Solved

Exchange 2010 External OWA Problem

Posted on 2010-08-27
Last Modified: 2012-05-10
I have just set up Exchange 2010 and am trying to get OWA to work correctly. It will work from the LAN with https://servername/owa. It does not work from https://webmail.mycompany.com. I have a public DNS record set and a NAT Policy to convert the public IP to the private IP. I cannot get the external URL to work from either external or internal. Anyone know why this could be?

In the install, I did not specify this as Internet facing. But I figured as long as I specified the OWA external address in the EMC that it should still work.
0
Question by:MCSF
32 Comments
 
LVL 5

Expert Comment

by:kpoochi
ID: 33544050
What is the error you are getting externally?
0
 

Author Comment

by:MCSF
ID: 33544142
In Firefox I'm getting "the connection timed out" and in IE I'm getting "Internet Explorer cannot display the webpage".
0
 

Author Comment

by:MCSF
ID: 33544171
One more thing. I currently do not have an SSL cert as the cert will have to be moved from our current production server to this one when we migrate. That shouldn't matter should it?
0

 
LVL 5

Expert Comment

by:kpoochi
ID: 33544240
Yes, of course, the certificate matters a lot for HTTPS communication. Since we are able to access OWA locally using https at we would've got a certificate bound to DWS.

Do you have a firewall or ISA where the certificate is installed?
0
 

Author Comment

by:MCSF
ID: 33544277
No, the certificate is currently on a 2003 front-end server. It will be moved to the 2010 CAS server.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33544286
First step, go here and test.
https://www.testexchangeconnectivity.com/ 
0
 

Author Comment

by:MCSF
ID: 33544346
I've used that tool several times, but I don't see which tool would help test OWA. Which one should I use? We won't be using Outlook Anywhere or external autodiscover at this time.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544371
get-owavirtualdirectory | fl
If your externalURL is blank, it won't work from outside.
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33544377
Neilsr, we do not have any test for OWA in https://www.testexchangeconnectivity.com/ ...

MCSE,

Please move the certificate to the CAS server, as in a mixed environment of 2003 and 2007 the CAS takes precedence over the FE server. So, we should be able to resolve this once we move the certificate to the CAS server.

0
 

Author Comment

by:MCSF
ID: 33544415
The external URL is listed correctly as https://webmail.mydomain.com/owa
0
 

Author Comment

by:MCSF
ID: 33544446
I could move the cert, but then everyone would be cut off from OWA as they are all still on 2003 and I don't have a legacy cert. Even if I don't have a cert, shouldn't it at least give me a certificate warning? It doesn't even seem to be getting there.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33544447
@kpoochi
What do you mean "We don't have any test for....." ? Hello?
 
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544456
a) www.canyouseeme.org
Check if 443 is open
b) Did you install a UCC/SAN cert?
c) Can you post a screenshot of the error when accessing OWA externally ?

thanks
0
 

Author Comment

by:MCSF
ID: 33544718
a.) At that website it is testing our WAN IP, so 443 fails. This is a private IP that has NAT. The NAT rule is open to 80 and 443.
b.) What is a UCC/SAN Cert?
c.) screenshot attached
screen.jpg
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33544731
Check whether the port is open. Do an nslookup for webmail.mydomain.com and check where it is pointing to.
0
 

Author Comment

by:MCSF
ID: 33544897
I did an nslookup from the outside and it resolved to the correct public IP address.
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33544923
Do you have a proxy in your clients? Check the internet connection in our clients.
0
 

Author Comment

by:MCSF
ID: 33545126
No proxy. Is there anything in particular I need to worry about in IIS?
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33545171
Since internally it is working fine, it should not be a problem in IIS or anything on the Exchange server.....

Try browsing webmail.mydomain.com/owa internally and check (make sure you have a host (A) record for webmail in your internal DNS)
0
 

Author Comment

by:MCSF
ID: 33545368
No, the external URL does not work internally either.
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33545405
Do you have host headers set on Default Web Site in IIS... If yes remove the host headers and make sure the bindings are set properly to IP address as "All Unassigned"
0
 

Author Comment

by:MCSF
ID: 33545523
Where would I check for host headers under Default Website?
0
 

Author Comment

by:MCSF
ID: 33545527
I am using IIS 7 by the way.
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33545545
In IIS, select Default Website... Right hand side, click on Bindings select port 80 and click edit... Host header box should be empty and IP should be "All Unassigned"

Check the same for port 443
0
 

Author Comment

by:MCSF
ID: 33545565
Port 80: IP address is All Unassigned with no hostname
Port 443: IP address is All Unassigned with no hostname and SSL certificate is listed as Microsoft Exchange.
0
 
LVL 5

Expert Comment

by:kpoochi
ID: 33545618
View the certificate and check the "Issued to" name.
0
 

Author Comment

by:MCSF
ID: 33545704
The certificate was issued by the Exchange server - Server1. Internally when connecting to internal URL I got a certificate error, but it worked. Is there some reason why the certificate would be required just to test the external URL?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33545769
Can we focus on your firewall and see if it's actually forwarding 443?

If that doesn't work, all the IIS stuff is moot.
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
ID: 33545857
You mentioned here http:#33544718 that 443 fails, hence I wanted to focus on the firewall and see if NAT is working and forwarding 443 to the Exchange internal IP.

UCC/SAN Cert - is required for autodiscover and other exchange services.
You can get one from digicert here
www.digicert.com/easy-csr/exchange2007.htm

or Godaddy.
0
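A staged check for the distinction this answer draws between a firewall/NAT failure and a certificate problem, as an added example that is not from any poster in this thread. `Test-OwaPath` is a hypothetical helper name, and the host name is the placeholder used in the question.

```powershell
# Added diagnostic sketch: reports the first stage (DNS, TCP, TLS) at which
# the path to OWA breaks, so a blocked port is not mistaken for a cert issue.
function Test-OwaPath {
    param(
        [string]$HostName = 'webmail.mycompany.com',  # placeholder from the thread
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object psobject -Property @{
        HostName = $HostName; Address = $null; TcpOpen = $false
        CertSubject = $null; CertIssuer = $null; FailedAt = $null
    }
    # Stage 1: DNS. Shows which address this client is actually sent to.
    try { $result.Address = [System.Net.Dns]::GetHostAddresses($HostName)[0].IPAddressToString }
    catch { $result.FailedAt = 'DNS'; return $result }

    # Stage 2: TCP connect with a timeout. A timeout or refusal here points at
    # firewall rules, NAT or routing; IIS and the certificate are not reached yet.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($result.Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.FailedAt = 'TCP (timed out)'; return $result
        }
        $tcp.EndConnect($async)   # throws if the connection was refused
        $result.TcpOpen = $true

        # Stage 3: TLS handshake. Validation is bypassed only to read which
        # certificate the server presents; no application data is sent.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertIssuer  = $cert.Issuer
    }
    catch {
        if (-not $result.FailedAt) {
            $result.FailedAt = if ($result.TcpOpen) { 'TLS' } else { 'TCP (refused)' }
        }
    }
    finally { $tcp.Close() }
    $result
}

Test-OwaPath -HostName 'webmail.mycompany.com' | Format-List
```

Run it once from a machine on the LAN and once from outside and compare the `Address` and `FailedAt` values; a self-signed certificate shows up as a populated `CertSubject`, not as a TCP failure.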
 

Author Comment

by:MCSF
ID: 33546317
Called our firewall vendor and as it turns out it was an incorrect rule on the firewall for external access. Also had to create a loopback NAT policy for internal to work on the external address.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33546329
Life is good :)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33546331
thanks for the points !!
0
