• Status: Solved

Cannot Connect to OWA externally

Our router died and we had some email server issues that we got fixed.  Now the only problem is that we cannot access OWA externally.  We have several smartphones in the office that can connect if we are on wifi, but once we shut off the wifi we cannot connect anymore.  I'm thinking that it may have something to do with the ports on the router but am not sure.  Right now I have ports 25 and 443 forwarded to the Exchange server.
0
sharris_glascol
Asked:
 
Neil Russell, Technical Development Lead, Commented:
Run the tests here and report back....

https://www.testexchangeconnectivity.com/
0
 
sharris_glascolAuthor Commented:
locally?

ExRCA is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.
  Test Steps
    Attempting the Autodiscover and Exchange ActiveSync test (if requested).
      Testing of Autodiscover for Exchange ActiveSync failed.
      Test Steps
        Attempting each method of contacting the Autodiscover service.
          The Autodiscover service couldn't be contacted successfully by any method.
          Test Steps
            Attempting to test potential Autodiscover URL https://glascol.com/AutoDiscover/AutoDiscover.xml
              Testing of this potential Autodiscover URL failed.
              Test Steps
                Attempting to resolve the host name glascol.com in DNS.
                  The host name resolved successfully.
                  Additional Details
                    IP addresses returned: 216.193.219.138
                Testing TCP port 443 on host glascol.com to ensure it's listening and open.
                  The port was opened successfully.
                Testing the SSL certificate to make sure it's valid.
                  The SSL certificate failed one or more certificate validation checks.
                  Test Steps
                    ExRCA is attempting to obtain the SSL certificate from remote server glascol.com on port 443.
                      ExRCA successfully obtained the remote SSL certificate.
                      Additional Details
                        Remote Certificate Subject: CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US, Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US.
                    Validating the certificate name.
                      Certificate name validation failed.
                      Additional Details
                        Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.
            Attempting to test potential Autodiscover URL https://autodiscover.glascol.com/AutoDiscover/AutoDiscover.xml
              Testing of this potential Autodiscover URL failed.
              Test Steps
                Attempting to resolve the host name autodiscover.glascol.com in DNS.
                  The host name couldn't be resolved.
                  Additional Details
                    Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
            Attempting to contact the Autodiscover service using the HTTP redirect method.
              The attempt to contact Autodiscover using the HTTP Redirect method failed.
              Test Steps
                Attempting to resolve the host name autodiscover.glascol.com in DNS.
                  The host name couldn't be resolved.
                  Additional Details
                    Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
            Attempting to contact the Autodiscover service using the DNS SRV redirect method.
              ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
              Test Steps
                Attempting to locate SRV record _autodiscover._tcp.glascol.com in DNS.
                  The Autodiscover SRV record wasn't found in DNS.
0
 
shahravishCommented:
I am assuming you have set the right NATing rules. Since you are saying it works fine internally, my doubt goes towards the router/firewall. Are the clients connecting via IP (External/Internal) or DNS?

0
 
sharris_glascolAuthor Commented:
connecting via www.glascol.com/mail
0
 
shahravishCommented:
Can you please confirm if your external IP is [67.52.55.38] and it points to the correct internal IP address?

A snapshot of your NAT table would be good?

Thanks
0
 
shahravishCommented:
A telnet test shows successful connection to the exchange, would appreciate if you can verify port 443 is connecting to the right IP too! If so, next place to look at would be the IIS
0
 
sharris_glascolAuthor Commented:
Yes, the IP is the .38 and it points to the exchange.  Port 443 is forwarded to our exchange server as well.  Where is IIS?
0
 
shahravishCommented:
Should be under Administrative tools - Internet Information Services manager.

When you said you had some issues with your exchange that were resolved, can you elaborate as to what the problem was?
0
 
sharris_glascolAuthor Commented:
We had a hard drive that was degragated.  So we fixed it, and then our exchange continuity system had our wrong IP address and we were not receiving emails.  And the OWA thing started before all of this.  Also, if I go to https://localhost on the exchange box I get an under construction page.
0
 
shahravishCommented:
That should be the IIS Page. Try going to https://localhost/owa or https://localhost/exchange

What exchange version is on here?
Have you got certificates installed for using HTTPS?

Try restarting the IIS service and then visit the OWA site locally.
0
 
shahravishCommented:
Just briefly went through the test results you posted up -
Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.

The certificate you have installed on your IIS doesn't seem to match the internal domain name?
Have you tried to disable HTTPS and see if you can access via HTTP?
0
 
sharris_glascolAuthor Commented:
How would you disable HTTPS?
0
 
sharris_glascolAuthor Commented:
0
 
shahravishCommented:
Try allowing your firewall to forward traffic on port 80 to your internal server address. We can then test if your OWA works externally on HTTP.
If so, we can then narrow down to troubleshooting the HTTPS / certificate issue.

0
 
sharris_glascolAuthor Commented:
so forward port 80 to my exchange as well as 25 and 443
0
 
sharris_glascolAuthor Commented:
port 80 is ported
0
 
shahravishCommented:
Ok! I am now getting the IIS error stating this site needs to be viewed via HTTPS - Which shows you have a require SSL setting selected under your default website.
For testing purposes, you can disable it and see if it is allowing you to access OWA via HTTP.

Do you have an SSL certificate installed? And what is the certificate for? When I am browsing to the website, the certificate is issued to something else? Looks like a firewall? Is it a Cisco firewall and have you got any HTTPS traffic coming on the firewall?
0
 
sharris_glascolAuthor Commented:
Yes, I have an SSL certificate from DigiCert.  Yes, it's a Cisco router.  Where should I go to disable the SSL?
0
 
shahravishCommented:
The certificate I am getting when visiting owa.glascol.com is issued by Cisco Systems, which leads me to believe that the port only goes to the firewall and doesn't cross it!
Many firewalls have management configuration and SSL VPN enabled, and if you only have a single public IP, and your SSL VPN is set to port 443, it cannot forward 443 to another internal server. You may want to consider changing your internal SSP port to something else, if you only have 1 public IP or use another IP.

Have you recently implemented SSL VPN?
0
 
shahravishCommented:
Don't disable SSL on the IIS yet! It seems the problem is with the router not forwarding traffic on 443 to the internal server. Are you using port 443 on the firewall/router for anything?
0
 
sharris_glascolAuthor Commented:
No, VPN isn't supposed to be on unless it's a default setting on the router.
0
 
sharris_glascolAuthor Commented:
The router shows remote management on port 443 but it is disabled.
0
 
shahravishCommented:
Can you change that to port 4443 for example or anything other than 443! Make sure port 443 is not used anywhere on the firewall
0
 
sharris_glascolAuthor Commented:
the remote management port to 4443?
0
 
shahravishCommented:
Yes! And keep a record of this, in case you are trying to access it in the future! Basically, as we normally do for all our clients with a single IP, we change the configuration and administration ports for firewalls to different ports, which allows us to administer and also allows the client to use the default ports for other applications
0
 
sharris_glascolAuthor Commented:
So the remote management port, which was disabled, I enabled to change it to port 4443.  I can't find anything else on the router that is pointed to 443.  Is there a way to see if there is anything else pointed to it?
0
 
shahravishCommented:
Do you know who configured the router for you?
It may be best for them to make these changes and ensure the router/firewall is forwarding traffic on port 443 to your exchange server. Currently the issue is at your firewall, where it is not forwarding 443 traffic to the exchange.

In terms of checking, I am not so used to Cisco routers, especially at the command line. Most firewalls I use have a config or admin page which shows all the administrative ports and their assignments. Once you change the remote management port to something else, you can test access from external to see if it's working
0
 
shahravishCommented:
The change you have done doesn't seem to work. I still get to the Cisco main page when accessing without /owa
I should be able to get through to the exchange server.

If you access the site https://owa.glascol.com externally, you get to a Cisco remote management page.
Did someone configure this device for you?
0
 
shahravishCommented:
Even though you have changed the remote management port to 4443, access to the firewall is still active on port 443. There should be some place where this would be defined?
0
 
sharris_glascolAuthor Commented:
There is an access rule set up for HTTPS 443, source interface WAN1, source any, destination any.  Would this be causing the issue?  I set up the router with help from Cisco.
0
 
shahravishCommented:
In that place, the destination should be your exchange server. You have the NAT policy set up correctly?
If you have NAT set up on port 443, you set up your access rule to accept any source, and destination should be your exchange
0
 
sharris_glascolAuthor Commented:
I have port 443 point to forward to my exchange.  But have nothing in the NAT
0
 
shahravishCommented:
I thought you had that defined earlier? You mentioned you have port 443 forwarded to exchange?
0
 
shahravishCommented:
I am not sure what model of Cisco this is, but you also have to write memory to ensure changes are saved.
0
 
sharris_glascolAuthor Commented:
I do, but do I also need the firewall to also forward port 443 on the WAN?
0
 
sharris_glascolAuthor Commented:
It is a Cisco RV042
0
 
shahravishCommented:
Yes. The firewall has to mainly forward all traffic on port 443 to the exchange server sitting internally.

You need to ensure an ACL exists to allow traffic from WAN on port 443 to go on to the internal exchange server, and you need to have a NAT/PAT policy which will translate the outside IP or port to internal and forward the packet
0
 
sharris_glascolAuthor Commented:
OK, so here is what I have so far.  I have an
access rule for
port https (443) wan 1 source any destination x.x.x.47-x.x.x.47.

port forwarding:
https [tcp/443-443]->x.x.x.47 [enabled]

So now you're saying I need to set up a NAT/PAT policy?
0
 
sharris_glascolAuthor Commented:
OK, there is a one-to-one NAT.
private range x.x.x.47
public range ??????
range length ?????

Is the public range my static IP?
0
 
shahravishCommented:
No, that port forwarding should be fine! You can either have NAT or Port forwarding (PAT) or both!
NAT is what will translate your external IP to internal with all ports
PAT (Port Address Translation) translates specific ports from external to internal

If you have setup the ACL and Port Forwarding correctly, it should go through to exchange
Do you have to reboot to save changes or something?

My test still shows me the router login page! Disable the remote management
0
 
sharris_glascolAuthor Commented:
Don't have to reboot, and remote management is disabled.
0
 
shahravishCommented:
I am still getting the Cisco certificate. The firewall is not forwarding traffic internally to exchange. What model is the firewall? You'll have to excuse me for now, as I have to leave, but do reply with the firewall/router details and I will look into it to see what's set and how.
0
 
sharris_glascolAuthor Commented:
It is a RV042 10/100 4-port VPN Router.  That is fine, I have to leave for the evening as well.
0
 
shahravishCommented:
Hi Sharris, can you please upload a few screenshots of where you have configured the rules and port forwarding? I have looked around a bit, and this is a small business grade router (Linksys, now Cisco)

I think from some screenshots I have seen, you go into port forwarding and set up the firewall rule and it should work!

I'd like to see a few screenshots to understand, or it might be better for you to contact Cisco support, if you have it, and work with them to get this fixed quick!

0
 
sharris_glascolAuthor Commented:
here is the screenshot
cisco-port-forwarding.gif
0
 
sharris_glascolAuthor Commented:
So, it is all fixed now.  The HTTPS port on the router needed to be disabled because it was using port 443. Now I can get in.
0
 
sharris_glascolAuthor Commented:
fixed problem
0
 
shahravishCommented:
Great! Glad it is fixed for you! Would appreciate if you can award the points :)

Thanks
0
 
sharris_glascolAuthor Commented:
c
0
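The check the thread kept coming back to, reading the certificate presented on port 443 to tell which device is actually answering, as an added example that is not part of the original thread. The sample certificates are constructed from names mentioned in the posts, and `classify` and `probe` are hypothetical helper names.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate covers: subjectAltName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def issuer_org(cert):
    """Organization name of the issuer, or '' when the certificate has none."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "organizationName"), "")

def classify(cert, host):
    """Say whether the certificate seen on host:443 belongs to the expected service."""
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return f"OK: certificate covers {host} (issuer: {issuer_org(cert)})"
    return (f"MISMATCH: {host} is answered with a certificate for {names} "
            f"(issuer: {issuer_org(cert)}); another device or host owns this port")

def probe(host, port=443, timeout=5.0):
    """Fetch the certificate over the network (not used by the samples below).
    Chain validation stays on, so a self-signed device certificate raises
    ssl.SSLCertVerificationError, which is itself the finding to report."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by classify() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert(), host)

# Constructed samples in ssl.getpeercert() layout; names are taken from the thread,
# the issuer spelling "DigiCert Inc" is an assumption.
SHARED_HOST_CERT = {
    "subject": ((("commonName", "secure84.inmotionhosting.com"),),),
    "issuer": ((("organizationName", "The USERTRUST Network"),),),
}
OWA_CERT = {
    "subject": ((("commonName", "owa.glascol.com"),),),
    "subjectAltName": (("DNS", "owa.glascol.com"),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
}
```

A mismatch on a port that is supposed to be forwarded to Exchange means the listener is some other device, here the router's own HTTPS management service exposed on the WAN side.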
