ZBI-IT

ActiveSync / RPC HTTPS / OWA not working

We've had ActiveSync / RPC HTTPS / OWA all in place for a while.  Certificates are valid for another 3+ years.  

Issue started around 4 AM EST.  Logs are all clean of anything related.  Suspect it's our firewall (NSA 2400) but checked the config and all is the same as it has been.  RPC HTTPS and OWA ultimately aren't causing any restrictions we can't work around for our remote users but without ActiveSync working, I have a couple dozen users not getting email to their phones so it makes this a bit more urgent / sensitive.   I'm at a loss.  

The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

Ran an SSL check and it returns 'No SSL certificates were found.  Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.'

Any help figuring out what may be going on here would be greatly appreciated.

Thanks.
rgorman

Internally on your network, do ActiveSync and OWA work?

When you ping your external FQDN from an external source, is it resolving to the correct address?  If the Microsoft Connectivity Analyzer is not connecting to your system it is either that the system is not resolving the DNS names correctly from the outside, or your firewall is not forwarding traffic to your mail server correctly, or your mail server is not responding as it should.

If you can connect to those services internally on your network then I would suspect the mail server is fine and would look at the firewall and your external DNS and possibly a routing issue to your site over the Internet (ISP issue).
ZBI-IT

ASKER

Services are not working internally or externally.  Does not resolve and times out.

Clarification on logs being clean... server logs are clean.  

Just found these in the firewall logs from right around the time this all started.

4/2/2015 3:07      609      - Security Services - Alert - 10.0.0.12, 25, X0 - 89.145.108.222, 45694, X1 - IPS Prevention Alert: INFO SMTP Relay Denied, SID: 521, Priority: Low
4/2/2015 3:44      609      - Security Services - Alert - 96.27.254.98, 1295, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 4:16      609      - Security Services - Alert - 66.76.199.244, 44912, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 6:18      609      - Security Services - Alert - 176.61.137.147, 2415, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 6:17      1369      - Firewall Settings - Alert - Possible TCP Flood on IF X0 - src: 143.127.136.95:443 dst: 10.1.1.79:1580
4/2/2015 6:17      1371      - Firewall Settings - Warning - Possible TCP Flood on IF X0 - src: 10.0.0.12:139 dst: 10.1.1.74:3326 - rate: 1691/sec continues
4/2/2015 6:18      1370      - Firewall Settings - Alert - Possible TCP Flood on IF X0 - from machine xx:xx:e1:b4:07:60 with TCP packet rate of 63/sec has ceased
4/2/2015 7:07      609      - Security Services - Alert - 10.0.0.12, 25, X0 - 89.145.108.222, 49408, X1 - IPS Prevention Alert: INFO SMTP Relay Denied, SID: 521, Priority: Low
4/2/2015 8:21      609      - Security Services - Alert - 50.77.153.14, 4904, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 8:53      1369      - Firewall Settings - Alert - Possible TCP Flood on IF X0 - src: 10.0.0.11:445 dst: 10.1.1.79:2463
4/2/2015 8:53      1371      - Firewall Settings - Warning - Possible TCP Flood on IF X0 - src: 10.0.0.12:139 dst: 10.1.1.75:4362 - rate: 1045/sec continues
4/2/2015 8:53      1370      - Firewall Settings - Alert - Possible TCP Flood on IF X0 - from machine xx:xx:e1:b4:07:60 with TCP packet rate of 1/sec has ceased
4/2/2015 9:04      905      - Firewall Settings - Alert - Possible FIN Flood on IF X0 - src: 10.0.0.106:49534 dst: 216.58.217.130:80
4/2/2015 9:04      909      - Firewall Settings - Warning - Possible FIN Flood on IF X0 - src: 10.0.0.106:49555 dst: 54.213.9.162:80 - rate: 334/sec continues
4/2/2015 9:04      907      - Firewall Settings - Alert - Possible FIN Flood on IF X0 - from machine xx:xx:e1:b4:07:60 with FIN rate of 45/sec has ceased
4/2/2015 9:57      609      - Security Services - Alert - 213.135.239.118, 62239, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 9:58      609      - Security Services - Alert - 213.135.239.118, 51879, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
I don't see any HTTPS (443) traffic in those logs being blocked which is what Activesync and OWA would be using.
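
The check made in the reply above can be run mechanically over the firewall excerpt. This is an added example, not part of the thread: it parses a few of the posted log lines (whitespace collapsed) and lists events destined for the mail server on a given port, assuming the first endpoint in each IPS line is the source and the second the destination. Function names are illustrative.

```python
import re
from collections import Counter

# Lines copied from the firewall log excerpt in the thread (whitespace collapsed).
SAMPLE = """\
4/2/2015 3:07 609 - Security Services - Alert - 10.0.0.12, 25, X0 - 89.145.108.222, 45694, X1 - IPS Prevention Alert: INFO SMTP Relay Denied, SID: 521, Priority: Low
4/2/2015 3:44 609 - Security Services - Alert - 96.27.254.98, 1295, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
4/2/2015 6:17 1369 - Firewall Settings - Alert - Possible TCP Flood on IF X0 - src: 143.127.136.95:443 dst: 10.1.1.79:1580
4/2/2015 6:17 1371 - Firewall Settings - Warning - Possible TCP Flood on IF X0 - src: 10.0.0.12:139 dst: 10.1.1.74:3326 - rate: 1691/sec continues
4/2/2015 6:18 1370 - Firewall Settings - Alert - Possible TCP Flood on IF X0 - from machine xx:xx:e1:b4:07:60 with TCP packet rate of 63/sec has ceased
4/2/2015 9:57 609 - Security Services - Alert - 213.135.239.118, 62239, X1 - 10.0.0.12, 25, X0 - IPS Prevention Alert: SMTP ylmf-pc Brute Force Attack, SID: 3795, Priority: Low
""".splitlines()

IP = r"(\d+\.\d+\.\d+\.\d+)"
# IPS alert: "src, sport, iface - dst, dport, iface - IPS Prevention Alert: name, SID: n"
IPS_RE = re.compile(IP + r", (\d+), \w+ - " + IP + r", (\d+), \w+ - IPS \w+ Alert: (.+), SID: (\d+)")
# Flood alert: "Possible <kind> Flood on IF X0 - src: ip:port dst: ip:port"
FLOOD_RE = re.compile(r"Possible (\w+) Flood .*src: " + IP + r":(\d+) dst: " + IP + r":(\d+)")

def parse(line):
    """Return a dict with src/dst endpoints and a label, or None if the line has no endpoints."""
    m = IPS_RE.search(line)
    if m:
        src, sport, dst, dport, name, sid = m.groups()
        label = f"IPS SID {sid}: {name}"
    else:
        m = FLOOD_RE.search(line)
        if not m:
            return None  # "from machine ... has ceased" lines carry no IP endpoints
        kind, src, sport, dst, dport = m.groups()
        label = f"{kind} flood"
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "label": label}

def inbound(lines, server, port):
    """Events whose destination is server:port."""
    return [e for e in map(parse, lines) if e and e["dst"] == server and e["dport"] == port]

def mentions_port(lines, port):
    """Events with the port on either side, so source-port matches can be reviewed separately."""
    return [e for e in map(parse, lines) if e and port in (e["sport"], e["dport"])]

def by_label(events):
    return Counter(e["label"] for e in events)
```

Run against the excerpt, `inbound(SAMPLE, "10.0.0.12", 443)` is empty, and the only line that mentions 443 has it as a source port toward a 10.1.1.x client rather than as a destination on the mail server.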
ZBI-IT

ASKER

Yeah, nothing major there.  All low priority items.  I'm simply at a loss so I'm digging for whatever I can find.  

Everything is checking out with our Exchange server.  Other statics from our ISP are working fine but haven't confirmed with Comcast that there isn't an issue with the one in question.  Don't see how that would affect connectivity of OWA internally.  My main priority is getting ActiveSync functioning again.  

I'm thinking that something, somehow, got screwed up in the Firewall.  Just haven't been able to track down exactly what yet.  That's why I've resorted to EE.
ZBI-IT

ASKER

Can't access OWA with internal IP or external IP.  Can't access via server/owa.  OWA won't open on Exchange server itself via IE or IIS browse.

I can telnet on 443 internally using the internal IP, public IP, server name, fqdn.  

I can telnet on 443 externally using the public IP or fqdn.
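
The symptoms reported so far (telnet to 443 connects, yet the SSL checker finds no certificate) split into two stages: the TCP connect and the TLS handshake. The following added example, not part of the thread, reports which stage fails; the function names and the local listener used to reproduce the symptom are constructed for illustration.

```python
import socket
import ssl
import threading

def probe(host, port=443, timeout=5.0):
    """Return (stage, detail) where stage is 'tcp_fail', 'tls_fail' or 'ok'."""
    try:
        # Stage 1: what a successful telnet to the port proves, and nothing more.
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_fail", str(exc))
    # Diagnostic only: accept any certificate so that an expired or mismatched
    # one is still reported as "presented" instead of hiding behind a trust error.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Stage 2: the handshake in which the server must present its certificate.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return ("ok", f"{tls.version()}, certificate of {len(der)} bytes")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_fail", str(exc))

def mute_listener():
    """Constructed stand-in for the symptom: accepts TCP on a local port, never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = mute_listener()
    print(probe("127.0.0.1", port))  # the port is open, but the handshake fails
```

A `tls_fail` result on a port that accepts connections points at the service or its certificate binding rather than at packet filtering in front of it.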
If you can't open OWA internally either then it is a problem with the Exchange server.  Did you make sure all the services are started?  When you go in to IIS Manager, is the site started?  Do you have a host header defined for the site?  Make sure that the DNS name you are entering to access OWA resolves to the correct IP internally.  Make sure you verify it against the bindings for the web site in IIS Manager.

Since OWA isn't working then it would make sense that Activesync wouldn't work either.  They are both just virtual directories off of the same default web site in IIS.  Once you get OWA working internally I am sure that ActiveSync will work.  It also isn't likely firewall related since it doesn't work internally.

I am going on the assumption that your internal DNS resolves to the internal IP of your CAS server and the external DNS resolves to the public IP of your firewall.  If you are referencing your EXTERNAL IP for your CAS server on your INTERNAL DNS then that would likely point to the firewall being the issue and you would need to make sure your firewall is allowing traffic from the LAN to loop back and talk to your CAS server.
ZBI-IT

ASKER

Yes, all services are started and the site is started in IIS Manager.  Both were one of the first things I checked ~6 hours ago.  I restarted those services and the site as well.  No host header defined for the site.  DNS resolves to correct IP.  The bindings are set to All Unassigned.
When you say the "correct IP", what IP is that?  The IP of the firewall or the IP of the CAS server?
ZBI-IT

ASKER

IP of the server.
Have you confirmed that the Windows firewall is not stopping the traffic?
ZBI-IT

ASKER

Turned it off and tested and no difference.
Are there any warnings or errors in the Application and System logs on your email server?

If the web services and Exchange services are all started, the web site in IIS is started and the certificate is installed and configured in the binding correctly then you should be able to access OWA internally.

Bring up the EMS and type "get-ExchangeCertificate" and paste the results here.  You can adjust the server names if you like to keep it anonymous.

For the certificate bound to the web service (indicated by the W in the output), send a screenshot of that so we can verify the name on the certificate and validity period.  Obfuscate the private details as best as you can so we can still see what we need to see.

Then type "get-OwaVirtualDirectory" in the EMS and paste those results here too.

You can also paste the results of "get-exchangeserver | fl"

That will be enough for now.
ZBI-IT

ASKER

Those were the logs I referred to earlier.  Nothing in the Application logs.  The system logs have two things - WinRM service warning 10149 and Schedule error 7901, both way after this issue started and I don't see a connection to the issue for either.

All web services and Exchange services are started.  The web site in IIS is started.  Certificate is installed with a private key that corresponds and is valid until 9/8/2018.  I verified nothing changed with the name and validity ~10 hours ago.  

Can't bring up the EMS because this is an Exchange 2003 install.
ASKER CERTIFIED SOLUTION
rgorman

This solution is only available to members.
ZBI-IT

ASKER

I had to wait until most of our office staff left to restart this server, but it appears that it has resolved the issue.

I just wish I knew what caused it so I can possibly prevent it from happening again.

Thanks for all of your time today rgorman.