sharris_glascol asked:

Cannot Connect to OWA externally

Our router died and we had some email server issues that we got fixed.  Now the only problem is that we cannot access OWA externally.  We have several smartphones in the office that can connect if they are on wifi, but once we shut off the wifi we cannot connect anymore.  I'm thinking that it may have something to do with the ports on the router but am not sure.  Right now I have ports 25 and 443 forwarded to the Exchange server.
Neil Russell

Run the tests here and report back....

https://www.testexchangeconnectivity.com/

ASKER

locally?  



ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.

Test Steps

Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.

  Test Steps

  Attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.

    Test Steps

    Attempting to test potential Autodiscover URL https://glascol.com/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

      Test Steps

      Attempting to resolve the host name glascol.com in DNS.
      The host name resolved successfully.

        Additional Details
        IP addresses returned: 216.193.219.138

      Testing TCP port 443 on host glascol.com to ensure it's listening and open.
      The port was opened successfully.

      Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.

        Test Steps

        ExRCA is attempting to obtain the SSL certificate from remote server glascol.com on port 443.
        ExRCA successfully obtained the remote SSL certificate.

          Additional Details
          Remote Certificate Subject: CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US, Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US.

        Validating the certificate name.
        Certificate name validation failed.

          Additional Details
          Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.

    Attempting to test potential Autodiscover URL https://autodiscover.glascol.com/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

      Test Steps

      Attempting to resolve the host name autodiscover.glascol.com in DNS.
      The host name couldn't be resolved.

        Additional Details
        Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.

    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The attempt to contact Autodiscover using the HTTP Redirect method failed.

      Test Steps

      Attempting to resolve the host name autodiscover.glascol.com in DNS.
      The host name couldn't be resolved.

        Additional Details
        Host autodiscover.glascol.com couldn't be resolved in DNS InfoDomainNonexistent.

    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
    ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.

      Test Steps

      Attempting to locate SRV record _autodiscover._tcp.glascol.com in DNS.
      The Autodiscover SRV record wasn't found in DNS.
shahravish

I am assuming you have set the right NATing rules. Since you are saying it works fine internally, my doubt goes towards the router/firewall. Are the clients connecting via IP (External/Internal) or DNS?

Can you please confirm if your external IP is [67.52.55.38] and it points to the correct internal IP address?

A snapshot of your NAT table would be good?

Thanks
A telnet test shows successful connection to the Exchange, would appreciate if you can verify port 443 is connecting to the right IP too! If so, next place to look at would be the IIS
Yes the IP is the .38 and it points to the Exchange.  Port 443 is forwarded to our Exchange server as well.  Where is IIS?
Should be under Administrative tools - Internet Information Services manager.

When you said you had some issues with your Exchange that were resolved, can you elaborate as to what the problem was?
We had a hard drive that was degragated..  so we fixed it and then our Exchange continuity system had our wrong IP address and we were not receiving emails.  And the OWA thing started before all of this.  Also if I go to https://localhost on the Exchange box I get an under construction page..
That should be the IIS Page. Try going to https://localhost/owa or https://localhost/exchange

What exchange version is on here?
Have you got certificates installed for using HTTPS?

Try restarting the IIS service and then visit the OWA site locally.
Just briefly went through the test results you posted up -
Host name glascol.com doesn't match any name found on the server certificate CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, S=ca, PostalCode=90292, C=US.

The certificate you have installed on your IIS doesn't seem to match the internal domain name?
Have you tried to disable HTTPS and see if you can access via HTTP?
How would you disable HTTPS?
Try allowing your firewall to forward traffic on port 80 to your internal server address. We can then test if your OWA works externally on HTTP.
If so, we can then narrow down to troubleshooting the HTTPS / certificate issue.

So forward port 80 to my Exchange as well as 25 and 443
Port 80 is ported
Ok! I am now getting the IIS error stating this site needs to be viewed via HTTPS - Which shows you have a require SSL setting selected under your default website.
For testing purposes, you can disable it and see if it is allowing you to access OWA via HTTP.

Do you have an SSL certificate installed? And what is the certificate for? When I am browsing to the website, the certificate is issued to something else? Looks like a firewall? Is it a Cisco firewall and have you got any HTTPS traffic coming on the firewall?
Yes I have an SSL certificate from DigiCert.  Yes it's a Cisco router..  Where should I go to disable the SSL.
The certificate I am getting when visiting owa.glascol.com is issued by Cisco Systems, which leads me to believe that the port only goes to the firewall and doesn't cross it!
Many firewalls have management configuration and SSL VPN enabled, and if you only have a single public IP, and your SSL VPN is set to port 443, it cannot forward 443 to another internal server. You may want to consider changing your internal SSP port to something else, if you only have 1 public IP or use another IP.

Have you recently implemented SSL VPN?
Don't disable SSL on the IIS yet! It seems the problem is with the router not forwarding traffic on 443 to the internal server. Are you using port 443 on the firewall/router for anything?
No, VPN isn't supposed to be on unless it's a default setting on the router.
The router shows remote management on port 443 but it is disabled..
Can you change that to port 4443 for example or anything other than 443! Make sure port 443 is not used anywhere on the firewall
The remote management port to 4443?
Yes! And keep a record of this, in case you are trying to access it in the future! Basically as we normally do for all our clients with single IP, we change the configuration and administration ports for firewalls to different ports, which allow us to administer and also allow the client to use the default ports for other applications
So the remote management port which was disabled I enabled to change it to port 4443.  I can't find anything else on the router that is pointed to 443..  Is there a way to see if there is anything else pointed to it?
Do you know who configured the router for you?
It may be best for them to make these changes and ensure the router/firewall is forwarding traffic on port 443 to your Exchange server. Currently the issue is at your firewall, where it is not forwarding 443 traffic to the Exchange.

In terms of checking, I am not so used with Cisco routers, especially at the command line. Most firewalls I use have a config or admin page which shows all the administrative ports and their assignments. Once you change the remote management port to something else, you can test access from external to see if it's working
The change you have done doesn't seem to work. I still get to the Cisco main page when accessing without /owa
I should be able to get through to the exchange server.

If you access the site https://owa.glascol.com externally, you get to a Cisco remote management page.
Did someone configure this device for you?
Even though you have changed the remote management port to 4443, access to the firewall is still active on port 443. There should be some place where this would be defined?
There is an access rule set up for HTTPS 443 source interface WAN1 source any destination any.  Would this be causing the issue?  I set up the router with help from Cisco.
In that place, the destination should be your Exchange server. You have the NAT policy set up correct?
If you have NAT set up on port 443, you set up your access rule to accept any source, and destination should be your Exchange
I have port 443 pointed to forward to my Exchange.  But have nothing in the NAT
I thought you had that defined earlier? You mentioned you have port 443 forwarded to Exchange?
I am not sure what model of Cisco this is, but you also have to write memory to ensure changes are saved.
I do, but do I also need the firewall to also forward port 443? On the WAN?
It is a Cisco RV042
Yes. The firewall has to mainly forward all traffic on port 443 to the exchange server sitting internally.

You need to ensure an ACL exists to allow traffic from WAN on port 443 to go to the internal Exchange server and you need to have a NAT/PAT policy which will translate outside IP or port to internal and forward the packet
OK so here is what I have so far..  I have an access rule for
port https (443) wan 1 source any destination x.x.x.47-x.x.x.47.

port forwarding:
https [tcp/443-443]->x.x.x.47 [enabled]

So now you're saying I need to set up a NAT/PAT policy???
OK there is a one-to-one NAT.
private range x.x.x.47
public range ??????
range length ?????

Is the public range my static IP?
No that port forwarding should be fine! You can either have NAT or Port forwarding (PAT) or both!
NAT is what will translate your external IP to internal with all ports
PAT (Port Address Translation) translates specific ports from external to internal

If you have set up the ACL and port forwarding correctly, it should go through to Exchange
Do you have to reboot to save changes or something?

My test still shows me the router login page! Disable the remote management
Don't have to reboot.  And remote management is disabled.
I am still getting the Cisco certificate. The firewall is not forwarding traffic internal to Exchange. What model is the firewall? You'll have to excuse me for now, as I have to leave but do reply with the firewall/router details and I will look into it to see what's set and how.
It is an RV042 10/100 4-port VPN Router..  That is fine, I have to leave for the evening as well..
Hi Sharris, can you please upload a few screenshots of where you have configured the rules and port forwarding? I have looked around a bit, and this is a small business grade router (Linksys, now Cisco)

I think from some screenshots I have seen, you go into port forwarding and set up the firewall rule and it should work!

I'd like to see a few screenshots to understand, or it might be better for you to contact Cisco support, if you have it, and work with them to get this fixed quick!

Here is the screenshot
cisco-port-forwarding.gif
ASKER CERTIFIED SOLUTION
sharris_glascol
fixed problem
Great! Glad it is fixed for you! Would appreciate if you can award the points :)

Thanks
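
The certificate-name check that the ExRCA report shows failing, and that the thread used to tell which device was answering on port 443, is sketched here as an added example (not part of the thread and not ExRCA's code). It parses a subject string in the format ExRCA printed and tests the host name against the certificate names; `parse_dn`, `name_matches`, `diagnose` and the wildcard subject in the demo are constructed for illustration.

```python
import re

# Subject exactly as printed in the ExRCA output quoted in the thread.
PAGE_SUBJECT = (
    'CN=secure84.inmotionhosting.com, OU=Comodo InstantSSL, '
    'OU="InMotion Hosting, Inc.", O="InMotion Hosting, Inc.", '
    'STREET=4553 Glencoe Ave, STREET=Suite 325, L=Marina Del Rey, '
    'S=ca, PostalCode=90292, C=US'
)

# One attribute=value pair; a value is "quoted" (commas allowed) or bare.
_RDN = re.compile(r'\s*([A-Za-z]+)=(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


def parse_dn(dn):
    """Split a comma-separated subject string into (ATTRIBUTE, value) pairs."""
    pairs, pos = [], 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError(f"cannot parse DN at offset {pos}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs.append((m.group(1).upper(), value.strip()))
        pos = m.end()
    return pairs


def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent != "" and parent == pattern[2:]
    return host == pattern


def diagnose(host, subject_dn, san=()):
    """Return (name_ok, names_checked, organisation) for one probe result.

    SAN DNS names take precedence over the CN when any are supplied.
    """
    attrs = parse_dn(subject_dn)
    names = list(san) or [v for k, v in attrs if k == "CN"]
    org = next((v for k, v in attrs if k == "O"), None)
    return any(name_matches(host, n) for n in names), names, org


if __name__ == "__main__":
    # The failing check from the report: the hosting provider's certificate.
    print(diagnose("glascol.com", PAGE_SUBJECT))
    # Constructed subject, showing what a matching certificate looks like.
    print(diagnose("owa.glascol.com", "CN=*.glascol.com, O=Example Org"))
```

The organisation returned with a failed match is the useful part: it names who holds the certificate that answered, which is how a web host or a router's management page shows up instead of the Exchange server.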