Problems with Exchange sync outside the network

JohnGrunwell
I have an Exchange 2007 server.  The problem I'm having is when someone from home tries to
add an Exchange account via Office Outlook it will not find the server 204.210.164.218.  RPC over HTTP
is installed and allowed.  I have ports 80, 110, 135, 143, 443, 993, 995 open on the Exchange server
and port 25 open on the MailMarshal server.  I can connect mobile devices via an Exchange
account, Outlook will add the Exchange account inside the network, and OWA works fine.
Does anyone have any ideas why it will not sync to a computer outside the network?
Shreedhar Ette, Technical Manager (Top Expert 2010)

Commented:
Is the IP 204.210.164.218 the public address of the server? If yes, then it is not resolving properly to a name.

Please check with the ISP...

Also go to https://www.testexchangeconnectivity.com/ and perform the RPC over HTTP test and post the result.
If you have RPC over HTTPS enabled, you need only ports 80 or 443.
Do you have Autodiscover configured? If not, what happens if you manually try to configure Outlook?
When you configure mobile devices, are you using the same IP address?

Author

Commented:
Yes, 204.210.164.218 is the public address of the Exchange server.  It should come up as exchange.midohiofoodbank.org.

Yes, Autodiscover is configured.  If I try to manually configure Outlook it still will not locate the server.  With the mobile devices I use exchange.midohiofoodbank.org (aka 204.210.164.218) as the Exchange server and the domain/username, and it has worked every time.

It still makes me think that there is something in the firewall that is blocking incoming connections to Exchange.  I will try tonight to see if I can connect a POP account and also an IMAP account with the ports I just opened.

Author

Commented:
shreedhar

It came up with an SSL certificate error on the test.  The certificate could not be validated.

Author

Commented:
How do you fix a mismatched name on the SSL certificate in Exchange?

 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Additional Details
  Host name exchange.midohiofoodbank.org does not match any name found on the server certificate CN=exchange

Author

Commented:
Alright guys, this is where I'm at.  Do I need to open up port 6001?

ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   Attempting to resolve the host name exchange.midohiofoodbank.org in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 204.210.164.218
 
 Testing TCP Port 443 on host exchange.midohiofoodbank.org to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   The certificate name is being validated.
  Successfully validated the certificate name
   Additional Details
  Found hostname exchange.midohiofoodbank.org in Certificate Subject Common name
 
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Additional Details
  The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
 
 The certificate date is being confirmed to ensure the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  Certificate is valid: NotBefore = 10/19/2010 12:00:00 AM, NotAfter = 11/17/2010 11:59:59 PM

 The IIS configuration is being checked for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates not configured.
 
 Testing Http Authentication Methods for URL https://exchange.midohiofoodbank.org/rpc/rpcproxy.dll 
  The HTTP authentication methods are correct.
   Additional Details
  Found all expected authentication methods and no disallowed methods. Methods Found: Negotiate, NTLM
 
 SSL mutual authentication with the RPC proxy server is being tested.
  Mutual authentication was verified successfully.
   Additional Details
  Certificate common name exchange.midohiofoodbank.org matches msstd:exchange.midohiofoodbank.org
 
 Attempting to Ping RPC Proxy exchange.midohiofoodbank.org
  RPC Proxy was pinged successfully.
   Additional Details
  Completed with HTTP status 200 - OK
 
 Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server exchange.midohiofoodbank.org
  The attempt to ping the endpoint failed.
   Additional Details
  RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime
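The two certificate checks in the ExRCA output above (name validation, which failed against CN=exchange in the earlier run and passed once the certificate carried exchange.midohiofoodbank.org, and the msstd: mutual-authentication comparison) can be reproduced from any client outside the network. The following Python is an added example, not part of the thread and not ExRCA's code; the two sample certificates are constructed from the names shown in the posts, and the earlier certificate is assumed to have carried no SAN entries, which the thread does not state. check_live() is the only part that needs network access; it fetches the real certificate with the standard library while still verifying the chain against the system trust store.

```python
from __future__ import annotations
import socket
import ssl


def names_from_cert(cert: dict) -> tuple[str, list[str]]:
    """Pull the Subject CN and the SubjectAltName DNS entries out of a
    certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a single leading '*'
    matches exactly one label and must be followed by at least two labels."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = host.split(".")
        return rest.count(".") >= 1 and len(labels) >= 2 and ".".join(labels[1:]) == rest
    return False


def certificate_names_match(cert: dict, host: str) -> tuple[bool, str]:
    """The check behind ExRCA's 'certificate name is being validated' step.
    SAN entries are consulted first; the CN is used only when the certificate
    carries no SAN at all, which is how current TLS clients behave."""
    cn, sans = names_from_cert(cert)
    for name in sans:
        if dns_name_matches(name, host):
            return True, f"Found hostname {host} in Subject Alternative Name {name}"
    if not sans and cn and dns_name_matches(cn, host):
        return True, f"Found hostname {host} in Certificate Subject Common name"
    detail = f"Host name {host} does not match any name found on the server certificate CN={cn}"
    if sans:
        detail += f" SAN={','.join(sans)}"
    return False, detail


def principal_name_matches(cert: dict, cert_principal_name: str) -> bool:
    """Outlook Anywhere mutual authentication: the profile's principal name
    'msstd:<name>' must equal the certificate's Subject CN, compared literally
    (a wildcard certificate is configured as 'msstd:*.example.org')."""
    prefix = "msstd:"
    if not cert_principal_name.lower().startswith(prefix):
        return False
    cn, _ = names_from_cert(cert)
    return cn.lower() == cert_principal_name[len(prefix):].lower()


def check_live(host: str, cert_principal_name: str, port: int = 443) -> dict:
    """Fetch the certificate `host` presents on `port` and run both checks.
    The chain is still verified (CERT_REQUIRED is the default); only the
    host-name comparison is taken out of the handshake so that a mismatch is
    reported instead of aborting the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    matched, detail = certificate_names_match(cert, host)
    return {"name_ok": matched, "detail": detail,
            "mutual_auth_ok": principal_name_matches(cert, cert_principal_name)}


# Constructed from the thread: the first ExRCA run saw CN=exchange (assumed
# here to have no SAN entries); the second run and Get-ExchangeCertificate
# show the replacement certificate and its CertificateDomains.
HOST = "exchange.midohiofoodbank.org"
CERT_BEFORE = {"subject": ((("commonName", "exchange"),),)}
CERT_AFTER = {
    "subject": ((("commonName", HOST),),),
    "subjectAltName": (("DNS", HOST), ("DNS", "autodiscover.midohiofoodbank.org"), ("DNS", "exchange")),
}

if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        ok, detail = certificate_names_match(cert, HOST)
        mutual = principal_name_matches(cert, f"msstd:{HOST}")
        print(f"{label}: name {'ok' if ok else 'FAILED'} ({detail}); msstd match {mutual}")
```

To repeat ExRCA's check against a live server, call check_live("exchange.midohiofoodbank.org", "msstd:exchange.midohiofoodbank.org") from a machine outside the network; the msstd: value is the certificate principal name configured on the Outlook Anywhere profile, and the detail string tells you which name on the certificate satisfied the host name, or that none did.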

Commented:
Run the following command on the CAS server:
get-exchangecertificate | fl
and check the certificate used for OWA and Autodiscover. Make sure the certificate has all the SANs (Subject Alternative Names).


Author

Commented:
This is what I got.  Looks like Autodiscover and OWA are in there.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.midohiofoodbank.org, autodiscover.midohiofoodbank.org, exchange}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 11/17/2010 6:59:59 PM
NotBefore          : 10/18/2010 8:00:00 PM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 0EC41430053F427F84B8EC41B5ADD28C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=exchange.midohiofoodbank.org, OU=Information Technology, O=Mid-Ohio Foodbank, L=Grove City, S=Ohio, C=US

Commented:
Do you have autodiscover registered in external DNS pointing to 204.210.164.218? I am not able to ping it; at the very least it should resolve to an IP address:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\Administrator.AV-PC>ping autodiscover.midohiofoodbank.org
Ping request could not find host autodiscover.midohiofoodbank.org. Please check
the name and try again.
C:\Users\Administrator.AV-PC>ping exchange.midohiofoodbank.org
Pinging exchange.midohiofoodbank.org [204.210.164.218] with 32 bytes of data:
Reply from 204.210.164.218: bytes=32 time=44ms TTL=49
Reply from 204.210.164.218: bytes=32 time=120ms TTL=49
Reply from 204.210.164.218: bytes=32 time=90ms TTL=49
Reply from 204.210.164.218: bytes=32 time=112ms TTL=49
Ping statistics for 204.210.164.218:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 44ms, Maximum = 120ms, Average = 91ms
C:\Users\Administrator.AV-PC>ping autodiscover.midohiofoodbank.org
Ping request could not find host autodiscover.midohiofoodbank.org. Please check
the name and try again.
C:\Users\Administrator.AV-PC>
Also, it is good practice to add the server's FQDN to the SAN certificate...
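What the ping test above is really probing is the lookup order Outlook follows for Autodiscover: it starts from the SMTP domain of the mailbox, not from the server name the user types into the profile, so a host that resolves and carries a valid certificate (exchange.midohiofoodbank.org here) is never consulted unless one of the derived names leads to it. The following Python is an added example, not the expert's or Microsoft's code. It walks that lookup order against a constructed DNS table that mirrors the ping results in the post, plus two more tables: the A record the thread recommends, and an SRV record, which goes beyond what the thread discusses. The root-domain name is assumed not to resolve, which the post does not say, and SRV answers from the live resolver are stubbed out because the standard library has no SRV lookup.

```python
from __future__ import annotations
import socket
from typing import Callable

# A resolver maps (name, record type) to answers: addresses for "A", target
# host names for "SRV". It is injectable so the walk runs offline.
Resolver = Callable[[str, str], list[str]]

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_steps(smtp_address: str, resolve: Resolver) -> list[dict]:
    """Walk the lookup order Outlook uses for an SMTP address and report, for
    each step, the DNS name consulted, whether it resolves, and the URL Outlook
    would request. Only the SMTP domain matters at this stage."""
    domain = smtp_address.rsplit("@", 1)[-1].strip().lower()
    steps = [
        ("A", domain, f"https://{domain}{AUTODISCOVER_PATH}"),
        ("A", f"autodiscover.{domain}", f"https://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        # Plain HTTP is tried only for an HTTP 302 redirect to an HTTPS URL.
        ("A", f"autodiscover.{domain}", f"http://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        ("SRV", f"_autodiscover._tcp.{domain}", None),
    ]
    report = []
    for rrtype, name, url in steps:
        answers = resolve(name, rrtype)
        if rrtype == "SRV" and answers:
            # The SRV target must itself be a name on the server certificate.
            url = f"https://{answers[0]}{AUTODISCOVER_PATH}"
        report.append({"rrtype": rrtype, "name": name, "answers": answers,
                       "resolves": bool(answers), "url": url})
    return report


def first_autodiscover_url(smtp_address: str, resolve: Resolver) -> str | None:
    """The first endpoint Outlook could even attempt to contact, or None when
    no derived name resolves (the situation shown by the ping output)."""
    for step in autodiscover_steps(smtp_address, resolve):
        if step["resolves"]:
            return step["url"]
    return None


def table_resolver(table: dict[tuple[str, str], list[str]]) -> Resolver:
    """Resolver backed by a constructed {(name, rrtype): answers} table."""
    def resolve(name: str, rrtype: str) -> list[str]:
        return list(table.get((name.lower(), rrtype), []))
    return resolve


def live_resolver(name: str, rrtype: str) -> list[str]:
    """Resolver against real DNS. A lookups use getaddrinfo; SRV lookups need
    dnspython or nslookup -type=SRV, so they are reported as unanswered here."""
    if rrtype != "A":
        return []
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed DNS tables. DNS_AS_POSTED mirrors the ping results in the
# thread (exchange.* resolves, autodiscover.* does not); the bare domain is
# assumed unresolvable. The other two show the two ways to make Autodiscover
# reachable from the Internet.
EXCHANGE_IP = "204.210.164.218"
DNS_AS_POSTED = {("exchange.midohiofoodbank.org", "A"): [EXCHANGE_IP]}
DNS_WITH_A_RECORD = {**DNS_AS_POSTED,
                     ("autodiscover.midohiofoodbank.org", "A"): [EXCHANGE_IP]}
DNS_WITH_SRV = {**DNS_AS_POSTED,
                ("_autodiscover._tcp.midohiofoodbank.org", "SRV"): ["exchange.midohiofoodbank.org"]}

if __name__ == "__main__":
    mailbox = "user@midohiofoodbank.org"
    for label, table in (("as posted", DNS_AS_POSTED),
                         ("A record added", DNS_WITH_A_RECORD),
                         ("SRV record added", DNS_WITH_SRV)):
        url = first_autodiscover_url(mailbox, table_resolver(table))
        print(f"{label}: {url or 'no Autodiscover endpoint reachable'}")
```

Whichever name Outlook ends up connecting to has to appear on the certificate as well; the Get-ExchangeCertificate output earlier in the thread already lists autodiscover.midohiofoodbank.org, so against a live zone (first_autodiscover_url(mailbox, live_resolver)) the DNS record is the part this walk flags.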

Author

Commented:
I do not have autodiscover.midohiofoodbank.org pointed to 204.210.164.218.  Also, I do not own the FQDN that is used for the internal server, so I had to change the identity using MMC and set auto.xml, exchange.asmx, oab, and service.asmx to use exchange.midohiofoodbank.org.

Commented:
You must have autodiscover point to the same IP address if you want to configure Outlook from the Internet without a VPN.

Author

Commented:
Alright, thanks.
