Solved

Can't access Outlook Web Access from outside the network

Posted on 2008-10-15
Last Modified: 2010-09-03
Hi,

My users have begun to have issues accessing Outlook Web Access 2007 (OWA 2007) from outside the network.  We can access it just fine using the following from inside the network: "https://servername/owa".  However, when they use the external name: "https://www.domainname.net/owa" - they get: "Internet Explorer cannot display the webpage"

Here is what has changed recently: We just switched ISPs and we installed a new certificate.
 
Here is what I have done up to this point: The NATTING occurring by the firewall appears to be working.  So, the domain name, which now points to the new IP address, seems to be connecting to the firewall IP and then NATTED correctly to the internal server.  We know this because if you put in "https://www.domainname.net" (with no /owa) - you get a "page under construction".  This would seem to tell me that we are getting to the web server.  Additionally, just using the external IP address, you get the same results.  If you put in "https://www.domainname.net/exchange", you get hit with a username and password window.  I know this used to be the correct directory in Exchange 2003 but remember, this is 2007.

I looked at the certificate and the correct domain name is listed.  I tested it externally when we first purchased it as well.  It is a UCC certificate and the Subject Alternative Names are all listed there.

The only thing I have been able to come up with is deleting and recreating the /owa directory but I'm a bit scared to do this (much less I don't know how to do it right).  I seem to have found the PowerShell command to do this somewhere but what are the possible repercussions of doing so?  Is this really the issue?

Thank you!

Question by:Gavilan123
15 Comments
 
LVL 11

Expert Comment

by:Bertling
ID: 22723989
Have you port forwarded port 443 or set up a 1 to 1 NAT to an external IP address?

Also, you will need to permit port 443 on the firewall from the WAN to the LAN.

Is all of this done on your end?

If you can't access OWA from the internet but you can't from the LAN, then it is a port issue on the firewall.
 
LVL 11

Expert Comment

by:Bertling
ID: 22724006
Also, is the external DNS name/A record pointing to the correct external IP address of the OWA 2007 server?

Have you tried to access OWA externally using https://IPADDRESSOFOWASERVER/owa
e.g. https://195.11.11.11/owa

This will rule out any issues with external DNS, but you will get a certificate error because the name is not the same as on the cert.
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22724045
Re-creating V.Dir should not be an issue. Read - http://support.microsoft.com/kb/320202

You mentioned that when you hit https://www.domainname.net/owa you get an Internet Explorer error. What do you get: "page cannot be displayed" with some error? If so, please post it.

Also, do you get any errors in the CAS server application log?

Also, is this the same URL shown as the ExternalURL when you check the properties of the CAS server box in EMC?

Awaiting your response.
 

Author Comment

by:Gavilan123
ID: 22724901
Thank you for your responses!
Bertling - answers to your questions:
1. Yes - we've setup a 1 to 1 NAT from the external IP address to the internal LAN IP address
2. Yes - the firewall has a rule from the WAN to the LAN opening up port 443 to the internal IP address
3. We tried using the external IP address only to see if it is a DNS issue and we do get a certificate error - all with the same results as using the DNS name.
4. We confirmed from our domain hoster and through whois and nslookups that the A record does indeed point to the external IP address (which in turn is natted to the internal IP address of the server)
5. Just FYI, there are no firewalls running on the server, just the perimeter firewall.

Exchange Geek,
1. As for what error we get when we plug in https://domainname.net/owa, we get the good ol generic "Internet Explorer cannot display the webpage" - no specific errors like 404 errors and the like.
2. Can you please elaborate on the CAS server application log?  I don't know what you mean.  What is CAS and where is the application log?
3. I will look at recreating the v.dir using the link you provided.
 

Author Comment

by:Gavilan123
ID: 22724953
I reviewed the link above regarding recreating a virtual directory and the article is actually about completely removing and reinstalling IIS from an Exchange server.  This entails reinstalling Exchange as well.  I don't think I'm at that point yet as it seems like there is a way to just recreate the /owa virtual directory.  Does anyone know where to look for that information?
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22724980
CAS server is called Client Access Server - basically the server which controls all your client connectivity.
You could check this in EMC when you click on server configuration - on the right hand side you would see all your E2k7 boxes with the roles assigned to them.

Hence, I was talking about the application logs of that box and its errors in specific.

If you face any issue with that KB, do keep me updated.
 

Author Comment

by:Gavilan123
ID: 22725101
Exchange Geek

Ahh, gotcha.  I looked at the application logs on the Exchange Server (where CAS lives) and there is nothing in the application logs that would indicate a problem.  

I did find this article on how to recreate an individual v.dir:

http://exchangeshare.wordpress.com/2008/07/16/how-to-recreate-owa-virtual-directory-exchange-2007/

I think I will try it and let you know.

 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22725201
Cool.
 

Author Comment

by:Gavilan123
ID: 22772180
Hi,

Ok, I tried recreating the OWA virtual directory with no luck.  I do want to be sure though that I have the directory security setup correctly.  I have anonymous user access enabled on the primary default website and basic authentication on the OWA virtual directory - does that configuration sound correct?

Also, the more I think on it, the more I think it's got something to do with the certificate.  However, when I use the IP address, I do get a certificate error and a page under construction when I don't use the /OWA directory in the address so maybe it has nothing to do with the certificate.

Any more ideas?
 

Author Comment

by:Gavilan123
ID: 22773327
Sorry, one more thing.  If I use https://domainname.net/exchange, and it hits me with a logon box, (NOT the Outlook Web Access login page, just a generic logon box) and I login using DOMAIN\Username, it kicks me to a page that says it can't find "servername"  where "servername" is the actual host name of the server.  AND, the Windows Security logs on the exchange server show a successful logon from that remote PC.  That tells me I'm getting to the server from outside the network, so what in the heck?!?!?
 

Author Comment

by:Gavilan123
ID: 22773357
Alright - sorry, another thought.  I can do a forward DNS lookup where the domain name resolves to the correct IP, but a reverse DNS lookup does not resolve to the correct domain name.  Could this be the issue?
 

Author Comment

by:Gavilan123
ID: 22914525
Ok - update: It is redirecting people from the external address to the internal host name address.  That is why people cannot access it from outside the network.  I have set the CAS to the correct internal and external URLs so what's going on?

As stated above, could the problem be that I have the internal domain registered with GoDaddy?  Why is it redirecting to the internal host name of the server?
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22919762
"However, when I use the IP address, I do get a certificate error and a page under construction when I don't use the /OWA directory in the address so maybe it has nothing to do with the certificate."

If you try to access without /owa - this means you are hitting the default web site of the BE server and "page under construction" is a good reply.

"If I use https://domainname.net/exchange, and it hits me with a logon box, (NOT the Outlook Web Access login page, just a generic logon box)"

This means that the /exchange v.dir has only basic authentication; ideally this should be used only for redirection to legacy servers.

"reverse DNS lookup does not resolve to the correct domain name."

This should definitely resolve to its correct FQDN.

"As stated above, could the problem be that I have the internal domain registered with GoDaddy?  Why is it redirecting to the internal host name of the server?"

I do not think this should be the issue, however you may want to try to run the following command.

Get-ExchangeCertificate | FL

Check the subject alternate name mentioned on the certificate for IIS.
 

Accepted Solution

by:
Gavilan123 earned 0 total points
ID: 22922674
Ok - I have found "one" solution and the problem seems to be fixed.  As I mentioned, it kept redirecting to the internal server name so people outside the internal LAN couldn't get access.  Well, I simply pointed the CNAME record of mailserver.domainname.com (which is the INTERNAL domain as I had already registered the internal domain name with GoDaddy) to the server IP address and it worked.  So, seeing as how I couldn't stop it from redirecting to the internal server name, I just went ahead and made the internal server name resolve to the correct IP address.

I will admit this is an ugly way of doing it but at this point, I just needed to get it working.  Thanks for all your input people - I appreciate it.
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22922698
Great, yeah, I do agree that this issue did go a long, long troubleshooting way.

Thanks for updating us with your ideas.

Take Care.

God Bless.
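
Added example, not part of the original thread or written by any of its participants: the symptom diagnosed above (the external name redirecting clients to the server's internal host name) can be confirmed by requesting the external URL once without following redirects and classifying the Location header. The host names, the sample responses and the suffix list are constructed assumptions; `fetch_hop` is the live probe and the classification runs offline on the samples.

```python
# Added example: classify where a redirect sends an external OWA client.
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

# Assumption: suffixes commonly used for private namespaces; adjust to your own.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")
REDIRECTS = (301, 302, 303, 307, 308)

def fetch_hop(url, timeout=10):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def is_internal_name(host):
    """True for private IP literals, single-label names and private suffixes."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def classify_redirect(requested_url, status, location):
    """Return no-redirect, same-host, internal-host or other-host."""
    if status not in REDIRECTS or not location:
        return "no-redirect"
    asked = (urlsplit(requested_url).hostname or "").lower()
    target = (urlsplit(urljoin(requested_url, location)).hostname or "").lower()
    if target == asked:
        return "same-host"
    return "internal-host" if is_internal_name(target) else "other-host"

SAMPLES = [  # constructed (requested URL, status, Location header) triples
    ("https://www.domainname.net/owa", 302, "/owa/auth/logon.aspx"),
    ("https://www.domainname.net/owa", 302, "https://servername/owa/"),
    ("https://www.domainname.net/owa", 302, "https://mailserver.domainname.com/owa/"),
    ("https://www.domainname.net/owa", 200, None),
]

def audit(samples=SAMPLES):
    return [classify_redirect(*s) for s in samples]
```

An "internal-host" or "other-host" verdict on the first hop means the client is being sent to a name it may not be able to resolve from outside, and that the internal naming is visible to anyone who requests the page.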