Changing WAN port for Outlook Web Access

cgtyoder asked
Last Modified: 2012-05-06
Running MS Exchange Server 2003 (6.5) SP2 on Windows 2000 Server SP4.  Users inside the building have access at http://mailserver/exchange (port 80), and I want to allow users to access OWA through the firewall through port mapping at some obscure port.  However, if I map a public port, say, 23844 to port 80 on the mail server, OWA outside the firewall doesn't work.  What other mappings do I need to get this to work?  Thanks for the help.

Commented:
First, have you changed the NAT to point that port to the OWA server?

Second, be aware that if OWA isn't port 80, Active Sync won't work.

Author

Commented:
Currently, I have the OWA server port changed to port n, and our public IP port n, so there is no change of port in the port mapping from the public IP to the private IP of the OWA server.  If I change the OWA server back to port 80, and change the firewall port mapping to point from port n on the public IP to port 80 on the private IP, then OWA does not function outside the firewall.

Is ActiveSync required for OWA to work?  If not, I don't need that to function outside the firewall.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
OWA doesn't respond well to being used on another port.
You don't get security by obscurity. If you want to secure the deployment, use an SSL certificate and only open port 443.

-M

Commented:
Active Sync isn't required for OWA to work.  But if down the road, your boss says, "Hey, I have this new (insert current hot PDA here) and I want to get my email on it", you may want to be able to tell him "yes" without mucking about with changes you made months ago.

Mestha is, as usual, correct that the best choice would be to get an SSL cert.  Thawte and Verisign have them for only a couple hundred dollars per year.

Author

Commented:
I realize that using SSL is preferable to a non-encrypted port (security actually IS about obscurity, but that debate is for another time), but this is what I want to do.

Can you be more specific about "OWA doesn't respond well to being used on another port"?  I am using OWA without a problem now, on my non-80 port.  The problem arises when I try to map port 80 internally to another port externally thru the NAT'd firewall.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
You can get an SSL certificate for US$30/year from GoDaddy which works fine.
As for OWA, I have just seen it not behave correctly on any other port. I put it back to 80/443 and it behaves.

Moving to an alternative port slows down an attacker for what, 20 seconds, if that. All it does is annoy the users as they have to remember some random port number.

-M
Leiter IT
Commented:
It's not necessary to buy a certificate; you can make your own by using MS-CA (delivered with the server, but mostly not installed). But you should use HTTP/HTTPS. For HTTP you can use a virtual server by name on IIS. For SSL you need a port for this virtual server. On SSL it's not possible to get the right virtual server by name. That's why you need one port per virtual server.
This all is also known by Exchange and IIS. To reference and forward to the right places, it's sometimes required to build complete URL strings (including port numbers). Every time such a string passes a port-translation device where this URL is unchanged, the application is no longer working.

Conclusion:
- Don't translate ports of Exchange web applications.
- If some ports are already in use and you have to change them, then do this directly on the Exchange web server. There you can easily change HTTP and HTTPS ports.
- Additionally, you can also set up second web servers and/or additional ports for internal and external use.
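
The failure described in the last comment, and the asker's observation that the same port on both sides works while mapping 23844 to 80 does not, as an added example that is not part of the original thread: a check that lists the absolute URLs in a response that point at a different host or port than the one the client used. The hostname `mail.example.com` and the sample response are constructed, and the server writing its own listening port into URLs is the assumption taken from that comment.

```python
"""Added example: spot absolute URLs that break behind a port-translating firewall."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ABS_URL = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def unreachable_links(external_base, raw_response):
    """List absolute URLs in headers or body whose origin differs from the
    origin the client connected to. Relative links are never matched, since
    the browser resolves them against the address it already reached."""
    wanted = origin(external_base)
    bad = []
    for url in ABS_URL.findall(raw_response):
        if origin(url) != wanted and url not in bad:
            bad.append(url)
    return bad


def sample_response(server_port):
    """Constructed response (not real OWA output) from a server that builds
    absolute URLs with the port it listens on, per the comment above."""
    base = f"http://mail.example.com:{server_port}/exchange"
    return (f"HTTP/1.1 302 Found\r\nLocation: {base}/user/\r\n\r\n"
            f'<a href="{base}/user/Inbox/">Inbox</a>'
            '<img src="/exchange/logo.gif">')


# Address the outside client types; 23844 is the public port from the question.
EXTERNAL = "http://mail.example.com:23844/exchange"

if __name__ == "__main__":
    # Firewall maps 23844 -> 80: the server advertises port 80, which is closed outside.
    print("translated:", unreachable_links(EXTERNAL, sample_response(80)))
    # Server itself listens on 23844 and the firewall maps 23844 -> 23844.
    print("same port: ", unreachable_links(EXTERNAL, sample_response(23844)))
```
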
