Exchange 2016 external access to owa stopped working recently.

Member_2_6365802
The external OWA access to Exchange 2016 stopped working over the weekend.

We are running a small internal Exchange 2016 installation with 25 users. The external OWA site has been working until recently - last 5 days. The OWA and Outlook access are working internally within the local environment, but not from the internet. The Exchange server claimed to have issues with LDAP access to the AD controller in the event log, but shows connections to LDAP with the netstat command.

The IIS shows the site being active with the correct certificate attached.   Again, nothing changed.

I have rebooted the AD controller (first) and the exchange server (second)  with no change in connectivity.  We have not installed any updates or new software in the last month. The firewall on the exchange server has been turned off for testing.  

The WAN access firewall (SonicWall) has also been rebooted, and has all other access working.

Internal connections work, external do not. I suspect it is related to LDAP/IIS/OWA but do not know how to proceed next.

Thank you, in advance,
Jim
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Run the Microsoft connectivity analyzer and see the results. You can go to the URL below to access the analyzer.

https://testconnectivity.microsoft.com

This should be able to help find where the failure is happening.
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
Hi

What errors are showing in the application log on the exchange server? Did any updates apply in the background that could have broken something?
Member_2_6365802, Lead Engineer

Author

Commented:
Edward,
Thank you for your reply.
Good question.

I checked and Microsoft Exchange 2016 cu4 installed on the 27th at 530pm CDT.  I did not initiate it, but it installed anyway.
 It may be the issue. It appears that the ldap complaints started shortly after the cu4 install.

Question - Is it safe to back it out or update it to the current cu?
How would you recommend to proceed?

Jim
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
Did .net 4.7.2 perhaps also install?
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
You can update to the latest but I prefer to always stick to 1. Erosion behind the latest
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
Sorry autocorrect on my phone 😀, stick to 1 version behind the latest
Member_2_6365802, Lead Engineer

Author

Commented:
Tim,
Thank you for the information. I tried this test earlier tonight from a client machine attached to the internet. It failed right away with the client being unable to log in via the OWA interface immediately.  
When I tested internally from a local network desktop, the OWA interface works perfectly.  Outside via the internet, OWA and I suspect the ActiveSync access via https, is not working.
Thanks,
Jim
Member_2_6365802, Lead Engineer

Author

Commented:
Edward,
I do not see any dot net 4.72 installed under programs on any date listed. I agree with being on the leading but not bleeding edge of software distribution.
Should I try to install the dot.net 4.72 patch?
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
No, don't install it; just making sure you didn't have it, as it breaks Exchange.
Michelangelo, System Administrator / Postmaster

Commented:
Can you provide any error message you get when accessing OWA? And also, details on the errors you find in the event log regarding LDAP?
Michael B. Smith, Managing Consultant

Commented:
To restate, if you attempt to access OWA externally do you get a 404 (not found) or a different error? If it's a different error, what is it?

I suspect someone in your network team may have messed with DNS or your firewall.
Member_2_6365802, Lead Engineer

Author

Commented:
To all,

dot net 4.72 was installed.  I removed it, but did not reboot. Do I need to reinstall 4.61 dot net or reboot and reinstall 4.61?

All microsoft exchange services are running, but I did get an error in the application log related to the owa interface.

Source:        MSExchange OWA
Date:          8/28/2018 1:40:34 AM
Event ID:      139
Task Category: Wac
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Mail.lhmlaw.local
Description:
There was an error setting up WacConfiguration. Wac will be disabled. The WacUrlHostName was invalid. Expected a valid Uri. Actual value was ''. Value read from 'OrganizationConfig'
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange OWA" />
    <EventID Qualifiers="49152">139</EventID>
    <Level>2</Level>
    <Task>10</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-28T06:40:34.439558300Z" />
    <EventRecordID>6199628</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Mail.lhmlaw.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The WacUrlHostName was invalid. Expected a valid Uri. Actual value was ''. Value read from 'OrganizationConfig'</Data>
  </EventData>
</Event>

Please advise.

Thanks, in advance

Jim
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)
Commented:
Reboot and then you can update to .NET 4.7.1, which is supported; just make sure you are on the right CU. Check Microsoft's documentation.
Michael B. Smith, Managing Consultant

Commented:
WAC is the old name for Office Web App Servers. Unless you have an Office Web App Server (unlikely for SMB) you can ignore that particular error.
Member_2_6365802, Lead Engineer

Author

Commented:
Tim,
I tested using the connectivity tool and it fails upon login with an unknown error. I will retest and see if it gives a particular error number.

Michelangelo,
I will test again and report the error that I obtain.

Michael,
I will test again, see what error I obtain from my web browser, and post it.

I will ignore the WAC error.

Edward,

Plan
Reinstall dotnet 4.7.1
reboot
Upgrade from cu 4 to cu 9
reboot
check all services running
check event log
check connectivity from inside and outside
check with connectivity tool
confirm with end users
??? any other suggestions....

Thanks to all,

Jim
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP & MCT)

Commented:
Sounds good
Member_2_6365802, Lead Engineer

Author

Commented:
To all:
I installed dotnet 4.71 and cu 9 and rebooted several times after each installation - per the plan listed earlier.

System is functioning as before - inside access to owa is working, outside access is not.

No change.


I captured a sniffer trace from this server and others operating through the firewall. Other servers work; this one does not. Sniffer trace of outside web OWA access shows no response to the SYN packet. The OWA is not getting out to the internet for some reason.

Comment please, on next steps?
Michael B. Smith, Managing Consultant

Commented:
I'm going to repeat my comment from yesterday: To restate, if you attempt to access OWA externally do you get a 404 (not found) or a different error? If it's a different error, what is it?

I suspect someone in your network team may have messed with DNS or your firewall.
Lead Engineer
Commented:
To all:

Resolved!

Thank you for all of your inputs. It guided me to the correct solutions.

We had 2 issues that had to be mitigated.

1. Unanticipated upgrade from cu3 to cu4 - This was resolved by upgrading dotnet to 4.71 and Exchange to cu9.  After this was done, all of the errors stopped exhibiting in the event viewer and all services were started normally.  Internal owa worked (always did) but external still not functional. (Edward hint)

2. Unknown upstream firewall change by internet provider. We discovered that external address of OWA worked from WITHIN the local subnet/site, but did not from external or remote sites. We control the SonicWall firewall and no changes were implemented, and as part of the internet service installation, explicitly set the DSL unit to allow all traffic unaltered. (Michael hint)

I had to put an Ethernet sniffer to observe the traffic between the two firewalls, to discover the root cause.  

Eventually discovered that the ATT UVerse unit had the firewall turned on (it was previously turned off and set to pass-thru) and also had a rule in it that was blocking access to the external nat address of the OWA service.  

We did not do this, ATT claims that they did not alter it, but they DID upgrade the code on the unit the day before the issue was reported.

To resolve, we turned off the DSL firewall (again) and placed an explicit rule to allow traffic to this address. Curious that this was the only address that was explicitly altered - we have four other addresses that continued to work. Now there are two rules, so hopefully if one is turned off the other will also allow the OWA and ActiveSync traffic.

Thanks to all, again, for the input and guidance. We really appreciated your help!

Best regards,

Jim
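
The capture-point comparison described in the resolution above, as an added example that is not part of the original thread: given decoded TCP segments from sniffers at several points on the path, it reports between which two points a client's SYN disappears. The capture-point names, the `Pkt` record layout, and all addresses are constructed for illustration; flows are keyed on the client IP and port, which assumes inbound traffic is only destination-NATed.

```python
from collections import namedtuple

# One decoded TCP segment as seen at a named capture point.
Pkt = namedtuple("Pkt", "point src sport dst dport flags")

# Capture points ordered from the remote client inward (names are assumptions).
PATH = ["remote_client", "between_firewalls", "inside_lan"]

def handshake_state(packets, point, flow):
    """Return (syn_seen, synack_seen) for one client (ip, port) at one point."""
    syn = any(p.point == point and p.flags == "S" and (p.src, p.sport) == flow
              for p in packets)
    synack = any(p.point == point and p.flags == "SA" and (p.dst, p.dport) == flow
                 for p in packets)
    return syn, synack

def locate_drop(packets, flow):
    """Walk the path inward and report where the handshake stops."""
    previous = None
    for point in PATH:
        if not handshake_state(packets, point, flow)[0]:
            return ("syn_dropped", previous, point)   # lost between these two
        previous = point
    if not handshake_state(packets, PATH[-1], flow)[1]:
        return ("no_reply", PATH[-1], None)           # listener/host problem
    if not handshake_state(packets, PATH[0], flow)[1]:
        return ("reply_dropped", PATH[-1], PATH[0])   # SYN-ACK lost on the way out
    return ("ok", None, None)

CLIENT = "198.51.100.7"  # constructed addresses from documentation ranges
SAMPLE = [
    # Flow 1: HTTPS to the OWA NAT address; SYN retransmitted, never seen inside.
    Pkt("remote_client", CLIENT, 50001, "203.0.113.10", 443, "S"),
    Pkt("remote_client", CLIENT, 50001, "203.0.113.10", 443, "S"),
    # Flow 2: HTTPS to another published address; handshake completes.
    Pkt("remote_client", CLIENT, 50002, "203.0.113.11", 443, "S"),
    Pkt("between_firewalls", CLIENT, 50002, "203.0.113.11", 443, "S"),
    Pkt("inside_lan", CLIENT, 50002, "192.168.1.11", 443, "S"),
    Pkt("inside_lan", "192.168.1.11", 443, CLIENT, 50002, "SA"),
    Pkt("between_firewalls", "203.0.113.11", 443, CLIENT, 50002, "SA"),
    Pkt("remote_client", "203.0.113.11", 443, CLIENT, 50002, "SA"),
]

if __name__ == "__main__":
    for port in (50001, 50002):
        print(port, locate_drop(SAMPLE, (CLIENT, port)))
```

A `syn_dropped` result naming the outermost pair of points implicates the device upstream of the inner firewall, while `no_reply` at the innermost point indicates a problem on the server or its listener.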
Member_2_6365802, Lead Engineer

Author

Commented:
Edward, Tim, Michael, and Michelangelo,

Thank you, all, for your insight and knowledge.  
I outlined in my solution how your information and comments guided me to resolve two root issues that were preventing full functionality.
Again, the information and the support is excellent and is greatly appreciated.

Take care,

Jim
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
It's good you got it working.