Solved

External SSL Email Access Stopped Working

Posted on 2013-05-28
Last Modified: 2013-06-09
SBS2008 server with latest patches as per this weekend.
Suddenly find webmail and SSL external access through the firewall has stopped working.
On the internal network it is OK.
Firewall has port redirection for SSL to the correct internal IP and port scan indicates it is open.
And yet, no response from external IP now. This has worked for years. What's wrong? Is it a recent patch?
0
Comment
Question by:ajmcqueen
15 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39202905
Extremely unlikely. The fact that it is working internally tells me the server is fine and responding, as it is not trivial to configure it to allow internal but block external. All it knows is that it receives a request, and it responds to that request. Since it is clearly receiving and responding internally, one can (usually) safely conclude that it is working as expected.

Which leaves the firewall. If SSL management is enabled, any port-open test will report that the port is open (because it is) but it can't/doesn't test that SBS is the one that is responding. It only knows that "something" seems to be there. Which would be the firewall.

It could also be that outbound traffic is not being returned. So SBS receives the request, responds, and the firewall is dropping the response. Again, depending on how you are testing that the port is open, this can result in a successful test, but the actual legitimate response is never forthcoming.

It could even be your ISP blocking traffic. This happens on residential connections if the ISP "discovers" a business is abusing their residential pricing.

I'd consider all of those far more likely than SBS being the issue, given that things work internally.

-Cliff
0
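The distinction drawn in the comment above, between a port that tests as open and a server that actually answers, can be checked from the outside with a staged probe. This is an added example, not part of the original thread; the names `probe` and `start_drop_listener` are hypothetical, and the local listener is a constructed stand-in for a device that accepts the connection but returns nothing useful.

```python
import socket
import ssl
import threading

def probe(host, port=443, timeout=5.0):
    """Report how far a TLS connection gets: (stage, detail)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))  # a port scan would also say "closed"
    # A port scan stops here: *something* completed the TCP handshake.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # testing reachability, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert(binary_form=True) or b""
            return ("tls_ok", f"{tls.version()}, {len(cert)}-byte certificate")
    except (ssl.SSLError, OSError) as exc:
        # Port is "open" but no usable TLS reply came back (reset, EOF, timeout).
        return ("tcp_open_tls_failed", f"{type(exc).__name__}: {exc}")
    finally:
        raw.close()

def start_drop_listener():
    """Constructed stand-in for a device that accepts the connection and
    then returns nothing useful. Returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_and_drop():
        conn, _ = srv.accept()
        conn.close()

    threading.Thread(target=accept_and_drop, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_drop_listener()
    print("open port, no TLS :", probe("127.0.0.1", port, timeout=3))
    srv.close()
    print("closed port       :", probe("127.0.0.1", port, timeout=3))
```

Run against the external address, a `tcp_open_tls_failed` result matches the symptom in this thread: the port scan succeeds, yet no TLS reply from the server ever arrives.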
 

Author Comment

by:ajmcqueen
ID: 39202975
Cliff

Yes, I came to more-or-less the same conclusion earlier today - that it isn't the server. As it happens I patched the firewall at the weekend as well as the server. I also made a minor change to a permanent IPSEC VPN set up between this firewall and another. The trouble is I can't find anything wrong with the firewall and its logs indicate it is getting the SSL request. I am chasing the providers for support - hopefully hear tomorrow. The fact that firewall logs indicate SSL traffic is arriving really takes the connection out of the equation (it's a leased line - business connection anyway).

Is there an easy way of logging whether SSL traffic is reaching IIS 7.x on the server?
0
 

Author Comment

by:ajmcqueen
ID: 39202985
Your note about SSL management - it is open on the firewall but on port 441 instead of 443. I have 6 firewalls all configured the same way and they work fine, except this one (which did work fine before the weekend). The permanent IPSEC tunnel to another site is exclusive to this firewall....
0

 

Author Comment

by:ajmcqueen
ID: 39202988
Note that when I turn off port forwarding of SSL traffic on the firewall, the port scan says SSL not open. The reverse is also true.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39203020
Use something that can actually view the HTTP requests and responses. IE developer tools or Firefox Firebug. See what is being sent and coming back.
0
 

Author Comment

by:ajmcqueen
ID: 39203071
Using Firebug (never come across it before): Cookies accepted from another similar site but not the problem one. Does say "connected to " at one point but nothing else comes back
0
 

Author Comment

by:ajmcqueen
ID: 39203074
Eventually "The connection to the server was reset while the page was loading." appears
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39203079
Definitely sounds like your firewall is interfering. If you *really* want to peer into the server's traffic, the best tool (in my opinion) is the free MS download "Netmon" which creates log files that can be opened in Wireshark. Wireshark itself is a great tool as well, but to capture packets it installs its own component into the network stack that is not as stable on Windows as I prefer. So I use a combination of the two. Netmon to capture, and then Wireshark to view. You will see the actual packets coming in and leaving if the firewall is not interfering.
0
 

Author Comment

by:ajmcqueen
ID: 39203113
OK. So netmon on the server behind the firewall?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39203126
If you want a clear picture of what your server is receiving and sending, yes. IIS logs don't really do that. They are meant more for analytics and don't give the level of detail you'll want for troubleshooting.

For the record and to be clear, I don't think this will go very far. I think you'll find that either the server isn't receiving packets, or it is receiving and responding. Since everything is working inside, I'm still putting the firewall as the prime suspect. You said you patched it this weekend, and while you have others in production, patches can go sideways.

And no, there isn't dual logic here. Yes, Windows patches go sideways too. If your website stopped working altogether, inside and out, I'd say you had a Windows patch go sideways...because...it does happen. But right now I'm focusing on what would be different internally vs externally...and that is the use of the firewall.

So yes, Netmon on the SBS server. Turn on capture. Hit the server from outside. Wait for the timeout. Turn off capture. View the log and filter out the other traffic. It is a lot of work, but it will at least confirm that the server is working as expected so you can 100% focus your efforts elsewhere.
0
 

Author Comment

by:ajmcqueen
ID: 39203139
OK. Looking at the firewall logs, it is logging lots of 443 requests, but not mine (I have a public IP).
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39203188
So either the request is never reaching the firewall (ISP issue) or the firewall is dropping the traffic somewhere in its stack before it reaches the point where it gets logged as traffic. Depending on the firewall architecture, that could be by design if it has decided your request is to be blocked for malicious reasons (which may get logged elsewhere) or it may be an issue with the firewall itself.
0
 

Author Comment

by:ajmcqueen
ID: 39206118
Loaded netmon on the server and can see 443 traffic arriving from my public IP and replies going back. So does that mean the reply is failing on the firewall?
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39206148
Yep. That would be my guess.
0
 

Author Closing Comment

by:ajmcqueen
ID: 39232985
The problem was the firewall! Now sorted. Thanks for your help.
0


Question has a verified solution.
