sharris_glascol
asked on
Cannot Connect to OWA externally
Our router died and we had some email server issues that we got fixed. Now the only problem is that we cannot access OWA externally. We have several smartphones in the office that can connect if they are on wifi, but once we shut off the wifi we cannot connect anymore. I'm thinking that it may have something to do with the ports on the router but am not sure. Right now I have ports 25 and 443 forwarded to the Exchange server.
ASKER
locally?
ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://glascol.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name glascol.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 216.193.219.138
Testing TCP port 443 on host glascol.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server glascol.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US, Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US.
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it
Additional Details
Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.
Attempting to test potential Autodiscover URL https://autodiscover.glascol.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.glascol.com in DNS.
The host name couldn't be resolved.
Tell me more about this issue and how to resolve it
Additional Details
Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.glascol.com in DNS.
The host name couldn't be resolved.
Tell me more about this issue and how to resolve it
Additional Details
Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.glascol.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it
I am assuming you have set the right NATing rules. Since you are saying it works fine internally, my doubt goes towards the router/firewall. Are the clients connecting via IP (External/Internal) or DNS?
ASKER
connecting via www.glascol.com/mail
Can you please confirm if your external IP is [67.52.55.38] and it points to the correct internal IP address?
A snapshot of your NAT table would be good?
Thanks
A telnet test shows a successful connection to the Exchange. Would appreciate it if you can verify port 443 is connecting to the right IP too! If so, the next place to look at would be the IIS.
ASKER
Yes the ip is the .38 and it points to the exchange. port 443 is forwarded to our exchange server as well. where is iis?
Should be under Administrative tools - Internet Information Services manager.
When you said you had some issues with your Exchange that were resolved, can you elaborate as to what the problem was?
ASKER
We had a hard drive that was degragated, so we fixed it, and then our Exchange continuity system had our wrong IP address and we were not receiving emails. And the OWA thing started before all of this. Also, if I go to https://localhost on the Exchange box I get an under construction page.
That should be the IIS Page. Try going to https://localhost/owa or https://localhost/exchange
What exchange version is on here?
Have you got certificates installed for using HTTPS?
Try restarting the IIS service and then visit the OWA site locally.
Just briefly went through the test results you posted up -
Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.
The certificate you have installed on your IIS doesn't seem to match the internal domain name?
Have you tried to disable HTTPS and see if you can access via HTTP?
ASKER
how would you disable https?
ASKER
http://localhost/owa works
Try allowing your firewall to forward traffic on port 80 to your internal server address. We can then test if your OWA works externally on HTTP.
If so, we can then narrow down to troubleshooting the HTTPS / certificate issue.
ASKER
so forward port 80 to my exchange as well as 25 and 443
ASKER
port 80 is ported
Ok! I am now getting the IIS error stating this site needs to be viewed via HTTPS, which shows you have a require SSL setting selected under your default website.
For testing purposes, you can disable it and see if it is allowing you to access OWA via HTTP.
Do you have an SSL certificate installed? And what is the certificate for? When I am browsing to the website, the certificate is issued to something else? Looks like a firewall? Is it a Cisco firewall and have you got any HTTPS traffic coming on the firewall?
ASKER
yes I have a ssl certificate from digicert. yes its a cisco router.. where should I go to disable the ssl.
The certificate I am getting when visiting owa.glascol.com is issued by Cisco Systems, which leads me to believe that the port only goes to the firewall and doesn't cross it!
Many firewalls have management configuration and SSL VPN enabled, and if you only have a single public IP, and your SSL VPN is set to port 443, it cannot forward 443 to another internal server. You may want to consider changing your internal SSP port to something else, if you only have 1 public IP, or use another IP.
Have you recently implemented SSL VPN?
Don't disable SSL on the IIS yet! It seems the problem is with the router not forwarding traffic on 443 to the internal server. Are you using port 443 on the firewall/router for anything?
ASKER
No, VPN isn't supposed to be on unless it's a default setting on the router.
ASKER
the router shows remote management on port 443 but it is disabled..
Can you change that to port 4443 for example or anything other than 443! Make sure port 443 is not used anywhere on the firewall
ASKER
the remote management port to 4443?
Yes! And keep a record of this, in case you are trying to access it in the future! Basically, as we normally do for all our clients with a single IP, we change the configuration and administration ports for firewalls to different ports, which allows us to administer and also allows the client to use the default ports for other applications.
ASKER
So the remote management port, which was disabled, I enabled to change it to port 4443. I can't find anything else on the router that is pointed to 443. Is there a way to see if there is anything else pointed to it?
Do you know who configured the router for you?
It may be best for them to make these changes and ensure the router/firewall is forwarding traffic on port 443 to your Exchange server. Currently the issue is at your firewall, where it is not forwarding 443 traffic to the Exchange.
In terms of checking, I am not so used to Cisco routers, especially at the command line. Most firewalls I use have a config or admin page which shows all the administrative ports and their assignments. Once you change the remote management port to something else, you can test access from external to see if it's working.
The change you have done doesn't seem to work. I still get to the Cisco main page when accessing without /owa
I should be able to get through to the Exchange server.
If you access the site https://owa.glascol.com externally, you get to a Cisco remote management page.
Did someone configure this device for you?
Even though you have changed the remote management port to 4443, access to the firewall is still active on port 443. There should be some place where this would be defined?
ASKER
there is an access rule setup for https 443 source interface wan1 source any destination any. would this be causing the issue? I setup the router with help from cisco.
In that place, the destination should be your Exchange server. You have the NAT policy set up correctly?
If you have NAT set up on port 443, you set up your access rule to accept any source, and the destination should be your Exchange.
ASKER
I have port 443 point to forward to my exchange. But have nothing in the NAT
I thought you had that defined earlier? You mentioned you have port 443 forwarded to Exchange?
I am not sure what model of cisco this is, but you also have to write memory to ensure changes are saved.
ASKER
i do but do I also need the firewall to also forward port 443? on the wan?
ASKER
it is a cisco rv042
Yes. The firewall has to mainly forward all traffic on port 443 to the exchange server sitting internally.
You need to ensure an ACL exists to allow traffic from WAN on port 443 to go on to the internal Exchange server, and you need to have a NAT/PAT policy which will translate the outside IP or port to internal and forward the packet.
ASKER
OK, so here is what I have so far. I have an
access rule for
port https (443) wan 1 source any destination x.x.x.47-x.x.x.47.
port forwarding:
https {tcp/443-443]->x.x.x.47 [enabled]
So now you're saying I need to set up a NAT/PAT policy?
ASKER
ok there is a one-to-one NAT.
private range x.x.x.47
public range ??????
range length ?????
is the public range my static IP?
No, that port forwarding should be fine! You can either have NAT or Port forwarding (PAT) or both!
NAT is what will translate your external IP to internal with all ports.
PAT (Port Address Translation) translates specific ports from external to internal.
If you have set up the ACL and Port Forwarding correctly, it should go through to Exchange.
Do you have to reboot to save changes or something?
My test still shows me the router login page! Disable the remote management.
ASKER
don't have to reboot. and remote management is disabled.
I am still getting the Cisco certificate. The firewall is not forwarding traffic internally to Exchange. What model is the firewall? You'll have to excuse me for now, as I have to leave, but do reply with the firewall/router details and I will look into it to see what's set and how.
ASKER
It is a RV042 10/100 4-port VPN Router. That is fine, I have to leave for the evening as well.
Hi Sharris, can you please upload a few screenshots of where you have configured the rules and port forwarding? I have looked around a bit, and this is a small business grade router (Linksys, now Cisco).
I think, from some screenshots I have seen, you go into port forwarding and set up the firewall rule and it should work!
I'd like to see a few screenshots to understand, or it might be better for you to contact Cisco support, if you have it, and work with them to get this fixed quickly!
ASKER
here is the screenshot
cisco-port-forwarding.gif
ASKER CERTIFIED SOLUTION
ASKER
fixed problem
Great! Glad it is fixed for you! Would appreciate if you can award the points :)
Thanks
ASKER
c
https://www.testexchangeconnectivity.com/
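The check that located the fault in this thread (whose certificate answers on port 443) can be scripted. The following is an added example, not part of the original thread: it classifies a certificate, in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, as coming from the published mail server, from the edge device itself, or from an unrelated host. The `DEVICE_ORGS` list, the label strings and the three sample certificates are assumptions constructed for illustration.

```python
# Added example: certificates use the dict shape of ssl.SSLSocket.getpeercert().
# Assumption: organisation strings that mark an edge device's own certificate.
DEVICE_ORGS = ("cisco systems",)

def _attr(rdns, key):
    """First value of `key` in a getpeercert() subject or issuer."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _attr(cert.get("subject", ()), "commonName")
    return sans or ([cn] if cn else [])

def name_matches(host, pattern):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def who_answered(expected_host, cert):
    """Return 'published-server', 'edge-device' or 'other-host'."""
    if any(name_matches(expected_host, n) for n in cert_names(cert)):
        return "published-server"
    orgs = [_attr(cert.get(f, ()), "organizationName").lower()
            for f in ("issuer", "subject")]
    if any(d in o for o in orgs for d in DEVICE_ORGS):
        return "edge-device"  # 443 terminates on the router/firewall itself
    return "other-host"       # DNS or NAT points at an unrelated server

# Constructed sample certificates (illustrative values only).
ROUTER_CERT = {
    "subject": ((("organizationName", "Cisco Systems, Inc."),),
                (("commonName", "router"),)),
    "issuer": ((("organizationName", "Cisco Systems, Inc."),),),
}
HOSTING_CERT = {  # names taken from the ExRCA output quoted in the thread
    "subject": ((("commonName", "secure84.inmotionhosting.com"),),),
    "issuer": ((("organizationName", "The USERTRUST Network"),),),
}
MAIL_CERT = {
    "subject": ((("commonName", "owa.glascol.com"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
    "subjectAltName": (("DNS", "owa.glascol.com"),),
}

if __name__ == "__main__":
    for c in (ROUTER_CERT, HOSTING_CERT, MAIL_CERT):
        print(who_answered("owa.glascol.com", c))
```

An `edge-device` result from outside the network also means the router's management or VPN listener is reachable from the WAN, which is worth closing regardless of the mail problem.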