Solved

How can I configure my Exchange Server 2003 (on Windows Server 2003) to allow e-mail access via the internet?

Posted on 2010-11-30
Last Modified: 2012-05-10
We have an Exchange Server (2003, SP2) that is only accessible internally on the domain.  I need help learning how to make it available to our users from the internet.  The Exchange server is running Windows Server 2003 R2, and it is also a DNS and DC (despite the fact that Microsoft does not recommend this configuration).  Blackberry Professional Software is installed, making it possible for BlackBerry users to access their e-mail, but the introduction of other phones, such as androids and iPads, will make it necessary to allow access to corporate e-mail via an internet URL.

Currently, the 15 domain users can get their e-mail internally with Outlook and OWA, but I want to make it available from the internet.  Does this work through port-forwarding? We have a static IP for the network, on a Cisco ASA5505 firewall, if that helps.  But I'm not sure how to set up IIS, if that is required. I do not have a front-end exchange server (and I don’t know what’s involved in setting this up, if it's required). Please help me figure out the parts that I'm missing to make this Exchange server available over the internet.  You will probably require more information, so please let me know what else is needed.

Thanks,
CSG
Question by:CompScienceGrad
12 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Are you talking about Outlook over the web (RPC over HTTPS)?  If so - please have a read of the following article:

http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
 
LVL 10

Assisted Solution

by:172pilotSteve
172pilotSteve earned 250 total points
I'm not clear on what you're trying to do..  You say that your users can access mail internally..  Does that mean that there is already mail flowing in from the outside, and if your users are inside, that they can send and receive to the outside?  If so, then what you're asking is just how to get OWA to work from the outside, right?

Alternatively, if your users are only able to send email to each other, then we're talking about a full Internet mail configuration here.

I think it's the latter, so I'll go down that path first - It's also the most complex thing, so if it's my first option above, that'll be easy!

SO - First, you have to OWN A DOMAIN...  So, for example, I'll say I want my email address to be "Steve@acme.org"..  You would need to own "acme.org".  Go to Godaddy.com, or any other reputable registrar, and register the domain of your choice.  Basically what that does, is makes it so that when anyone on the internet wants to talk to you, they can go to the root servers, which house a shared registrar DNS database, and find out that they can get to acme.org.

If someone wants to send you mail, you'll need to configure an "MX" record, which is short for "Mail Exchanger".  Basically, at your registrar, you'll configure an "MX record" to point to "mail.acme.org".   This tells someone else's mail server that to send mail to acme.org, they must look up the address of "mail.acme.org".  

You must then create a host record (known as an "A" record) to point mail.acme.org to YOUR FIREWALL ADDRESS (your outside, static address, provided by your ISP).

So far, this will allow someone trying to send you an email to actually find you.

Next, you must configure your ASA to forward inbound TCP traffic on port 25 (the inbound mail port) to your INSIDE address of your Exchange server.  So, for example, if your ISP gave you IP address 11.12.13.14, and your mail server inside is 192.168.1.10, you'll need to 1: allow the traffic, and 2: do a NAT to redirect the inbound traffic to your mail server.

The ASA has a GUI, and a command line interface (CLI) - If you're familiar with the GUI, just go ahead and do it in there.  If you want to do it on the command line, it will be something like this:

#this next command will tell the ASA to ALLOW all SMTP traffic that comes to it on the outside interface:
access-list outside_access_in extended permit tcp any interface outside eq smtp

#This next command will redirect that traffic to the mail server, assuming it's on 192.168.1.10 (substitute your exchange server's address)
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255

This assumes:  your interfaces are named "inside" and "outside" and that you are using an access list called "outside_access_in" which is the default.

NOW, you have everything you need to accept mail on the Exchange server.   It is likely that your exchange server is already configured to allow inbound mail to it, but now it is VERY IMPORTANT for you NOT to allow open relaying, or every hacker in the world will start sending spam through your server, and your ISP will get VERY UPSET and you'll be blacklisted.

Go to your Exchange server, open up Exchange Management Console (EMC) and drill down to your server.  You should see "Protocols" and under SMTP, you'll see "Default SMTP Server".  Right-click and go to properties of the Default SMTP server.

On the "Access" tab, go to the authentication tab, and click on Relay Restrictions.  Make sure it says "Only the list below" and that the list is either empty, or has only trusted machines listed.  Also, you can allow authenticated machines to relay (checkbox near the bottom) safely.

THAT should really be it..  I know I glossed over a bunch of stuff, but I don't know which of it you're comfortable with..  Ask more details on whatever you need!!

Oh...  and, if you were just looking to do external access to OWA, then you'll just need to open those ports on the firewall (80 if http, or 443 if https) so it'd look something like this on the ASA:

access-list outside_access_in extended permit tcp any interface outside eq http
static (inside,outside) tcp interface http 192.168.1.10 http netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq https
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

Good luck!
-Steve
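Steve's post above ends with the warning about open relaying. The following is an added example, not code from the original thread or from Steve: once TCP/25 is forwarded to the Exchange server, it runs, from a host outside the network, the exact SMTP conversation an unauthenticated spammer would: greet the server, claim a foreign sender, and ask it to accept mail for a domain it does not host. mail.acme.org is Steve's example name; the probe addresses (example.com / example.net) and the canned Exchange replies used for the dry run are assumptions constructed for the example.

```python
"""SMTP open-relay probe. Added example; not code from the original thread.

Run from OUTSIDE the network once the ASA forwards TCP/25 to Exchange. A 2xx
reply to the RCPT TO for a foreign domain means anyone can relay through you;
a 5xx such as "550 5.7.1 Unable to relay" is the result you want. Nothing is
delivered: the probe never sends DATA.
mail.acme.org is Steve's example name; the probe addresses are assumptions.
"""
import socket

EXTERNAL_HOST = "mail.acme.org"       # the A record your MX points at
PROBE_SENDER = "probe@example.com"    # assumed: a domain this server does NOT host
PROBE_RCPT = "relaytest@example.net"  # assumed: likewise not hosted here


def read_reply(recv):
    """Read one SMTP reply (handles "250-..." continuation lines).
    recv() returns one line of text; returns (status_code, reply_text)."""
    lines = []
    while True:
        line = recv()
        if not line:                        # connection closed on us
            return 421, "\n".join(lines) or "<connection closed>"
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # final line has a space after the code
            break
    return int(lines[-1][:3]), "\n".join(lines)


def relay_dialogue(send, recv, helo_name="relaytest.invalid"):
    """Run the probe over caller-supplied send(text) / recv() callables.
    Returns {"open_relay": True|False|None, "rcpt_code": int|None,
    "transcript": [...]}; None = test could not be completed (no 220
    banner, greeting rejected, or MAIL FROM refused)."""
    transcript = []

    def step(cmd):
        if cmd is not None:
            send(cmd + "\r\n")
            transcript.append("C: " + cmd)
        code, text = read_reply(recv)
        transcript.append("S: " + text)
        return code

    result = {"open_relay": None, "rcpt_code": None, "transcript": transcript}
    if step(None) != 220:                   # server banner
        return result
    if step("EHLO " + helo_name) != 250 and step("HELO " + helo_name) != 250:
        step("QUIT")
        return result
    if step("MAIL FROM:<%s>" % PROBE_SENDER) != 250:
        step("QUIT")
        return result
    rcpt_code = step("RCPT TO:<%s>" % PROBE_RCPT)
    step("QUIT")                            # never DATA: acceptance is the test
    result.update(rcpt_code=rcpt_code, open_relay=200 <= rcpt_code < 300)
    return result


def check_server(host=EXTERNAL_HOST, port=25, timeout=15):
    """Live probe over TCP (needs network; run from outside the firewall)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")

        def send(text):
            f.write(text)
            f.flush()

        return relay_dialogue(send, f.readline)


def simulate(server_replies):
    """Dry run against a canned transcript; returns (result, commands_sent)."""
    replies = iter(server_replies)
    sent = []
    result = relay_dialogue(sent.append, lambda: next(replies, ""))
    return result, [c.rstrip("\r\n") for c in sent]


# Constructed transcripts modelled on Exchange 2003 wording (not captured data).
_SESSION = [
    "220 exch.acme.org Microsoft ESMTP MAIL Service ready\r\n",
    "250-exch.acme.org Hello [203.0.113.5]\r\n",
    "250-SIZE\r\n",
    "250 OK\r\n",
    "250 2.1.0 probe@example.com....Sender OK\r\n",
]
_BYE = "221 2.0.0 exch.acme.org Service closing transmission channel\r\n"
RELAY_DENIED = _SESSION + ["550 5.7.1 Unable to relay for relaytest@example.net\r\n", _BYE]
RELAY_OPEN = _SESSION + ["250 2.1.5 relaytest@example.net\r\n", _BYE]

if __name__ == "__main__":
    for label, script in (("locked down", RELAY_DENIED), ("OPEN RELAY", RELAY_OPEN)):
        verdict, _ = simulate(script)
        print("%-11s RCPT TO -> %s  open_relay=%s"
              % (label, verdict["rcpt_code"], verdict["open_relay"]))
```

The verdict comes from the RCPT TO reply alone, which is what matters: a server that says 250 to a recipient it is not responsible for has already agreed to relay, whether or not you go on to send DATA. Run `check_server()` only from outside your own network, since Steve's "Only the list below" setting may legitimately include your internal subnet.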
 

Author Comment

by:CompScienceGrad
alanhardisty - Thanks for the link for RPC over HTTPS.  I am reading through this to see if I would encounter any roadblocks.  Of course, I am interested in external access to OWA and access with mobile devices, rather than Outlook 2003 clients (which the article is focused on).  Once RPC over HTTPS is set up, would I be able to access OWA externally, and sync with phones that connect with Exchange?

Steve - That was very informative!  At times I have considered hosting external mail right on the server, but at present I am just using a PopGrabber application and the Exchange "Internet Mail SMTP Connector," which connects to my hosted external mail server.  I don't necessarily prefer it this way, but I never really knew how to do it differently -- but your post could change that!   HOWEVER, for now I am focused on how to get OWA to work from the outside.  I'm glad you are familiar with the ASA.  Actually, I'm not very familiar with the ASA command lines.  I opened the ASDM and entered the access-list command using my server's IP address, but I got some error messages:

Result of the command: "access-list outside_access_in extended permit tcp any interface outside eq https"

The command has been sent to the device

Result of the command: "static (inside,outside) tcp interface https 192.168.1.159 https netmask 255.255.255.255"

ERROR: unable to reserve port 443 for static PAT
ERROR: unable to download policy


I work better with the ASDM GUI, so I tried this: Under Configuration, I entered an Access Rule with the "tcp/https" service (port 443)


Interface: outside
Source: any
Destination: 192.168.1.159
Service: "tcp/https" (port 443)

Once I applied this access rule, I tried going to https://<my_external_ip>/ from the outside, but unfortunately, this took me to the ASA web interface (I forgot that the ASA already used this URL to provide VPN access by means of a web portal).  Do you have any ideas as to how I can get it to port-forward to the exchange server?

Thanks,
CSG
 
LVL 10

Expert Comment

by:172pilotSteve
Ah..  So, here's what's going on - Your ASA is already forwarding 443 to itself basically, so that you can do the VPN..  Do you know if you have more than one IP address from your ISP?  If so, then we can configure the ASA to use the other IP address for the Exchange RPC over HTTPS, but if not, we might have to pick another port for Exchange, so the URL would be more like:

https://externalip:4433/exchange

Basically, we'd be using another port (4433 in this example) instead of 443 since it's already used..

Alternatively, if you don't use the VPN, we could re-use 443..

-Steve
 
LVL 76

Expert Comment

by:Alan Hardisty
There are 3 separate elements to Exchange that you are asking about:

1. OWA - Outlook Web Access
2. RPC over HTTPS - Outlook Anywhere as it is called on Exchange 2007 / 2010 which gives you access to Exchange via Outlook with just an internet connection.
3. Activesync - access to your mail / contacts / calendar / tasks (tasks is only available natively on a windows mobile) via mobile phones etc.

OWA uses HTTPS (TCP Port 443) / RPC over HTTPS use TCP Port 443 and Activesync uses TCP Port 443 - so all work simply by opening up TCP Port 443, and then some configurational tweaks and all should be good.

Where would you like to start?

Alan
 

Author Comment

by:CompScienceGrad
Steve - I only have one IP address from my ISP, so I guess we would need to use ports. I do use the VPN.  

Also, I just realized that I currently access OWA using http, not https. (I was getting my server confused with another one I've been working on.)  Now I would appreciate your advice on setting up SSL.   I have been using: http://<servername>/exchange to access OWA internally, but I am not set up for https.  I found this article on setting up SSL, but it is for OWA 2000, and they are using a paid service (Instant SSL).  I need a free certificate service if possible...  

Alan - Thanks for explaining this.  I know I am talking about multiple technologies, but if I can get access from the outside to OWA, then I hope to be on the right track.  To clarify, I am interested in synching with Droid and iPhone -- not sure if Activesync is involved.  These phones just ask for a URL to the Exchange server.

Thanks for your help so far.

CSG
 
LVL 10

Assisted Solution

by:172pilotSteve
172pilotSteve earned 250 total points
For the FREE certificate, you can either use a "self signed" certificate, which would have to be installed on all your clients or they'll always get the "this certificate is invalid, are you sure you want to continue" message...  OR, you can install the "Certificate Services" service on your PDC/Exchange server, and make your own corporate certificate authority.  The advantage of that, is that at least your domain machines should understand and trust the certificate.

Instructions on the CA process are in these 2 articles - They can explain it with pictures and everything more easily than I can, but if you need help with it, let me know, I can do it in a virtual lab environment and send screenprints

http://www.petri.co.il/install_windows_server_2003_ca.htm
and
http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx

Then here are two articles about creating a certificate and attaching it to the IIS site:
http://support.microsoft.com/kb/228821
and
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/IIS/RequestacertificateforanIISwebserver.html


As for the sharing of the IP / using a non-standard port, that should be fine with your OWA users - We can probably even configure some kind of redirect to make the URL easy, but are you needing activesync to work over the Internet?  If so, using a non-standard port may not be an option..

To save yourself a lot of headaches, you might want to find out from your ISP what it would take to get a second IP address.  It's easy to put a second IP address on the ASA, and have it manage the two IP addresses separately.  I have 5 IP addresses on my home ASA with Comcast Business Class internet, and it's only about $75/month total..

-Steve

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
Your best bet is to buy and install a 3rd party SSL certificate such as www.godaddy.com - single name certificate not a SAN / UCC certificate, then install it into IIS and then you can access OWA via HTTPS.  $45 should buy you a 1 year SSL cert from GoDaddy.

This will also enable Activesync (iPhone / Droid access) to be secure and you can then read through my Exchange 2003 / Activesync article to help you get that part configured:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

If you get stuck anywhere - I'm never too far away : )

Alan
 
LVL 10

Expert Comment

by:172pilotSteve
I definitely agree with Alan on the GoDaddy cert, and they make it REALLY simple to install..  I just went down the self signed and / or corporate CA route because you said "free"...  If godaddy is free enough, then I DEFINITELY recommend going that way..

BTW - I would NOT do the cert until you solidify and test your solution to the "one ip address" problem..  You're going to have to prove that either the VPN, OR the Exchange RPC can move to a different port and meet your needs, OR you're going to have to get a second IP address.  Don't get the cert 'till you know you're ready, or at least until you KNOW the exact DNS names you're going to be working with.

-Steve
 

Author Comment

by:CompScienceGrad
This gives me a lot to think about and read over.  While I'm mulling this over, I had a few related questions:

Would a phone have issues with a certificate from our own CA (or a self-signed certificate)?

Do you think that a shared IP / non-standard port (like https://externalip:4433/exchange) wouldn't work for phones?

CSG
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
Some phones would have issues with a self-signed cert - some won't.

iPhones don't really care as long as the name matches - Droids are about the same.

Windows Mobiles are much stricter and you would have to install the cert on the phone for it to work.  Most other phones are not as fussy as the Windows Ones - funny that!

You have to use port 443 and port 80 on the Default Website otherwise Activesync will not work.  It is hard-coded in the system.

In terms of a shared IP - as long as port 443 points to your server - no issues.  If not - no dice.
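Alan's accepted answer above turns on two things a phone checks: that the certificate name matches the server name typed into the phone, and that TCP/443 on the published name actually reaches the Exchange Default Web Site rather than something else (the poster found that 443 on the ASA currently lands on the ASA's own VPN portal). The following is an added example, not code from the original thread or from either expert. The offline part reproduces the name-matching rule so a certificate's CN/SAN list can be checked before it is bought; the online part does a verified TLS handshake to the published name and sends the OPTIONS request an ActiveSync client starts with, expecting HTTP 401 (credentials required). mail.acme.org follows Steve's earlier example; exch.acme.local and every other certificate name below are assumptions, not the poster's real names.

```python
"""TLS and ActiveSync pre-flight on TCP/443. Added example; not code from the
original thread. name_matches()/cert_covers() work offline; probe() needs a
network path from outside the firewall to the published name.
mail.acme.org follows Steve's example; exch.acme.local is an assumption.
"""
import socket
import ssl

PUBLISHED_NAME = "mail.acme.org"           # assumed: what users type into the phone
EAS_PATH = "/Microsoft-Server-ActiveSync"  # Exchange 2003 ActiveSync virtual directory


def name_matches(hostname, cert_name):
    """Case-insensitive DNS name match. '*' is allowed only as the entire
    leftmost label and needs at least two more labels: '*.acme.org' matches
    'mail.acme.org' but not 'acme.org' or 'owa.mail.acme.org'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, subject_cn, san_dns=()):
    """Clients consult the SAN dNSName list and fall back to the subject CN
    only when the certificate carries no SAN (the usual shape of a
    single-name cert). A SAN that omits the published name fails even
    if the CN happens to match."""
    names = list(san_dns) or [subject_cn]
    return any(name_matches(hostname, n) for n in names)


def classify_eas_reply(status_line, headers):
    """Interpret the reply to OPTIONS /Microsoft-Server-ActiveSync."""
    code = int(status_line.split()[1])
    hdrs = {k.lower(): v for k, v in headers}
    if code == 401 and "www-authenticate" in hdrs:
        return "ok: ActiveSync directory found, credentials required (%s)" % hdrs["www-authenticate"]
    if code == 200:
        return "warning: answered without demanding credentials; check that Anonymous access is off"
    if code == 404:
        return "fail: path not found; 443 is not reaching the Exchange Default Web Site"
    return "unexpected: " + status_line.strip()


def probe(hostname=PUBLISHED_NAME, port=443, timeout=15):
    """Verified TLS handshake plus EAS OPTIONS; returns a one-line verdict.
    Name-mismatch and untrusted-issuer failures are reported separately
    because phones treat them differently."""
    ctx = ssl.create_default_context()
    request = ("OPTIONS %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (EAS_PATH, hostname)).encode("ascii")
    data = b""
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(request)
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    except ssl.SSLCertVerificationError as e:
        msg = str(e.verify_message)
        if e.verify_code == 62 or "hostname mismatch" in msg.lower():  # X509_V_ERR_HOSTNAME_MISMATCH
            return "cert name mismatch: " + msg
        return "cert not trusted by this client: " + msg
    if not data:
        return "fail: TLS handshake succeeded but no HTTP response was returned"
    head = data.decode("iso-8859-1").split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(k, v.strip()) for k, v in
               (h.split(":", 1) for h in head[1:] if ":" in h)]
    return classify_eas_reply(head[0], headers)


if __name__ == "__main__":
    # Offline: would a single-name cert issued to the internal name satisfy a
    # phone pointed at mail.acme.org?
    print(cert_covers("mail.acme.org", "exch.acme.local"))   # False
    print(cert_covers("mail.acme.org", "mail.acme.org"))     # True
    # Online, from outside the firewall: print(probe())
```

A "cert name mismatch" verdict is the case Alan says iPhones and Droids will refuse, so buy the certificate for the name users will type, not the server's internal name; a "cert not trusted" verdict is the self-signed or private-CA case, which this client rejects just as Windows Mobile would. A 404 with a valid certificate is the symptom the poster already hit: 443 is answered by something other than the Exchange Default Web Site.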
 

Author Comment

by:CompScienceGrad
Thanks for your answers!  I am temporarily putting this project on hold, but now I have a better idea of what's involved.

CSG