Exchange 2010 OWA not working externally

lscs
Hi,

Got a problem with OWA: this can be accessed internally but not externally. The browser attempts to connect using both https://IPADDRESS/owa and also using the name created too.
Port 443 is pointing to the Exchange server.

Can anyone help please, as this is frustrating me now?
Do you get any error?
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Please check whether your port is open externally using the site below:
http://canyouseeme.org/

If OWA works internally, in the normal case it will work externally if the configuration is done properly in the firewall/router.
Do a telnet to ipaddress 443, or with the name, and check.
Have you got anything else listening on 443? If so, it would probably be easier to configure the anything else to listen on a different port than to change the OWA setup.

Author

Commented:
When I telnet to ipaddress 443 I just get a blank CMD screen with nothing??

Also, according to canyouseeme.org, port 443 is open.
The port will be open anyway, as the connection would fail or be actively refused otherwise.

The fact that you're getting somewhere, even if it's blanksville, tends to support the idea that another device is listening on that port and intercepting traffic coming in on it - it's just not expecting to hear what the OWA request has to say, and doesn't know how to respond.

A common source of this behaviour is routers and firewalls being configured for secure external access using 443, but what usually happens is that you get to that device's logon screen instead of the expected OWA login.

Can you check your system to see if anything else on it has been set up for secure access from outside?
Is the Exchange server's default gateway the internal IP address of the router you are connecting to with your external IP? i.e. is it going out the same path as you are coming in?
Sikhumbuzo Ntsada, IT Administration

Commented:
What firewall solution are you using? ISA?

Commented:
Please check if you have a proper record in external DNS for the requested address.

Author

Commented:
Anyone fancy helping remotely, as I'm really struggling with this?

Author

Commented:
ash007, I'm new to all this, can you point me in the right direction mate?
If you browse to www.ipchicken.com on the Exchange server, is it the same as the IP you are trying to browse to externally?

Author

Commented:
Yes it is, tonyperth
Hendrik Wiese, Information Security Manager

Commented:
Have you tried going to https://www.testexchangeconnectivity.com/?

This will help troubleshoot your issue. Please run the test and post any errors that you are receiving.

Author

Commented:
Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      ExRCA is attempting to test Autodiscover for ************************
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://wfsmith.co.uk/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name wfsmith.co.uk in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 212.53.65.86
      Testing TCP port 443 on host wfsmith.co.uk to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       A network error occurred while communicating with the remote host.
      Attempting to test potential Autodiscover URL https://autodiscover.wfsmith.co.uk/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.wfsmith.co.uk in DNS.
       The host name couldn't be resolved.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host autodiscover.wfsmith.co.uk couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.wfsmith.co.uk in DNS.
       The host name couldn't be resolved.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host autodiscover.wfsmith.co.uk couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.wfsmith.co.uk in DNS.
       The Autodiscover SRV record wasn't found in DNS.
        Tell me more about this issue and how to resolve it
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Send me your domain name at my personal email.
If you want, I will check and let you know what is wrong.

You can see my email in my profile.
Hendrik Wiese, Information Security Manager

Commented:
Have you got a valid UCC Certificate installed that includes at least the following?:
autodiscover.domain.com
exchange.domain.com
exchangeserver

Author

Commented:
Yes I do, Hendrik
Hendrik Wiese, Information Security Manager

Commented:
Have you got external DNS entries pointing autodiscover to your server?

Author

Commented:
autodiscover.domain.co.uk is now pointing to the static public IP address of the Exchange server, I have just done this as it wasn't no
Hendrik Wiese, Information Security Manager

Commented:
Ok. Now please run the test again at https://www.testexchangeconnectivity.com/

And let me know what you get?

Author

Commented:
Testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   ExRCA is attempting to test Autodiscover for rosie.molony@wfsmith.co.uk.
  Testing Autodiscover failed.
   Test Steps
   Attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
   Test Steps
   Attempting to test potential Autodiscover URL https://wfsmith.co.uk/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name wfsmith.co.uk in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 212.53.65.86
 
 Testing TCP port 443 on host wfsmith.co.uk to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
 
 
 
 
 Attempting to test potential Autodiscover URL https://autodiscover.wfsmith.co.uk/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.wfsmith.co.uk in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 146.255.2.14
 
 Testing TCP port 443 on host autodiscover.wfsmith.co.uk to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.wfsmith.co.uk on port 443.
  ExRCA wasn't able to obtain the remote SSL certificate.
   Additional Details
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
 
 
 
 
 
 Attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
   Test Steps
   Attempting to resolve the host name autodiscover.wfsmith.co.uk in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 146.255.2.14
 
 Testing TCP port 80 on host autodiscover.wfsmith.co.uk to ensure it's listening and open.
  The port was opened successfully.
 ExRCA is checking the host autodiscover.wfsmith.co.uk for an HTTP redirect to the Autodiscover service.
  ExRCA failed to get an HTTP redirect response for Autodiscover.
   Additional Details
  Exception details:
Message: The request was aborted: The operation has timed out.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Tests.AutoDiscover.AutoDiscHttpRedirectTest.PerformTestReally()
 
 
 
 
 Attempting to contact the Autodiscover service using the DNS SRV redirect method.
  ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
   Test Steps
   Attempting to locate SRV record _autodiscover._tcp.wfsmith.co.uk in DNS.
  The Autodiscover SRV record wasn't found in DNS.
   Tell me more about this issue and how to resolve it

Commented:
Can you do an nslookup on the external address and resolve it on a machine which is external to your network?
hecgomrec, Network Administrator

Commented:
DNS & FIREWALLS

You should always check if your IP is resolved by external DNS (nslookup).

Usually you won't have problems from your LAN, but your WAN.

If everything is working in your LAN then you have to check the following:

Check if your "Domain_name" is really pointing to your external IP address.
  You can use nslookup, tracert or other tools described here.

Check if your firewall is pointing to the right server and the right port. In some devices you can forward everything that is coming in for your external IP to your internal server IP (NAT) and/or just a specific port(s). Make sure not to have several servers with the same open ports unless you can specify in your firewall/router which server will get the request based on the external IP the request was from.

If you need more help with your firewall settings or where to look, please post your device brand and model.
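
The checks discussed in this thread (external DNS record, TCP 443 reachability, then the SSL negotiation that ExRCA reports on) can be run in order so the first failing stage is named. This is an added example, not part of any poster's reply; `probe` and `start_plaintext_listener` are hypothetical names, and the local listener is a constructed stand-in for a device that accepts connections on the forwarded port without speaking TLS. A blank telnet session only establishes the TCP stage.

```python
import socket
import ssl
import threading

def probe(host, port=443, timeout=3.0):
    """Return the first stage that fails: 'dns', 'tcp', 'tls', 'cert', or 'ok'."""
    try:
        family, _, _, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns"   # no usable record for this name in DNS
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError:
        sock.close()
        return "tcp"   # refused or filtered: check the firewall/NAT forward
    try:
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "cert"  # TLS answered, but chain or certificate name is wrong
    except (ssl.SSLError, OSError):
        return "tls"   # TCP accepted, but whatever answered is not speaking TLS
    finally:
        sock.close()

def start_plaintext_listener():
    """Constructed stand-in: a non-TLS service answering on the forwarded port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                                    # discard the ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # plaintext reply
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plaintext_listener()
    print("plaintext listener:", probe("127.0.0.1", port))  # tls
```

Run `probe` from a machine outside the network against the public name: a result of `tls` with the port reported open points at something other than the Exchange HTTPS listener answering, while `cert` points at the certificate names.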

Commented:
I just wanted to say something here... the exchange connectivity test is a joke in my opinion.
It has never worked right for me, and tells me port 443 is blocked, and other nasty little things.
Our exchange and connectivity works like a dream.
Don't give that test a lot of weight in troubleshooting your problems.
I'd start looking into firewall as mentioned. Do you have a spam filter or other appliance in the mix?

Author

Commented:
This is still unresolved :(

Commented:
Do you have a spam filter or other appliance in the mix?

Commented:
Can you type https://mail.domain.com and let me know if you are getting an under construction page? It means it is hitting the default web site.

Commented:
I no longer support this company, so a resolution is no longer needed.

Author

Commented:
No longer supporting this company.