Solved

External SSL Email Access Stopped Working

Posted on 2013-05-28
225 Views
Last Modified: 2013-06-09
SBS2008 server with latest patches as per this weekend.
Suddenly find webmail and SSL external access through the firewall has stopped working.
On the internal network it is OK.
Firewall has port redirection for SSL to the correct internal IP and port scan indicates it is open.
And yet, no response from external IP now. This has worked for years. What's wrong? Is it a recent patch?
Question by: ajmcqueen

15 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
Extremely unlikely. The fact that it is working internally tells me the server is fine and responding, as it is not trivial to configure it to allow internal but block external. All it knows is that it receives a request, and it responds to that request. Since it is clearly receiving and responding internally, one can (usually) safely conclude that it is working as expected.

Which leaves the firewall. If SSL management is enabled, any port-open test will report that the port is open (because it is) but it can't/doesn't test that SBS is the one that is responding. It only knows that "something" seems to be there. Which would be the firewall.

It could also be that outbound traffic is not being returned. So SBS receives the request, responds, and the firewall is dropping the response. Again, depending on how you are testing that the port is open, this can result in a successful test, but the actual legitimate response is never forthcoming.

It could even be your ISP blocking traffic. This happens on residential connections if the ISP "discovers" a business is abusing their residential pricing.

I'd consider all of those far more likely than SBS being the issue, given that things work internally.

-Cliff
0
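Cliff's distinction between "the port reports open" and "SBS is the one answering" can be checked layer by layer from outside. The script below is an added example, not code from this thread or from either participant: it attempts a TCP connect, then a TLS handshake, then an HTTP HEAD, and reports where the chain stops and which certificate answered. The `/owa/` path and the local stand-in listener (a constructed test double that imitates a middlebox hanging up or going silent) are assumptions for illustration.

```python
"""Layered HTTPS probe: tells "the port is open" apart from "the web server answers".

Added example, not code from the thread. Assumptions: the target serves
Outlook Web Access under /owa/ (any path works), and the stand-in listener
below is a constructed test double, not a real firewall or server.
"""
import hashlib
import socket
import ssl
import threading
import time


def probe_https(host, port=443, timeout=5.0, path="/owa/"):
    """Climb the stack one layer at a time: TCP connect, TLS handshake, HTTP reply.

    A port scan stops at the first layer; the failures discussed in the thread
    live in the next two. Returns a dict recording how far the probe got.
    """
    result = {"tcp": False, "tls": None, "cert_sha256": None, "http": None,
              "error": None, "timed_out": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True             # all a "port open" scan ever proves
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # diagnostic probe: SBS boxes often use
            ctx.verify_mode = ssl.CERT_NONE  # self-signed certs; validity is not the question
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = tls.version()            # e.g. "TLSv1.2"
                der = tls.getpeercert(binary_form=True)  # whose certificate answered?
                if der:
                    result["cert_sha256"] = hashlib.sha256(der).hexdigest()
                request = ("HEAD {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n"
                           .format(path, host)).encode("ascii")
                tls.sendall(request)
                reply = tls.recv(4096)
                status_line = reply.split(b"\r\n", 1)[0] if reply else b""
                result["http"] = status_line.decode("ascii", "replace")
    except OSError as exc:  # socket, ssl and timeout errors all derive from OSError
        result["error"] = "{}: {}".format(type(exc).__name__, exc)
        result["timed_out"] = isinstance(exc, socket.timeout)
    return result


def diagnose(result):
    """Map the probe result onto the failure modes discussed above."""
    if not result["tcp"]:
        return "nothing answers on the port: not forwarded, blocked upstream, or the host is down"
    if result["tls"] is None and result["timed_out"]:
        return ("port is open but the TLS handshake timed out: replies are not coming back, "
                "typically a firewall dropping the return traffic")
    if result["tls"] is None:
        return ("port is open but the peer dropped the TLS handshake: something other than "
                "the web server is answering, or the session is being reset in transit")
    if not result["http"]:
        return "TLS completed but no HTTP reply: compare cert_sha256 with the server's own certificate"
    return "web server reachable over {} (cert {}): {}".format(
        result["tls"], (result["cert_sha256"] or "?")[:16], result["http"])


def start_fake_listener(behaviour="close", hold_seconds=3.0):
    """Constructed stand-in for a misbehaving middlebox; only for offline testing.

    "close": accept the TCP connection and hang up at once, so a scanner sees
             the port as open but no TLS session ever forms.
    "hold":  accept, swallow the ClientHello and go silent, which is what a
             firewall dropping return traffic looks like from outside.
    Returns the ephemeral port number on 127.0.0.1.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        if behaviour == "hold":
            try:
                conn.recv(4096)
            except OSError:
                pass
            time.sleep(hold_seconds)
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def probe_local(behaviour, timeout=2.0):
    """Probe the constructed stand-in listener; convenience wrapper for tests."""
    return probe_https("127.0.0.1", start_fake_listener(behaviour), timeout=timeout)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_fake_listener("close")
    outcome = probe_https(host, port, timeout=3.0)
    print(outcome)
    print(diagnose(outcome))
```

Run it as `python probe.py mail.example.com 443` from outside the network; with no arguments it probes the constructed "close" listener. The certificate fingerprint is the part a port scan cannot give you: if it does not match the SBS server's own certificate, something else on the path is terminating the TLS session.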
 

Author Comment

by:ajmcqueen
Cliff

Yes, I came to more or less the same conclusion earlier today - that it isn't the server. As it happens I patched the firewall at the weekend as well as the server. I also made a minor change to a permanent IPSEC VPN set up between this firewall and another. The trouble is I can't find anything wrong with the firewall and its logs indicate it is getting the SSL request. I am chasing the providers for support - hopefully I'll hear tomorrow. The fact that firewall logs indicate SSL traffic is arriving really takes the connection out of the equation (it's a leased line - business connection anyway).

Is there an easy way of logging whether SSL traffic is reaching IIS 7.x on the server?
0
 

Author Comment

by:ajmcqueen
Your note about SSL management - it is open on the firewall but on port 441 instead of 443. I have 6 firewalls all configured the same way and they work fine, except this one (which did work fine before the weekend). The permanent IPSEC tunnel to another site is exclusive to this firewall....
0
 

Author Comment

by:ajmcqueen
Note that when I turn off port forwarding of SSL traffic on the firewall, the port scan says SSL not open. The reverse is also true.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Use something that can actually view the HTTP requests and responses. IE developer tools or Firefox Firebug. See what is being sent and coming back.
0
 

Author Comment

by:ajmcqueen
Using Firebug (never come across it before): cookies accepted from another similar site but not the problem one. Does say "connected to " at one point but nothing else comes back.
0
 

Author Comment

by:ajmcqueen
Eventually "The connection to the server was reset while the page was loading." appears.
0
LVL 56

Expert Comment

by:Cliff Galiher
Definitely sounds like your firewall is interfering. If you *really* want to peer into the server's traffic, the best tool (in my opinion) is the free MS download "NetMon" which creates log files that can be opened in Wireshark. Wireshark itself is a great tool as well, but to capture packets it installs its own component into the network stack that is not as stable on Windows as I prefer. So I use a combination of the two. Netmon to capture, and then Wireshark to view. You will see the actual packets coming in and leaving if the firewall is not interfering.
0
 

Author Comment

by:ajmcqueen
OK. So netmon on the server behind the firewall?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
If you want a clear picture of what your server is receiving and sending, yes. IIS logs don't really do that. They are meant more for analytics and don't give the level of detail you'll want for troubleshooting.

For the record and to be clear, I don't think this will go very far. I think you'll find either that the server isn't receiving packets, or that it is receiving and responding. Since everything is working inside, I'm still putting the firewall as the prime suspect. You said you patched it this weekend, and while you have others in production, patches can go sideways.

And no, there isn't dual logic here. Yes, Windows patches go sideways too. If your website stopped working altogether, inside and out, I'd say you had a Windows patch go sideways...because...it does happen. But right now I'm focusing on what would be different internally vs externally...and that is the use of the firewall.

So yes, Netmon on the SBS server. Turn on capture. Hit the server from outside. Wait for the timeout. Turn off capture. View the log and filter out the other traffic. It is a lot of work, but it will at least confirm that the server is working as expected so you can 100% focus your efforts elsewhere.
0
 

Author Comment

by:ajmcqueen
OK. Looking at the firewall logs, it is logging lots of 443 requests, but not mine (I have a public IP).
0
 
LVL 56

Expert Comment

by:Cliff Galiher
So either the request is never reaching the firewall (ISP issue) or the firewall is dropping the traffic somewhere in its stack before it reaches the point where it gets logged as traffic. Depending on the firewall architecture, that could be by design if it has decided your request is to be blocked for malicious reasons (which may get logged elsewhere) or it may be an issue with the firewall itself.
0
 

Author Comment

by:ajmcqueen
Loaded netmon on the server and can see 443 traffic arriving from my public IP and replies going back. So does that mean the reply is failing on the firewall?
0
 
LVL 56

Accepted Solution

by: Cliff Galiher (earned 500 total points)
Yep. That would be my guess.
0
 

Author Closing Comment

by:ajmcqueen
The problem was the firewall! Now sorted. Thanks for your help.
0
