• Status: Solved

Changing WAN port for Outlook Web Access

Running MS Exchange Server 2003 (6.5) SP2 on Windows 2000 Server SP4. Users inside the building have access at http://mailserver/exchange (port 80), and I want to allow users to access OWA through the firewall through port mapping at some obscure port. However, if I map a public port, say, 23844 to port 80 on the mail server, OWA outside the firewall doesn't work. What other mappings do I need to get this to work? Thanks for the help.
Asked by: cgtyoder

zelron22 Commented:
First, have you changed the NAT to point that port to the OWA server?

Second, be aware that if OWA isn't port 80, Active Sync won't work.

cgtyoder (Author) Commented:
Currently, I have the OWA server port changed to port n, and our public IP port n, so there is no change of port in the port mapping from the public IP to the private IP of the OWA server.  If I change the OWA server back to port 80, and change the firewall port mapping to point from port n on the public IP to port 80 on the private IP, then OWA does not function outside the firewall.

Is ActiveSync required for OWA to work?  If not, I don't need that to function outside the firewall.

Mestha Commented:
OWA doesn't respond well to being used on another port.
You don't get security by obscurity. If you want to secure the deployment, use an SSL certificate and only open port 443.

-M

zelron22 Commented:
Active Sync isn't required for OWA to work.  But if down the road, your boss says, "Hey, I have this new (insert current hot PDA here) and I want to get my email on it", you may want to be able to tell him "yes" without mucking about with changes you made months ago.

Mestha is, as usual, correct that the best choice would be to get an SSL cert.  Thawte and Verisign have them for only a couple hundred dollars per year.

cgtyoder (Author) Commented:
I realize that using SSL is preferable to a non-encrypted port (security actually IS about obscurity, but that debate is for another time), but this is what I want to do.

Can you be more specific about "OWA doesn't respond well to being used on another port"?  I am using OWA without a problem now, on my non-80 port.  The problem arises when I try to map port 80 internally to another port externally thru the NAT'd firewall.

Mestha Commented:
You can get an SSL certificate for US$30/year from GoDaddy which works fine.
As for OWA, I have just seen it not behave correctly on any other port. I put it back to 80/443 and it behaves.

Moving to an alternative port slows down an attacker for what, 20 seconds, if that. All it does is annoy the users as they have to remember some random port number.

-M

heiko Commented:
It's not necessary to buy a certificate; you can make your own by using MS-CA (delivered with the server but mostly not installed). But you should use HTTP/HTTPS. For HTTP you can use virtual servers by name on IIS. For SSL you need a port for this virtual server. On SSL it's not possible to get the right virtual server by name. That's why you need one port per virtual server.
This is all also known by Exchange and IIS. To reference and forward to the right places, it's sometimes required to build complete URL strings (including port numbers). Every time such a string passes a port-translation device where this URL is unchanged, the application is no longer working.

Conclusion:
- Don't translate ports of Exchange web applications.
- If some ports are already in use and you have to change them, then do this directly on the Exchange web server. There you can easily change HTTP and HTTPS ports.
- Additionally, you can also set up second web servers and/or additional ports for internal and external use.
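
The point in the last answer, that complete URL strings pass unchanged through a port-translating device, can be checked from the client side. The following is an added example, not part of the original thread: it scans a response's headers and body for absolute URLs that name the same host as the request but a different scheme or port. The host name `mail.example.com` and the sample response are constructed for illustration; only port 23844 comes from the question.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Absolute URLs in common HTML attributes; relative links are not matched.
ABS_URL = re.compile(r"""(?:href|src|action)\s*=\s*["'](https?://[^"']+)["']""", re.I)

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def mismatched_urls(requested_url, headers, body):
    """List (url, port) for URLs on the requested host that use another origin.

    These are the links a client behind a port-translating firewall cannot
    follow, because the server built them from its internal listening port.
    """
    want = origin(requested_url)
    found = [v for k, v in headers.items()
             if k.lower() in ("location", "content-location")]
    found += ABS_URL.findall(body)
    bad = []
    for url in found:
        got = origin(url)
        if got[1] == want[1] and got != want:
            bad.append((url, got[2]))
    return bad

# Constructed sample: the client used public port 23844, mapped to internal
# port 80, and the server answered with URLs built for port 80.
REQUESTED = "http://mail.example.com:23844/exchange"
SAMPLE_HEADERS = {"Location": "http://mail.example.com/exchange/"}
SAMPLE_BODY = (
    '<a href="http://mail.example.com:23844/exchange/inbox">Inbox</a>'
    '<img src="http://mail.example.com/exchange/logo.gif">'
    '<form action="/exchange/send"></form>'
)

if __name__ == "__main__":
    for url, port in mismatched_urls(REQUESTED, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"points at port {port}, client came in on 23844: {url}")
```

An empty result for the same request means every absolute URL already carries the external port, which is the situation when the port is changed on the web server itself rather than at the firewall.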
