
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2044

SBS 2011 OWA not working from external addresses

Hi folks,

I'm giving up, 2 days and still no light in my brain.
So, SBS 2011, latest SPs and updates, OWA, default config.
Dynamic DNS via No-IP.
Ports 80 and 443 on the FW are redirected to the Exchange server.
From the intranet everything's working fine; I can see my IIS7 welcome site as well as the http://local_server_name/owa site, which redirects me to https://local_server_name/owa, asks for the certificate and so on. I'm also able to see http://dyndns_entry and http://dyndns_entry/owa (redirect to https as well, confirming the cert etc.).
From the internet I can see my IIS7 welcome site under http://dyndns_entry. But the address http://dyndns_entry/owa forwards me to https://dyndns_entry/owa and DOESN'T ask for any cert or stuff, just giving "The connection was reset".
If I disable SSL for OWA, it works just fine from the internet. But that wasn't my plan.

I guess it's an easy call for an expert, but I'm really getting desperate...
Thanks in advance!
0
Asked: bubu12345
1 Solution
 
Gareth Gudger commented:
Having a mail server on a dynamic IP is NOT recommended, except maybe in a lab environment.

Are you using a smart host to deliver the mail? Because if you are delivering directly to DNS/MX and your IP address keeps changing, then you are going to get blacklisted as a spammer real quick. Not to mention that many dynamic IP blocks are already blacklisted from the get-go. Plus many servers do a reverse lookup and make sure the IP resolves to your hostname. I can't imagine that, being on a dynamic block, your ISP would be willing to add reverse entries for you every time your IP changes.

I would get a static IP. Otherwise this is going to be a constant source of troubleshooting, blacklisting and problems.
0
 
Cris Hanna commented:
My personal preference for my customers is to make them directly enter https, rather than relying on IIS to do the redirection, because then port 80 does not have to be open on the router. Port 80 is the single most attacked port.

Did you use the Set up my Internet address wizard on the server to configure IIS? Do you have a valid SSL certificate?
0
 
bubu12345 (Author) commented:
Hi Cris,
yes, I used the wizard.
When I access OWA from the intranet, I get asked if I accept the certificate.
If I do, I'm in OWA.
See attached pic for my certificate.
Thx.
[Cert screenshot]
So it looks like a policy problem for external accesses.
Just an assumption.
0
 
Cris Hanna commented:
Are you using the self-signed cert?
You should never be asked to accept the cert.
You may want to consider a 3rd-party trusted cert.
0
 
bubu12345 (Author) commented:
Yes, it's a self-signed one. It works on like 25 other SBS servers.
Accepting the certificate is no problem; most of the time I use OWA for smartphones, which only ask for it once.
But like I said, it only works from the intranet.
0
 
Olaf De Ceuster commented:
Did you re-run the "set my internet address" wizard and set the correct suffix in Advanced on the page where you set your domain name?
Apart from using a permanent IP, you'd have to talk to DynDNS about how you can have the request answered by their server and have these requests forwarded to your SBS server.
http://dyndns_entry/owa needs to forward to https://remote.your_domain/owa
Does it work (can you get to web Outlook) just using https://remote.your_domain?
Olaf
As Cris said: a paid cert (like a GoDaddy cert) should work too.
0
 
bubu12345 (Author) commented:
Hi Olaf,

yes, I already re-ran the wizard.
http://remote.ourdomain.com does work from the internet and shows the IIS7 welcome page. https:// doesn't, but SSL is disabled for the default web site. If I enable SSL for the default web site, it stops working. Same with /owa: it works for external access without SSL, but it doesn't with SSL enabled.
Any ideas?
Thx.
0
 
Olaf De Ceuster commented:
Run the SBS BPA version 1.5 just to look for SBS issues?
http://support.microsoft.com/kb/2673284
Can you get a permanent IP?
Olaf
0
 
Cris Hanna commented:
This is not a case of needing a permanent IP.
First off, if you are getting the message when attempting to go to https://remote.domainname.com/owa about whether to continue to the site, then the certificate is not properly installed on the remote computer and you should take the following steps: http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

To enable HTTP redirect, you must go to IIS and expand the Default Web Site. Click on owa. On the right-hand side find HTTP Redirect. Right click > Open Feature, check the box to redirect requests to this destination, and enter https://remote.domainname.com/owa

You can do the same for remote.

Restart the server.

Now why do you think this is not enabled by default?
0
 
bubu12345 (Author) commented:
@Olaf:
BPA sees no problems.
I already obtained a permanent IP, which doesn't change anything.

@Cris: it's not about the warning about the certificate, I'd know how to import it on the clients. I DON'T get the warning on the external clients! The HTTP redirect works as well;
the client's browser shows the URL https://our_IP/OWA/ in the address bar, and stops with the message "connection reset....". As soon as I connect via VPN to our gateway, OWA works fine from the same client.
So like I said, it seems to be a policy problem of external SSL access, since external HTTP access works fine.
0
 
Olaf De Ceuster commented:
Did you remove DynDNS completely?
And changed your external DNS settings for remote. to look at that IP? How long ago?
You need to do an A record and an MX record for your mail too.
And rerun the internet address wizard again when the new DNS records are active?
Olaf
0
 
bubu12345 (Author) commented:
I removed all DynDNS entries.
The A record was already there; an MX record is not needed, the SBS only collects mail via POP3 from our provider.
I re-ran the wizard.
http://remote.our_domain.com now points to http://_our_permanent_IP and shows me externally the IIS7 welcome page.
https://remote.our_domain.com/owa points to https://our_permanent_ip/owa, and the browser tries to open the URL.
But still the same result as before.
It only works from the intranet.
0
 
bubu12345 (Author) commented:
How can I increase the points now? :)
0
 
Olaf De Ceuster commented:
So you have an external DNS entry for remote.external_domain.
That's what you used in the internet address wizard (don't use the IP)?
From the outside world you try to access https://remote.your_domain, correct?
You don't get the logon screen of RWW? Can you get to OWA from there?
Make sure you run a flushDNS before trying again.
See if an NSlookup of remote. points at the correct IP.
Olaf
Sorry, I don't get involved in points much.
0
 
Cris Hanna commented:
If, from a remote client, you enter https://remote.domainname.com/owa (notice that we're going directly to https, not a redirect), do you get the logon screen? Do you get any warning about the certificate?
0
 
bubu12345 (Author) commented:
NSlookup points to the right IP.
I get neither the logon screen of RWW nor the one of OWA.
I was just joking about the points. :)
0
 
bubu12345 (Author) commented:
@Cris: nope. Same message as if I enter https://our_ip/owa, or as if I entered https://our_dyndns/owa before I deleted it.
It just looks like I'm not able to access any https site from external.
OWA and RWW on http work just fine.
0
 
Olaf De Ceuster commented:
Is perhaps port 443 being used by a router / modem?
Can you change all (WAN and LAN access in the router or modem) to, let's say, 4443 and try again?
Or is the ISP blocking port 443?
Olaf
I need to do some tests from the outside world but need your domain to do this.
0
 
bubu12345 (Author) commented:
Our IP is 195.71.200.182; http://germandoc.no-ip.org (our old DynDNS entry) as well as http://remote.germandoc.com are pointing to the IP.
443 is forwarded to the Exchange just like port 80, which works fine.
I can't recognize anything using 443 on the server side.
0
 
Cris Hanna commented:
You may wish to check your bindings for the default website.
Here's what they should look like for the Default Web Site:
[bindings.jpg]
0
 
bubu12345 (Author) commented:
@Cris: that's exactly my screenshot.
0
 
Cris Hanna commented:
Actually something really weird is going on with your DNS records.
When I go to mxtoolbox.com and put in remote.germandoc.com I get this:
A    remote.germandoc.com    46.252.18.63
but you're telling us that it should point to

A    remote.germandoc.com    195.71.200.182?
0
 
bubu12345 (Author) commented:
Chris, it's an HTTP forward. So http://remote... gets redirected to 195.71.200.182.
I'm not able to place a DNS entry on the provider side, only a forward.
0
 
Cris Hanna commented:
When I try http://remote.germandoc.com/owa I get a 404 error... page cannot be displayed.
I get the same thing when attempting http://germandoc.no-ip.org/owa
0
 
bubu12345 (Author) commented:
Both URLs redirect me to https://same_address, which they should.
Kinda strange...
0
 
Cris Hanna commented:
If I do it without OWA or remote... then I get the IIS 7 web page with an IP address instead of the URL. I think therein lies the issue... SBS 2011 won't work with an IP address for SSL.
0
 
Olaf De Ceuster commented:
Not necessarily related, but:
that redirection is not working properly.
The fact that access to https://remote.germandoc.com translates to http://195.71.200.182/ after the certificate leads me to believe the IIS 7 splash screen you are seeing might not be yours?

Also: did you flush DNS on your server too? Any strange entries in there?
What router / modem are you using?
Olaf
0
 
bubu12345 (Author) commented:
@Cris
Well, there's no HTTP redirection configured in the IIS; as soon as I enable SSL, the OWA request gets redirected to HTTPS. No idea why it redirects to the IP instead of the domain entry.

Is there a way to reset the IIS?
0
 
bubu12345 (Author) commented:
@Olaf
195.71.200.182 is definitely our IP and there's only one web server in our network.
I edited the welcome.png just to test it; it's really our wwwroot.
We're using a Draytek Vigor 2860.
DNS is flushed, nothing strange to me, but I'm not a DNS guru.
0
 
Olaf De Ceuster commented:
So the Draytek is not using 443 on LAN or WAN?
Olaf
0
 
bubu12345 (Author) commented:
No.
0
 
bubu12345 (Author) commented:
I have a 2-month-old Acronis image of the server. I didn't test it then, but maybe it would've worked.
Is there any way I can restore IIS settings from a non-IIS-specific backup?
Thx.
0
 
bubu12345 (Author) commented:
Ok, I got it.
The very new Draytek generation offers SSL-VPN, which is enabled by default!!! and uses port 443.
I had no clue, sorry, a pretty strange default config.
0
 
Olaf De Ceuster commented:
Hi Bubu,
that's what I was alluding to twice in this thread?
Olaf
0
 
bubu12345 (Author) commented:
I know. Sorry for that; like I said, the usual NAT section looked fine, but the SSL-VPN settings are placed in a separate section which is new, badly placed and not really noticeable.
Thanks for your effort!
0
 
bubu12345 (Author) commented:
It actually wasn't an SBS issue; my firewall used port 443 for SSL-VPN.
0
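Olaf's question about whether the router or modem itself is using 443, and the eventual finding that the Draytek's SSL-VPN owned the port, both come down to one check that a browser's "The connection was reset" hides: who actually answers on TCP/443 when you connect from outside, and who owns the 443 listener on the server. The Python 3 script below is an added example for this thread, not code posted by anyone in it. It assumes HOST and EXPECTED_THUMBPRINT are placeholders you replace (the thumbprint is copied from the SBS server's certificate store), that probe_tls() is run from a machine outside the LAN, and that the netstat sample is a constructed Windows `netstat -ano` excerpt, not a capture from the OP's server.

```python
"""Who answers TCP/443 on the public address, and who owns 443 on the SBS box.

Added example, not code from the thread. HOST and EXPECTED_THUMBPRINT are
placeholders: copy the real thumbprint from the SBS certificate store
(certlm.msc, or in PowerShell:
  Get-ChildItem Cert:\\LocalMachine\\My | Format-List Subject, Thumbprint).
Run probe_tls() from outside the LAN (a phone hotspot is enough).
"""
import hashlib
import socket
import ssl

HOST = "remote.example.com"      # assumption: your public name or IP
EXPECTED_THUMBPRINT = "00" * 20  # assumption: SHA-1 thumbprint of the SBS cert


def probe_tls(host, port=443, timeout=5.0):
    """Open a TLS session without validating it; return (sha1_thumbprint, error).

    Exactly one of the two is None. Validation is off on purpose: the point is to
    see whatever certificate the far end presents, self-signed or foreign.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    # SBS 2011 (Server 2008 R2) speaks TLS 1.0 by default; a current OpenSSL refuses
    # that unless the floor and security level are lowered for this one diagnostic.
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        pass                            # build without legacy TLS; fine for TLS 1.2+ endpoints
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ConnectionResetError:
        return None, "reset"            # the thread's symptom: TCP accepted, then dropped
    except socket.timeout:
        return None, "timeout"
    except ssl.SSLError as exc:
        return None, "handshake: %s" % exc
    except OSError as exc:
        return None, "connect: %s" % exc
    if not der:
        return None, "handshake: no certificate presented"
    return hashlib.sha1(der).hexdigest().upper(), None


def verdict(thumbprint, error, expected=EXPECTED_THUMBPRINT):
    """Classify a probe_tls() result.

    match        the SBS certificate reached the outside; 443 is forwarded correctly
    foreign      another device terminated TLS (router SSL-VPN, modem admin page, proxy)
    reset        TCP open but dropped before any certificate: something else in the path owns 443
    not_tls      port answers but does not complete a TLS handshake with a certificate
    unreachable  timeout or refused: filtered upstream, or the forward points at the wrong host
    """
    if error is None:
        want = expected.replace(" ", "").replace(":", "").upper()
        return "match" if thumbprint.upper() == want else "foreign"
    if error == "reset":
        return "reset"
    if error.startswith("handshake"):
        return "not_tls"
    return "unreachable"


def listeners_on_port(netstat_output, port):
    """PIDs with a LISTENING TCP socket on `port`, parsed from Windows `netstat -ano` text.

    On the SBS server the answer for 443 should be {4}: IIS listens through http.sys,
    which runs in the System process (PID 4). Another PID means a local program took
    the port; an empty set means IIS has no https binding at all.
    """
    pids = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local_port = int(fields[1].rsplit(":", 1)[1])   # handles 0.0.0.0:443 and [::]:443
        if local_port == port:
            pids.add(int(fields[4]))
    return pids


# Constructed sample of `netstat -ano` output from a healthy SBS box (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49310     192.168.1.10:443       ESTABLISHED     2348
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1012
"""

if __name__ == "__main__":
    print("inside : PIDs listening on 443:", sorted(listeners_on_port(SAMPLE_NETSTAT, 443)))
    thumb, err = probe_tls(HOST)
    print("outside: %s -> %s (%s)" % (HOST, verdict(thumb, err), thumb or err))
```

Read the two halves together. On the server, `netstat -ano` fed to listeners_on_port() (or just `netstat -ano | findstr :443`) confirms what the OP saw: nothing but http.sys owns 443, so the server is not the problem. From outside, a `reset` or `foreign` verdict while the inside check is clean means a device between the internet and the server is taking 443 before the NAT rule ever applies, which is exactly the Draytek SSL-VPN default found at the end of the thread; after moving or disabling that service the probe should return `match`.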