Solved

Cannot Connect to OWA externally

Posted on 2011-09-08
Last Modified: 2012-05-12
Our router died and we had some email server issues that we got fixed.  Now the only problem is that we cannot access OWA externally.  We have several smartphones in the office that can connect if we are on wifi, but once we shut off the wifi we cannot connect anymore.  I'm thinking that it may have something to do with the ports on the router but am not sure.  Right now I have ports 25 and 443 forwarded to the exchange server.
0
Comment
Question by:sharris_glascol
49 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36504434
Run the tests here and report back....

https://www.testexchangeconnectivity.com/
0
 

Author Comment

by:sharris_glascol
ID: 36504486
locally?

ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
  Attempting the Autodiscover and Exchange ActiveSync test (if requested).
  Testing of Autodiscover for Exchange ActiveSync failed.
  Test Steps
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.
    Test Steps
      Attempting to test potential Autodiscover URL https://glascol.com/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
      Test Steps
        Attempting to resolve the host name glascol.com in DNS.
        The host name resolved successfully.
        Additional Details
          IP addresses returned: 216.193.219.138
        Testing TCP port 443 on host glascol.com to ensure it's listening and open.
        The port was opened successfully.
        Testing the SSL certificate to make sure it's valid.
        The SSL certificate failed one or more certificate validation checks.
        Test Steps
          ExRCA is attempting to obtain the SSL certificate from remote server glascol.com on port 443.
          ExRCA successfully obtained the remote SSL certificate.
          Additional Details
            Remote Certificate Subject: CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US, Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US.
          Validating the certificate name.
          Certificate name validation failed.
          Additional Details
            Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.
      Attempting to test potential Autodiscover URL https://autodiscover.glascol.com/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
      Test Steps
        Attempting to resolve the host name autodiscover.glascol.com in DNS.
        The host name couldn't be resolved.
        Additional Details
          Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
      The attempt to contact Autodiscover using the HTTP Redirect method failed.
      Test Steps
        Attempting to resolve the host name autodiscover.glascol.com in DNS.
        The host name couldn't be resolved.
        Additional Details
          Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
      ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
      Test Steps
        Attempting to locate SRV record _autodiscover._tcp.glascol.com in DNS.
        The Autodiscover SRV record wasn't found in DNS.
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36504644
I am assuming you have set the right NATing rules. Since you are saying it works fine internally, my doubt goes towards the router/firewall. Are the clients connecting via IP (External/Internal) or DNS?

0
 

Author Comment

by:sharris_glascol
ID: 36504653
connecting via www.glascol.com/mail
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505057
Can you please confirm if your external IP is [67.52.55.38] and it points to the correct internal IP address?

A snapshot of your NAT table would be good?

Thanks
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505083
A telnet test shows a successful connection to the exchange. Would appreciate it if you can verify port 443 is connecting to the right IP too! If so, the next place to look at would be the IIS.
0
 

Author Comment

by:sharris_glascol
ID: 36505163
Yes the ip is the .38 and it points to the exchange.  port 443 is forwarded to our exchange server as well.  where is iis?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505188
Should be under Administrative tools - Internet Information Services manager.

When you said you had some issues with your exchange that were resolved. can you elaborate as to what the problem was?
0
 

Author Comment

by:sharris_glascol
ID: 36505239
We had a hard drive that was degragated..  so we fixed it and then our exchange continuity system had our wrong IP address and we were not receiving emails.  And the OWA thing started before all of this.  Also if I go to https://localhost on the exchange box I get an under construction page..
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505266
That should be the IIS Page. Try going to https://localhost/owa or https://localhost/exchange

What exchange version is on here?
Have you got certificates installed for using HTTPS?

Try restarting the IIS service and then visit the OWA site locally.
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505303
just briefly went through the test results you posted up -
Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.

The certificate you have installed on your IIS doesn't seem to match the internal domain name?
Have you tried to disable HTTPS and see if you can access via HTTP?
0
 

Author Comment

by:sharris_glascol
ID: 36505340
how would you disable https?
0
 

Author Comment

by:sharris_glascol
ID: 36505344
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505356
Try allowing your firewall to forward traffic on port 80 to your internal server address. We can then test if your OWA works externally on HTTP.
If so, we can then narrow down to troubleshooting the HTTPS / certificate issue.

0
 

Author Comment

by:sharris_glascol
ID: 36505364
so forward port 80 to my exchange as well as 25 and 443
0
 

Author Comment

by:sharris_glascol
ID: 36505376
port 80 is ported
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505476
Ok! I am now getting the IIS error stating this site needs to be viewed via HTTPS - Which shows you have a require SSL setting selected under your default website.
For testing purposes, you can disable it and see if it is allowing you to access OWA via HTTP.

Do you have an SSL certificate installed? And what is the certificate for? When I am browsing to the website, the certificate is issued to something else? Looks like a firewall? Is it a Cisco firewall and have you got any HTTPS traffic coming on the firewall?
0
 

Author Comment

by:sharris_glascol
ID: 36505496
Yes, I have an SSL certificate from digicert.  Yes, it's a Cisco router..  Where should I go to disable the SSL?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505504
The certificate I am getting when visiting owa.glascol.com is issued by Cisco Systems, which leads me to believe that the port only goes to the firewall and doesn't cross it!
Many firewalls have management configuration and SSL VPN enabled, and if you only have a single public IP, and your SSL VPN is set to port 443, it cannot forward 443 to another internal server. You may want to consider changing your internal SSP port to something else, if you only have 1 public IP, or use another IP.

have you recently implemented SSL VPN ?
0
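The check used in the comment above (look at which certificate answers on port 443 and ask whether it is the mail server's) can be scripted. This is an added example, not code from the thread; the helper names, the `router.invalid` subject and the `DigiCert Inc` issuer string are assumptions, and the sample certificates are constructed in the shape Python's `getpeercert()` returns.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive; '*' is honoured only as the entire leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def issuer_org(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "organizationName"), "")

def classify(host, cert, expected_issuer):
    """Decide whether the certificate seen on 443 is the mail server's."""
    if not any(name_matches(n, host) for n in cert_names(cert)):
        return "wrong-endpoint"      # another device or site answered 443
    if expected_issuer.lower() not in issuer_org(cert).lower():
        return "unexpected-issuer"   # right name, but not the expected CA
    return "ok"

def fetch_cert(host, port=443, timeout=5):
    """Live fetch. Returns None when the chain is untrusted, which is what a
    router's self-signed management certificate produces."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # names are compared in classify()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

def make_cert(cn, issuer, sans=()):
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("organizationName", issuer),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

# Constructed samples. Only the first subject/issuer pair and "Cisco Systems"
# come from the thread; the other names are placeholders.
HOSTING = make_cert("secure84.inmotionhosting.com", "The USERTRUST Network")
ROUTER = make_cert("router.invalid", "Cisco Systems")
MAIL = make_cert("owa.glascol.com", "DigiCert Inc", sans=["owa.glascol.com"])
```

Run from outside the network, `fetch_cert()` followed by `classify()` gives "wrong-endpoint" (or `None` from the fetch) for as long as the router itself, rather than the forwarded Exchange server, is terminating TLS on 443.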
 
LVL 3

Expert Comment

by:shahravish
ID: 36505516
Don't disable SSL on the IIS yet! It seems the problem is with the router not forwarding traffic on 443 to the internal server. Are you using port 443 on the firewall/router for anything?
0
 

Author Comment

by:sharris_glascol
ID: 36505518
No, VPN isn't supposed to be on unless it's a default setting on the router.
0
 

Author Comment

by:sharris_glascol
ID: 36505557
the router shows remote management on port 443 but it is disabled..
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505672
Can you change that to port 4443 for example or anything other than 443! Make sure port 443 is not used anywhere on the firewall
0
 

Author Comment

by:sharris_glascol
ID: 36505679
the remote management port to 4443?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505693
Yes! And keep a record of this, in case you are trying to access it in the future! Basically, as we normally do for all our clients with a single IP, we change the configuration and administration ports for firewalls to different ports, which allows us to administer and also allows the client to use the default ports for other applications.
0
 

Author Comment

by:sharris_glascol
ID: 36505705
So the remote management port, which was disabled, I enabled to change it to port 4443.  I can't find anything else on the router that is pointed to 443..  Is there a way to see if there is anything else pointed to it?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505728
Do you know who configured the router for you?
It may be best for them to make these changes and ensure the router/firewall is forwarding traffic on port 443 to your exchange server. Currently the issue is at your firewall, where it is not forwarding 443 traffic to the exchange.

In terms of checking, I am not so used to Cisco routers, especially at the command line. Most firewalls I use have a config or admin page which shows all the administrative ports and their assignments. Once you change the remote management port to something else, you can test access from external to see if it's working.
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505754
The change you have done doesn't seem to work. I still get to the Cisco main page when accessing without /owa
I should be able to get through to the exchange server.

If you access the site https://owa.glascol.com externally, you get to a cisco remote management page.
Did someone configure this device for you?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505786
Even though you have changed the remote management port to 4443, access to the firewall is still active on port 443. There should be some place where this would be defined?
0
 

Author Comment

by:sharris_glascol
ID: 36505811
there is an access rule setup for https 443 source interface wan1 source any destination any.  would this be causing the issue?  I setup the router with help from cisco.
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505821
In that place, the destination should be your exchange server. You have the NAT policy set up correctly?
If you have NAT set up on port 443, you set up your access rule to accept any source, and the destination should be your exchange.
0
 

Author Comment

by:sharris_glascol
ID: 36505858
I have port 443 point to forward to my exchange.  But have nothing in the NAT
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505891
I thought you had that defined earlier? You mentioned you have port 443 forwarded to exchange?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505898
I am not sure what model of cisco this is, but you also have to write memory to ensure changes are saved.
0
 

Author Comment

by:sharris_glascol
ID: 36505900
I do, but do I also need the firewall to forward port 443 on the WAN?
0
 

Author Comment

by:sharris_glascol
ID: 36505920
it is a cisco rv042
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36505928
Yes. The firewall has to mainly forward all traffic on port 443 to the exchange server sitting internally.

You need to ensure an ACL exists to allow traffic from WAN on port 443 to go on to the internal exchange server, and you need to have a NAT/PAT policy which will translate the outside IP or port to internal and forward the packet.
0
 

Author Comment

by:sharris_glascol
ID: 36505965
OK, so here is what I have so far..  I have an access rule for
 port https (443) wan 1 source any destination x.x.x.47-x.x.x.47.

port forwarding:
https [tcp/443-443]->x.x.x.47 [enabled]

So now you're saying I need to set up a NAT/PAT policy???
0
 

Author Comment

by:sharris_glascol
ID: 36505978
ok there is a one-to-one NAT.  
private range x.x.x.47
public range ??????
range length ?????

is the public range my static IP?
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36506011
No that port forwarding should be fine! You can either have NAT or Port forwarding (PAT) or both!
NAT is what will translate your external IP to internal with all ports
PAT (Port Address Translation) translates specific ports from external to internal

If you have setup the ACL and Port Forwarding correctly, it should go through to exchange
Do you have to reboot to save changes or something?

My test still shows me the router login page! Disable the remote management
0
 

Author Comment

by:sharris_glascol
ID: 36506027
don't have to reboot.  and remote management is disabled.
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36506064
I am still getting the Cisco certificate. The firewall is not forwarding traffic internally to exchange. What model is the firewall? You'll have to excuse me for now, as I have to leave, but do reply with the firewall/router details and I will look into it to see what's set and how.
0
 

Author Comment

by:sharris_glascol
ID: 36506073
It is an RV042 10/100 4-port VPN Router..  That is fine, I have to leave for the evening as well..
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36509903
Hi Sharris, can you please upload a few screenshots of where you have configured the rules and port forwarding? I have looked around a bit, and this is a small business grade router (Linksys, now Cisco).

I think, from some screenshots I have seen, you go into port forwarding and set up the firewall rule and it should work!

I'd like to see a few screenshots to understand, or it might be better for you to contact Cisco support, if you have it, and work with them to get this fixed quick!

0
 

Author Comment

by:sharris_glascol
ID: 36510014
here is the screenshot
cisco-port-forwarding.gif
0
 

Accepted Solution

by:
sharris_glascol earned 0 total points
ID: 36510496
So.  It is all fixed now..  The HTTPS port on the router needed to be disabled because it was using port 443. Now I can get in.
0
 

Author Closing Comment

by:sharris_glascol
ID: 36534651
fixed problem
0
 
LVL 3

Expert Comment

by:shahravish
ID: 36510803
Great! Glad it is fixed for you! Would appreciate if you can award the points :)

Thanks
0
 

Author Comment

by:sharris_glascol
ID: 36510830
c
0
