Solved

Exchange 2007 OWA

Posted on 2009-04-03
Last Modified: 2012-05-06
I was wondering if someone could point me in the right direction on this.  I have just finished installing Exchange 2007, and for the time being, our company will remain in a coexistent state with Exchange 2003.  My question is in regards to setting up Exchange 2007 OWA for external access.  Internally, Exchange 2007 OWA is working perfectly.  However, I'm not 100% sure of how I need to configure it for external access.  I did notice that there is a configuration URL for internal and external access.  Right now, internal communications is pointing to https://exchange2007.domain.com/owa.  Do I need to leave it at this for external access as well?
I'm venturing to guess that I need to set up a new host (A) record in our hosting provider's DNS that points to exchange2007.domain.com.  Is that correct?  We are running a Watchguard 750 firewall and I'm assuming that I just create a new policy opening port 25 to the new IP address.

Also, will there be any issues with having the 2003 OWA and 2007 OWA active at the same time since they are referenced by different (A) records?  Can both be used?

Thanks.

--dave
0
Question by:david_greer
37 Comments
 
LVL 9

Expert Comment

by:esmith69
You are correct with a few things.  You DO need to have your DNS provider set up a new record. You'll need to configure the firewall to do a NAT rule to allow incoming HTTP (or HTTPS) traffic from the IP of the new public record, TO the internal IP of the 2007 server.

You can have both servers running at the same time, but you'll need to give the correct URL to the users whose mailbox is on the respective server.  You can move a mailbox to the 2007 server but then the user will need to use the URL for that server.  If you give a user the URL to the 2007 server but their mailbox is still on the 2003 server, it will try to automatically redirect to the 2007 server.  This will most likely fail as it will only use the internal name of the server.

I would strongly consider purchasing a UCC/SAN certificate from a vendor such as GoDaddy or Digicert and implementing this on your Exchange server to secure the data.
0
 

Author Comment

by:david_greer
Ah, good to talk to you again esmith.  Thanks for the information.  The reason I ask is because I have just noticed that we are having some issues with the Exchange 2003 OWA.  When we visit the Exchange 2003 OWA (externally), we get to the certificate page............go ahead and click Continue to this website (not recommended), and then we are prompted for credentials.  However, when anyone enters their credentials, they are immediately taken to a dead page..........."Internet Explorer cannot display this webpage."  Of course we are not having the problems internally.  Would having Exchange 2007 set up now in a co-existent state have anything to do with this?
Any thoughts?
0
 
LVL 9

Expert Comment

by:esmith69
The reason that it works internally is that OWA automatically redirects you to the server that hosts your specific mailbox, but it redirects using the NETBIOS name of the Exchange server (which obviously isn't valid outside of the network).

Have you moved over all your mailboxes from 2003 to 2007?  If so you could go ahead and change around your NAT mappings in your firewall so that people can use the same external name to get to OWA but then the firewall would send the packets to your Exchange 2007 server instead.
0
 

Author Comment

by:david_greer
We haven't begun moving mailboxes yet.  I have only created a test user mailbox on Exchange 2007, but the rest of the mailboxes are legacy from Exchange 2003.  We were planning on being in a co-existent state for a little while.  So this should not have affected the Exchange 2003 OWA at all then, correct?  I just can't figure out why (externally) we can browse to https://domain.com/exchange and get to the login credentials, but once entered in, everyone is taken to a dead page.  I wanted to make sure that it wasn't related to Exchange 2007 being installed.
0
 
LVL 9

Expert Comment

by:esmith69
Ah, ok.  Yea I don't think that should be related to the 2007 install.  Was OWA working on the 2003 system before you installed 2007 on the other server?
0
 

Author Comment

by:david_greer
Yes, Exchange 2003 OWA was working fine.  We used an external address of https://www.domain.com/exchange.  We didn't have a certificate (which I will definitely be getting one for Exchange 2007), and users could just click through twice on the "Continue to this website (not recommended)", enter their login credentials and be set.  Now, we can still get to the login credentials, but no matter what user we enter in, it always goes straight to an "Internet Explorer cannot display this webpage."
Maybe something has changed on the firewall.
0
 
LVL 9

Expert Comment

by:esmith69
What is the URL that shows up when it's displaying that IE message?
0
 

Author Comment

by:david_greer
It is still the same URL that the user types in.........

https://www.domainname.com/exchange
0
 
LVL 9

Expert Comment

by:esmith69
OK, I didn't know if maybe it was doing the redirect to the 2007 server but it sounds like that's not the case.

You may want to check the IIS logs on your 2003 server.  You can find the path to those by viewing the properties for the default web site in IIS.
0
 

Author Comment

by:david_greer
Could this have anything to do with the certificate in IIS?  For example, if the certificate changed, could the site have this behavior of getting to the login prompt, and then dying?
0
 
LVL 9

Expert Comment

by:esmith69
Usually I would say no, but I guess in theory it's possible.  Has IIS been reset since the certificate changed?
0
 

Author Comment

by:david_greer
Yes, I have stopped and restarted the services for the Default WebSite.  However, I did notice something strange.  I noticed that it is being listed now as Default Web Site2..........I'm not 100% sure, but I'm almost positive that it used to be just Default Web Site.  Could that have any bearing on anything?
0
 
LVL 9

Expert Comment

by:esmith69
Sorry for the delayed response.  Yes, it definitely could affect things.  Are you seeing the Exchange-related virtual directories under this newly-created site?  Check out this MS article for more specifics on what SHOULD be there:  http://support.microsoft.com/kb/821898/

Also, here is an article about how to re-create the IIS virtual directories for Exchange-related services:  http://support.microsoft.com/kb/883380

Usually a new web site does not get created by itself.  Was any other software recently installed onto the 2003 server?  Specifically, maybe something that uses port 80?


0
 

Author Comment

by:david_greer
Okay, I have checked our IIS according to the MS article and everything is there, including:
/Exchweb
/Exadmin
/Exchange
/Public
/Microsoft-Server-ActiveSync
/OMA

However, we also have some additional items there, besides the ones listed above, including:
/CertControl
/CertEnroll
/CertSrv
/Exchange-oma
/resources
/aspnet_client

Please bear in mind that all of this was already set up when I joined this company.  Something (to me) still seems off though regarding the website being named "Default Web Site2."  I'm almost positive that it used to say "Default Web Site."  But no, we have not installed any software on the server at all.  However, I do remember management changing some things about the certificate on this server.
0
 

Author Comment

by:david_greer
I thought I might have been close to the solution, however, to no avail.  I looked at the properties of the /Exchange virtual directory, and noticed under Directory Security that it had "require 128 bit encryption".
After unchecking that box, I am still having the same issue.
0
 

Author Comment

by:david_greer
Just thought I would throw this in here as well.  I had read somewhere that you should be able to right click the /Exchange directory and choose browse.  When I try to browse the /Exchange directory, I get the following error:
"The Page Must Be Viewed Over a Secure Channel.
The page you are trying to access is secured with Secured Sockets Layer (SSL).
 - Type https:// at the beginning of the address you are attempting to reach and press ENTER."

However, I have "Require Secure Channel" set at the Default Web Site level and at the /Exchange directory level.

Don't know if that was needed, but just thought I would throw it in there.
0
 
LVL 9

Expert Comment

by:esmith69
All of the virtual directories you mentioned...are those ones that are showing up under default website 2?  Or just default website?  And I assume it says both sites are running?  Are both using port 80?  Any host headers configured on either one?
0
 

Author Comment

by:david_greer
Actually, I went in and renamed the "Default Web Site2" back to just "Default Web Site" as I have a sneaky feeling that got changed while they were working on the certificate.  Yes, all of those virtual directories are showing under Default Web Site.
At any rate, yes, both sites are running.  When I say both, there are 2............Default Web Site and Cayenet.  Cayenet is being used as an intranet website.  The configuration for both are as follows:

Default Web Site - TCP Port: 8095; SSL Port: 443; No Host Headers
Cayenet - TCP Port: 80; SSL Port - (blank); No Host Headers

I'm not sure about the 8095 port..........that was set when I got here.  I think, though, that it had something to do with Sharepoint.  
0

 
LVL 9

Expert Comment

by:esmith69
Technically that setup with two sites but no host headers should work I think--as long as people use HTTPS to connect to OWA.  All of the settings for the Exchange-related virtual directories need to be correct of course (i.e. the ones that need to have force SSL enabled have it, and the ones that don't do not).

Have you checked the IIS log files yet?
0
 

Author Comment

by:david_greer
Yes, I have checked the logs, but I do not see anything that really grabs my attention.  The numbers must be error codes, I'm assuming.
I will post part of the log for you to view.

Also, I have the SSL setting as follows:
Default Web Site - Require secure channel - checked
Require 128 bit encryption - unchecked

/Exchange - Require secure channel - checked
Require 128 bit encryption - unchecked
Partial-Exchange-OWA-Log.txt
0
 
LVL 9

Assisted Solution

by:esmith69
esmith69 earned 250 total points
The 302 error code means that it's trying to redirect the request.

I think there's something up with the part in the log where it says:

GET /exchange path=exchange

Normally it should just say "GET /exchange" and then 443 (or "80" if it didn't have SSL turned on).  But in your case it looks like it's trying to use some additional "/exchange" to reach IIS or something along those lines.


If you go into the properties for the "Exchange" virtual directory, under the "local path" field, what does it list?
0
 

Author Comment

by:david_greer
In the "local path" field, it lists the following:

\\.\BackOfficeStorage\domain.com\MBX
0
 
LVL 9

Expert Comment

by:esmith69
When you go into Exchange System Manager and browse to your server, then to protocols->HTTP, when you expand "Exchange Virtual Server", what does it list?  There should be exadmin, exchange, microsoft-server-activesync, oma, and public
0
 

Author Comment

by:david_greer
Yes, I have all of those listed; however, I have one additional one listed:
exchange-oma
0
 
LVL 9

Expert Comment

by:esmith69
Going back through this thread to your previous posts--I'm pretty sure that right clicking on the Exchange virtual directory IS supposed to give that "this page must be viewed over a secure channel" message.  That's because when you click browse it just tries to load that virtual directory using regular HTTP.

Are you able to get to OWA from the Exchange server itself?  You will still need to use HTTPS at the beginning, but it should accept either "localhost" or the name of the server.  Then of course add in the /Exchange part.

0
 

Author Comment

by:david_greer
Yes, just tried that.  Works perfectly from the server (and all internal machines as well).  From the server I tried:
https://naexchange/exchange

Works perfectly.
0
 
LVL 9

Expert Comment

by:esmith69
Ah, OK, I may have missed from your previous posts that internal is working fine.  That definitely changes things.

Have you already reconfigured your firewall so that incoming HTTPS requests get NAT'd to the Exchange 2007 server?  If so, you'll need to undo this and point things back to the 2003 server until you get all the mailboxes moved to the 2007 server.
0
 

Author Comment

by:david_greer
That's what is really strange.  I haven't touched the firewall config during this whole process.  As far as the firewall is concerned, it should still be pointing HTTPS to the Exchange 2003 server.
0
 
LVL 9

Expert Comment

by:esmith69
Have you tried moving just one account from the 2003 server to the 2007 server and then trying to log on to OWA with that user and seeing if it behaves the same way?
0
 

Author Comment

by:david_greer
Sorry for the delay.  I haven't moved any of the mailboxes yet, as I'm not 100% sure we are ready to start moving them.  I could create a test account..............however, now that Exchange 07 is in the picture, I have read that you can no longer create mailboxes through ADUC............it must be done through EMC.  Am I correct on this?
0
 
LVL 9

Expert Comment

by:esmith69
You should still be able to create mailboxes on Exchange 2003 using ADUC on that server.  It will just create them on the 2003 server (which is what you want anyways).
0
 

Author Comment

by:david_greer
I can't test the Exchange 2007 OWA externally just yet.  My hosting provider has not finished setting up the DNS record........as soon as they get the (A) record set up, I can test.
0
 

Author Comment

by:david_greer
Ok.  Sorry I haven't been able to update you.
The hosting provider finally got the DNS setup on their end, and I have ordered a SSL certificate for the new Exchange 2007 server.  I should be able to implement that in a couple of days.  The Exchange 2007 OWA is now working perfectly (with the exception of the certificate of course).

As far as moving a user, I did move 1 user this afternoon to 07.  They are able to logon to the new 07 OWA with no problem.  However, we still are having the same issue with the 2003 OWA.  It never reaches a point that tells me if the login credentials are correct or not.........it just fails after you attempt to login.
0
 
LVL 9

Expert Comment

by:esmith69
I'm pretty sure this has to do with that /GET Exchange path=exchange thing you saw in some of the IIS logs.  The only way really to fix that I think would be to recreate the Exchange-related sites in IIS.  You may want to consider doing that since it's not even working right now anyways.

One thing to check first is in ESM, go to that same section I had you go to before under protocols->HTTP->Exchange Virtual Server.  Right click the "Exchange" virtual directory under there and choose properties.  Then under "Exchange Path" everything should be grayed out, but it should have the top "Mailboxes for SMTP domain" bullet selected (though it will also be grayed out so it's kinda hard to tell).

If there's any other value in that particular section or if things are not grayed out, let me know.
0
 

Author Comment

by:david_greer
Yes, everything is grayed out.  The "Mailboxes for SMTP domain" is also bulleted and grayed out as well.

So do you think I need to rebuild OWA in IIS?  Is this something that has to be done occasionally, and what causes it to be in a state that it needs to be rebuilt?
0
 
LVL 9

Expert Comment

by:esmith69
Yes I am pretty sure OWA needs to be rebuilt.  This Microsoft article should walk you through the process:  http://support.microsoft.com/kb/883380

This is definitely NOT something that needs to be done even occasionally.  Usually it only happens when something messes with IIS.
0
 

Accepted Solution

by:
david_greer earned 0 total points
Hi esmith.  Sorry for the long delay getting back with you.

I actually had to break down and call Microsoft on this issue and spend 5 hours on the phone with them.  However, we didn't have to rebuild OWA.

What ended up working was this MS kb......... http://support.microsoft.com/kb/834141/
What worked was option 2 on this knowledgebase.  I had to use the adsutil and /SetHostName to our IP address.  

Again, thank you for all of your input and insight.  It has been very helpful through this entire process.
0
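
The failure mode discussed in this thread (a redirect that names the server in a way only internal clients can resolve) can be checked from the `Location` header of the 302 that IIS returns. The Python sketch below is an added example, not code from the thread or from the linked KB articles; `classify_redirect` and `flagged_redirects` are hypothetical helper names, and the sample IP address is constructed.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

def classify_redirect(request_url, location):
    """Classify a 302 Location value as an outside client would experience it.

    Returns (verdict, absolute_target).
    """
    # A relative Location is resolved against the URL the client asked for.
    target = urljoin(request_url, location)
    req, tgt = urlsplit(request_url), urlsplit(target)
    host = (tgt.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS or NetBIOS name
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return "internal-ip", target          # not routable from the Internet
    if ip is None and "." not in host:
        return "single-label-name", target    # NetBIOS-style name, no public DNS
    if req.scheme == "https" and tgt.scheme == "http":
        return "scheme-downgrade", target     # leaves the SSL-only site binding
    if host != (req.hostname or "").lower():
        return "different-host", target       # needs its own DNS record and NAT rule
    return "ok", target

def flagged_redirects(request_url, locations):
    """Return the redirects worth checking before blaming the firewall."""
    results = [classify_redirect(request_url, loc) for loc in locations]
    return [(verdict, target) for verdict, target in results if verdict != "ok"]

# Constructed sample values. The host names come from the thread; the IP address
# is made up for illustration.
EXTERNAL_URL = "https://www.domain.com/exchange"
SAMPLE_LOCATIONS = [
    "/exchange/",
    "https://naexchange/exchange/",
    "https://192.168.1.10/exchange/",
    "http://www.domain.com/exchange/",
    "https://exchange2007.domain.com/owa",
]

if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        verdict, target = classify_redirect(EXTERNAL_URL, loc)
        print(f"{verdict:18} {target}")
```

Feed it the `Location` value seen by an external client (from a browser's network trace or a proxy log) together with the URL the user typed; an `internal-ip` or `single-label-name` verdict also means the server is disclosing its internal addressing to outside clients.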
