Exchange 2016 external access to OWA stopped working recently.

The external OWA access to Exchange 2016 stopped working over the weekend.

We are running a small internal Exchange 2016 installation with 25 users. The external OWA site has been working until recently - last 5 days. The OWA and Outlook access are working internally within the local environment, but not from the internet. The Exchange server claimed to have issues with LDAP access to the AD controller in the event log, but shows connections to LDAP with the netstat command.

The IIS shows the site being active with the correct certificate attached. Again, nothing changed.

I have rebooted the AD controller (first) and the Exchange server (second) with no change in connectivity. We have not installed any updates or new software in the last month. The firewall on the Exchange server has been turned off for testing.

The WAN access firewall (SonicWall) has also been rebooted, and has all other access working.

Internal connections work, external do not. I suspect it is related to LDAP/IIS/OWA but do not know how to proceed next.

Thank you, in advance,
Jim
Member_2_6365802 (Lead Engineer) Asked:
timgreen7077 (Exchange Engineer) Commented:
Run the Microsoft connectivity analyzer and see the results. You can go to the URL below to access the analyzer.

https://testconnectivity.microsoft.com

This should be able to help find where the failure is happening.
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
Hi

What errors are showing in the application log on the Exchange server? Did any updates apply in the background that could have broken something?
0
Member_2_6365802 (Lead Engineer) Author Commented:
Edward,
Thank you for your reply.
Good question.

I checked and Microsoft Exchange 2016 CU4 installed on the 27th at 5:30 pm CDT. I did not initiate it, but it installed anyway.
It may be the issue. It appears that the LDAP complaints started shortly after the CU4 install.

Question - Is it safe to back it out or update it to the current CU?
How would you recommend to proceed?

Jim
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
Did .NET 4.7.2 perhaps also install?
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
You can update to the latest but I prefer to always stick to 1. Erosion behind the latest
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
Sorry, autocorrect on my phone 😀, stick to 1 version behind the latest
0
Member_2_6365802 (Lead Engineer) Author Commented:
Tim,
Thank you for the information. I tried this test earlier tonight from a client machine attached to the internet. It failed right away with the client being unable to log in via the OWA interface immediately.
When I tested internally from a local network desktop, the OWA interface works perfectly. Outside via the internet, OWA, and I suspect the ActiveSync access via https, is not working.
Thanks,
Jim
0
Member_2_6365802 (Lead Engineer) Author Commented:
Edward,
I do not see any dot net 4.72 installed under programs on any date listed. I agree with being on the leading but not bleeding edge of software distribution.
Should I try to install the dot.net 4.72 patch?
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
No, don't install it; just making sure you didn't have it, as it breaks Exchange.
0
Michelangelo (Consultant) Commented:
Can you provide any error message you get when accessing OWA? And also, details on the errors you find in the event log regarding LDAP?
0
Michael B. Smith (Exchange & Active Directory Expert) Commented:
To restate, if you attempt to access OWA externally do you get a 404 (not found) or a different error? If it's a different error, what is it?

I suspect someone in your network team may have messed with DNS or your firewall.
0
Member_2_6365802 (Lead Engineer) Author Commented:
To all,

dot net 4.72 was installed. I removed it, but did not reboot. Do I need to reinstall 4.61 dot net or reboot and reinstall 4.61?

All Microsoft Exchange services are running, but I did get an error in the application log related to the OWA interface.

Source:        MSExchange OWA
Date:          8/28/2018 1:40:34 AM
Event ID:      139
Task Category: Wac
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Mail.lhmlaw.local
Description:
There was an error setting up WacConfiguration. Wac will be disabled. The WacUrlHostName was invalid. Expected a valid Uri. Actual value was ''. Value read from 'OrganizationConfig'
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange OWA" />
    <EventID Qualifiers="49152">139</EventID>
    <Level>2</Level>
    <Task>10</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-28T06:40:34.439558300Z" />
    <EventRecordID>6199628</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Mail.lhmlaw.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The WacUrlHostName was invalid. Expected a valid Uri. Actual value was ''. Value read from 'OrganizationConfig'</Data>
  </EventData>
</Event>

Please advise.

Thanks, in advance

Jim
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
Reboot and then you can update to .NET 4.7.1, which is supported; just make sure you are on the right CU. Check Microsoft's documentation.
0
Michael B. Smith (Exchange & Active Directory Expert) Commented:
WAC is the old name for Office Web App Servers. Unless you have an Office Web App Server (unlikely for SMB) you can ignore that particular error.
0
Member_2_6365802 (Lead Engineer) Author Commented:
Tim,
I tested using the connectivity tool and it fails upon login with an unknown error. I will retest and see if it gives a particular error number.

Michelangelo,
I will test again and report the error that I obtain.

Michael,
I will test again, and see what error I obtain from my web browser and post.

I will ignore the WAC error.

Edward,

Plan
Reinstall dotnet 4.7.1
reboot
Upgrade from cu 4 to cu 9
reboot
check all services running
check event log
check connectivity from inside and outside
check with connectivity tool
confirm with end users
??? any other suggestions....

Thanks to all,

Jim
0
Edward van Biljon (Messaging and Collaboration Technical Lead, Exchange MVP) Commented:
Sounds good
0
Member_2_6365802 (Lead Engineer) Author Commented:
To all:
I installed dotnet 4.71 and CU 9 and rebooted several times after each installation - per the plan listed earlier.

System is functioning as before - inside access to OWA is working, outside access is not.

No change.

I captured a sniffer trace from this server and others operating through the firewall. Other servers work; this one does not. Sniffer trace of outside web OWA access shows no response to the SYN packet. The OWA is not getting out to the internet for some reason.

Comment please, on next steps?
0
Michael B. Smith (Exchange & Active Directory Expert) Commented:
I'm going to repeat my comment from yesterday: To restate, if you attempt to access OWA externally do you get a 404 (not found) or a different error? If it's a different error, what is it?

I suspect someone in your network team may have messed with DNS or your firewall.
0
Member_2_6365802 (Lead Engineer) Author Commented:
To all:

Resolved!

Thank you for all of your inputs. It guided me to the correct solutions.

We had 2 issues that had to be mitigated.

1. Unanticipated upgrade from CU3 to CU4 - This was resolved by upgrading dotnet to 4.71 and Exchange to CU9. After this was done, all of the errors stopped exhibiting in the event viewer and all services were started normally. Internal OWA worked (always did) but external still not functional. (Edward hint)

2. Unknown upstream firewall change by internet provider. We discovered that the external address of OWA worked from WITHIN the local subnet/site, but did not from external or remote sites. We control the SonicWall firewall and no changes were implemented, and as part of the internet service installation, explicitly set the DSL unit to allow all traffic unaltered. (Michael hint)

I had to put an Ethernet sniffer to observe the traffic between the two firewalls, to discover the root cause.

Eventually discovered that the ATT UVerse unit had the firewall turned on (it was previously turned off and set to pass-thru) and also had a rule in it that was blocking access to the external NAT address of the OWA service.

We did not do this, ATT claims that they did not alter it, but they DID upgrade the code on the unit the day before the issue was reported.

To resolve, we turned off the DSL firewall (again) and placed an explicit rule to allow traffic to this address. Curious that this was the only address that was explicitly altered - we have four other addresses that continued to work. Now there are two rules, so hopefully if one is turned off the other will also allow the OWA and ActiveSync traffic.

Thanks to all, again, for the input and guidance. We really appreciated your help!

Best regards,

Jim
0
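The fault isolation described in the post above (OWA reachable internally, no reply to the SYN from outside), as an added example that is not part of the original thread: it classifies how a TCP handshake to port 443 ends and combines an inside and an outside result into a next step. The function names `probe` and `diagnose` and the advice strings are illustrative assumptions, not output of any Microsoft tool.

```python
import errno
import socket

def probe(host, port=443, timeout=5.0):
    """Try one TCP handshake to host:port and classify how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # SYN, SYN/ACK, ACK completed
    except socket.gaierror:
        return "dns_failure"      # name did not resolve from this vantage point
    except socket.timeout:
        return "filtered"         # SYN sent, no reply: silently dropped en route
    except ConnectionRefusedError:
        return "refused"          # RST returned: host reachable, nothing listening
    except OSError as exc:
        if exc.errno == errno.ETIMEDOUT:
            return "filtered"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"

def diagnose(internal, external):
    """Combine results for the same service probed from inside and outside."""
    if internal != "open":
        return "server side: check the IIS binding and Exchange services first"
    advice = {
        "open": "TCP path is fine from both sides: look at IIS/OWA, not the network",
        "filtered": "a device in the inbound path drops the SYN: review the rules "
                    "on every hop, including the ISP modem/gateway",
        "refused": "inbound NAT lands on a host with no listener: check the forward target",
        "dns_failure": "public DNS record missing or wrong for the external name",
        "unreachable": "routing problem between the outside client and the public address",
    }
    return advice.get(external, "unclassified failure: capture traffic between hops")

if __name__ == "__main__":
    # Constructed results matching the thread: fine inside, no SYN reply outside.
    print(diagnose(internal="open", external="filtered"))
```

Run `probe` against the external OWA name once from a LAN host and once from a machine outside the site, then pass both results to `diagnose`.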

Member_2_6365802 (Lead Engineer) Author Commented:
Edward, Tim, Michael, and Michelangelo,

Thank you, all, for your insight and knowledge.
I outlined in my solution how your information and comments guided me to resolve two root issues that were preventing full functionality.
Again, the information and the support is excellent and is greatly appreciated.

Take care,

Jim
0
timgreen7077 (Exchange Engineer) Commented:
It's good you got it working.
0