OWA on Exchange 2010

Exchange 2010 installed on 2008 R2 (virtualised in Xenserver 5.5).

I can access OWA on the LAN without issue.

Attempting to access from the WAN (Internet) results in:

Certificate Error (owa-err-01.jpg),

Continue

Certificate Error (owa-err-02.jpg)

Continue

Application Error (owa-err-03.jpg)

I am using port 445 forwarded through a Watchguard Firebox to the internal server on port 443.

Port 443 inbound is used for Citrix Secure Gateway traffic.

I am using a self cert certificate.

 
endital1097Commented:
the issue is the self signed certificate
you must install the certificate on the local machine for it to be trusted
you must also enter the url with the name of the subject

in your case the subject for the cert is server.contoso.com but you are browsing to owa.contoso.com
 
sunnyc7Commented:
endital is right about the certificates

also run
get-owavirtualdirectory | fl

Is this a single exchange server / part of a CAS array ?

thanks
 
thetimeCommented:
If your company doesn't want to buy a SAN certificate and ONLY if they do not want to buy one then have a look at this link:

http://www.ms-phantom.com/2009/07/creating-san-certificate-for-exchange.html
 
e_aravindCommented:
Looks like the port number is causing some issue here?

On the LAN, do you access OWA using http or https?
Can you try access OWA for other mailbox? any clues on the application logs? IIS logs?
 
thetimeCommented:
Ignore the link up top, seems the site was taken down. apologies for not checking it before posting it.
 
3D2KAuthor Commented:
Thanks for the fast response guys.

It's a single server.

Not sure what you mean by contoso.com etc.  I've added that to the URL and also my domain redwood.co.uk and all I get is a 404 File not found error.

I've attached the output from the get-owavirtualdirectory command.

Brian
owa.txt
 
sunnyc7Commented:
start > run > inetmgr
Expand Sites > default website

Right click on default website
Edit bindings

Check if HTTPS goes to 443 there
Edit that and change it to 445 for HTTPS

and then run this

iisreset /noforce

thanks
 
3D2KAuthor Commented:
I've set up the Watchguard to port forward traffic coming in on 445 to port 443 on the Exchange Server.

Can't run the iisreset command "Command not found".

Stopped and started the IIS though and now I am unable to display web page.

Set it back to 443 and still unable to display web page.

Looks like it's broken now!
 
3D2KAuthor Commented:
That is I can't see the web page locally anymore!
 
sunnyc7Commented:
when you reset it back to 443 > did you restart IIS Admin service ?
 
3D2KAuthor Commented:
Correction, I can see the web page locally.

I'm checking all of my configs and will report back.

Brian
 
endital1097Commented:
your internalurl value is set to https://res-exs.redwood.co.uk/owa
the certificate installed on the server should have the name res-exs.redwood.co.uk

you could for external access update the externalurl value to match the name on the cert
https://mail.redwood.co.uk/owa
 
3D2KAuthor Commented:
Turns out 445 is used by another process, so I've changed to 448 which appears to be free.

However, same issue now Server Error '/' In Application blah blah blah.

The bums that write this stuff ought to try to install it in the wild before they release it!
 
sunnyc7Commented:
can you try this from exchange server

netstat -ab

and see if 448 is showing up
 
3D2KAuthor Commented:
sunnyc7

No mention of 448.

I've realised to get Citrix Secure Gateway to work I have an entry in my hosts file that maps the hostname to the external ip address.  I believe this is also causing issues for owa.

I'm going to give up on owa for the time being and maybe come back to it later.

From my research (and previous experience)  it looks like self cert is not the way to go and I may need to get the end user to put his hands in his pockets and buy a SSL Certificate.  Although my last experience with a GoDaddy certificate on SBS 2003 wasn't a pleasurable one!
 
sunnyc7Commented:
You need a UCC/SAN certificate.
You can get it from godaddy or digicert here
digicert.com/easy-csr/exchange2007.htm

thanks
 
3D2KAuthor Commented:
Endital1097:

Your last post seemed to indicate that there was a mismatch in certificate values.

Now I'm sorry but I don't understand (but would like to) your post.

Can you be more specific about the steps to take.

I'm under some pressure to resolve this issue and I really don't understand why a default installation of Exchange 2010 on Windows 2008 R2 should be so problematic when trying to access OWA from an external site.

Thank you.

Brian
 
endital1097Commented:
The following article discusses certificate errors (but doesn't address OWA)
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html

run the following cmdlets
Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | fl Cert*
Get-OwaVirtualDirectory | fl *Url

you should see the values from the second cmdlet in the first
ex. ExternalUrl: https://mail.contoso.com/owa
InternalUrl: https://server.contoso.local/owa

the certificate would need to have mail.contoso.com,server.contoso.local to avoid errors
0
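The name comparison described in the post above, as an added example that is not part of the original thread or written by any of its participants. `Test-OwaUrlCoverage` is a hypothetical helper name, the sample values are constructed from the contoso placeholder names used in the thread, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example, not from the thread. Test-OwaUrlCoverage is a hypothetical helper
# that reports whether each OWA URL's host name appears on a certificate.
function Test-OwaUrlCoverage {
    param(
        [Parameter(Mandatory=$true)] [string[]] $CertDomains,  # names on the certificate
        [Parameter(Mandatory=$true)] [string[]] $Urls          # InternalUrl / ExternalUrl values
    )
    foreach ($url in $Urls) {
        $hostName = ([uri]$url).Host.ToLowerInvariant()
        $covered  = $false
        foreach ($domain in $CertDomains) {
            $name = $domain.ToLowerInvariant()
            if ($name -eq $hostName) { $covered = $true; break }
            # A wildcard name such as *.contoso.com covers exactly one extra label.
            if ($name.StartsWith('*.')) {
                $suffix = $name.Substring(1)   # ".contoso.com"
                if ($hostName.EndsWith($suffix)) {
                    $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                    if ($label -and -not $label.Contains('.')) { $covered = $true; break }
                }
            }
        }
        New-Object PSObject -Property @{ Url = $url; Host = $hostName; Covered = $covered } |
            Select-Object Url, Host, Covered
    }
}

# Constructed sample using the thread's placeholder names: the certificate carries
# only server.contoso.com, so the owa.contoso.com URL is reported as not covered.
$certDomains = @('server.contoso.com')
$urls        = @('https://server.contoso.com/owa', 'https://owa.contoso.com/owa')
Test-OwaUrlCoverage -CertDomains $certDomains -Urls $urls

# Adding the second name (as a SAN certificate would) covers both URLs.
Test-OwaUrlCoverage -CertDomains @('server.contoso.com', 'owa.contoso.com') -Urls $urls
```

On the server, the two lists would come from the `CertificateDomains` property returned by `Get-ExchangeCertificate` and the `InternalUrl` and `ExternalUrl` values returned by `Get-OwaVirtualDirectory`.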
 
3D2KAuthor Commented:
endital1097

Many thanks again for your prompt response.

I've had a look at your article on certificate errors and it is very informative.

My main problem is that I'm not understanding the issues with certificates and I'm paranoid about breaking what is a production Exchange 2010 server that is over 200 miles from my location.

I've attached the output from the cmdlets you mention in your last post.  I have also approached GoDaddy with a view to purchasing a SSL certificate (proper).  What is the point of self certs?

However, there are some issues that I'm concerned about that are probably going to cause me problems going forward.

I (inadvertently) named the internal domain redwood.co.uk which is owned by another external entity and hence is not available to the company I deal with externally.  Their own domain is redwoodskills.com, but at the moment the DNS for redwoodskills.com points to an external web site and email is hosted as a 3rd party POP3 service.  I can't get me head around how a SSL certificate is going to work in this environment as I'm addressing the OWA by IP address.

Regards

Brian
RES-OWA-01.jpg
 
3D2KAuthor Commented:
I recommend the first course of action is to purchase a UCC/SAN certificate from any of the vendors mentioned.  I chose GoDaddy, they are very helpful with any issues you may have, and their online help files are useful, if not complete (a bit thin for Exchange 2010).

I am still having major issues with this installation in getting Citrix Secure Gateway and Autodiscover to work together using SSL.

It was my misfortune to install CSG first and assign that the standard SSL port 443.  After many hours of trying I am resolved to reconfiguring CSG to use a different SSL port and let Exchange/Autodiscover have SSL port 443 all to itself.

That would be my final advice.