3D2K
OWA on Exchange 2010
Exchange 2010 installed on 2008 R2 (virtualised in Xenserver 5.5).
I can access OWA on the LAN without issue.
Attempting to access from the WAN (Internet) results in:
Certificate Error (owa-err-01.jpg),
Continue
Certificate Error (owa-err-02.jpg)
Continue
Application Error (owa-err-03.jpg)
I am using port 445 forwarded through a Watchguard Firebox to the internal server on port 443.
Port 443 inbound is used for Citrix Secure Gateway traffic.
I am using a self cert certificate.
owa-err-01.jpg
owa-err-02.jpg
owa-err-03.jpg
endital is right about the certificates
also run
get-owavirtualdirectory | fl
Is this a single exchange server / part of a CAS array ?
thanks
If your company doesn't want to buy a SAN certificate and ONLY if they do not want to buy one then have a look at this link:
http://www.ms-phantom.com/2009/07/creating-san-certificate-for-exchange.html
Looks like the port number is causing some issue here?
On the LAN, do you access OWA using http or https?
Can you try to access OWA for another mailbox? Any clues in the application logs? IIS logs?
Ignore the link up top, seems the site was taken down. apologies for not checking it before posting it.
ASKER
Thanks for the fast response guys.
It's a single server.
Not sure what you mean by contoso.com etc. I've added that to the URL and also my domain redwood.co.uk and all I get is a 404 File not found error.
I've attached the output from the get-owavirtualdirectory command.
Brian
owa.txt
start > run > inetmgr
Expand Sites > default website
Right click on default website
Edit bindings
Check if HTTPS goes to 443 there
Edit that and change it to 445 for HTTPS
and then run this
iisreset /noforce
thanks
ASKER
I've set up the Watchguard to port forward traffic coming in on 445 to port 443 on the Exchange Server.
Can't run the iisreset command "Command not found".
Stopped and started the IIS though and now I am unable to display web page.
Set it back to 443 and still unable to display web page.
Looks like it's broken now!
ASKER
That is I can't see the web page locally anymore!
when you reset it back to 443 > did you restart IIS Admin service ?
ASKER
Correction, I can see the web page locally.
I'm checking all of my configs and will report back.
Brian
your internalurl value is set to https://res-exs.redwood.co.uk/owa
the certificate installed on the server should have the name res-exs.redwood.co.uk
you could for external access update the externalurl value to match the name on the cert
https://mail.redwood.co.uk/owa
ASKER
Turns out 445 is used by another process, so I've changed to 448 which appears to be free.
However, same issue now Server Error '/' In Application blah blah blah.
The bums that write this stuff ought to try to install it in the wild before they release it!
can you try this from exchange server
netstat -ab
and see if 448 is showing up
ASKER
sunnyc7
No mention of 448.
I've realised to get Citrix Secure Gateway to work I have an entry in my hosts file that maps the hostname to the external ip address. I believe this is also causing issues for owa.
I'm going to give up on owa for the time being and maybe come back to it later.
From my research (and previous experience) it looks like self cert is not the way to go and I may need to get the end user to put his hands in his pockets and buy a SSL Certificate. Although my last experience with a GoDaddy certificate on SBS 2003 wasn't a pleasurable one!
ASKER
Endital1097:
Your last post seemed to indicate that there was a mismatch in certificate values.
Now I'm sorry but I don't understand (but would like to) your post.
Can you be more specific about the steps to take.
I'm under some pressure to resolve this issue and I really don't understand why a default installation of Exchange 2010 on Windows 2008 R2 should be so problematic when trying to access OWA from an external site.
Thank you.
Brian
ASKER
endital1097
Many thanks again for your prompt response.
I've had a look at your article on certificate errors and it is very informative.
My main problem is that I'm not understanding the issues with certificates and I'm paranoid about breaking what is a production Exchange 2010 server that is over 200 miles from my location.
I've attached the output from the cmdlets you mention in your last post. I have also approached GoDaddy with a view to purchasing a SSL certificate (proper). What is the point of self certs?
However, there are some issues that I'm concerned about that are probably going to cause me problems going forward.
I (inadvertently) named the internal domain redwood.co.uk which is owned by another external entity and hence is not available to the company I deal with externally. Their own domain is redwoodskills.com, but at the moment the DNS for redwoodskills.com points to an external web site and email is hosted as a 3rd party POP3 service. I can't get me head around how a SSL certificate is going to work in this environment as I'm addressing the OWA by IP address.
Regards
Brian
RES-OWA-01.jpg
ASKER
I recommend the first course of action is to purchase a UCC/SAN certificate from any of the vendors mentioned. I chose GoDaddy, they are very helpful with any issues you may have, and their online help files are useful, if not complete (a bit thin for Exchange 2010).
I am still having major issues with this installation in getting Citrix Secure Gateway and Autodiscover to work together using SSL.
It was my misfortune to install CSG first and assign that the standard SSL port 443. After many hours of trying I am resolved to reconfiguring CSG to use a different SSL port and let Exchange/Autodiscover have SSL port 443 all to itself.
That would be my final advice.
you must install the certificate on the local machine for it to be trusted
you must also enter the url with the name of the subject
in your case the subject for the cert is server.contoso.com but you are browsing to owa.contoso.com
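The name check behind the certificate errors discussed in this thread (the host in the URL must match a name on the certificate), as an added example that is not part of any post above. Test-CertificateName is a hypothetical helper, the certificate name lists and the address 203.0.113.10 are constructed, and the host names are the ones quoted in the thread; no Exchange cmdlets are called.

```powershell
# Added example: pure string logic on constructed inputs.
function Test-CertificateName {
    param(
        [Parameter(Mandatory=$true)][string]   $HostName,   # host part of the URL typed into the browser
        [Parameter(Mandatory=$true)][string[]] $CertNames   # subject CN plus DNS subject alternative names
    )
    $h = $HostName.TrimEnd('.').ToLowerInvariant()

    # An IP literal never matches a DNS name on the certificate,
    # so browsing to OWA by IP address always raises a name error.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($h, [ref]$ip)) { return $false }

    foreach ($name in $CertNames) {
        $n = $name.TrimEnd('.').ToLowerInvariant()
        if ($n -eq $h) { return $true }

        # A wildcard name covers exactly one label on the left.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $left = $h.Substring(0, $h.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed certificate name lists: a SAN certificate carrying both OWA names,
# and a single-name certificate like the one described in the last post.
$sanCert    = @('res-exs.redwood.co.uk', 'mail.redwood.co.uk')
$singleCert = @('server.contoso.com')

$cases = @(
    @{ Url = 'https://res-exs.redwood.co.uk/owa'; Names = $sanCert },     # InternalUrl from the thread
    @{ Url = 'https://mail.redwood.co.uk/owa';    Names = $sanCert },     # ExternalUrl from the thread
    @{ Url = 'https://203.0.113.10:448/owa';      Names = $sanCert },     # constructed: access by IP address
    @{ Url = 'https://owa.contoso.com/owa';       Names = $singleCert }   # subject is server.contoso.com
)

foreach ($c in $cases) {
    $hostPart = ([System.Uri]$c.Url).Host
    $ok = Test-CertificateName -HostName $hostPart -CertNames $c.Names
    '{0,-36} {1}' -f $c.Url, $(if ($ok) { 'name matches' } else { 'name mismatch' })
}
```

A name match is only half of what the browser checks; the certificate must also chain to an issuer the client trusts, which is why a self-signed certificate still warns until it is installed on the client machine.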