• Status: Solved
  • Priority: Medium
  • Security: Public

Publish Outlook Web Access to Internet

I recently installed Microsoft Exchange Server and I have Outlook Web Access set up. The problem is I can only use Outlook Web Access from the LAN. If I try to access it from outside the local LAN it doesn't load. I assume this has something to do with the directories not being published properly in IIS? Can anyone help me configure this?
Asked:
filtrationproducts
 
chingmd Commented:
Please make sure you are using HTTPS to connect to OWA.  This question is more about your network configuration rather than your OWA setup.  

Essentially, you need to create a port forward on your firewall/router to point to your internal server where OWA is being hosted.

Then you might also need to create DNS entries so external people can find you properly.   Likely your router/firewall IP.


filtrationproducts (Author) Commented:
I already have the router set up to forward HTTP requests to the IIS server and the basic IIS website works OK outside of our LAN. The published website "http://sbs2k3/" works externally. But the address "https://sbs2k3/exchweb/bin/auth/owalogon.asp?url=https://sbs2k3/exchange&reason=0" does not publish externally.

For example go to: mail.filtrationproducts.com. That website is the default website for the IIS web server. If you click the link for "outlook web access" it will not work. (this link works internally though) They are both accessing the same directory/server. But the sub directories for OWA are not available outside of the LAN.

chingmd Commented:
OK. This is going to depend on your implementation of the firewall, and IIS.

Typically, the link will be https://mail.filtrationproducts.com/exchange. But this does depend on the configuration of IIS.

So forward your firewall port 443 to the sbs2k3 ip internally port 443.  

 
Sembee Commented:
Are you using ISA? The fact that you have mentioned publish would indicate that is happening. Can you confirm if ISA is being used or not?

Simon.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
"If you click the link for "outlook web access" it will not work. (this link works internally though)"

Of course it won't work because it is trying to go to http://sbs2k3 which doesn't mean anything on the Internet.  Instead, you need to either have the link go to https://mail.filtrationproducts.com/exchange as chingmd stated, or you can modify the properties of the default.htm page on the default web site to go to "A redirection to a URL" instead of "The designated file".

If you change it to a redirection, then you would enter https://mail.filtrationproducts.com/exchange in the "Redirect to:" box and check both the "The exact URL entered above" and "A permanent redirection for this resource" boxes.

But even going to https://mail.filtrationproducts.com/exchange directly looks as though you may not have opened port 443 on your router correctly.  I also see that your self-signed SSL certificate was created for the wrong FQDN, it has the following information:

CN = local.filtrationproducts.com
CN = companyweb
CN = sbs2k3
CN = localhost
CN = sbs2k3.FPC.local

The top CN should be mail.filtrationproducts.com though... so rerun the Configure Email and Internet Connection Wizard (CEICW -- linked as "Connect to the Internet" on the To-Do list in the Server Management Console) and recreate the SSL certificate on the appropriate screen.

A visual how-to for that is here:  http://sbsurl.com/ceicw

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
One problem that may be causing connectivity issues as well is that it seems that you have a wildcard HOST A record in your filtrationproducts.com DNS Zone file.  This would be configured at your DNS Host -- Network Solutions.  

I generally see these by default on Network Solutions DNS Zone Files, because they configure a Wildcard (which is usually just an asterisk (*) HOST A record) so that anything.filtrationproducts.com points to your web server of 216.250.182.1.

You do have a HOST A record configured for mail.filtrationproducts.com pointing to 205.242.223.105 which is correct, but the wildcard entry can sometimes be seen before the mail.filtrationproducts.com entry causing connectivity problems.  Just remove the wildcard entry and it will work better.

Jeff
TechSoEasy

filtrationproducts (Author) Commented:
I set up the router to forward port 443 to our internal server. I also ran the Connect to the Internet wizard again on the server and set up a certificate for mail.filtrationproducts.com. Now when I go to mail.filtrationproducts.com/exchange from the internet it gives me the window to accept the certificate, then it just errors out and never loads the page. When I use mail.filtrationproducts.com/exchange from the LAN it links to the OWA page fine. I don't know what ISA is so I don't know if it's loaded or not. But this is just the standard Windows Small Business Server 2003 installation.

chingmd Commented:
If you load the Manage Your Server applet it may tell you.   It's not defaulted to install, but it can be selected.

I just connected to your server and it presents a page for username and password.

Whatever you are working on right now, it's looking like it's working now.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
chingmd, there is no "Manage Your Server" applet on a Small Business Server.  

I was not able to get anything when going to https://mail.filtrationproducts.com/exchange.  However, I do see that you correctly modified the SSL Certificate with the CEICW.

Since you apparently changed everything in the C:\Inetpub\wwwroot directory, I'm wondering if you somehow deleted or removed any important files.

What's confusing here is that you say you can access OWA internally.  Can you please confirm that if you go to http://sbs2k3/exchange on a LAN Workstation that you do indeed get the OWA login screen?  (Not a pop-up credential box).

Jeff
TechSoEasy

filtrationproducts (Author) Commented:
chingmd - Do you mean the "Server Management" snap in?

Jeff- I just tested it using http://sbs2k3/exchange internally again and it went to the "Microsoft outlook web access" login screen. And if I log in I can view my emails. I restored the old wwwroot directory from before I changed the basic website.

I noticed now when I connect to the basic website "mail.filtrationproducts.com" (default IIS page) I have to enter my domain user name and password to view the page?

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You restored the wwwroot?  Because I now see a web site for filtrationproducts.com there.  (This is assuming that your external IP is 205.242.223.105).

I don't see the ability to get beyond that to https://mail.filtrationproducts.com/exchange.

However, after you made the changes you mentioned above, you should have rerun the CEICW to reset the permissions on the secure web pages.

Jeff
TechSoEasy

filtrationproducts (Author) Commented:
OK, I brought my work laptop home yesterday, which is a member of the domain I am working with. I was able to access the OWA website from the laptop when I plugged it into my LAN at home. When I tried it from my home desktop... nothing. This has to be a permissions issue because on the laptop the user name and password match the credentials to my work domain. My desktop does not. And yes, that external IP address is mine. I am currently in the process of moving the website to a new location (here) so I have two copies of it online (mail.filtra...com and www.filtra....com).

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
It very well might be a permissions issue... but I wonder why I can't even get the site to resolve unless you've modified something in IIS to restrict permissions.

As I mentioned... if you run the CEICW it will often fix these things... have you done that?

Jeff
TechSoEasy

filtrationproducts (Author) Commented:
How do I run the CEICW? I don't want to run that internet connection wizard again because the last time I did that it automatically changed all my Exchange mailboxes to match the user names instead of the email addresses that I set up manually, and I had a chaotic day changing them back and explaining to everyone why the customers and vendors were getting error messages when they replied to our emails.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, you need to fix your recipient policy then because you will need to run the CEICW at various times in the future.  However, to avoid that for now, just select "Do Not Change" for the E-mail section of the wizard.

Jeff
TechSoEasy

chingmd Commented:
Interesting:

 nmap mail.filtrationproducts.com

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on mail.filtrationproducts.com (205.242.223.105):
(The 1591 ports scanned but not shown below are in state: closed)
Port       State       Service
20/tcp     filtered    ftp-data                
21/tcp     open        ftp                    
22/tcp     open        ssh                    
25/tcp     open        smtp                    
80/tcp     open        http                    
110/tcp    open        pop-3                  
143/tcp    open        imap2                  
443/tcp    filtered    https                  
5901/tcp   open        vnc-1                  
8080/tcp   open        http-proxy              

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds


It looks like you have some filtering set up on the port. It may be a network issue at this point.

When you were working from home, on your work laptop, were you VPN'ing in?  That will go around the external firewall.


Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Just FYI, the standard ports to have open on an SBS are:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace

Jeff
TechSoEasy
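
Added example, not part of any post in this thread: a short Python check that compares the port table from the nmap output chingmd posted with the list of standard SBS ports given just above. The function names and finding labels are made up for this illustration; the port rows are copied from the thread.

```python
import re

# Baseline from the post above: ports expected to be open on an SBS.
SBS_EXPECTED = {25, 443, 444, 1723, 3389, 4125}

# Port table copied from the nmap output posted earlier in this thread.
NMAP_TABLE = """\
Port       State       Service
20/tcp     filtered    ftp-data
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
143/tcp    open        imap2
443/tcp    filtered    https
5901/tcp   open        vnc-1
8080/tcp   open        http-proxy
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return {port: (state, service)} for every TCP row in an nmap port table."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(2) == "tcp":
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports

def audit(ports, expected=SBS_EXPECTED):
    """Compare scan results with the expected-open baseline."""
    open_ports = {p for p, (state, _) in ports.items() if state == "open"}
    return {
        # Reachable from the Internet but not on the baseline list.
        "unexpected_open": sorted(open_ports - expected),
        # On the baseline and seen by the scan, but filtered or closed.
        "expected_not_open": sorted(p for p in expected
                                    if p in ports and ports[p][0] != "open"),
        # On the baseline but absent from the table (closed or not scanned).
        "expected_not_reported": sorted(expected - set(ports)),
    }

if __name__ == "__main__":
    for finding, items in audit(parse_ports(NMAP_TABLE)).items():
        print(finding, items)
```

Against the table from the thread, the one baseline port that shows up as not open is 443, which matches the OWA symptom, and every other open port is outside the baseline and worth reviewing on the router.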

filtrationproducts (Author) Commented:
The PC I was working on was a member of the domain but I was not working on a VPN.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
On your  BEFSX41 router, do you have port 443 open for TCP on the Port Range Forwarding Screen?  Or do you have it open on the UPnP Forwarding Screen?

If it's on both you can have problems, so I suggest that you make sure it's configured ONLY on the UPnP Forwarding Screen.  Also, make sure your router's firmware is the latest ( 1.52.10 if it's v1, and  1.52.15 if the router is v2).

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Sorry, I left out the filtering issue...

This too is on your router.  Please make sure that there aren't any of the "additional filters" enabled, and "Filter Internet NAT Redirection" is disabled.

Jeff
TechSoEasy


filtrationproducts (Author) Commented:
Port 443 is only open for TCP on the "UPnP Forwarding" page. It is not enabled on the "Port Range Forwarding" page. The router's firmware version is 1.52.10. Also, all the filters are disabled.

filtrationproducts (Author) Commented:
I had to use a Microsoft tool to rebuild the Outlook Web Access files on the server. After I ran it the front end began working properly. The files must have been deleted or something when I first copied over the website to the IIS root folder.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
It seems as though you've decided to configure your server in a way that doesn't take advantage of all that SBS has to offer.  So that made it very difficult to assist you.  Glad that you have it working the way you want though.

Jeff
TechSoEasy