Solved

Cannot connect to our SBS 2008 server using OWA

Posted on 2014-12-09
Last Modified: 2014-12-11
We have a single Windows SBS 2008 server running Exchange, which is working fine. We can connect to our server using remote desktop, but when we try to use OWA for e-mail and a remote session to our users' desktops, we get the page cannot be displayed, and the logon page never appears.

I have checked that all the ports 25, 80, 443, 987, 3389 are all redirected to our server, so I don't know what has gone wrong to prevent this part from working.

The address https://remote.domainname.co.uk works locally, but not from an external system.

This used to work fine, but I just don't know how to diagnose and trap the problem.
Can anyone help?

Many thanks
0
Question by:nigelbeatson
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 40488855
If https://remote.domainname.co.uk/remote doesn't work remotely it sounds like you don't actually have port 443 open and forwarded properly.

What Firewall / Router do you have installed as it may be using port 443 for the remote management of the firewall / router and not forwarding it.  If it is - you just need to change the management port to something else and that will allow port 443 through the firewall.

To test, you can visit www.canyouseeme.org on the SBS server and test port 443.  You should see SUCCESS if the port is working properly.

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40488881
Thanks Alan.

I have tried the website check recommended and it completes with "SUCCESS".

As I said, this did use to work, but now does not.

Any other suggestions??

Thanks
0
 
LVL 1

Expert Comment

by:ldrose537
ID: 40488926
Nigelbeatson,

If I am understanding correctly, access to OWA (https://remote.domainname.co.uk/owa) is no longer working externally; however it works internally - do I have that right?

Has anything changed recently that you can think of?

Does the "remote.domainname.co.uk" resolve correctly externally? In other words, does the A or CNAME record point to the correct public IP?

You can try using nslookup to determine if the information is correct and up to date.

Those are what I can think of off the top of my head.

Linda
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40488974
Then your best bet is to re-run the Connect To The Internet and Fix My Network Wizards, then test again.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40488998
Also worth noting - you shouldn't keep port 3389 open and forwarded to the server as this is a massive target for hackers to try and abuse.  If you do leave it open - if you can restrict access via a Firewall Rule to specific IPs then that would prevent hackers from trying to abuse your server.  Failing that, please close the port or at least set up a redirect rule on your firewall to redirect a random port e.g., 9876 to internal port 3389.

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40488999
Yes Linda, you understand correctly.

Not made any changes recently, that I can think of, but we don't use this very often, so I am not certain exactly when this stopped working.

remote.domainname.co.uk resolves correctly locally using nslookup and when run externally it does point to the correct public IP address.

When we look up the MX record it points to mail.domainname.co.uk, but mail is arriving OK, as this too points to the correct public IP.

remote.domainname.co.uk also works fine when we enter it into the Microsoft remote desktop software.

I cannot see an A or CNAME in our local DNS, which points to our public IP, if that's what you are asking??

Any ideas??


Many thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40489005
Thanks Alan, I will make suitable changes once we have this working OK.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40489016
Please re-run the wizards as per my last but one comment (in case you missed it with me rambling on about port 3389!).

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40489066
Thanks Alan. I have tried running the 2 wizards, the first (internet) completed correctly. The second (network) identified an error - A network component is not configured properly (component ID 4), but on completion it reported it to be fixed.

On trying the access again, unfortunately, it still failed.

Any other suggestions?

Many thanks for your assistance
0
 
LVL 1

Expert Comment

by:ldrose537
ID: 40489072
Nigelbeatson,

I am asking about an external (public) either A or CNAME record that would tell the outside world how to find your webmail service. Based on what you have indicated, the MX records are correct (tells the world where to deliver mail).

Whichever entity manages your external DNS records (whether ISP or webhosting company like GoDaddy), you want to make sure there is an A or CNAME record that explains how to find the OWA server.

remote.domainname.co.uk <mapped to> public IP
mail.domainname.co.uk <mapped to> public IP

As you know, when users access OWA, it is usually done with either https://remote.domainname.co.uk/owa or, if modified to use "mail", https://mail.domainname.co.uk/owa - so an external record is needed to resolve that FQDN to the correct public IP.

Linda
0
 

Author Comment

by:nigelbeatson
ID: 40489096
Thank you Linda.

Yes, we have an A record in our ISP DNS which hosts our domain name and this does point to the correct public IP address. On using remote desktop this does resolve OK and mxtoolbox also indicates it points to the correct public IP.

As I said this used to work, so I just don't get it. I have tried https://remote.domainname.co.uk/owa & /remote but none bring up the logon page.

Very frustrating.

Any other suggestions?

Many thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40489106
I forgot to add that I have also tried it for mail.domainname.co.uk etc and that too fails.

Thanks
0
 
LVL 1

Expert Comment

by:ldrose537
ID: 40489131
Have you tried the external IP in the URL?

What is the error that displays when you make the attempts?

Have you tried the BPA?

Can you check on the status of the Certs? (may seem weird, but you'd be surprised)
0
 

Author Comment

by:nigelbeatson
ID: 40489178
Using the IP address does not make any difference, i.e. https://123.123.123.123/owa

There was an expired SSL certificate shown on the IIS Manager - server certificates page, which I deleted. There is a current one indicated, but I don't know how to verify that it is active?

I can confirm that the canyouseeme.org utility indicates it can see the service, so I would have hoped that confirms it is installed and active.

However, if anyone thinks I need to do more to verify this, I would be happy to do the work required.

Other than that, I still cannot get to the OWA logon page.

Any ideas?

Many thanks
0
 

Author Comment

by:nigelbeatson
ID: 40489192
BPA does not indicate anything relevant.

The error just says that :-

Internet Explorer cannot display the webpage.

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40489317
Can you please download and run the SBS 2008 BPA from here:

http://www.microsoft.com/en-gb/download/details.aspx?id=6231

Then run and see what it reports.

Thanks

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40491898
I have completed the BPA as requested. I have run this in the past, and I don't see anything in this that has not been present for some time, i.e. some legacy warnings remaining after the migration, which we have not yet got round to clearing. But please take a look and let me know if you feel that something is relevant to this problem.

I would be delighted if you did spot something as we really need to resolve the OWA problem.

I have attached the file for your inspection.

I have also attached a screenshot of the failure of the OWA connection.

Please let me know if you need any further information.

Many thanks
SBSBPA.201412101655122113.data.xml
screenshot.jpg
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40491925
Can't read the XML file unfortunately (not in any intelligent way).

When I browse using port 80 to the IP Address that resolves to the domain name posted in the 2nd image I get the following login screen:

Screen Shot
What is this and could it be this that is getting in the way of your SSL connection?

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40491946
How strange that it differs from what I see??

The interface you see is related to our security cameras which were installed a few months ago.

Not sure why OWA would bring that up?? That looks like the port is redirecting to the camera IP??

I thought I had checked all the redirections but I will take another look.

If you still want the BPA I will try to upload it in a different way.

Any other comments?

Thanks Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40491956
Bear in mind that was port 80 not 443, but worth checking redirections / port forwarding.

Can you post a screen-shot of the BPA results?

Alan
0
 

Author Comment

by:nigelbeatson
ID: 40493383
Here are the BPA results.

As I said previously, most of these relate to a 2003 migration which we have not fully cleared down yet.

If you see something relative to our problem, I would be delighted to hear from you.

Many thanks.
screenshotbpa.png
0
 

Author Comment

by:nigelbeatson
ID: 40493388
One other point, when I access the router locally, we have to use https://192.168.16.1:9443 to get to the login screen. Would this cause any issues for OWA?

Thanks
0
 

Author Comment

by:nigelbeatson
ID: 40493393
Here is a screenshot of our port redirection under the NAT section of our Draytek router.

I can see that port 80 has been redirected to our camera, but 443 is directed to our local server IP.

Does this help?
screenshotports.jpg
0
 

Author Comment

by:nigelbeatson
ID: 40493407
OK - Sorted it!

The Draytek SSL VPN section of this router had been set to 443, so conflicted with 443 that we used with HTTPS.

What a pain!

Many thanks for your assistance.

Can anyone advise how I handle the points?  

Many thanks
0
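
Added example, not part of the original thread: the open-port test reported SUCCESS here even though the router's SSL VPN service had taken over 443, so a more telling check is to compare the certificate presented on the LAN with the one presented to an outside client. The script name `check443.py` and all sample values are assumptions; step 2 has to be run from a connection outside the network.

```python
import hashlib
import socket
import ssl
import sys

def probe(host, port=443, path="/owa", timeout=5.0):
    """Return (SHA-256 of the presented certificate or None, HTTP response head)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: record the certificate,
    ctx.verify_mode = ssl.CERT_NONE  # do not decide whether to trust it
    fp, head = None, ""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
                req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                head = tls.recv(4096).decode("latin-1")
    except OSError:  # includes ssl.SSLError and timeouts
        pass         # keep whatever was learned before the failure
    return fp, head

def server_header(head):
    """Extract the Server header value from a response head, or None."""
    for line in head.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def assess(expected_fp, observed):
    """Compare the fingerprint recorded on the LAN with an outside probe() result."""
    fp, head = observed
    want = expected_fp.replace(":", "").replace(" ", "").lower()
    if fp is None:
        return "NO TLS: port may be open, but no certificate was presented"
    if fp != want:
        return "DIFFERENT ENDPOINT: another certificate answers on this port"
    return f"MATCH: same certificate as the LAN probe (Server: {server_header(head)})"

if __name__ == "__main__":
    # Step 1, on the LAN:   python check443.py <server LAN address>
    # Step 2, from outside: python check443.py <public name> <fingerprint from step 1>
    result = probe(sys.argv[1])
    print(result[0], server_header(result[1]))
    if len(sys.argv) > 2:
        print(assess(sys.argv[2], result))
```

A server that only speaks old TLS versions may be refused by current OpenSSL defaults and will then show as NO TLS even when it is the right machine.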
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40493464
Ah!  The more recent SSL VPN section of the Drayteks!  That is only slightly annoying but the info is available on the Downloads page of their website advising about the changes!  I did ask about the router in my first comment and as a Draytek Reseller could probably have pointed you to the fix a bit quicker.

Oh well - glad you got there in the end.

In terms of points - they are yours to do with as you please.  If you found the solution, then accept your own comment as the solution and if you want to award points to any helpful comments, then you can.

Alternatively you can select one or more Expert comments as the Solution(s) and award all / a share of the points to the comment or comments.

Whatever you do is fine with me and hopefully the other experts too.  What's important is your problem is fixed.

Best wishes

Alan
0
 

Author Closing Comment

by:nigelbeatson
ID: 40493474
Many thanks to all.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40493482
Thank you.
0
