Internal/External OWA access disabled

In the last 2 days we had to reboot our FE (Exch 2003 Standard) and back-end (Exch 2003 Enterprise) servers because we updated the Store DB size limit on the back end and installed Symantec Endpoint (Anti-virus only) on the front end.
Now, we can't access OWA  (https://mail."domain name".com/exchange).  We get Internet Explorer cannot display the webpage.
No changes made to firewall.  I've stopped and restarted all Exchange services on both servers.
Windows integrated authentication is selected for both the default web site and Exchange in IIS
All other web and exchange services are fine.
Any ideas?
DDJCapAsked:
DDJCapAuthor Commented:
One addition:  I just typed in http://servername/exchange and OWA opened up to my mailbox without any login prompt.  I was at my desk and logged in.
0
LeeDerbyshireCommented:
Can you find the IIS log entries generated by the request that results in the error message?
0
DDJCapAuthor Commented:
There are no log entries.  All I do is click the Employee access button on our website.
It then points to https://mail."domainname".com/exchange
On my PC I have SSL 3.0 and TLS 1.0 checked off.
We can access OWA by typing in  http://servername/exchange
Could it be an SSL issue on IIS?
0
LeeDerbyshireCommented:
You don't actually have those " " quotes in your URL do you?  I assume not, but I ought to ask.

Anyway, can you confirm that mail.domain.com and servername actually resolve to the same IP address?  Try pinging them, and see which IP address is shown.  It's possible that mail.domain.com resolves to your public IP address, and that servername resolves to a private IP address.
0
DDJCapAuthor Commented:
I know you had to ask...but no I didn't.  (grin)
servername does resolve to an internal IP address
mail.domain.com does not resolve.
0
LeeDerbyshireCommented:
If the client can't resolve it to an IP address, you will never reach it in your browser.  Have you created an internal DNS record for mail.domain.com ?
0
DDJCapAuthor Commented:
Just created an A record for Mail on internal DNS server using its private IP address.
Do we need to have that address added to our ISP's DNS records too?
0
LeeDerbyshireCommented:
If you want to be able to use that name externally, then yes, you need a public DNS record using the public IP address.
0
DDJCapAuthor Commented:
I created the A record and still can't go to https://mail.domainname.com/exchange
I'll check our ISP to make sure their record still exists.
0
DDJCapAuthor Commented:
We figured it out...the SSL certificate was corrupt.
We removed and readded a certificate to the website in IIS.
It's about 90% fixed.  When you go to our webpage and click on the button to access OWA, you get "There is a problem with this website's security certificate"
Click "Continue to this website" and the logon box pops up.
Now, can anyone help me fully fix this?
0
LeeDerbyshireCommented:
You get that message because IE at the client end does not recognise your certificate.  By default, it will recognise some of the famous ones, like Thawte or VeriSign, but if you created your own, it will only be recognised when you import it to each client's certificate cache.
0
DDJCapAuthor Commented:
We actually have a certificate from GoDaddy.com.  I installed it in IIS under Default Web Site and Exchange.
It was working before, but then reverted to not recognizing the cert.
I installed the cert on the front end and back end servers
0
LeeDerbyshireCommented:
If you install it on a BE server, make sure that Require SSL is not selected on its Exchange VDir.  If it is, the FE will not be able to contact it.
0
DDJCapAuthor Commented:
I remoted the cert and imported the cert in IIS on the Front end to IIS on the back end.
Seems to be working now, with SSL enabled.
Will wait until declaring victory.
Thanks, LeeDerbyShire
0
DDJCapAuthor Commented:
GoDaddy.com certificate is on the BE;  none on the FE.  SSL disabled on back end
Internal users can access OWA.  External users can't.  Says "the page you are trying to reach cannot be displayed."  DNS settings from ISP are fine.  Any ideas?
0
DDJCapAuthor Commented:
Figured out externally, the mail server's IP address does not resolve.
It's listed in our ISP's DNS records.
0
LeeDerbyshireCommented:
What is the FQDN of the mail server?  I'll see if it resolves here.
0
DDJCapAuthor Commented:
We already checked with our cert provider and ISP.  The server's external address does not resolve.
We have uninstalled Symantec Endpoint Protection and rebooted server to see if that is blocking anything.
Will try uninstalling updates downloaded 10 days ago if that does not work.
Already conferred with firewall co that all ports are open and server is seeing/accepting traffic
0
LeeDerbyshireCommented:
Where are you trying to resolve the public name from?  If it doesn't resolve from the LAN, then you may have an internal DNS problem.  If it doesn't resolve from an external location, then nothing you do internally will help the situation.
0
DDJCapAuthor Commented:
The address resolves internally.  Anyone in the office can open our home page and click the link to OWA and get a login box.  Externally, the address is listed with our ISP.
0
LeeDerbyshireCommented:
Yet it won't resolve externally?  Only your ISP can fix that.  If your public DNS contains an A record for the server within the correct domain, and it isn't being propagated, then they have a problem.  Of course, that assumes that DNS resolution at the client end is working properly, and that external clients aren't somehow trying to use your own internal DNS servers from an external location.
0
DDJCapAuthor Commented:
External clients should not be using our internal servers.  I had a friend who never connected to our home page do so then click on OWA link.  Our link is https://mail.domainname.com/exchange.  Our ISP has mail.domainname.com listed with the correct external IP address.
I had 4 external clients try connecting.  None have an issue resolving DNS to other websites
Removing AV did not work, so we're going to remove Windows updates.  Those were the only 2 server changes in the past 2-3 weeks
0
LeeDerbyshireCommented:
I think you need to ask your ISP about it, before you remove anything.  See if they can resolve it themselves.  That would surely demonstrate to them that they might have a problem.
0
DDJCapAuthor Commented:
We're holding off uninstalling Windows Server updates since we downloaded 19 of them on 08 Nov., along with a bunch of .NET 2.0/3.0 updates.  We're going to research them first to see if there are any known side-effects.
0
DDJCapAuthor Commented:
We spent 2 hours on the phone with MS and got it done.
The OWA certificate needs to be on the Front-End server with SSL enabled.
SSL needs to be disabled on back-end server.
However, we had to request a new cert from godaddy.com and rekey it.  We could not move cert back to FE because it was missing private key.  Once we got new cert, we added it to certificates MMC snap-in.
Then went to IIS, removed anonymous access and chose Windows integrated access.
Finally we stopped and restarted IIS service
0
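
The checks this thread worked through one at a time (does the name resolve, does the HTTPS endpoint present a certificate the client trusts, does the certificate in the server's store still have its private key) can be run in one pass. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later is available, and `mail.example.com` and the function names are placeholders.

```powershell
# Added example. Run Test-OwaEndpoint from an internal and an external client;
# run Get-CertKeyStatus on the server that should terminate SSL (the front end).
function Test-OwaEndpoint {
    param([string]$HostName = 'mail.example.com', [int]$Port = 443)
    $r = @{ Host = $HostName; Addresses = $null; Subject = $null;
            NotAfter = $null; PolicyErrors = $null; Failure = $null }
    # Step 1: name resolution as seen from this client.
    try {
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $r.Failure = "DNS: $($_.Exception.Message)"
        return New-Object PSObject -Property $r
    }
    # Step 2: TLS handshake. The callback accepts any certificate so it can be
    # inspected, and records the errors a browser would have warned about.
    $state = @{ Errors = $null }
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($s, $cert, $chain, $errors)
        $state.Errors = $errors
        $true
    }.GetNewClosure())
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject      = $c.Subject
        $r.NotAfter     = $c.NotAfter
        $r.PolicyErrors = $state.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
    } catch {
        $r.Failure = "TCP/TLS: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property $r
}

function Get-CertKeyStatus {
    param([string]$HostName = 'mail.example.com')
    # A certificate whose HasPrivateKey is False cannot be bound to the web site.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$HostName*" } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

Test-OwaEndpoint | Format-List
Get-CertKeyStatus | Format-List
```

A `DNS:` failure on external clients only points at the public record; a `PolicyErrors` value other than `None` corresponds to the browser's certificate warning.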
