Can't access Outlook Web Access from outside the network


My users have begun to have issues accessing Outlook Web Access 2007 (OWA 2007) from outside the network.  We can access it just fine using the following from inside the network: "https://servername/owa".  However, when they use the external name: "" - they get: "Internet Explorer cannot display the webpage"

Here is what has changed recently: We just switched ISPs and we installed a new certificate.
Here is what I have done up to this point: The NATTING occurring by the firewall appears to be working.  So, the domain name, which now points to the new IP address, seems to be connecting to the firewall IP and then NATTED correctly to the internal server.  We know this because if you put in "" (with no /owa) - you get a "page under construction".  This would seem to tell me that we are getting to the web server.  Additionally, just using the external IP address, you get the same results.  If you put in "", you get hit with a username and password window.  I know this used to be the correct directory in Exchange 2003 but remember, this is 2007.

I looked at the certificate and the correct domain name is listed.  I tested it externally when we first purchased it as well.  It is a UCC certificate and the Subject Alternative Names are all listed there.

The only thing I have been able to come up with is deleting and recreating the /owa directory but I'm a bit scared to do this (much less I don't know how to do it right).  I seem to have found the PowerShell command to do this somewhere but what are the possible repercussions of doing so?  Is this really the issue?

Thank you!

Gavilan123 Author Commented:
Ok - I have found "one" solution and the problem seems to be fixed.  As I mentioned, it kept redirecting to the internal server name so people outside the internal LAN couldn't get access.  Well, I simply pointed the CNAME record of (which is the INTERNAL domain as I had already registered the internal domain name with GoDaddy) to the server IP address and it worked.  So, seeing as how I couldn't stop it from redirecting to the internal server name, I just went ahead and made the internal server name resolve to the correct IP address.

I will admit this is an ugly way of doing it but at this point, I just needed to get it working.  Thanks for all your input people - I appreciate it.
Have you port forwarded port 443 or set up a 1 to 1 NAT to an external IP address?

Also, you will need to permit port 443 on the firewall from the WAN to the LAN.

Is all of this done on your end?

If you can't access OWA from the internet but you can't from the LAN then it is a port issue on the firewall.
Also, is the external DNS name/A record pointing to the correct external IP address of the OWA 2007 server?

Have you tried to access OWA externally using https://IPADDRESSOFOWASERVER/owa?

This will rule out any issues with external DNS, but you will get a certificate error because the name is not the same as on the cert.
Re-creating V.Dir should not be an issue. Read -

You mentioned that when you hit - you get an error for Internet Explorer - what do you get - page cannot be displayed with some error? If so, please post.

Also, do you get some error in the CAS server application log?

Also, is this the same URL mentioned - when you check ExternalUrl while checking properties of the CAS server box in EMC?

Awaiting your response.
Gavilan123 Author Commented:
Thank you for your responses!
Bertling - answers to your questions:
1. Yes - we've set up a 1 to 1 NAT from the external IP address to the internal LAN IP address
2. Yes - the firewall has a rule from the WAN to the LAN opening up port 443 to the internal IP address
3. We tried using the external IP address only to see if it is a DNS issue and we do get a certificate error - all with the same results as using the DNS name.
4. We confirmed from our domain hoster and through whois and nslookups that the A record does indeed point to the external IP address (which in turn is natted to the internal IP address of the server)
5. Just FYI, there are no firewalls running on the server, just the perimeter firewall.

Exchange Geek,
1. As for what error we get when we plug in, we get the good ol generic "Internet Explorer cannot display the webpage" - no specific errors like 404 errors and the like.
2. Can you please elaborate on the CAS server application log?  I don't know what you mean.  What is CAS and where is the application log?
3. I will look at recreating the v.dir using the link you provided.
Gavilan123 Author Commented:
I reviewed the link above regarding recreating a virtual directory and the article is actually about completely removing and reinstalling IIS from an Exchange server.  This entails reinstalling Exchange as well.  I don't think I'm at that point yet as it seems like there is a way to just recreate the /owa virtual directory.  Does anyone know where to look for that information?
CAS server is called Client Access Server - basically the server which controls all your client connectivity.
You could check this in EMC when you click on server configuration - on the right hand side you would see all your E2k7 boxes with the roles assigned to them.

Hence, I was talking about the application logs of that box and its errors in specific.

If you face any issue with that kb do keep me updated.
Gavilan123 Author Commented:
Exchange Geek

Ahh, gotcha.  I looked at the application logs on the Exchange Server (where CAS lives) and there is nothing in the application logs that would indicate a problem.  

I did find this article on how to recreate an individual v.dir:

I think I will try it and let you know.
Gavilan123 Author Commented:

Ok, I tried recreating the OWA virtual directory with no luck.  I do want to be sure though that I have the directory security set up correctly.  I have anonymous user access enabled on the primary default website and basic authentication on the OWA virtual directory - does that configuration sound correct?

Also, the more I think on it, the more I think it's got something to do with the certificate.  However, when I use the IP address, I do get a certificate error and a page under construction when I don't use the /OWA directory in the address so maybe it's nothing to do with the certificate.

Any more ideas?
Gavilan123 Author Commented:
Sorry, one more thing.  If I use, and it hits me with a logon box, (NOT the Outlook Web Access login page, just a generic logon box) and I login using DOMAIN\Username, it kicks me to a page that says it can't find "servername"  where "servername" is the actual host name of the server.  AND, the Windows Security logs on the Exchange server show a successful logon from that remote PC.  That tells me I'm getting to the server from outside the network, so what in the heck?!?!?
Gavilan123 Author Commented:
Alright - sorry, another thought.  I can do a forward DNS lookup where the domain name resolves to the correct IP, but a reverse DNS lookup does not resolve to the correct domain name.  Could this be the issue?
Gavilan123 Author Commented:
Ok - update: It is redirecting people from the external address to the internal host name address.  That is why people cannot access it from outside the network.  I have set the CAS to the correct internal and external URLs so what's going on?

As stated above, could the problem be that I have the internal domain registered with GoDaddy?  Why is it redirecting to the internal host name of the server?
"However, when I use the IP address, I do get a certificate error and a page under construction when I don't use the /OWA directory in the address so maybe it's nothing to do with the certificate."

If you try to access without /owa - this means you are hitting the default web site of the BE server and "page under construction" is a good reply.

"If I use, and it hits me with a logon box, (NOT the Outlook Web Access login page, just a generic logon box)"

This means that /exchange v.dir has only basic authentication - ideally this should be used only for re-direction to legacy servers.

"reverse DNS lookup does not resolve to the correct domain name."

This should definitely resolve to its correct FQDN.

"As stated above, could the problem be that I have the internal domain registered with GoDaddy?  Why is it redirecting to the internal host name of the server?"

I do not think this should be the issue, however you may want to try to run the following command.

Get-ExchangeCertificate | FL

Check the subject alternate name mentioned on the certificate for IIS.
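
The two checks raised in this thread (which host names the OWA InternalUrl/ExternalUrl carry, and whether the certificate lists them) can be combined as below. This is an added example, not part of any post above; the function names and every host name in it are constructed placeholders, and the comments show which real cmdlets would supply the live values.

```powershell
# Added example: all host names below are constructed placeholders.
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($d.StartsWith('*.')) {
            # A wildcard entry covers exactly one left-most label.
            $suffix = $d.Substring(1)            # "*.example.com" -> ".example.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-OwaUrl {
    param([string]$Kind, [string]$Url, [string[]]$CertDomains)
    if (-not $Url) { return "$Kind : not set" }
    $name = ([uri]$Url).Host
    $notes = @()
    if ($Kind -eq 'ExternalUrl' -and $name -notmatch '\.') {
        $notes += 'single-label name, will not resolve from the Internet'
    }
    if (-not (Test-CertCoversHost $name $CertDomains)) {
        $notes += 'not listed on the certificate (browser name-mismatch warning)'
    }
    if ($notes.Count -eq 0) { $notes = @('OK') }
    return "$Kind $name : " + [string]::Join('; ', $notes)
}

# Constructed sample standing in for live values. On the CAS they would come from:
#   Get-OwaVirtualDirectory | Format-List Name, InternalUrl, ExternalUrl
#   Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services
$certDomains = @('mail.example.com', 'autodiscover.example.com')
$owa = @{
    InternalUrl = 'https://exch01.corp.example.local/owa'
    ExternalUrl = 'https://exch01/owa'           # misconfigured on purpose
}

foreach ($kind in 'InternalUrl', 'ExternalUrl') {
    Test-OwaUrl $kind $owa[$kind] $certDomains
}
```

With the sample data both URLs are flagged: neither host is on the certificate, and the ExternalUrl additionally uses a name that only resolves inside the LAN.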
Great, yeah I do agree that this issue did go a long long troubleshooting ways.

Thanks for updating us with your ideas.

Take Care.

God Bless.