3D2K

asked on

OWA on Exchange 2010

Exchange 2010 installed on 2008 R2 (virtualised in Xenserver 5.5).

I can access OWA on the LAN without issue.

Attempting to access from the WAN (Internet) results in:

Certificate Error (owa-err-01.jpg),

Continue

Certificate Error (owa-err-02.jpg)

Continue

Application Error (owa-err-03.jpg)

I am using port 445 forwarded through a Watchguard Firebox to the internal server on port 443.

Port 443 inbound is used for Citrix Secure Gateway traffic.

I am using a self cert certificate.

endital1097

the issue is the self signed certificate
you must install the certificate on the local machine for it to be trusted
you must also enter the url with the name of the subject

in your case the subject for the cert is server.contoso.com but you are browsing to owa.contoso.com
endital is right about the certificates

also run
get-owavirtualdirectory | fl

Is this a single exchange server / part of a CAS array ?

thanks
thetime

If your company doesn't want to buy a SAN certificate and ONLY if they do not want to buy one then have a look at this link:

http://www.ms-phantom.com/2009/07/creating-san-certificate-for-exchange.html
Looks like the port number is causing some issue here?

On the LAN, do you access OWA using http or https?
Can you try accessing OWA for another mailbox? any clues on the application logs? IIS logs?
Ignore the link up top, seems the site was taken down. apologies for not checking it before posting it.
3D2K

ASKER

Thanks for the fast response guys.

It's a single server.

Not sure what you mean by contoso.com etc.  I've added that to the URL and also my domain redwood.co.uk and all I get is a 404 File not found error.

I've attached the output from the get-owavirtualdirectory command.

Brian
owa.txt
start > run > inetmgr
Expand Sites > default website

Right click on default website
Edit bindings

Check if HTTPS goes to 443 there
Edit that and change it to 445 for HTTPS

and then run this

iisreset /noforce

thanks


3D2K

ASKER

I've set up the Watchguard to port forward traffic coming in on 445 to port 443 on the Exchange Server.

Can't run the iisreset command "Command not found".

Stopped and started the IIS though and now I am unable to display web page.

Set it back to 443 and still unable to display web page.

Looks like it's broken now!
3D2K

ASKER

That is I can't see the web page locally anymore!
when you reset it back to 443 > did you restart IIS Admin service ?
3D2K

ASKER

Correction, I can see the web page locally.

I'm checking all of my configs and will report back.

Brian
your internalurl value is set to https://res-exs.redwood.co.uk/owa
the certificate installed on the server should have the name res-exs.redwood.co.uk

you could for external access update the externalurl value to match the name on the cert
https://mail.redwood.co.uk/owa
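
Added example, not part of the thread or of any poster's reply: the name check the posts above describe (the host name typed into the browser must be one of the names on the certificate), written as a PowerShell function. The function name `Test-CertNameMatch` and the sample values are assumptions built from the names quoted in the thread; on the server the inputs would come from `Get-OwaVirtualDirectory` (InternalUrl, ExternalUrl) and `Get-ExchangeCertificate` (CertificateDomains).

```powershell
# Added example (hypothetical helper, not Exchange's own code).
# Returns $true when $HostName is covered by one of the certificate names.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory=$true)] [string]   $HostName,
        [Parameter(Mandatory=$true)] [string[]] $CertNames
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $CertNames) {
        $labels = $name.ToLowerInvariant().TrimEnd('.').Split('.')
        # Names with a different number of labels can never match.
        if ($labels.Length -ne $hostLabels.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $labels.Length; $i++) {
            # A wildcard counts only as the whole left-most label, and only
            # when at least two labels follow it (so "*.uk" covers nothing).
            if ($i -eq 0 -and $labels[0] -eq '*' -and $labels.Length -ge 3) { continue }
            if ($labels[$i] -ne $hostLabels[$i]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

# Constructed sample input using the names quoted in the thread:
# a certificate that carries only the server's internal name.
$certNames = @('res-exs.redwood.co.uk')
$owaUrls   = @('https://res-exs.redwood.co.uk/owa',
               'https://mail.redwood.co.uk/owa')

foreach ($url in $owaUrls) {
    # Only the host part of the URL is compared; the port plays no role
    # in certificate name matching.
    $hostName = ([Uri]$url).Host
    $ok = Test-CertNameMatch -HostName $hostName -CertNames $certNames
    $verdict = if ($ok) { 'covered by certificate' } else { 'NAME MISMATCH' }
    '{0,-28} {1}' -f $hostName, $verdict
}
```

A name that passes this check still produces a browser warning if the issuing certificate is not trusted on the client, which is the separate point made about self-signed certificates earlier in the thread.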
3D2K

ASKER

Turns out 445 is used by another process, so I've changed to 448 which appears to be free.

However, same issue now Server Error '/' In Application blah blah blah.

The bums that write this stuff ought to try to install it in the wild before they release it!
can you try this from exchange server

netstat -ab

and see if 448 is showing up
3D2K

ASKER

sunnyc7

No mention of 448.

I've realised to get Citrix Secure Gateway to work I have an entry in my hosts file that maps the hostname to the external ip address.  I believe this is also causing issues for owa.

I'm going to give up on owa for the time being and maybe come back to it later.

From my research (and previous experience)  it looks like self cert is not the way to go and I may need to get the end user to put his hands in his pockets and buy a SSL Certificate.  Although my last experience with a GoDaddy certificate on SBS 2003 wasn't a pleasurable one!
ASKER CERTIFIED SOLUTION
sunnyc7
3D2K

ASKER

Endital1097:

Your last post seemed to indicate that there was a mismatch in certificate values.

Now I'm sorry but I don't understand (but would like to) your post.

Can you be more specific about the steps to take.

I'm under some pressure to resolve this issue and I really don't understand why a default installation of Exchange 2010 on Windows 2008 R2 should be so problematic when trying to access OWA from an external site.

Thank you.

Brian
SOLUTION
3D2K

ASKER

endital1097

Many thanks again for your prompt response.

I've had a look at your article on certificate errors and it is very informative.

My main problem is that I'm not understanding the issues with certificates and I'm paranoid about breaking what is a production Exchange 2010 server that is over 200 miles from my location.

I've attached the output from the cmdlets you mention in your last post.  I have also approached GoDaddy with a view to purchasing a SSL certificate (proper).  What is the point of self certs?

However, there are some issues that I'm concerned about that are probably going to cause me problems going forward.

I (inadvertently) named the internal domain redwood.co.uk which is owned by another external entity and hence is not available to the company I deal with externally.  Their own domain is redwoodskills.com, but at the moment the DNS for redwoodskills.com points to an external web site and email is hosted as a 3rd party POP3 service.  I can't get me head around how a SSL certificate is going to work in this environment as I'm addressing the OWA by IP address.

Regards

Brian
RES-OWA-01.jpg
3D2K

ASKER

I recommend the first course of action is to purchase a UCC/SAN certificate from any of the vendors mentioned.  I chose GoDaddy, they are very helpful with any issues you may have, and their online help files are useful, if not complete (a bit thin for Exchange 2010).

I am still having major issues with this installation in getting Citrix Secure Gateway and Autodiscover to work together using SSL.

It was my misfortune to install CSG first and assign that the standard SSL port 443.  After many hours of trying I am resolved to reconfiguring CSG to use a different SSL port and let Exchange/Autodiscover have SSL port 443 all to itself.

That would be my final advice.