen,  Thanks for your help!

Accepted Solution by: Sembee (earned 250 total points)
If you don't want to use another IP address then it is going to be one or the other.
You cannot proxy EAS through to Exchange 2003 from Exchange 2007 nor can you go the other way. If you have another IP address then it might pay to use that as a temporary measure to test with, so that you can leave a working solution alone.

Simon.
Author Comment by: e_vanheel
I have tried to use an external address with no success.

static (inside,outside) xx.xx.xx.149 172.36.10.230 netmask 255.255.255.255 0 0
access-list mail permit ip any host xx.xx.xx.148 eq 443
clear xlate

And that did not work when I pointed a browser to https://xx.xx.xx.149/exchange

What am I missing?
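As a check a practitioner would want at this point (an added example, not code from this thread or from Cisco), here is a small Python audit of the inbound access-list and static pairs quoted above: it flags the "permit ip any host" entry lrmoore objected to (every port exposed), an "eq" port on an ip-protocol entry, and a static with no access-list entry permitting traffic to it, which is the .148 versus .149 mismatch in the attempt just above. The sample config is constructed from lines quoted in this thread; the xx.xx.xx.* addresses are the thread's own placeholders.

```python
from typing import List, Optional, Tuple

# Constructed sample: the outside-facing lines quoted in this thread, plus the
# asker's later attempt (access-list written for .148, static written for .149).
PIX_CONFIG = """\
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit ip any host xx.xx.xx.148 eq 443
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.227 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.147 https 172.36.10.225 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.230 netmask 255.255.255.255 0 0
"""

def static_external_ip(line: str) -> Optional[str]:
    # "static (inside,outside) tcp EXT EPORT INT IPORT ..." or "static (inside,outside) EXT INT ..."
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    return tok[3] if tok[2] in ("tcp", "udp") else tok[2]

def parse_acl(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    # (protocol, external_host, port) for "access-list NAME permit PROTO any host IP [eq PORT]"
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "permit" or tok[4:6] != ["any", "host"]:
        return None
    port = tok[8] if len(tok) >= 9 and tok[7] == "eq" else None
    return tok[3], tok[6], port

def audit(config: str) -> List[str]:
    # One tagged string per finding, in configuration order.
    lines = config.splitlines()
    statics = list(dict.fromkeys(ip for ip in map(static_external_ip, lines) if ip))
    acls = [(l, parse_acl(l)) for l in lines if parse_acl(l)]
    findings, permitted = [], set()
    for line, (proto, host, port) in acls:
        permitted.add(host)
        if proto == "ip" and port:
            findings.append(f"INVALID {line!r}: 'eq' port matching applies only to tcp/udp")
        elif port is None:
            findings.append(f"OVERBROAD {line!r}: every port on {host} is exposed; permit only the published service")
    for ext in statics:
        if ext not in permitted:
            findings.append(f"UNREACHABLE static {ext}: no access-list entry permits inbound traffic to it")
    return findings
```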
Author Comment by: e_vanheel
OK... I tried the above code again in the PIX.  I must have goofed it up before. I have both the access list and static mapping to .148 (not .149) and I added port 80 also to the access list for testing.

I have removed the certificate and the 128 bit requirement (I will put it back Simon) and was able to get a login request.  When I clicked login I get: Internet Explorer cannot display the webpage.

Ideas?
Expert Comment by: Sembee
Do you mean you get the standard Windows login prompt?
If so, when you log in do you use domain\username?

Does it work internally?

Simon.
Author Comment by: e_vanheel
New info:

If from IE 7 I go to http://x.x.x.148\exchange - I get a Windows-style login.... Does not work most of the time.  I get an HTTP 400 bad request and the URL is http://x.x.x.148/owa/auth/owaauth.dll

If from IE7 I go to http://x.x.x.148\owa - I get an OWA 2007 login page.... Does not work most of the time.  Same error as above.

If from Mozilla I go to http://x.x.x.148\exchange - I get a Windows-style login.... Does not work most of the time.  I get a problem loading page and the URL is the internal FQDN of the Exchange 2007 server.

If from Mozilla I go to http://x.x.x.148\owa - I get an OWA 2007 login page and it works most of the time.

I have been testing over the last 20+ hours with different computers and I have had IE work for a few hours.  I have been using the same computer from different locations and have not been consistent in how, or if, this works.

OWA does work internally 100% of the time and I am using domain\user to log in.

ActiveSync started working also, even when the phone was pointed to the 2003 server (this has been working for a long time prior to the introduction of 2007) and the mailbox was on the 2007 server.  It also works if the phone is pointed to the 2007's external (NATed) address.

Thanks for your help!
Expert Comment by: Busbar
Did you try IE6?
Assisted Solution by: whoajack (earned 50 total points)
I also am in the same process that you just went through: how to co-exist the existing EX2003 with EX2007. I am using ISA 2006, and recreated all of the firewall rules using the built-in wizards for publishing Exchange Web clients. I found that while it sometimes did redirect to the proper server, it was best to have two separate URLs for users.

using /exchange for the 2003 mailbox users
using /owa for the 2007 mailbox users

I found that having both applications published through ISA at the same time (not 100%, had to remove duplicate paths such as Microsoft-Server-ActiveSync, etc) from one or the other, is working better than I had expected.

I do wish I could just use one for everything, but guess not.

Author Comment by: e_vanheel
I guess my post did not go through.  I have tried IE6 and had the same issue.

We are not using ISA but I have noticed the same thing whoajack mentioned about the URL: \exchange for E2K3 and \owa for E2K7.  I don't know why it should matter (it should not).

It appears to have stabilized a little but I am still getting delayed messages for anyone on the E2K7 box.
Expert Comment by: Teneros
OK, so I have the OWA deal taken care of; I just either point port 443 to EX2003 or EX2007 to get the different OWAs (servers).  My problem is that when I point port 443 to EX2007, I can't get my WM5 devices to ActiveSync.  The same cert that I use for EX2003 obviously is not the same one that will work with EX2007, so my question is:

How does one download the certificate off an EX2007 server onto the WM5 devices?
Author Comment by: e_vanheel
Teneros....Did you just hijack my question? <grin>

The firewall issue is taken care of.  I just used another live address and did a static mapping.

They have moved most users to 2007 and it works fine.
Expert Comment by: whoajack
hahah that's funny. there's a squatter in here!  :-)
Expert Comment by: Punqstr
The reason you're having this issue is that in order to have Exchange 2007 proxy back to Exchange 2003, you cannot have the mailbox role installed on the Exchange 2007 server.  It works internally because internally you can simply get redirected.