Problem accessing Outlook Web Access


I will first give you some details on my architecture before presenting the problem:
- 4 servers - 2 Domain Controllers - 2 Exchange servers (Backend + Frontend), all on Windows 2003 SP2
- Both Exchange servers are on SP2
- Both domain controllers and the BE Exchange server are on the same subnet; the FE Exchange server is in a public DMZ
- The BE Exchange server is registered in our DNS server (I will call this server BE.domain.local)
- The FE Exchange server is our public domain mail exchanger (I will call this server, and is known in our internal DNS by its own name (FE.domain.local); the IP addresses are the same for and FE.domain.local.

My problem is that I am not able to access my frontend server using OWA.

Now, I will explain the different tests I did, and what is working fine:
- I can receive incoming messages, and send messages to address
- I can access OWA from an internal computer using http://BE.domain.local/exchange
- I can access OWA from another subnet using http://BE.domain.local/exchange
- I cannot access OWA from outside using => I get the certificate and the identification form, but after authentication I get an HTTP error 500
- I have tested access to http://BE.domain.local/exchange, and it is not working: I get the authentication prompt, and then the page cannot be opened.
- I have tested telnet BE.domain.local 80 => Working fine
- I have tested access to http://BE.domain.local/exchange from another computer in the same DMZ as the FE server => Working fine

So, does anyone have any idea what the problem is? And any idea how to resolve it?
Jared Luker commented:
Seems like a firewall problem to me.  If everything works OK on the clean side of the firewall and not on the dirty side then I would guess that something is being blocked/filtered on port 443 between your front end and your back end servers.

That's my guess anyway.
bernloeb (Author) commented:
Not a firewall problem, nothing is blocked between the FE and BE servers, and the same goes for FE <=> DC; I have added rules to our firewall to check whether that could involve any firewall problem.

I really don't understand what can be the problem.
Jared Luker commented:
What are you doing as far as authentication for users?  Maybe the reason it works internally is because it's using authenticated authentication and the external users are failing because authentication is busted somehow.
Jared Luker commented:
"using authenticated authentication"

Oops.. I mean Integrated Authentication... :)
The 500 status message indicates that something 'crashed' on the server.  Is there anything written to the FE server's Event Logs (especially the Application log) when you try to use OWA?
bernloeb (Author) commented:

Some more information now; this is probably a firewall problem after all ;) after some checks:
- I changed the FE's IP address to move it inside the same LAN as the BE. Then I tried https://FE.domain.local/exchange, I got the authentication form and then all worked fine.

All worked fine.

I then tried to access http://BE.domain.local/exchange from the FE server, and all worked fine.

I put the FE back in the DMZ, and then tried again to access http://BE.domain.local/exchange => didn't work :/ (and that is what I don't understand now, but I suppose this is the same problem as with OWA)

I then checked http://BE_IPAddress/exchange => worked from the FE (not a DNS problem, name resolution works fine, but for sure I don't understand that :/)

And to answer the questions:
- I am using Basic Authentication
- And there is no error in the FE event log

Does anyone have any idea which kind of firewall problem it can be? (For information, we are using a netasq firewall.)
Have a look at this, and make sure that the required ports are open between FE and BE:
bernloeb (Author) commented:
Yes, it is not a port problem. There is an Any/Any rule between FE <=> BE and FE <=> DC, so it is not a matter of ports that are not opened (that's the reason I have some difficulty understanding this problem).
When you try to go to the FE, can you see entries in the BE IIS log files at the same time (as the FE proxies to the BE)?
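The check suggested above, correlating the FE's IIS log with the BE's, can be done by hand or with a small script. The following is an added example, not code from the thread or from Microsoft: it parses two constructed IIS 6.0 W3C log excerpts and lists FE requests that have no matching BE entry (same user and path, client address equal to the FE, within a short time window), which is what a failed FE-to-BE proxy hop looks like. The addresses, user names and timestamps are constructed; IIS writes W3C timestamps in UTC.

```python
"""Correlate FE and BE IIS W3C logs to find OWA requests the FE never proxied.

Added example with constructed data, not taken from the thread.
IIS 6.0 writes W3C extended logs; the #Fields line names the columns.
"""
from datetime import datetime, timedelta

FE_IP = "10.0.1.10"  # constructed: address of FE.domain.local as seen by the BE

# Constructed FE log: three OWA logins, two of which ended in HTTP 500.
FE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2008-03-10 09:15:01 10.0.1.10 GET /exchange/ - 443 domain\\alice 203.0.113.5 500 0
2008-03-10 09:15:03 10.0.1.10 GET /exchange/ - 443 domain\\bob 203.0.113.6 200 0
2008-03-10 09:16:10 10.0.1.10 GET /exchange/ - 443 domain\\carol 198.51.100.9 500 0
"""

# Constructed BE log: only bob's request ever arrived from the FE.
BE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2008-03-10 09:15:03 10.0.0.20 GET /exchange/ - 80 domain\\bob 10.0.1.10 200 0
"""


def parse_w3c(text):
    """Parse a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # blank line or another directive
        values = line.split()           # space separated; '-' marks an empty field
        if fields is None or len(values) != len(fields):
            continue                    # no header yet, or truncated line
        entry = dict(zip(fields, values))
        entry["ts"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")  # UTC
        entries.append(entry)
    return entries


def find_unproxied(fe_entries, be_entries, fe_ip, window=timedelta(seconds=10)):
    """Return FE requests with no BE entry for the same user and path,
    coming from the FE's address, within `window` of the FE timestamp."""
    missing = []
    for fe in fe_entries:
        matched = any(
            be["c-ip"] == fe_ip
            and be["cs-username"] == fe["cs-username"]
            and be["cs-uri-stem"] == fe["cs-uri-stem"]
            and abs(be["ts"] - fe["ts"]) <= window
            for be in be_entries
        )
        if not matched:
            missing.append(fe)
    return missing


def report():
    """(user, FE status) for every FE request that never reached the BE log."""
    missing = find_unproxied(parse_w3c(FE_LOG), parse_w3c(BE_LOG), FE_IP)
    return [(m["cs-username"], m["sc-status"]) for m in missing]


if __name__ == "__main__":
    for user, status in report():
        print(f"FE request by {user} returned {status} with no BE log entry")
```

With real logs, replace the two strings with the contents of the FE and BE log files for the same hour and keep the clocks of both servers in sync; a 500 on the FE with no BE counterpart points at the path between the two servers rather than at the mailbox server itself.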
bernloeb (Author) commented:

The problem is solved. For information, the reason:
- On the netasq firewall there is an add-on to control HTTP traffic; this add-on was blocking large HTTP packets between FE and BE.
The servers weren't able to agree between themselves to use smaller packets.

So the solution was a firewall problem, but not a port/rule problem.
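The resolution above (an HTTP-inspecting firewall dropping large requests between FE and BE while the Any/Any rule still shows every port open) can be confirmed from the FE by sending requests of increasing size to the BE and bisecting for the largest one that still gets an answer. The following is an added example, not code from the thread or from the firewall vendor: it stands in for the inspecting device with a local HTTP server that silently drops any request whose headers exceed a constructed 4096-byte limit, and the probe finds that limit without knowing it. The header name X-Pad, the limit and the addresses are assumptions; against real servers you would call request_accepted() with the BE host and port 80 from the FE.

```python
"""Probe an HTTP path for a silent request-size limit (added example, simulated).

The server below stands in for an inspecting firewall: requests whose headers
exceed HEADER_LIMIT bytes get no reply at all, which is what the FE saw.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_LIMIT = 4096  # constructed limit of the simulated inspection device


class InspectingHandler(BaseHTTPRequestHandler):
    """Answers 200 for small requests and drops large ones without a response."""

    def do_GET(self):
        header_bytes = len(self.requestline) + sum(
            len(f"{k}: {v}\r\n") for k, v in self.headers.items())
        if header_bytes > HEADER_LIMIT:
            return  # simulated drop: connection closes with no status line
        body = b"OWA ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the probe output quiet


def request_accepted(host, port, pad_len):
    """True if GET /exchange/ with a pad_len-byte X-Pad header gets a 200 back."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/exchange/", headers={"X-Pad": "x" * pad_len})
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200
    except (OSError, http.client.HTTPException):
        return False  # dropped, reset or garbage reply: treat as rejected
    finally:
        conn.close()


def largest_accepted_pad(host, port, lo=0, hi=32000):
    """Bisect for the largest pad length still accepted; None if even lo fails
    (then the problem is not request size). Assumes acceptance is monotonic."""
    if not request_accepted(host, port, lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if request_accepted(host, port, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def run_probe():
    """Start the simulated device, probe it, and report the findings."""
    server = HTTPServer(("127.0.0.1", 0), InspectingHandler)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        found = largest_accepted_pad(host, port)
        return {
            "found": found,
            "accepted_at_found": found is not None and request_accepted(host, port, found),
            "accepted_above_found": found is not None and request_accepted(host, port, found + 1),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_probe()
    if result["found"] is None:
        print("minimal request already fails: not a size problem")
    else:
        print(f"largest accepted X-Pad: {result['found']} bytes "
              f"(simulated limit {HEADER_LIMIT} bytes of headers)")
```

The probe reports a pad slightly below 4096 because the request line and the other headers count against the same limit. A sharp cutoff like this, with small requests passing and larger ones getting no reply, is the signature of an intermediate device acting on HTTP content rather than a closed port, which a telnet to port 80 or an Any/Any rule cannot reveal.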
