Solved

OWA untraditional setup

Posted on 2009-05-08
Last Modified: 2012-05-06
Here's the layout.

I have a Sprint T1 that comes in on one firewall which hosts Exchange and the corporate website. I have a second firewall with Comcast that is used primarily for internet access for LAN users.

I'm trying to set up OWA to come in on the Comcast firewall because the Sprint firewall is already using port 443 for the corporate website. I have created a subdomain with Sprint (owa.company.com) that points to my Comcast IP.

I have opened 443 on the Comcast firewall to allow SSL traffic. I can see requests hitting and being allowed on this firewall, but nothing seems to be hitting the Exchange server. Hence no OWA access.

Ideas ....
Question by:Niples
24 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
What type of firewall/router are you using? You need to specify on the router itself that incoming packets on port 443 get forwarded to the internal IP address of your Exchange server. How this gets done depends on the firewall model, since interfaces and control languages can vary.
 
LVL 1

Author Comment

by:Niples
I have 2 Watchguard Firebox 1000s.

I have a NAT rule set up to forward SSL traffic from my public IP on the Comcast Firebox to my Exchange server.

The log on the firewall shows the rule and is allowing the traffic through....

 
LVL 38

Expert Comment

by:Hypercat (Deb)
That sounds good, then.  And you do, in fact, have an SSL certificate installed on the Exchange server and enabled for the Exchange, ExchWeb and Public virtual directories?
A few questions:
1.  Is this Exchange 2003 or Exchange 2007?
2.  Can you access the OWA website internally if you open IE and go to https://servername/exchange?
3.  What URL are you using to access the OWA website from outside your company network?  
4.  If the website won't open, what error message do you get?
 
LVL 1

Author Comment

by:Niples
I installed CA on the Exchange server and have it named to match my new subdomain owa.company.com.

OWA works fine internally.

1) 2003
2) yes
3) https://owa.blackdiamondonline.us/exchange
4) if you can, try to hit it and you'll see.

Also, just ran the Exchange Server Remote Connectivity Analyzer and it says:

Testing TCP Port 443 on host owa.blackdiamondonline.us to ensure it is listening/open.
The specified port is either blocked, not listening, or not producing the expected response

I then ran PortQry on the server and it is indeed open.
 
LVL 38

Expert Comment

by:Hypercat (Deb)
I tested it a couple of different ways - telnet, an SSL port test from DNSstuff.com - and I cannot connect to port 443 at that IP address or server name at all.  So, it really sounds like a problem on the router. Is there any other router between the Comcast router and the server?  Have you tried just rebooting the Comcast router to see if that helps? I'm not too familiar with Watchguard, but have you made sure that in addition to the NAT rule, the firewall is set to allow incoming packets on port 443?
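The tests described above (a plain TCP connect, then an SSL test against the name) can be reproduced from any outside host with the added script below. It is an editor-added example, not code from anyone in this thread: `owa.company.com` stands in for the real host name, and the three stages are separated on purpose so that "port not reachable", "TLS up but the certificate is not trusted" (what a self-installed CA looks like to an outside client) and "certificate does not cover this name" are reported as distinct findings. The name comparison follows the usual TLS client rules, so it also shows what a wildcard name covers: `*.company.com` matches `owa.company.com` but not `company.com` or `a.b.company.com`.

```python
import socket
import ssl
import sys


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style comparison used by TLS clients: case-insensitive, and a
    leading "*." covers exactly one DNS label, so "*.company.com" matches
    "owa.company.com" but neither "company.com" nor "a.b.company.com"."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                     # ".company.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[:-len(suffix)]
        return first_label != "" and "." not in first_label
    return cert_name == hostname


def cert_dns_names(cert: dict) -> list:
    """DNS names from a certificate as returned by getpeercert(): subjectAltName
    entries, or the subject CN only when the certificate has no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_https_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Three checks in order, stopping at the first failure:
    1. TCP connect (what ExRCA's port test and telnet do),
    2. TLS handshake with chain verification (fails for a self-issued CA the
       client does not trust; we retry unverified only to confirm TLS is up),
    3. does any certificate name cover the host name we connected with."""
    report = {"host": host, "port": port, "tcp": False, "tls": False,
              "verified": False, "names": [], "name_ok": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            report["tcp"] = True
            ctx = ssl.create_default_context()
            ctx.check_hostname = False     # name check is done and reported below
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    report["tls"] = report["verified"] = True
                    report["names"] = cert_dns_names(tls.getpeercert())
            except ssl.SSLCertVerificationError as exc:
                report["error"] = f"chain not trusted: {exc.reason}"
                # the failed handshake closed `sock`; reconnect without
                # verification to tell "TLS broken" from "untrusted CA"
                ctx.verify_mode = ssl.CERT_NONE
                with socket.create_connection((host, port), timeout=timeout) as sock2, \
                        ctx.wrap_socket(sock2, server_hostname=host):
                    report["tls"] = True
    except (OSError, ssl.SSLError) as exc:
        report["error"] = report["error"] or f"{type(exc).__name__}: {exc}"
    report["name_ok"] = any(name_matches(n, host) for n in report["names"])
    return report


if __name__ == "__main__":
    # usage: python check_owa.py owa.company.com [443]   (host name is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "owa.company.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in check_https_endpoint(target, target_port).items():
        print(f"{key:10} {value}")
```

A report with `tcp: False` points at the firewall or routing, exactly the situation in this thread; `tcp: True, tls: True, verified: False` means the port is fine and only the certificate chain is the problem.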
 
LVL 1

Author Comment

by:Niples
Yes, the 443 rule is on and I can see it accepting traffic.

I know the firewall on the router is off, but maybe it's not set for IP passthrough?
 
LVL 65

Expert Comment

by:Mestha
Is the default gateway set correctly on the Exchange server?

Simon.
 
LVL 1

Accepted Solution

by:mikesm559 (earned 250 total points)
I suspect the issue is that the exchange server is routing traffic back out the Sprint connection instead of the comcast connection.  And since you seem to be doing NAT, that will not work.  It's best to try and keep all your wan connections on one firewall box and deal with WAN selection there, else you end up having to have some devices routed out through one box and others through another, and that makes LAN administration a nightmare.
 
LVL 5

Expert Comment

by:DTAHARLEV
mikesm559 is probably right, we have this all the time. If the firewall forwards the original IP address of the user, Exchange gets it from one interface (Comcast) and sends out the reply from the other. Have it reverse-NAT, i.e. the IP address for the request will be the firewall's, not the original client's. NOTE: Do this only for OWA, as if you do this for SMTP for instance you're killing all of the filtering (it will look as if every message came from the firewall).
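The two comments above (the accepted answer about replies leaving via the Sprint connection, and the reverse-NAT suggestion) describe an asymmetric-routing problem that is easy to trace on a routing table. The script below is an editor-added example, not code from any poster: it models the Exchange server's table (LAN on-link, everything else via one default gateway) with constructed addresses, 192.168.1.1 for the Sprint Firebox, 192.168.1.2 for the Comcast Firebox and 203.0.113.50 for the Internet client, and traces where the reply to an OWA request goes with destination NAT only versus destination plus source NAT. It also records the cost of source NAT that the second comment warns about: the server no longer sees the client's real address.

```python
import ipaddress

# Constructed addresses for the topology in the thread: one LAN, two firewalls
# on it (Sprint and Comcast), the Exchange server, and an Internet client.
# 203.0.113.0/24 is a documentation range standing in for the COO's iPhone.
LAN        = "192.168.1.0/24"
SPRINT_FW  = "192.168.1.1"    # assumed LAN address of the Sprint Firebox (default gateway)
COMCAST_FW = "192.168.1.2"    # assumed LAN address of the Comcast Firebox
EXCHANGE   = "192.168.1.10"
CLIENT     = "203.0.113.50"


class HostRoutingTable:
    """Longest-prefix-match table as a Windows host uses it: one default route
    plus on-link routes for directly attached subnets (next hop None)."""

    def __init__(self, routes):
        parsed = []
        for network, next_hop in routes:
            parsed.append((ipaddress.ip_network(network),
                           ipaddress.ip_address(next_hop) if next_hop else None))
        # most specific prefix first
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, destination):
        dst = ipaddress.ip_address(destination)
        for network, gateway in self.routes:
            if dst in network:
                # on-link: the frame goes straight to the destination, no gateway
                return dst if gateway is None else gateway
        raise ValueError(f"no route to {destination}")


# The Exchange server's table: its own LAN is on-link, everything else via Sprint.
EXCHANGE_ROUTES = HostRoutingTable([(LAN, None), ("0.0.0.0/0", SPRINT_FW)])


def simulate_owa_request(entry_firewall, source_nat, table=EXCHANGE_ROUTES):
    """Trace one HTTPS request that enters through `entry_firewall` (its LAN address).

    With destination NAT only, the server sees the real client address and replies
    via its default route. With source NAT as well, the server sees the firewall's
    LAN address, so the reply is on-link to the firewall that holds the NAT state.
    """
    server_sees_src = entry_firewall if source_nat else CLIENT
    reply_first_hop = str(table.next_hop(server_sees_src))
    return {
        "entry_firewall": entry_firewall,
        "server_sees_src": server_sees_src,
        "reply_first_hop": reply_first_hop,
        # Only the firewall that translated the request has state for the flow;
        # a reply through the other box matches no NAT entry and is dropped.
        "symmetric": reply_first_hop == entry_firewall,
        # Cost of source NAT (the filtering/logging point raised for SMTP):
        "client_ip_visible_to_server": not source_nat,
    }


if __name__ == "__main__":
    for fw, snat in ((SPRINT_FW, False), (COMCAST_FW, False), (COMCAST_FW, True)):
        r = simulate_owa_request(fw, snat)
        print(f"via {fw:12} SNAT={snat!s:5} reply->{r['reply_first_hop']:12} "
              f"symmetric={r['symmetric']}")
```

The middle case is the thread's symptom: the Comcast Firebox logs the request as allowed, the server answers, and the answer leaves through the Sprint Firebox, which has no NAT state for that connection. The website keeps working because its traffic enters and leaves through the same box.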
 
LVL 1

Author Comment

by:Niples
DTAHARLEV, reverse NAT is not an option because then it would reroute all website traffic back out the Comcast firewall as well, and then Mikesm559 is right, this will become a giant nightmare trying to log and analyze traffic.

I think I'm going to have to revert to my other option and request another static IP from Sprint, put it on the same firewall, and set up a NAT rule to point it to the Exchange server.

So now I'm back to my original problem and I'm going to have to use a custom SSL port for OWA.

I have no problem with this; the only thing is this whole project is kind of focused around the COO getting a new iPhone and trying to set up Exchange email on it. I hope the iPhone doesn't give any issues trying to come across this custom SSL port.

Thanks guys
 
LVL 1

Author Comment

by:Niples
Guys,
One last attempt at this...  

What if I used a second NIC, cabled it directly to the firewall, gave it an out-of-scope IP and the Comcast firewall as gateway, putting it in a DMZ?

Do you believe the traffic will still go out the Sprint firewall?
 
LVL 65

Assisted Solution

by:Mestha (earned 250 total points)
You cannot use two NICs because a server itself can only have one default gateway. Dual homing Exchange simply confuses it and you will find nothing works.

You cannot use ActiveSync on a custom port. It is hard coded to port 443.
If both the OWA system and the corporate web site are on the same server then you have no other option but to use the same internet connection for both services. If you want to use SSL then you will need to get an additional external IP address. You have no other options if you want to retain everything on the same server.

Simon.
 
LVL 1

Author Comment

by:Niples
The corporate website is on a separate webserver in the DMZ. The traffic comes across the Sprint firewall for the web traffic as well as Exchange.

So there is no way to use 443 for both the website and OWA with 2 different static IPs on the same firewall?
 
LVL 65

Expert Comment

by:Mestha
If you have two IP addresses then you can just direct them to the different servers.
With SSL it is one IP address per certificate.

Whether your firewall can do it is another matter. I know the Cisco device I have sat next to me can.

Simon.
 
LVL 1

Author Comment

by:Niples
I just sent a DNS change to Sprint to point my OWA host address to one of my other Sprint IPs.

My firebox allows me to add up to 8 external IP's.  I have CA installed on the exchange server and I configured its name to match my host name (owa.company.com).  So I should be good.  I'll update you when the DNS change completes...
 
LVL 1

Author Comment

by:Niples
Update:

I have another static address from Sprint and now have my new host name pointing to it. I've added the new public IP to my Sprint firewall and created HTTPS and HTTP NAT rules to point to my Exchange server. I have my wildcard certificate from Network Solutions installed and OWA works perfectly.

The only problem now is that somehow along the way the Default Website won't start on port 80. So I had to change it to 81 for the site to start in IIS. But from what I understand, ActiveSync and Mobile Access require port 80.

This is crucial because the whole purpose for getting this up and running was to deploy an iPhone for my COO. The Exchange account verifies, but when it goes to sync and pull mail, contacts, and calendar it fails with "Cannot connect to Server".

I ran the Exchange Server Remote Connectivity Analyzer for ActiveSync and all goes well until it hits "Attempting FolderSync command on ActiveSync session" and it returns "FolderSync command test failed", "Exchange ActiveSync returned an HTTP 500 response."

I'm assuming this is the result of the default website not listening on port 80. I ran netstat -ano and inetinfo.exe is the only thing listening on port 80. I tried running httpcfg set iplisten on my Exchange server for port 80 and that didn't work.

Suggestions????
 
LVL 65

Assisted Solution

by:Mestha (earned 250 total points)
Something has to be listening on port 80 for the site to fail to start. You may also have problems with a wildcard certificate. I cannot remember if the version of ActiveSync that Apple have implemented can support wildcard.

Is anything logged when you try to start the default web site?

Simon.
 
LVL 1

Author Comment

by:Niples
Mestha:

I spoke to Network Solutions and they mentioned the same thing about an issue using the wildcard, so I've purchased a separate cert for OWA which I should have in the next day or so.

As far as IIS, I changed the port back to 80 and then attempted to start the default website. It throws the following errors in the System Log (see code snippet). I've also attached the results of netstat -ano after changing the port back to 80.

I've researched the event IDs and tried all suggested resolutions but nothing has worked.

The only thing I can think of that may have caused this is I had taken the Exchange server down for maintenance and accidentally plugged the network cable back into the wrong NIC, which was set to DHCP, resulting in a bunch of DNS issues which I finally resolved. Could the default website port still be bound to the other NIC?

Thanks !


Event ID: 15005
Source: HTTP

Unable to bind to the underlying transport for 0.0.0.0:80. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.

AND ALSO:

Event ID: 1004
Source: W3SVC

Cannot register the URL prefix 'http://*:80/ExchWeb/' for site '1'. The site has been deactivated.  The data field contains the error number.


ExchangeNetStatAno.txt
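Event 15005 names the two things worth checking before touching the metabase: whether another process already holds port 80, and whether the http.sys IP listen list still carries an address from the NIC that has since gone away. The script below is an editor-added example, not code from this thread or from Microsoft: it parses the text of `netstat -ano` and of `httpcfg query iplisten` (both samples are constructed here; the exact `httpcfg` layout is assumed, so the parser just picks out the IPv4 addresses) and compares the listen list against the addresses the box currently has, which on a live server you would take from `ipconfig`.

```python
import re

# Constructed sample of `netstat -ano` on the Exchange server: inetinfo.exe (IIS 6,
# PID 1520 here) holds 80 and 443, and the RDP listener is bound to the NIC address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:443       203.0.113.50:51000     ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `httpcfg query iplisten` output (format assumed):
# two entries, the second being the address the DHCP NIC had and no longer has.
SAMPLE_IPLISTEN = """\
    IP                 : 192.168.1.10
    IP                 : 10.0.5.23
"""

# Addresses the box currently has (constructed); take these from `ipconfig` on a live box.
CURRENT_ADDRESSES = ["192.168.1.10", "127.0.0.1"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_netstat_ano(text):
    """Rows of `netstat -ano` as dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        addr, port = local.rsplit(":", 1)   # rsplit also copes with [::]:80
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def listeners_on(rows, port):
    """TCP sockets in LISTENING state on `port`, with the owning PID."""
    return [r for r in rows if r["proto"] == "TCP" and r["port"] == port
            and r["state"] == "LISTENING"]


def parse_iplisten(text):
    """Every IPv4 address mentioned in the httpcfg output."""
    return IPV4.findall(text)


def stale_iplisten_entries(iplisten, current_addresses):
    """Listen-list entries that no interface currently owns; http.sys cannot
    bind those, which is the condition Event 15005 describes.
    0.0.0.0 means 'all interfaces' and is always bindable."""
    have = set(current_addresses)
    return [ip for ip in iplisten if ip != "0.0.0.0" and ip not in have]


def diagnose_port(rows, iplisten, current_addresses, port=80):
    """Why http.sys may fail to bind `port`: another process already holds it,
    and/or the IP listen list names an address that is gone."""
    findings = []
    for r in listeners_on(rows, port):
        findings.append(f"port {port} already held by PID {r['pid']} on {r['addr']}")
    for ip in stale_iplisten_entries(iplisten, current_addresses):
        findings.append(f"IP listen list entry {ip} matches no local interface")
    return findings


if __name__ == "__main__":
    for finding in diagnose_port(parse_netstat_ano(SAMPLE_NETSTAT),
                                 parse_iplisten(SAMPLE_IPLISTEN), CURRENT_ADDRESSES):
        print(finding)
```

A stale entry is cleared with `httpcfg delete iplisten -i <address>` (restart the HTTP service afterwards), which is a far smaller change than restoring the whole metabase; if the listen list is clean and a PID other than IIS holds the port, `tasklist` against that PID tells you what to stop.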
 
LVL 1

Author Comment

by:Niples
Update:

I restored IIS Metabase to an earlier version and port 80 is active on the default site and running.

I'll give another update when I have the new cert and hopefully everything will be up and running on the iPhone.

Thanks
 
LVL 1

Author Comment

by:Niples
Another Update:

Now that I have restored the IIS Metabase and I run the Exchange Server Remote Connectivity Analyzer for ActiveSync, I don't get as far as I did before!

Before, I could create an ActiveSync session with the server and it would error out on the last step when attempting to send the OPTIONS command to the server. Now I receive "Errors were encountered while testing the ActiveSync Session".

This is nuts! It's like 1 step forward, 2 back!!!!
 
LVL 1

Author Comment

by:Niples
Another update:

I followed the steps listed in this article: http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm
and now when I run the Exchange Remote Connectivity Analyzer for ActiveSync (without SSL verification) it connects with no errors!!!

Is there a way to take my wildcard cert and rename it to match my host name and import it to Exchange?
 
LVL 65

Expert Comment

by:Mestha
The only way to change the wildcard certificate is to get another certificate issued. Wildcard certificates are slightly different to regular certificates so new certificates will be needed.

Simon.
 
LVL 1

Author Comment

by:Niples
Thanks Simon!

I'll get back to you Monday when I should have the new cert installed and hopefully this will resolve my remaining issue!

Mick
 
LVL 1

Author Comment

by:Niples
All good !
I installed the cert and the iPhone is connected and "sunk".
Funny thing is I also applied hotfix KB 924334 to the Exchange server to fix the COO's OWA IE7 S/MIME issue, and I'm wondering if that had something to do with it also.

That patch updates Davex.dll and Exoledb.dll, which are used to communicate between Exchange and IIS and with the information store...

Hmmm....
Thanks for help guys!
