bns-nyc

SBS 2011 and Outlook Anywhere and "The specified port is either blocked..." Error

Hi, we have an SBS 2011 server with Exchange 2010 on it and are trying to get Outlook Anywhere set up. As of now, all other services are working fine, including ActiveSync on our phones, Outlook Web Access, Outlook Remote Access. However, we cannot get Outlook Anywhere to connect for some reason. When we use the testexchangeconnectivity tool online, it prompts us with this error:

      Testing TCP port 443 on host remote.domain.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.

I've checked the firewall, etc., and obviously port 443 must be open and forwarded to the SBS server since Outlook Web Access is working. I've tried removing then re-initializing Outlook Anywhere in EMC but to no avail. Does anyone have any ideas? Thanks in advance.

Alan Hardisty

What firewall do you have, and is it grabbing port 443 as its remote management port? If it is, you need to change the port to something else.

Can you access OWA externally?

bns-nyc (ASKER)

I'm using a Cisco ASA 5505.  I don't believe anything else is being used up on port 443, except redirecting SSL to SBS server internally, for OWA.

Yes, all other services work externally, including OWA, ActiveSync, Remote Workspace.

Okay - have you run / re-run the fix my network wizard and the Connect to the Internet Wizards?

Joseph_Barron

Are you sharing the IP address for the SBS server with the Cisco router for VPN, or are you routing a completely separate IP address for SBS? Check your ACL rules as well.

bns-nyc (ASKER)

Not as of yet, but will definitely try that later tonight during off hours just in case. Am I just re-doing the steps for any external access options like OWA, etc.? Or should I be looking for something in particular? Thanks again for help so far.

Just re-running and completing the wizards, not changing anything, should sort it out.

SOLUTION
Joseph_Barron

Agreed, and if still issues: run the BPA.
Update it to version 1.3. It will tell you about most Exchange and networking issues, amongst other things.
http://www.microsoft.com/en-us/download/details.aspx?id=15556 (Both files)
You need to install this first: http://www.microsoft.com/en-us/download/details.aspx?id=16475
Hope that helps,
Olaf

bns-nyc (ASKER)

Thanks for the information guys. I didn't have a chance to run the wizards remotely yet last night; however I will try and run them tonight and hopefully that'll fix it.

I also ran the "get-outlookanywhere" command in management shell and wanted to post it here, in case I might be missing something as well.  I also like to think ahead, in case the wizard does not work tonight :)

RunspaceId                      : 453ccd35-e61f-4553-a8cc-21fc0dc1dc8a
ServerName                      : DOMAIN-SBS
SSLOffloading                   : False
ExternalHostname                : remote.domain.com
ClientAuthenticationMethod      : Basic
IISAuthenticationMethods        : {Basic}
XropUrl                         :
MetabasePath                    : IIS://DOMAIN-SBS.adomain.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : DOMAIN-SBS
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : Rpc (Default Web Site)
DistinguishedName               : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=DOMAIN-SBS,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ADOMAIN,CN=Micros
                                  oft Exchange,CN=Services,CN=Configuration,DC=adomain,DC=local
Identity                        : DOMAIN-SBS\Rpc (Default Web Site)
Guid                            : 628c84cd-7bb1-4f4d-8ffb-0b6f3686458f
ObjectCategory                  : adomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 11/3/2012 11:50:55 AM
WhenCreated                     : 11/3/2012 11:50:55 AM
WhenChangedUTC                  : 11/3/2012 3:50:55 PM
WhenCreatedUTC                  : 11/3/2012 3:50:55 PM
OrganizationId                  :
OriginatingServer               : DOMAIN-SBS.adomain.local
IsValid                         : True

The "Set up your internet address" wizard should fix this.
If you had a trusted certificate you will have to reimport it.
Run the SBS BPA if this fails.
Good luck.
You can safely run the wizards remotely. It will log you off for a while.
Good luck,
Olaf

bns-nyc (ASKER)

I was able to run the "setup your internet access" wizard last night, but did not get a chance to do "Fix my network".  I actually updated the internet access setup from remote.domain.com to mail.domain.com and ran the testexchangeconnectivity tool online.  I got past the 443 error and seems like I almost got to the end; however am now being prompted with a certificate error. Below is the output:


      Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host mail.domain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server mail.domain.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
      Certificate trust is being validated.
       Certificate trust validation failed.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=mail.domain.com.
       A certificate chain couldn't be constructed for the certificate.
       
      Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.


Anyone have any ideas what this means by any chance? Will the "fix my network" wizard help resolve this at all? Or is it strictly cert related? Thanks

Well - if you have gone from remote.domain.com to mail.domain.com, does your SSL certificate include mail.domain.com in it?

Is this a 3rd party SSL certificate or the self-issued certificate?

bns-nyc (ASKER)

It's a self-issued certificate I believe. I'm sort of just taking over the server / IT role here, but it looks like self issued.

Also, I'm going away from remote.domain.com to mail.domain.com because it seems that when I ping their external IP...it points to mail.domain.com, and therefore changed it accordingly.  Furthermore, looking over the cert, it looks like it only contains remote.domain.com...Maybe, I'll switch it back to remote.domain.com again tonight and see if that fixes it, because I'm fairly sure they do not want to purchase another cert.
SOLUTION

When you changed from remote to mail, did you use the wizard Set up my internet address?
During the wizard, when entering the domain name, there is an advanced button: add mail there. (Remote is the default.)
Olaf

ASKER CERTIFIED SOLUTION

bns-nyc (ASKER)

Thanks for the help and info guys. I'm going to try and get a new cert, to link it accordingly and see if that works. I assume it should, since all other settings on SBS side look good now. Thanks again.
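
Added example, not part of the thread and not written by any participant: a PowerShell script that repeats the three checks the connectivity test reported above (port 443 reachable, certificate name matches the host, certificate chain can be built), so the name and trust results can be compared after each change. The host name is the thread's placeholder, and skipping revocation checking is a choice made here so the result reflects chain building only.

```powershell
# Added example. $HostName is the thread's placeholder; substitute the real external name.
$HostName = 'mail.domain.com'
$Port     = 443

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)   # throws if 443 is blocked or nothing is listening

    # Accept whatever certificate is presented so it can be inspected afterwards.
    # No application data is sent over the stream; findings are kept in $state.
    $state = @{}
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $state.Errors = [int]$policyErrors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)

    $cert = $state.Cert
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"

    # Subject Alternative Name (OID 2.5.29.17) lists every host name the certificate covers.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN     : $($san.Format($false))" } else { "SAN     : (none)" }

    # Name check: did the certificate cover the host name that was requested?
    $nameMismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $nameOk = ($state.Errors -band $nameMismatch) -eq 0
    "Name matches ${HostName}: $nameOk"

    # Trust check: build the chain against this machine's certificate stores.
    # Revocation is skipped (a choice for this example) to isolate chain building.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    "Chain trusted on this machine: $trusted"
    foreach ($s in $chain.ChainStatus) {
        "  $($s.Status): $($s.StatusInformation.Trim())"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

The trust result depends on the root store of the machine the script runs on, so run it from a computer outside the domain to see what an external client sees.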