Solved

Exchange 2010 External OWA Problem

Posted on 2010-08-27
Last Modified: 2012-05-10
I have just set up Exchange 2010 and am trying to get OWA to work correctly. It will work from the LAN with https://servername/owa. It does not work from https://webmail.mycompany.com. I have a public DNS record set and a NAT Policy to convert the public IP to the private IP. I cannot get the external URL to work from either external or internal. Anyone know why this could be?

In the install, I did not specify this as Internet facing. But I figured as long as I specified the OWA external address in the EMC that it should still work.
Question by:MCSF
32 Comments
 
LVL 5

Expert Comment

by:kpoochi
What is the error you are getting externally?

Author Comment

by:MCSF
In Firefox I'm getting "the connection timed out" and in IE I'm getting "Internet Explorer cannot display the webpage".

Author Comment

by:MCSF
One more thing. I currently do not have an SSL cert as the cert will have to be moved from our current production server to this one when we migrate. That shouldn't matter should it?

LVL 5

Expert Comment

by:kpoochi
Yes of course, the certificate matters a lot for HTTPS communication. Since we are able to access OWA locally using https at we would've got a certificate bound to DWS

Do you have a firewall or ISA where the certificate is installed?

Author Comment

by:MCSF
No, the certificate is currently on a 2003 front-end server. It will be moved to the 2010 CAS server.

LVL 37

Expert Comment

by:Neil Russell
First step, go here and test.
https://www.testexchangeconnectivity.com/

Author Comment

by:MCSF
I've used that tool several times, but I don't see which tool would help test OWA. Which one should I use? We won't be using Outlook Anywhere or external autodiscover at this time.

LVL 28

Expert Comment

by:sunnyc7
get-owavirtualdirectory | fl
If your externalURL is blank, it won't work from outside.

LVL 5

Expert Comment

by:kpoochi
Neilsr, we do not have any test for OWA in https://www.testexchangeconnectivity.com/ ...

MCSF,

Please move the certificate to the CAS server, as in a mixed environment of 2003 and 2007 the CAS takes precedence over the FE server. So, we should be able to resolve this once we move the certificate to the CAS server.

Author Comment

by:MCSF
The external URL is listed correctly as https://webmail.mydomain.com/owa

Author Comment

by:MCSF
I could move the cert, but then everyone would be cut off from OWA as they are all still on 2003 and I don't have a legacy cert. Even if I don't have a cert, shouldn't it at least give me a certificate warning? It doesn't even seem to be getting there.

LVL 37

Expert Comment

by:Neil Russell
@kpoochi
What do you mean "We don't have any test for....." ? Hello?

LVL 28

Expert Comment

by:sunnyc7
a) www.canyouseeme.org
Check if 443 is open
b) Did you install a UCC/SAN cert?
c) Can you post a screenshot of the error when accessing OWA externally ?

thanks

Author Comment

by:MCSF
a.) At that website it is testing our WAN IP, so 443 fails. This is a private IP that has NAT. The NAT rule is open to 80 and 443.
b.) What is a UCC/SAN Cert?
c.) screenshot attached
screen.jpg

LVL 5

Expert Comment

by:kpoochi
Check whether the port is open. Do an nslookup for webmail.mydomain.com and check where it is pointing to.

Author Comment

by:MCSF
I did an nslookup from the outside and it resolved to the correct public IP address.

LVL 5

Expert Comment

by:kpoochi
Do you have a proxy in your clients? Check the internet connection in our clients....

Author Comment

by:MCSF
No proxy. Is there anything in particular I need to worry about in IIS?

LVL 5

Expert Comment

by:kpoochi
Since internally it is working fine, it should not be a problem in IIS or anything on the Exchange server.....

Try browsing webmail.mydomain.com/owa internally and check (make sure you have a host (A) record for webmail in your internal DNS)

Author Comment

by:MCSF
No, the external URL does not work internally either.

LVL 5

Expert Comment

by:kpoochi
Do you have host headers set on Default Web Site in IIS... If yes remove the host headers and make sure the bindings are set properly to IP address as "All Unassigned"

Author Comment

by:MCSF
Where would I check for host headers under Default Website?

Author Comment

by:MCSF
I am using IIS 7 by the way.

LVL 5

Expert Comment

by:kpoochi
In IIS, select Default Website... Right hand side, click on Bindings select port 80 and click edit... Host header box should be empty and IP should be "All Unassigned"

Check the same for port 443

Author Comment

by:MCSF
Port 80: IP address is All Unassigned with no hostname
Port 443: IP address is All Unassigned with no hostname and SSL certificate is listed as Microsoft Exchange.

LVL 5

Expert Comment

by:kpoochi
View the certificate and check the "Issued to" name.

Author Comment

by:MCSF
The certificate was issued by the Exchange server - Server1. Internally when connecting to internal URL I got a certificate error, but it worked. Is there some reason why the certificate would be required just to test the external URL?

LVL 28

Expert Comment

by:sunnyc7
Can we focus on your firewall and see if it's actually forwarding 443?

If that doesn't work, all IIS stuff is moot.

LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
You mentioned here http:#33544718 that 443 fails, hence I wanted to focus on the firewall and see if NAT is working and forwarding 443 to the Exchange internal IP.

UCC/SAN Cert - is required for autodiscover and other exchange services.
You can get one from digicert here
www.digicert.com/easy-csr/exchange2007.htm

or Godaddy.

Author Comment

by:MCSF
Called our firewall vendor and as it turns out it was an incorrect rule on the firewall for external access. Also had to create a loopback NAT policy for internal to work on the external address.

LVL 28

Expert Comment

by:sunnyc7
Life is good :)

LVL 28

Expert Comment

by:sunnyc7
thanks for the points !!
0
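
The thread turns on whether the failure sits in DNS, in the firewall/NAT path, or in the certificate. The following is an added example, not part of the original thread or of any poster's code, that tests those three layers in order and reports the first one that does not answer; the function name `Test-OwaPath` is hypothetical, the hostnames are the ones used in the thread, and it assumes IPv4.

```powershell
# Added example. Run it once from outside the network and once from the LAN.
function Test-OwaPath {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    # FailedAt names the first layer that did not answer; $null means all three passed.
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Address = $null; FailedAt = 'DNS'
        CertSubject = $null; CertIssuer = $null; CertTrusted = $null
    }
    # Layer 1: name resolution (the nslookup step). Assumption: IPv4 only.
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    } catch { return $r }
    if (-not $addr) { return $r }
    $r.Address = $addr.IPAddressToString

    # Layer 2: TCP connect. A timeout here points at the firewall/NAT rule,
    # not at IIS bindings or the certificate.
    $r.FailedAt = 'TCP'
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($addr, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $r }
        $client.EndConnect($pending)

        # Layer 3: TLS handshake. The callback lets the handshake finish so that a
        # self-signed certificate is reported instead of aborting; no data is sent.
        $r.FailedAt = 'TLS'
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $tls.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertIssuer  = $cert.Issuer
        $r.CertTrusted = $cert.Verify()   # chain trust only; does not compare the name
        $r.FailedAt = $null
    }
    catch { }   # refused connection or failed handshake: FailedAt keeps the layer name
    finally { $client.Close() }
    $r
}

# Hostnames as used in the thread.
Test-OwaPath -HostName 'webmail.mycompany.com'
Test-OwaPath -HostName 'servername'
```

A result of `FailedAt = TCP` for the external name with `FailedAt` empty for the internal name matches the symptom in this thread: the connection never reaches the server, so no certificate warning can appear.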
