Solved

SBS 2011 OWA not working from external addresses

Posted on 2014-01-31
Last Modified: 2016-10-27
Hi folks,

I'm giving up, 2 days and still no light in my brain.
So, SBS 2011, latest SPs and updates, OWA, default config.
Dynamic DNS via No-IP.
Ports 80 and 443 on the FW are redirected to the Exchange server.
From the intranet everything's working fine, I can see my IIS7 welcome site as well as the http://local_server_name/owa site, which redirects me to https://local_server_name/owa, asks for the certificate and so on. I'm also able to see http://dyndns_entry and http://dyndns_entry/owa (redirect to https as well, confirming cert etc.).
From the internet I can see my IIS7 welcome site under http://dyndns_entry. But the address http://dyndns_entry/owa forwards me to https://dyndns_entry/owa and DOESN'T ask for any cert or stuff, just bringing "The connection was reset".
If I disable SSL for OWA, it works just fine from the internet. But it wasn't my plan to do so.

I guess it's an easy call for an expert, but I'm really getting desperate...
Thanks in advance!
Question by:bubu12345
36 Comments
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 39826362
Having a mail server on a dynamic IP is NOT recommended. Except maybe in a lab environment.

Are you using a smart host to deliver the mail? Because if you are delivering directly to DNS/MX and your IP address keeps changing then you are going to get blacklisted as a spammer real quick. Not to mention that many dynamic IP blocks are already blacklisted from the get go. Plus many servers do a reverse lookup and make sure the IP resolves to your hostname. I can't imagine that, being on a dynamic block, your ISP would be willing to add reverse entries for you every time your IP changes.

I would get a static IP. Otherwise this is going to be a constant source of troubleshooting, blacklisting and problems.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39826425
My personal preference for my customers is to make them directly enter https, rather than relying on IIS to do the redirection, because then port 80 does not have to be open on the router. Port 80 is the single most attacked port.

Did you use the Set up my Internet address wizard on the server to configure IIS?  Do you have a valid SSL certificate?
0
 

Author Comment

by:bubu12345
ID: 39826503
Hi Cris,
Yes, I used the wizard.
When I access the OWA from the intranet, I get asked if I accept the certificate.
If I do, I'm on the OWA.
See attached pic for my certificate.
Thx.
Cert screenshot
So it looks like a policy problem for external accesses.
Just an assumption.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39826647
Are you using the self-signed cert?
You should never be asked to accept the cert.
You may want to consider a 3rd party trusted cert.
0
 

Author Comment

by:bubu12345
ID: 39826842
Yes, it's a self-signed one. It works on like 25 other SBS servers.
Accepting the certificate is no problem, most of the time I use OWA for smartphones which only ask for it once.
But like I said, it only works from the intranet.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39826865
Did you re-run the "set my internet address" wizard and set the correct suffix in Advanced on the page where you set your domain name?
Apart from using a permanent IP you'd have to talk to DynDNS about how you can have the request answered by their server and have these requests forwarded to your SBS server.
http://dyndns_entry/owa needs to forward to https://remote.your domain/owa
Does it work (can you get to web Outlook) just using https://remote. your domain?
Olaf
As Cris said: a paid cert (like GoDaddy) should work too.
0
 

Author Comment

by:bubu12345
ID: 39826884
Hi Olaf,

Yes, I already reran the wizard.
http://remote.ourdomain.com does work from the internet and shows the IIS7 welcome page. https:// doesn't, but SSL is disabled for the default web site. If I enable SSL for the default web site, it stops working. Same with /owa, it works for external access without SSL, but it doesn't with SSL enabled.
Any ideas?
Thx.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39826976
Run the SBS BPA version 1.5 just to look for SBS issues?
http://support.microsoft.com/kb/2673284
Can you get a permanent IP?
Olaf
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39827042
This is not a case of needing a permanent IP.
First off, if you are getting the message when attempting to go to https://remote.domainname.com/owa about whether to continue to the site, then the certificate is not properly installed on the remote computer and you should take the following steps: http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

To enable http redirect, you must go to IIS and expand the Default web site. Click on owa. In the right hand side find HTTP Redirect. Right click > Open Feature, check the box to redirect requests to this destination and enter https://remote.domainname.com/owa

You can do the same for remote.

Restart the server

Now why do you think this is not enabled by default?
0
 

Author Comment

by:bubu12345
ID: 39827351
@Olaf:
BPA sees no problems.
I already obtained a permanent IP, which doesn't change anything.

@Chris: it's not about the warning about the certificate, I'd know how to import it on the clients. I DON'T get the warning on the external clients! The HTTP redirect works as well,
the client's browser shows the URL https://our_IP/OWA/ in the address bar and stops with the message "connection reset...." As soon as I connect via VPN to our gateway, OWA works fine from the same client.
So like I said it seems to be a policy problem of an external SSL access, since external HTTP access works fine.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39827389
Did you remove DynDNS completely?
And changed your external DNS settings for remote. to look at that IP? How long ago?
Need to do an A record and MX record for your mail too.
And rerun the internet address wizard again when the new DNS records are active?
Olaf
0
 

Author Comment

by:bubu12345
ID: 39827435
I removed all DynDNS entries.
A record was already there, MX record is not needed, the SBS only collects mails via POP3 from our provider.
I reran the wizard.
http://remote.our_domain.com points now to http://_our_permanent_IP and shows me externally the IIS7 welcome page.
https://remote.our_domain.com/owa points to https://our_permanent_ip/owa, the browser tries to open the URL.
But still the same result as before.
It only works from the intranet.
0
 

Author Comment

by:bubu12345
ID: 39827436
How can I increase the points now? :)
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39827506
So you have an external DNS entry for remote.external domain.
That's what you used in the internet address wizard (don't use the IP)?
From the outside world you try to access https://remote. your domain, correct?
You don't get the logon screen of RWW? Can you get to OWA from there?
Make sure you run a flushDNS before trying again.
See if an NSlookup of remote. points at the correct IP.
Olaf
Sorry don't get  involved in points much.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39827620
If, from a remote client, you enter https://remote.domainname.com/owa (notice that we're going directly to https, not a redirect) do you get the logon screen? Do you get any warning about the certificate?
0
 

Author Comment

by:bubu12345
ID: 39827623
NSlookup points to the right IP.
I get neither the logon screen of RWW nor the one of OWA.
Was just joking about the points. :)
0
 

Author Comment

by:bubu12345
ID: 39827630
@Cris: nope. Same message as if I enter https://our_ip/owa or if I entered https://our_dyndns/owa before I deleted it.
It just looks like I'm not able to access any https site from external.
OWA and RWW on http work just fine.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39828176
Is perhaps port 443 being used by a router / modem?
Can you change all (WAN and LAN access in router or modem) to let's say 4443 and try again?
Or is the ISP blocking port 443?
Olaf
Need to do some tests from the outside world but need your domain to do this.
0
 

Author Comment

by:bubu12345
ID: 39828255
Our IP is 195.71.200.182, http://germandoc.no-ip.org (our old DynDNS entry) as well as http://remote.germandoc.com are pointing to the IP.
443 is forwarded to the Exchange just like port 80, which works fine.
I can't recognize anything using 443 on the server side.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39828258
You may wish to check your bindings for the default website.
Here's what they should look like for the Default website:
bindings.jpg
0
 

Author Comment

by:bubu12345
ID: 39828269
@Cris: that's exactly my screenshot.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39828271
Actually something really weird is going on with your DNS records.
When I go to mxtoolbox.com and put in remote.germandoc.com I get this:
A       remote.germandoc.com      46.252.18.63
but you're telling us that it should point to

A      remote.germandoc.com    195.71.200.182?
0
 

Author Comment

by:bubu12345
ID: 39828276
Chris, it's an http forward. So http://remote... gets redirected to 195.71.200.182.
I'm not able to place a DNS entry on the provider side, only a forward.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39828326
When I try http://remote.germandoc.com/owa I get a 404 error... page cannot be displayed.
I get the same thing when attempting http://germandoc.no-ip.org/owa
0
 

Author Comment

by:bubu12345
ID: 39828331
Both URLs redirect me to https://same_address, which they should.
Kinda strange...
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39828406
If I do it without OWA or remote... then I get the IIS 7 web page with an IP address instead of the URL. I think therein lies the issue... SBS 2011 won't work with an IP address for SSL.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39828470
Not necessarily related but:
That redirection is not working properly.
The fact that access to https://remote.germandoc.com translates to http://195.71.200.182/ after the certificate leads me to believe the IIS 7 splash screen you are seeing might not be yours?

Also: Did you flush DNS on your server too? Any strange entries in there?
What router / modem are you using?
Olaf
0
 

Author Comment

by:bubu12345
ID: 39828966
@Cris
Well, there's no HTTP redirection configured in the IIS; as soon as I enable SSL, the OWA request gets redirected to HTTPS. No idea why it redirects to the IP instead of the domain entry.

Is there a way to reset the IIS?
0
 

Author Comment

by:bubu12345
ID: 39828982
@Olaf
195.71.200.182 is definitely our IP and there's only one web server in our network.
I edited the welcome.png just to test it, it's really our wwwroot.
We're using a Draytek Vigor 2860.
DNS is flushed, nothing strange to me, but I'm not a DNS guru.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39829200
So the Draytek is not using 443 on LAN or WAN?
Olaf
0
 

Author Comment

by:bubu12345
ID: 39829227
No.
0
 

Author Comment

by:bubu12345
ID: 39829281
I have a 2-month-old Acronis image of the server. I didn't test it then, but maybe it would've worked.
Any way I can restore IIS settings from a non-IIS-specific backup?
Thx.
0
 

Accepted Solution

by:
bubu12345 earned 0 total points
ID: 39837344
Ok, I got it.
The very new Draytek generation offers SSL-VPN, which is enabled by default!!! and uses port 443.
I had no clue, sorry, a pretty strange default config.
0
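The accepted solution above comes down to a device in front of the server owning port 443, so a browser gets a TCP connection but never a TLS handshake. The following diagnostic is an added example, not code from the thread: it separates that case from a closed or filtered port and from a plain certificate warning. fake_port_owner is a constructed stand-in for a router that accepts on 443 for its own service and drops the connection.

```python
import socket
import ssl
import threading

def classify(exc: BaseException) -> str:
    """Map a connect/handshake failure to a verdict about who owns the port."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"              # nothing listens: no forward rule or no IIS binding
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"            # silently dropped, e.g. ISP or firewall policy
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-cert"  # a TLS server answered; only the (self-signed) cert is untrusted
    if isinstance(exc, (ConnectionResetError, BrokenPipeError, ssl.SSLError)):
        return "no-tls-server"       # TCP opened but the handshake died: another service owns the port
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str]:
    """Open TCP, then attempt a TLS handshake the way a browser would; returns (verdict, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok", f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:           # socket errors and ssl.SSLError are all OSError subclasses
        return classify(exc), repr(exc)

def fake_port_owner(answer: bool = True) -> int:
    """Constructed stand-in for a router that grabs 443 for its own service and never completes
    our TLS handshake: accepts the connection and closes it at once. answer=False releases the
    port instead, simulating a missing forward rule. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    if not answer:
        srv.close()
        return port

    def serve() -> None:
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe("127.0.0.1", fake_port_owner()))   # ('no-tls-server', ...)
```

Run probe("remote.yourdomain", 443) from an outside network: "no-tls-server" against a port that is forwarded on paper means the router or ISP answers 443 itself, while "tls-untrusted-cert" means IIS was reached and only the self-signed certificate needs distributing.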
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39840522
Hi Bubu,
That's what I was alluding to twice in this thread?
Olaf
0
 

Author Comment

by:bubu12345
ID: 39841248
I know. Sorry for that, like I said, the usual NAT section looked fine, but SSL-VPN settings are placed in a separate section which is new, badly placed and not really noticeable.
Thanks for your effort!
0
 

Author Closing Comment

by:bubu12345
ID: 39846835
It actually wasn't an SBS issue, my firewall used port 443 for SSL-VPN.
0
