Internet clients not able to access OWA

The login screen just keeps reposting.  
jpipkins Asked:
 
EricTViking Commented:
This is where it gets confusing ;-)

Internally you are hitting the internal NIC of the ISA server which will bypass the web listener on the external NIC. So you won't get FBA internally.

Externally you are hitting the ISA server external NIC which gets picked up by the web listener - this applies FBA for you.

An added complication can be that Internet Explorer, when used internally, may have the ISA server down as 'local intranet', which will make it authenticate slightly differently than when used externally.

Regarding authentication it would be worth double checking the authentication methods on the Exchange & OWA virtual dirs in IIS. Make sure OWA uses the same authentication settings as Exchange.

Externally everything is working really - https://mail.domain.com/exchange gets you in so I would go with that.

You can then tweak the settings to get the same URL working internally and your users will have continuity of naming convention. Could almost be a whole new question ;-)
 
Nyah247 Commented:
Are you using FBA?  Can people access it externally?  Have you added all your internal IP sets to direct access under Configuration > Networks > Internal > (right click) properties > Web browser > "Directly access these servers or domains"?  You should also have your internal domains added to the domains tab.
 
Nyah247 Commented:
Usually when I have seen this, the problem is either permission related on the IIS directories on the Exchange server or with the authentication setup going through ISA.  Here are some good references:

Publishing OWA with ISA
http://www.microsoft.com/technet/isa/2004/plan/owapublishing.mspx
http://www.isaserver.org/tutorials/2004owafba.html

Fix OWA
http://www.petri.co.il/fixing_a_damaged_or_incorrectly_configured_owa_2003_installation.htm

 
jpipkins (Author) Commented:
Yes, using FBA.

I can access the OWA login screen, but it now just goes to an Error Code 64: Host not available.  This morning it would just repost the login screen.

Very simple internal network: single domain, single internal IP set.  Everything is as you suggest.
 
Nyah247 Commented:
Any errors on Exchange?  Is IIS started on the Exchange box?  What about your AppPools?  Any failed?  If you cannot get to it internally...you should be bypassing for internal...then your problem is probably with OWA.  Might want to take a peek at the ISA logs as well.
 
EricTViking Commented:
Make sure FBA is enabled only on the ISA server and not on the Exchange server.

Also check permissions in IIS for your Exchange, OWA and Public virtual directories - make sure their authentication methods are set to only use basic authentication, and anonymous access is not enabled for them.
 
jpipkins (Author) Commented:
Exchange error: MTA service not started (wasn't started by default, so I never set it up to start)

I can log on internally (from the server).

Eric: this is an SBS2003 server, where ISA and Exchange are on the same box.  

I get the login screen, but when I enter my credentials, I get Error Code 64: Host not available.
 
EricTViking Commented:
You can enable FBA in ISA2004 and in Exchange2003 - should be enabled only in ISA2004 - even if both on the same box as in SBS ;-)

It's worth firing up ISA2004 management and starting off a logging query under the monitoring section. Try hitting OWA externally and see what shows up in the logs (if anything).
 
jpipkins (Author) Commented:
First, sorry about the delay...I've been out of town.

Ok, I've gotten it to where I can log on externally, except it doesn't use the normal OWA logon screen which I guess is the FBA from within Exchange.  Instead I get a pop-up logon box.   I turned FBA off in the http protocol properties under the server.  Is that right?  How do I turn FBA on in ISA so that I get the OWA logon screen?
 
EricTViking Commented:
Sounds like you're winning now :-)

You can enable FBA in the properties of the OWA Web Listener in ISA server.  This can be found within the properties of the OWA publishing rule.

Here's a good article for you (scroll down about half way) - http://www.isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html 
 
jpipkins (Author) Commented:
That's the article I was using last night.  I used the CEICW wizard to publish the mail server and modified the SBS Web listener to match his settings and did get it to work, but only when I used an https on the URL.  It wouldn't forward the http to https, so I kept working on it.  Of course, now it won't work at all.  I get an OWA logon screen, and after I log in, I get a 500 error page.  The real scary part is that when I try to reset and start over using the CEICW, the firewall fails to complete the configuration step.

Internally, if I go to http://servername/exchange, it works fine but no logon.  If I go to http://mail.domain.com/exchange, it forwards to https and I get a popup login screen that won't authenticate when I enter credentials (bounces back to me three times, then I get an Access Denied page).

Now I really don't know what the hell's going on.
 
EricTViking Commented:
The usual problem with OWA is that you have Exchange Server, Internet Information Services and ISA Server to configure to get it to work. All three have to be correctly set up and it's easy to end up going round in circles making changes.

I would start from Exchange, make sure Exchange is set up correctly, i.e. make sure FBA is disabled in Exchange.

Then go through IIS and make sure you have the virtual directory permissions set correctly. Also make sure the correct cert is installed on the IIS default website (or whichever you have OWA set up in). There's a good chance your system is a bit fubar after running wizards and tweaking - this KB might help to get you back to a solid IIS baseline - http://support.microsoft.com/kb/883380.   Also this one has worked for me in the past - http://support.microsoft.com/kb/320202 - sometimes with OWA the configuration is actually correct but things are just plain buggered and a fresh start is what's required.

Finally work on ISA server making one change at a time and noting what you do. There are so many settings that can be changed it is best to be methodical.

 
jpipkins (Author) Commented:
IT WORKS...almost.  I can access the site remotely and everything works great except for one little detail: previously typing mail.domain.com/exchange would bring up http://mail.domain.com/exchange which would forward to https://mail.domain.com/exchange.  Now, http://mail.domain.com/exchange gets a "Website cannot be displayed" error page.  Any ideas?
 
EricTViking Commented:
Check the settings for the OWA rule in ISA server to make sure you have the correct domain name (FQDN).  

The FQDN mail.domain.com must resolve internally to the IP address of your Exchange server too.

What happens if you try mail.domain.com/OWA BTW?
 
jpipkins (Author) Commented:
OWA rule Public Name is correct.  The To in the rule points to the internal FQDN that it created (publishing.domain.local) which resolves to the same ip as mail.domain.com.

Internal mail.domain.com resolves to my internal ip address of server.

I think you're on to something on the OWA site access, something's not right for sure.  Some results:

Internally:
http://servername/exchange - straight into OWA, no logon required.
http://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
https://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - Get the OWA login form, get 404 page after authentication.

Externally:
http://mail.domain.com/exchange - IE Cannot display the page.
https://mail.domain.com/exchange - Works perfectly, OWA login, authenticates, everything.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - 403 Page-Server denied the URL.


Eric, thank you so much for your help!
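
Added example, not part of any post in this thread: a Python helper that classifies the first unauthenticated response from each URL in a test matrix like the one above, separating a 401 pop-up challenge from an HTML logon form and flagging credential prompts on plain HTTP. The response data is constructed for illustration, and `classify` and `findings` are hypothetical names.

```python
from urllib.parse import urlsplit

def classify(url, status, headers, body=""):
    """Classify the first, unauthenticated response for url.
    status 0 means no connection; headers is a list of (name, value) pairs."""
    hdr = [(k.lower(), v) for k, v in headers]
    if status == 0:
        return "no-answer"
    if status == 401:
        # One WWW-Authenticate header per offered scheme; the browser shows a pop-up.
        schemes = sorted({v.split()[0].lower() for k, v in hdr
                          if k == "www-authenticate" and v.strip()})
        return "popup:" + "+".join(schemes)
    if status in (301, 302, 303, 307, 308):
        loc = next((v for k, v in hdr if k == "location"), "")
        to_https = urlsplit(url).scheme == "http" and urlsplit(loc).scheme == "https"
        return "redirect-to-https" if to_https else "redirect"
    if status == 200:
        low = body.lower()
        is_form = "<form" in low and 'type="password"' in low
        return "forms-login" if is_form else "content-without-prompt"
    return f"error:{status}"

def findings(probes):
    """probes: list of (url, status, headers, body). Return a list of problems."""
    out = []
    for url, status, headers, body in probes:
        kind, https = classify(url, status, headers, body), urlsplit(url).scheme == "https"
        if kind.startswith("popup:") and "basic" in kind and not https:
            out.append(f"{url}: Basic challenge over plain HTTP")
        elif kind.startswith("popup:") and https:
            out.append(f"{url}: 401 challenge instead of a logon form")
        elif kind == "forms-login" and not https:
            out.append(f"{url}: logon form served over plain HTTP")
        elif kind == "no-answer" and not https:
            out.append(f"{url}: no HTTP answer, so nothing redirects to HTTPS")
        elif kind.startswith("error:"):
            out.append(f"{url}: {kind}")
    return out

# Constructed sample responses (not captured from the thread's server).
FORM = '<form method="post"><input type="password" name="password"></form>'
SAMPLES = [
    ("http://mail.domain.com/exchange", 0, [], ""),
    ("https://mail.domain.com/exchange", 200, [("Content-Type", "text/html")], FORM),
    ("https://mail.domain.com/exchange", 401,
     [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], ""),
    ("http://mail.domain.com/exchange", 401,
     [("WWW-Authenticate", 'Basic realm="mail.domain.com"')], ""),
    ("https://mail.domain.com/owa", 403, [], ""),
]
```

Recording the raw status and `WWW-Authenticate` headers for each URL, from both inside and outside, gives a baseline to compare against after every single ISA or IIS change.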
 
jpipkins (Author) Commented:
Thanks, Eric.  I'll get a new question to get the internal OWA sites working properly, but I've got to run and won't be able to do that until tomorrow morning.
 
jpipkins (Author) Commented:
Thanks Eric!
Question has a verified solution.
