jpipkins
asked on
Internet clients not able to access OWA
The login screen just keeps reposting.
Are you using FBA? Can people access it externally? Have you added all your internal IP sets to direct access under Configuration > Networks > Internal > (right click) properties > Web browser > "Directly access these servers or domains"? You should also have your internal domains added to the domains tab.
Usually when I have seen this, the problem is either permission related on the IIS directories on the Exchange server or with the authentication setup going through ISA. Here are some good references:
Publishing OWA with ISA
http://www.microsoft.com/technet/isa/2004/plan/owapublishing.mspx
http://www.isaserver.org/tutorials/2004owafba.html
Fix OWA
http://www.petri.co.il/fixing_a_damaged_or_incorrectly_configured_owa_2003_installation.htm
ASKER
yes, using FBA.
I can access the OWA login screen, but it now just goes to an Error Code 64: Host not available. This morning it would just repost the login screen.
Very simple internal network: single domain, single internal IP set. Everything is as you suggest.
Any errors on Exchange? Is IIS started on the Exchange box? What about your AppPools? Any failed? If you cannot get to it internally...you should be bypassing for internal...then your problem is probably with OWA. Might want to take a peek at the ISA logs as well.
Make sure FBA is enabled only on the ISA server and not on the Exchange server.
Also check permissions in IIS for your Exchange, OWA and Public virtual directories - make sure their authentication methods are set to only use basic authentication, and anonymous access is not enabled for them.
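The check suggested in the answer above (Basic authentication only, anonymous access off) can be audited from the IIS 6 `AuthFlags` metabase bitmask of each virtual directory. This is an added example, not part of the original thread; the metabase paths and flag values in `SAMPLE` are constructed, and the directory names are taken from the answer.

```python
# Added example: audit IIS 6 AuthFlags values against the advice above
# (Basic only, anonymous off). Paths and values below are constructed.

# AuthFlags bit meanings in the IIS 6 metabase.
AUTH_BITS = {
    0x01: "Anonymous",
    0x02: "Basic",
    0x04: "Integrated Windows",
    0x10: "Digest",
    0x40: "Passport",
}


def decode_auth_flags(flags):
    """Return the names of the authentication methods enabled in flags."""
    return [name for bit, name in sorted(AUTH_BITS.items()) if flags & bit]


def audit_vdir(path, flags):
    """Compare one virtual directory with the Basic-only baseline."""
    findings = []
    if flags & 0x01:
        findings.append(f"{path}: anonymous access is enabled")
    if not flags & 0x02:
        findings.append(f"{path}: Basic authentication is not enabled")
    extra = decode_auth_flags(flags & ~0x03)
    if extra:
        findings.append(f"{path}: extra methods enabled: {', '.join(extra)}")
    unknown = flags & ~sum(AUTH_BITS)
    if unknown:
        findings.append(f"{path}: unrecognised AuthFlags bits {unknown:#x}")
    return findings


def audit(vdirs):
    """Map each virtual directory path to its list of findings."""
    return {path: audit_vdir(path, flags) for path, flags in vdirs.items()}


# Constructed sample: one compliant directory and two that are not.
SAMPLE = {
    "W3SVC/1/ROOT/Exchange": 0x02,  # Basic only
    "W3SVC/1/ROOT/Public": 0x03,    # Anonymous + Basic
    "W3SVC/1/ROOT/OWA": 0x04,       # Integrated Windows only
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "OK" if not findings else findings)
```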
ASKER
Exchange error: MTA service not started (wasn't started by default, so I never set it up to start)
I can log on internally (from the server).
Eric: this is an SBS2003 server, where ISA and Exchange are on the same box.
I get the login screen, but when I enter my credentials, I get Error Code 64: Host not available.
You can enable FBA in ISA2004 and in Exchange2003 - should be enabled only in ISA2004 - even if both on the same box as in SBS ;-)
It's worth firing up ISA2004 management and starting off a logging query under the monitoring section. Try hitting OWA externally and see what shows up in the logs (if anything).
ASKER
First, sorry about the delay...I've been out of town.
Ok, I've gotten it to where I can log on externally, except it doesn't use the normal OWA logon screen which I guess is the FBA from within Exchange. Instead I get a pop-up logon box. I turned FBA off in the http protocol properties under the server. Is that right? How do I turn FBA on in ISA so that I get the OWA logon screen?
Sounds like you're winning now :-)
You can enable FBA in the properties of the OWA Web Listener in ISA server. This can be found within the properties of the OWA publishing rule.
Here's a good article for you (scroll down about half way) - http://www.isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html
ASKER
That's the article I was using last night. I used the CEICW wizard to publish the mail server and modified the SBS Web listener to match his settings and did get it to work, but only when I used https on the URL. It wouldn't forward the http to https, so I kept working on it. Of course, now it won't work at all. I get an OWA logon screen, and after I log in, I get a 500 error page. The real scary part is that when I try to reset and start over using the CEICW, the firewall fails to complete the configuration step.
Internally, if I go to http://servername/exchange, it works fine but no logon. If I go to http://mail.domain.com/exchange, it forwards to https and I get a popup login screen that won't authenticate when I enter credentials (bounces back to me three times, then I get an Access Denied page).
Now I really don't know what the hell's going on.
The usual problem with OWA is that you have Exchange Server, Internet Information Services and ISA Server to configure to get it to work. All three have to be correctly set up and it's easy to end up going round in circles making changes.
I would start from Exchange, make sure Exchange is set up correctly, i.e. make sure FBA is disabled in Exchange.
Then go through IIS and make sure you have the virtual directory permissions set correctly. Also make sure the correct cert is installed on the IIS default website (or whichever you have OWA set up in). There's a good chance your system is a bit fubar after running wizards and tweaking - this KB might help to get you back to a solid IIS baseline - http://support.microsoft.com/kb/883380. Also this one has worked for me in the past - http://support.microsoft.com/kb/320202 - sometimes with OWA the configuration is actually correct but things are just plain buggered and a fresh start is what's required.
Finally, work on ISA server making one change at a time and noting what you do. There are so many settings that can be changed it is best to be methodical.
ASKER
IT WORKS...almost. I can access the site remotely and everything works great except for one little detail: previously typing mail.domain.com/exchange would bring up http://mail.domain.com/exchange which would forward to https://mail.domain.com/exchange. Now, http://mail.domain.com/exchange gets a "Website cannot be displayed" error page. Any ideas?
Check the settings for the OWA rule in ISA server to make sure you have the correct domain name (FQDN).
The FQDN mail.domain.com must resolve internally to the IP address of your Exchange server too.
What happens if you try mail.domain.com/OWA BTW?
ASKER
OWA rule Public Name is correct. The To in the rule points to the internal FQDN that it created (publishing.domain.local), which resolves to the same IP as mail.domain.com.
Internal mail.domain.com resolves to my internal IP address of server.
I think you're on to something on the OWA site access, something's not right for sure. Some results:
Internally:
http://servername/exchange - straight into OWA, no logon required.
http://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
https://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - Get the OWA login form, get 404 page after authentication.
Externally:
http://mail.domain.com/exchange - IE Cannot display the page.
https://mail.domain.com/exchange - Works perfectly, OWA login, authenticates, everything.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - 403 Page-Server denied the URL.
Eric, thank you so much for your help!
ASKER
Thanks, Eric. I'll get a new question to get the internal OWA sites working properly, but I've got to run and won't be able to do that until tomorrow morning.
ASKER
Thanks Eric!