airzao (ASKER):
How do I configure OWA from scratch assuming only that in-office emailing is configured correctly?

I have Exchange up and running in its most basic form, running fine: I have a network, I have just 2 clients able to send/receive emails through Exchange and through POP accounts ok and it's all feeling nice and robust. However, we need to be able to access emails remotely, for which I think OWA is the best solution. What I am after is a step-by-step (ideally with screenshots) guide of how to do this for the layperson; there must be something on here to that effect already but I can't find it. Many thanks in advance!
JoWickerman:
Hi airzao,

you can use this article:

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

I used it quite a lot for my clients and it explains how to make OWA secure!

Hope this helps.

Cheers.
I hate to think it might be this easy:

http://technet.microsoft.com/en-us/library/aa998477(EXCHG.65).aspx

That's off Microsoft Technet...
airzao (ASKER):
Thanks all three of you. But to be honest, those are exactly the kinds of links that I have already found but which I find incomprehensible and/or incomplete (e.g. the first one, which is JUST about SSL). Is my question (end-to-end OWA setup for Exchange 2003) so very obscure?! I probably sound like an idiot to you guys but I've done a little networking before and this stuff is just beyond me! Failing some existing, full instructions on the web, perhaps there's someone reputable I could pay to give me some remote support?
Hi,

If you have time and patience, I can help you step by step to set up OWA. It might span over a couple of days, if that's ok with you?
airzao (ASKER):
Jo, a couple of days would be absolutely fine. I can even sort out a remote connection for you (tomorrow) and have me watch on-screen. Tell me what the best way to do this is and let's go!
Hi,

I would be more than happy to help you, but I think it'll rather be better you do not give me access. The best way for you to learn is to do it yourself. Let me know when you are ready?
airzao (ASKER):
Ok, ready! Feel free to change entirely the stages that I understand are necessary for configuring OWA:

1. Preparing the server for OWA. This apparently involves back-end and front-end servers. I think this is ok (SERVER properties, check "This is a front-end server") although not clear on DAVEx and ExProx. It's around this point I lose hope though! Now I am supposed to place the server on my perimeter network and configure the ports on the appropriate firewalls. Help!
2. Security. Get an SSL and use it, essentially. Help here too please although my suspicion is that this bit's easier.

Thanks Jo and totally agree with you that it's much better for me to do this myself!
Excellent!

Here we go...

STEP 1.

Do you have 2 Exchange servers? If not, it won't be a problem. We configure your only server for OWA.
You need the following ports to be opened on your firewall:

    * Port 80 for HTTP
    * Port 691 for Link State Algorithm routing protocol
    * Port 389 for LDAP (TCP and UDP)
    * Port 3268 for Global Catalog Server LDAP (TCP)
    * Port 88 for Kerberos Authentication (TCP and UDP)

What firewall are you running? It shouldn't be too difficult to open ports though.

Let me know.
Exchange 2003 ships with OWA!!! Which means that no EXTRA configuration will be necessary! If you do not believe me, try it yourself.

If the ports are open on your firewall, try the following:

From a PC INSIDE your network, open IE and type: http://exchange_server_name/exchange

It should ask for your username and password!

From a PC OUTSIDE your network, open IE and type: http://router_external_ip/exchange

It should ask for your username and password! If not, then we have to configure your router or firewall to allow traffic on certain ports to your Exchange server.

Let me know.
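Scripting the outside-in test Jo describes (does anything answer on the router's public IP for /exchange?) makes it repeatable, and the same probe shows whether the router is exposing more than it should. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes the router's public IP is given on the command line and that it is run from a machine outside the office; the file name owa_port_audit.py is made up. It also treats 80 and 443 as the only ports OWA needs from the Internet: 88 (Kerberos), 389 (LDAP), 3268 (Global Catalog) and 691 (Exchange link state) are services the Exchange server reaches on the LAN, and forwarding them from the Internet exposes directory and authentication services that no remote OWA user needs, so the script reports any of them answering as a failure. A completed TCP handshake is used instead of ping, because a router that drops ICMP times out on ping even when OWA works.

```python
import socket
import sys

# Ports the thread talks about opening. OWA itself only needs the two web ports
# from the Internet; the others are domain-internal services that the Exchange
# server reaches on the LAN and that should not answer on the router's public IP.
OWA_PORTS = {80: "HTTP", 443: "HTTPS"}
INTERNAL_PORTS = {88: "Kerberos", 389: "LDAP", 691: "Exchange link state", 3268: "Global Catalog"}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes.

    Unlike ping, this works when the router drops ICMP, so a timed-out ping
    says nothing about whether OWA is reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host, probe=tcp_open):
    """Probe every port of interest; `probe` is injectable so the logic can be tested offline."""
    return {
        "owa_reachable": [p for p in OWA_PORTS if probe(host, p)],
        "internal_exposed": [p for p in INTERNAL_PORTS if probe(host, p)],
    }


def verdict(report):
    """Turn an audit report into a one-line result, worst finding first."""
    if report["internal_exposed"]:
        names = ", ".join(f"{p}/{INTERNAL_PORTS[p]}" for p in report["internal_exposed"])
        return f"FAIL: internal ports answer from the Internet: {names}"
    if not report["owa_reachable"]:
        return "FAIL: neither 80 nor 443 answers; the router is not forwarding to the Exchange server"
    if 443 not in report["owa_reachable"]:
        return "WARN: only plain HTTP answers; open 443 before requiring SSL on /exchange"
    return "OK: 443 answers and no internal ports are exposed"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: owa_port_audit.py <router public IP>")  # run from OUTSIDE the office network
    report = audit_ports(sys.argv[1])
    print(report)
    print(verdict(report))
```

Run it from a PC outside the network as `python owa_port_audit.py <public IP>`. The probe is kept separate from the decision logic so the verdicts can be checked without a live server.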
airzao (ASKER):
Thanks Jo. Well, the internal link worked fine, got the OWA logo'd screen and login prompt. But externally (from where i need OWA!) and using my static IP, I'm told that "this page cannot be displayed", as you suggested might happen. I've attached a screen shot of the router (it's a 2wire) settings which seem (to me) to indicate that most stuff should be let through. Do we need to change a server firewall setting?

Thanks again - Marc
router-firewall.png
Hi,

Yeah, according to this screenshot, the router allows most traffic through. Are you running the server firewall service? If so, you need to add exceptions to the firewall. The ports and protocols to open are:

    * Port 80 for HTTP
    * Port 691 for Link State Algorithm routing protocol
    * Port 389 for LDAP (TCP and UDP)
    * Port 3268 for Global Catalog Server LDAP (TCP)
    * Port 88 for Kerberos Authentication (TCP and UDP)

Most of these should already be open in any case.

After this, you need to check your IIS settings. In IIS under default website, you need to ensure that the following directories are listed:

1. Exadmin - The Exadmin virtual directory is used when administering Public Folders via the Exchange System Manager.

2. Exchange - The Exchange virtual directory stores the mailbox root (\\.\BackOfficeStorage\domain\MBX).

3. Exchweb - The Exchweb virtual directory stores all graphics and other subordinate files used by Outlook Web Access. This virtual directory points directly to C:\Program Files\Exchsrvr\ExchWeb.

4. Microsoft-Server-ActiveSync - The Microsoft-Server-ActiveSync virtual folder (please dont ask me why it was given this name) stores all the files used by Exchange ActiveSync (EAS). This virtual directory points directly to C:\Program Files\Exchsrvr\OMA\Sync.

5. OMA - The OMA virtual directory stores all files used by Outlook Mobile Access (OMA). This virtual directory points directly to C:\Program Files\Exchsrvr\OMA\Browse.

6. Public - The Public virtual directory stores the Public folders tree (\\.\BackOfficeStorage\domain\Public Folders).

After you can confirm that the exceptions to the firewall have been added and that these directories are present, you can try to access your OWA from "outside" your building.

Let me know although I'll probably only see your reply on Monday!!!

Cheers.
airzao (ASKER):
Thanks Jo. Well, I think that I am NOT using the server firewall as when I open that up it tells me that to use the firewall you must be using ICS and I'm not! So that's that.

And as for the IIS settings, I think that everything's there - see pic:
iis.PNG
Hi,

Ok, so the Windows firewall is not running and IIS is fine. Now we need to find out why OWA won't connect from "outside".

You do have the correct IP address of your router? You might need to check if there's a port forwarding page on the router's configuration.
airzao (ASKER):
Hmmm... yes, I think the router IP (a static IP) is right, as one of the following screenshots proves.

I wondered though, on the second screenshot, if I need to make any changes. Do I?

Couldn't see any port forwarding yet...
Hi,

PLEASE DO NOT POST YOUR SERVER SETTINGS!!! It's a security risk! I just wanted to know if you have the correct IP. Click on request attention on this page and ask a site admin to remove the attachments.

I downloaded the attachments and will have a look and get back to you within the hour.

Cheers till later!
airzao (ASKER):
Oops! Have requested it. Cheers Jo.
Hi,

If you connect from outside on http://81.xxx.xxx.xxx/exchange What do you get? The page cannot be displayed or a certificate issue?
airzao (ASKER):
Hi Jo. Page cannot be displayed.
Try https://81.xxx.xxx.xxx/exchange quickly and let me know?
airzao (ASKER):
The same with the s I'm afraid.

Any clue provided by those router screen shots?
Not really. The reason we're getting this screen is that something gets blocked by the router, because you could access OWA from inside the network.

You have no other firewall running? Your server is connected to the router and the router to the DSL line?
You can use TcpView to monitor the connections and see what is blocked:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
airzao (ASKER):
Jo, it just occurred to me that I've not done any SSL stuff yet. Might that not be the problem?
Check the Application event log.
Do you have this event (Error ID 1005) or another?
Yeah, I was actually taking a chance there! I didn't think it would work, but you never know! So? Is the configuration:

"You have no other firewall running? You server is connected to the router and the router to the DSL line?"
airzao (ASKER):
Definitely no other firewall running and yes, the server's connected to the router which is connected to dsl.

I'm barking up the wrong tree about SSL, am I?
This is a step-by-step guide that walks you through configuring OWA, with screenshots:

http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

I used it myself.
airzao (ASKER):
Yes I tried that but got lost which is why Jo is kindly walking me through it step-by-step.
airzao (ASKER):
I did a bit more thinking and digging and since you say that the router is what's stopping this working, I wondered if I should add the application (except I do not know what this is - OWA?) "that will be enabled to pass through the firewall to this computer"? There is a list of standard server, games, audio/video apps you can add but then there's also a user-defined option which leads to this screen:
add-app.png
Hi,

Yeah, this looks like something that we can use!

Try the following: (Part 1)

Application Name: OWA
Protocol: TCP
Port (or Range): 80 to 80
Leave the other 2 options at their defaults

What is listed under "Application Type"?
airzao (ASKER):
Thanks Jo. Further options for App Type are as per the pic:
options.png
airzao (ASKER):
Hmmm... changing the settings as you suggested was preventing our access to the internet, throwing up the following message: Second router detected
Error: A third party router has been detected.

If you want to connect additional computers or devices to your network:

Click the Resolve button below to enable the Connection Manager to correct the problem. There may be a one minute delay while the problem is resolved.

Click the Disable button below if you wish to continue using your third party router rather than the BT Business Hub.(warning: many applications may not work in this case)

For detailed information regarding this issue please click here
Aaaahhhh... Now I understand your configuration a bit better!

Well, you can scrap the first rule I gave you, but enter the following:

Application Name: LSARP
Protocol: TCP
Port (or Range): 691 to 691
Leave the other 2 options at their defaults

Application Name: LDAP
Protocol: TCP & UDP (If you cannot select both, then you have to create another rule for UDP)
Port (or Range): 389 to 389
Leave the other 2 options at their defaults

Application Name: GCS
Protocol: TCP
Port (or Range): 3268 to 3268
Leave the other 2 options at their defaults

Application Name: KA
Protocol: TCP & UDP (If you cannot select both, then you have to create another rule for UDP)
Port (or Range): 88 to 88
Leave the other 2 options at their defaults

Let me know.
airzao (ASKER):
Ok,thanks Jo, done that as screen shot shows. But still not able to access from outside...
WHAT???? Still the same error?
airzao (ASKER):
Perhaps I've not done the settings right (see below) or perhaps I'm not going to the right url. I think it's:

http://81.***.***.***/exchange

where the starred out ip address is my static ip. Is this right?
four-application-types.png
airzao (ASKER):
What about Port 80 for HTTP?
80  should be open... You can browse the internet, right? The rules you added now, are they inbound rules? I tried to ping your IP address now and it times out...
airzao (ASKER):
We must be almost there!

I think they are inbound rules as the accompanying text is:

"Allow individual application(s)  Choose the application(s) that will be enabled to pass through the firewall to this computer. Click ADD to add it to the Hosted Applications list."
Checked your settings and they're right. Ok... Did you add/enable these rules? Does the router require a reboot or is all rules automatically accepted?
airzao (ASKER):
Rules definitely enabled and I've restarted the router anyway. How about enabling the rule for https?
We can, but we need to sort out the http first. https is the next step. We need to create a certificate for you then.... I'll check what else we can try to open this issue...

What router are you using?
airzao (ASKER):
Hello again Jo. It's a British Telecommunications 2wire BT 2700 HGV (BT Business Hub)
Hi,

Got this article:

http://portforward.com/english/routers/port_forwarding/BT/BT2700HGV/Echolink.htm

It shows how you can forward the ports we opened to your server!

Try it and let me know!

Cheers!
airzao (ASKER):
Thanks Jo. Just read through the whole thing very carefully and the problem is that that's exactly what I've done!
Oh no!!! I was afraid you were going to say that. Well... We can, with almost certainty say that the router is fine then... One more thing... Does this make sense to you:

Any port forwarding is done via http://home or http://gateway.2wire.net or default gateway address.

Go to firewall > firewall settings.

Select the server and allow individual applications (e.g SMTP server) and then add > save.

if you want a specific range open (e.g 82-84) then click on add user defined application, follow the defaults that are there, save > listed at the top and add

Got it from the router's site.
airzao (ASKER):
Yes, I was hoping there'd be something new there too!

Yes, I did the port forwarding by going to home (or the IP address of the router), then firewall and firewall settings, selected the server and then allowed individual apps.

BUT I have not allowed SMTP and that is one of the app options (under the server category). Should this be allowed also? And are there any others? E.g. the below (not an exhaustive list)...
other-apps.png
Excellent!!! Yeah, SMTP must be allowed through! Others might be:

IMAP
NNTP
POP3
PPTP

Anything else there?
airzao (ASKER):
yes, the below + Unreal server & Web server. Add some of these too?
airzao (ASKER):
Here's the attachment!
more-apps.png
Nah... You won't need the rest of the services...
airzao (ASKER):
Thanks once again Jo I've done all that but still can't access from outside. The settings I have (and I've rebooted the router too) are as follows:
app-type-settings.png
No error message? Just the page cannot be displayed? Just a simple question... Do you host your own mail or do you download it to exchange via pop3?

I still can't ping your IP address....
airzao (ASKER):
Yes, just the 'normal' page cannot be displayed message.

It's via POP3. No idea why you can't ping my static ip - it's obviously working. This is so annoying! But your help is greatly appreciated!
Hi,

Yeah, I agree, this is frustrating! But we'll get it right! I checked all the settings and everything looks fine... Except, I can't see where the router FORWARDS the requests to your server?

I mean, the ports are open, so the router accepts the connections, but it doesn't know what to do with it... Is there a configuration page for port forwarding on the router?
airzao (ASKER):
I'm sure we will!

Well I think this is right as I have chosen our server to be "the computer that will host applications through the firewall". Quite why they phrase it like this I don't know, but that IS forwarding thing, right? See below

port-fwd.png
Under the list of apps in the screenshot you sent now, is there no Outlook or other MS program listed?
Oh yes... One more thing. In IIS, right click Default Website and click properties. Click ISAPI Filters and let me know how many filters are in there?

After that right click Default Website -> Permissions and send me a screenshot?
DAMMIT!!!

I just thought of something!

Open Exchange Manager -> Administrative Groups -> Servers -> Your server name -> Protocols -> HTTP:

Make sure that Exchange Virtual Server is STARTED!
airzao (ASKER):
Hi Jo. Ok responding to all your questions:

1. I could see no other programmes that look like MSl apart from: X Windows; XP Remote Assistance; XP Remote Desktop

2. There are three: SBSFLT (high); fpexeddll.dll (low); OWA logon (unknown)

3. See attachment.

Cheers.
permissions.PNG
Morning,

What permissions does the everyone group have on the IIS Default Website? Did you check:

Open Exchange Manager -> Administrative Groups -> Servers -> Your server name -> Protocols -> HTTP:

Make sure that Exchange Virtual Server is STARTED!
airzao (ASKER):
Morning Jo.

Ok, permissions on the first screen shot below. You will see that there's no "Everyone" group but there is a users/purepotential/users which I think is the same.

As regards the virtual server being started, I don't know how to tell it's started. it's certainly there as you can see from the second screen shot below.

Cheers - Marc


everyone-permissions.PNG
virtual-server.PNG
Thanks.

If you right click on the virtual server, does it show Start or Stop? If it shows start, click on start to start it up. If it shows stop, click on stop, give it 10 seconds and start it again.
airzao (ASKER):
It was showing Stop. So I stopped it, waited 10s and then Started.

But, sadly, still being told that the server at my static ip is taking too long to respond when i try the owa url.

Remote assistance??!!
One more thing... Can you find out from your ISP why the IP address can't be pinged from outside and why you get a timeout? If we can sort this out, then you can send me remote assistance.
airzao (ASKER):
Thanks Jo. Ok...asked them and they are referring me to their Help desk this afternoon. Will report back shortly...
Excellent! I'm starting to think it must be that, cause EVERYTHING else is configured properly!
Howzit!

I've been sick a bit and only back at the office today. Any luck there yet?
airzao (ASKER):
Hi Jo, sorry to hear that. Well my ISP (BT) are taking a while to check the static ip and the fact that it cannot be pinged. I do, however, expect an answer later today and will post ASAP. I really want to sort this because as I understand it, OWA is necessary to do any blackberry config and I want one! :)
Cool man! They're really taking their time, hey?
airzao (ASKER):
They are. But if I start ranting about BT I won't stop. So I had better not start! In the meantime though, exactly what should I say to them about this static ip - simply that outsiders can't ping the ip address (even though it clearly works and is static)?
LOL!!!

Yeah and tell them about the OWA issue.
airzao (ASKER):
Jo, the ISP is slowly responding (sending some info to their Exchange Team). In the meantime, I found this:

http://msmvps.com/blogs/bradley/archive/2005/01/21/33537.aspx

and wondered since the settings are very different to my current router settings, if you thought mine are right?
You have port 80 open, right? Otherwise you would not be able to browse the internet. Port 443 must be open when we configure OWA over SSL.

Why on earth are they taking so long?
airzao (ASKER):
right, done it!!!

the problem was that http was not opened by default and 80 and 443 were closed. Just opened them and it's working. So, SSL is all we need to do now. I hope this is easier! Thanks Jo!
WOW!!!!

That is excellent!!!! Hhhmmm... Strange that port 80 was not open...

Oh well, we're not moaning about it now, are we???

Ok, so here goes:

Firstly, do you have Microsoft Certificate Server installed?
airzao (ASKER):
Not sure. Should I obtain a new server certificate using the Web Server Certificate Wizard?
Yes, but do not apply for a 3rd party certificate. Let your server issue the certificate itself.

You can have a look at this:

http://www.msexchange.org/tutorials/MF004.html

Ignore the part where they say you send it off...
airzao (ASKER):
Well I started this and the instructions are very very clear. But I think I already have one issued by and to my website with serial number, public key, etc. Can I just use this?
Oh, if you have it, then use it!!! Saves you a lot of trouble!
airzao (ASKER):
I've also gone into Exchange Virtual Directory / Directory Security / Edit and made sure that SSL is required. So am I right in saying that I should only be able to access OWA with https:// rather than http://?
GO FOR IT!!!
airzao (ASKER):
Ok! So before I (finally) close this ticket (and thank you profusely) I have a question: SSL is making it so that if I put http:// I have to click on a continue option to access OWA, whereas with https:// I go straight there. But that doesn't seem much more secure to me! What am I missing?!
Hhhhmmm... If you just put http, then it should say access forbidden...

What is the continue option? Is it redirecting to https?
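Jo's expectation here is testable. With "Require secure channel (SSL)" set on the Exchange virtual directory, IIS 6 answers a plain-HTTP request for /exchange with a 403 (sub-status 403.4, "SSL required") instead of the logon prompt, unless something in front of it redirects to https. The script below is an added example for this page, not part of the thread or of any Microsoft tooling; it sends one request each over port 80 and port 443, classifies the reply, and reports whether SSL is actually enforced. The sample replies at the top are constructed for illustration, the hostname mail.example.test is a placeholder, and certificate verification is deliberately disabled because a self-signed certificate is in use in this thread (so the check says nothing about certificate trust, only about enforcement).

```python
import socket
import ssl
import sys

OWA_PATH = "/exchange"

# Constructed sample replies (not captured from the asker's server) showing the
# shapes IIS can return for GET /exchange. mail.example.test is a placeholder.
SAMPLE_REPLIES = {
    "logon prompt": b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="mail.example.test"\r\nContent-Length: 0\r\n\r\n',
    "ssl required": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>403.4 SSL required</html>",
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: https://mail.example.test/exchange\r\n\r\n",
    "open page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>OWA</html>",
}


def fetch_head(host, port, use_tls, path=OWA_PATH, timeout=5.0):
    """Send one GET for the OWA path and return the raw reply (status line, headers, start of body)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        # The thread uses a self-signed certificate, so trust is not what we are
        # testing here; verification is disabled on purpose. A 2003-era server may
        # also need an older TLS minimum than a modern OpenSSL allows by default.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        buf = b""
        while len(buf) < 8192:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def classify(raw):
    """Map a raw HTTP reply for /exchange to what it means for OWA."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code == 401:
        return "auth-prompt"      # IIS challenges for credentials: OWA is serving on this port
    if code in (301, 302, 303, 307, 308):
        location = headers.get("location", "").lower()
        return "redirect-https" if location.startswith("https://") else "redirect-other"
    if code == 403:
        return "forbidden"        # 'Require secure channel' answers plain HTTP with 403 (403.4)
    return f"http-{code}"


HTTP_ACCEPTABLE = ("forbidden", "redirect-https")   # plain HTTP may refuse or bounce to https


def check_ssl_enforcement(host, fetch=fetch_head):
    """Plain HTTP must not reach the logon; HTTPS must. `fetch` is injectable for offline tests."""
    result = {}
    for name, port, use_tls in (("http", 80, False), ("https", 443, True)):
        try:
            result[name] = classify(fetch(host, port, use_tls))
        except OSError as exc:   # refused, timed out, TLS failure (ssl.SSLError is an OSError)
            result[name] = "unreachable:" + type(exc).__name__
    http_ok = result["http"] in HTTP_ACCEPTABLE or result["http"].startswith("unreachable")
    result["ssl_enforced"] = http_ok and result["https"] == "auth-prompt"
    return result


if __name__ == "__main__":
    for label, raw in SAMPLE_REPLIES.items():
        print(f"{label:13s} -> {classify(raw)}")
    if len(sys.argv) == 2:                      # live check, run from outside the office
        print(check_ssl_enforcement(sys.argv[1]))
```

Port 80 being closed at the router counts as enforced, since plain HTTP then cannot reach OWA at all; a 200 or a 401 over plain HTTP means the logon page is still available without SSL, which is the situation the asker is describing.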
airzao (ASKER):
I don't know because I'm in the office. But you will see it: http://81.136.162.208/exchange. Cheers

Oh... You don't have to worry about that! It does use SSL and is secure.

What you can do now is to import this certificate into IE (You are using IE as your default browser?) and add it to the trusted list and the error will not come up again!
airzao (ASKER):
cheers jo. i think the remaining problem is that you CAN access owa from http:// despite the ssl (although it takes one step longer than https://). Is this the problem you are suggesting will be resolved by adding the cert to IE? I think not. Thanks again!
JoWickerman (ASKER CERTIFIED SOLUTION):
airzao (ASKER):
Jo, you're a star. Pleasure for me too and you were right at the top of this that it's much better to do it this way (although it obviously takes longer) in terms of learning - and I really learnt a lot!