Solved

OWA on Exchange 2010

Posted on 2010-09-08
Last Modified: 2012-05-10
Exchange 2010 installed on 2008 R2 (virtualised in Xenserver 5.5).

I can access OWA on the LAN without issue.

Attempting to access from the WAN (Internet) results in:

Certificate Error (owa-err-01.jpg),

Continue

Certificate Error (owa-err-02.jpg)

Continue

Application Error (owa-err-03.jpg)

I am using port 445 forwarded through a Watchguard Firebox to the internal server on port 443.

Port 443 inbound is used for Citrix Secure Gateway traffic.

I am using a self cert certificate.

Question by:3D2K
20 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33627021
the issue is the self signed certificate
you must install the certificate on the local machine for it to be trusted
you must also enter the url with the name of the subject

in your case the subject for the cert is server.contoso.com but you are browsing to owa.contoso.com
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33627080
endital is right about the certificates

also run
get-owavirtualdirectory | fl

Is this a single exchange server / part of a CAS array ?

thanks
0
 
LVL 3

Expert Comment

by:thetime
ID: 33627371
If your company doesn't want to buy a SAN certificate and ONLY if they do not want to buy one then have a look at this link:

http://www.ms-phantom.com/2009/07/creating-san-certificate-for-exchange.html
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33627458
Looks like the port number is causing some issue here?

On the LAN, do you access OWA using http or https?
Can you try access OWA for other mailbox? any clues on the application logs? IIS logs?
0
 
LVL 3

Expert Comment

by:thetime
ID: 33627486
Ignore the link up top, seems the site was taken down. apologies for not checking it before posting it.
0
 

Author Comment

by:3D2K
ID: 33627866
Thanks for the fast response guys.

It's a single server.

Not sure what you mean by contoso.com etc.  I've added that to the URL and also my domain redwood.co.uk and all I get is a 404 File not found error.

I've attached the output from the get-owavirtualdirectory command.

Brian
owa.txt
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33627956
start > run > inetmgr
Expand Sites > default website

Right click on default website
Edit bindings

Check if HTTPS goes to 443 there
Edit that and change it to 445 for HTTPS

and then run this

iisreset /noforce

thanks


0
 

Author Comment

by:3D2K
ID: 33628126
I've set up the Watchguard to port forward traffic coming in on 445 to port 443 on the Exchange Server.

Can't run the iisreset command "Command not found".

Stopped and started the IIS though and now I am unable to display web page.

Set it back to 443 and still unable to display web page.

Looks like it's broken now!
0
 

Author Comment

by:3D2K
ID: 33628132
That is I can't see the web page locally anymore!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33628145
when you reset it back to 443 > did you restart IIS Admin service ?
0

 

Author Comment

by:3D2K
ID: 33628161
Correction, I can see the web page locally.

I'm checking all of my configs and will report back.

Brian
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33628239
your internalurl value is set to https://res-exs.redwood.co.uk/owa
the certificate installed on the server should have the name res-exs.redwood.co.uk

you could for external access update the externalurl value to match the name on the cert
https://mail.redwood.co.uk/owa
0
 

Author Comment

by:3D2K
ID: 33628614
Turns out 445 is used by another process, so I've changed to 448 which appears to be free.

However, same issue now Server Error '/' In Application blah blah blah.

The bums that write this stuff ought to try to install it in the wild before they release it!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33628640
can you try this from exchange server

netstat -ab

and see if 448 is showing up
0
 

Author Comment

by:3D2K
ID: 33629362
sunnyc7

No mention of 448.

I've realised to get Citrix Secure Gateway to work I have an entry in my hosts file that maps the hostname to the external ip address.  I believe this is also causing issues for owa.

I'm going to give up on owa for the time being and maybe come back to it later.

From my research (and previous experience)  it looks like self cert is not the way to go and I may need to get the end user to put his hands in his pockets and buy a SSL Certificate.  Although my last experience with a GoDaddy certificate on SBS 2003 wasn't a pleasurable one!
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 400 total points
ID: 33630057
You need a UCC/SAN certificate.
You can get it from godaddy or digicert here
digicert.com/easy-csr/exchange2007.htm

thanks
0
 

Author Comment

by:3D2K
ID: 33836299
Endital1097:

Your last post seemed to indicate that there was a mismatch in certificate values.

Now I'm sorry but I don't understand (but would like to) your post.

Can you be more specific about the steps to take.

I'm under some pressure to resolve this issue and I really don't understand why a default installation of Exchange 2010 on Windows 2008 R2 should be so problematic when trying to access OWA from an external site.

Thank you.

Brian
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 100 total points
ID: 33836614
The following article discusses certificate errors (but doesn't address OWA)
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html

run the following cmdlets
Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | fl Cert*
Get-OwaVirtualDirectory | fl *Url

you should see the values from the second cmdlet in the first
ex. ExternalUrl: https://mail.contoso.com/owa
InternalUrl: https://server.contoso.local/owa

the certificate would need to have mail.contoso.com,server.contoso.local to avoid errors
0
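The comparison endital1097 describes above (every OWA URL host name must appear among the names on the IIS certificate), written out as an added example that is not part of the original thread. The function names are hypothetical, the sample names are the contoso placeholders from the post, and the syntax is kept to what PowerShell 2.0 (the Exchange 2010 shell) accepts.

```powershell
# Added example: report which OWA URL host names the certificate does not cover.
function Test-HostCoveredByCert {
    param([string] $HostName, [string[]] $CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.contoso.com matches
        # mail.contoso.com but not contoso.com or a.b.contoso.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                  # ".contoso.com"
            $dot    = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $suffix) { return $true }
        }
    }
    return $false
}

function Get-OwaUrlCertMismatch {
    param([string[]] $Urls, [string[]] $CertNames)
    foreach ($u in $Urls) {
        if ([string]::IsNullOrEmpty($u)) { continue }     # ExternalUrl may be unset
        $h = ([uri]$u).Host
        New-Object PSObject -Property @{
            Url      = $u
            HostName = $h
            Covered  = (Test-HostCoveredByCert -HostName $h -CertNames $CertNames)
        } | Select-Object Url, HostName, Covered
    }
}

# Constructed sample input: a certificate that carries only the internal name.
$certNames = @('server.contoso.local')
$urls      = @('https://server.contoso.local/owa', 'https://mail.contoso.com/owa')
Get-OwaUrlCertMismatch -Urls $urls -CertNames $certNames | Format-Table -AutoSize

# On the Exchange server, the same inputs can be taken from the cmdlets in the post
# (CertificateDomains is the name list on each certificate object):
# $certNames = Get-ExchangeCertificate |
#     Where-Object { $_.Services.ToString().Contains("IIS") } |
#     ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
# $vdir = Get-OwaVirtualDirectory
# $urls = @("$($vdir.InternalUrl)", "$($vdir.ExternalUrl)")
```

Any row with Covered = False is a name that browsers will flag with a certificate name mismatch when users reach OWA through that URL.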
 

Author Comment

by:3D2K
ID: 33838731
endital1097

Many thanks again for your prompt response.

I've had a look at your article on certificate errors and it is very informative.

My main problem is that I'm not understanding the issues with certificates and I'm paranoid about breaking what is a production Exchange 2010 server that is over 200 miles from my location.

I've attached the output from the cmdlets you mention in your last post.  I have also approached GoDaddy with a view to purchasing a SSL certificate (proper).  What is the point of self certs?

However, there are some issues that I'm concerned about that are probably going to cause me problems going forward.

I (inadvertently) named the internal domain redwood.co.uk which is owned by another external entity and hence is not available to the company I deal with externally.  Their own domain is redwoodskills.com, but at the moment the DNS for redwoodskills.com points to an external web site and email is hosted as a 3rd party POP3 service.  I can't get my head around how a SSL certificate is going to work in this environment as I'm addressing the OWA by IP address.

Regards

Brian
RES-OWA-01.jpg
0
 

Author Closing Comment

by:3D2K
ID: 34239959
I recommend the first course of action is to purchase a UCC/SAN certificate from any of the vendors mentioned.  I chose GoDaddy, they are very helpful with any issues you may have, and their online help files are useful, if not complete (a bit thin for Exchange 2010).

I am still having major issues with this installation in getting Citrix Secure Gateway and Autodiscover to work together using SSL.

It was my misfortune to install CSG first and assign that the standard SSL port 443.  After many hours of trying I am resolved to reconfiguring CSG to use a different SSL port and let Exchange/Autodiscover have SSL port 443 all to itself.

That would be my final advice.
0
