Cannot access OWA from outside our network - Windows Server 2016 DC and a Windows Server 2016 with Exchange 2016

We are testing and deploying a Windows 2016 DC with a separate Windows 2016 Exchange server 2016.

The Windows DC has the Windows Server Essentials role installed for our external people. The DC is working fine and we can remote connect to RWW no problem

The issue is with our Exchange Server. We have installed everything OK - we can send and receive email through exchange to internal and external contacts.
The problem we are having is accessing OWA from outside our network - which is a critical part of the deployment.

Internally we can access web-mail with the URL https://kits-exchange/owa however we cannot reach Exchange 2016 OWA from outside network.

Looking at the issue, we can see that our DC's IIS is hosting the default website, giving us access to RWW via port 443; however, on our Exchange server, IIS is hosting its own default website and an Exchange-Backend website - these are on ports 444 and 81.

Question is - how do we reach OWA / webmail from outside our domain network?

Additional Info:
We have a configured Domain Name that points to the fixed IP of the broadband connection
We have a valid SSL Certificate bound to our DC for HTTPS remote access
We have followed the principle the Exchange should be installed on a separate server
We are IT Proficient and understand IT!

Thank you
Andy
Paul Evans Asked:

MAS (MVE), EE Solution Guide - Technical Dept Head, Commented:
Hi Paul,
If it's working from inside it will work from outside if NAT is correct.
Please open http://www.canyouseeme.org/ and check port 443 is open.
If the port is not open please configure firewall properly.
Please make sure the OWA virtual directory is configured as well. Below is the command to check.
Get-OwaVirtualDirectory | select name,internalurl,externalurl

Thanks
MAS
0
DP230, Network Administrator, Commented:
What is your exact domain name? something like mail.domain.com?

Did you try MXToolbox to check your mail server?

Can you access Exchange ECP?
0
Paul Evans (Author) Commented:
Hi MAS (MVE)
Thank you for the help.
Port 443 is already open and configured, as we can access RWW (on our DC) from outside the network. Exchange OWA is on port 444 (which is also open and pointing to the IP of our Exchange server), which is on a different internal IP than the DC - i.e. the DC is on 192.168.16.2 and Exchange is on 192.168.16.3 - so port 443 is pointing to 192.168.16.2, the DC.

DP230 - thank you
Typical - MXToolbox is down; it states it's unavailable.
We have a number of 'A' records set up - Mail is one and points to the fixed IP of our broadband connection - but that only resolves to our DC, as this is what's at the end of the broadband connection.

Yes we can access Exchange ECP - inside our network.
0

MAS (MVE), EE Solution Guide - Technical Dept Head, Commented:
-->Exchange OWA is on port 444 (which is also open and pointing to the IP of our Exchange server)
Exchange is using port 443 by default. Can you please change the port forwarding (of port 443) to 192.168.16.3 for testing in the firewall and try?
0
matrix8086 Commented:
Your configuration is odd. By default a browser will make a request to port 443. On the inside you have 2 private IPs: 1 for the DC and 1 for OWA; you make 2 separate requests to 2 separate IPs and the IIS of OWA makes a port translation from 443 to 444.

From the outside, by default, the browser makes the request on port 443 and the firewall redirects it to the DC IIS private IP.

You will probably be able to access OWA if your broadband equipment (router, firewall, etc.) has a port redirection of 444 to the private IP of OWA, but you must specify port 444 explicitly in the browser: https://your-domain.com:444.

If you want to access OWA from outside without an explicit 444, you have to define the OWA site in the DC IIS (with URL and port configured according to your actual OWA settings).

Best regards
0
Paul Evans (Author) Commented:
Hi MAS - sorry for the delay in replying

Ref: -
Exchange is using port 443 by default. Can you please change the port forwarding (of port 443) to 192.168.16.3 for testing in the firewall and try?

According to IIS on our Exchange box - it is using Port 444 for HTTPS and port 81 for HTTP.

We can/have changed it to 443, pointed our firewall to the Exchange box IP, and we can access it from outside our network - however this makes RWW inaccessible (appreciate it was a test).
1
Paul Evans (Author) Commented:
Hi matrix8086 - Thank you and sorry for the delay in replying

I am not sure there is much wrong with the setup - IIS on our DC has the RWW website and IIS on our exchange server has Exchange and OWA websites - that seems by design.

Explicitly typing port 444 into the URL is not the way to go for our external staff and I am not sure mobile devices are going to be able to configure correctly their Exchange email accounts.

Your comment -
If you want to access OWA from outside without 444 explicit, you have to define the OWA site in the DC IIS (with URL and port configured according with your actual settings of OWA)

This sounds the way to go forward - do you know how we would do this please as we have limited knowledge in configuring and defining sites in IIS.
Thank you
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Commented:
Exchange 2016 uses port 443 by default. Below is the screenshot of the port binding in IIS. You may try forwarding from 444 to 443 and try opening OWA like this: https://mail.domain.com:444/owa. Which I didn't try.
[Screenshot: test.JPG - IIS port bindings on the Exchange server]
1
Paul Evans (Author) Commented:
MAS
My apologies - I was looking at the Exchange-Backend IIS website that is using port 444; clearly this is because the default website on this server is using port 443, as you correctly point out.

This still doesn't resolve my issue.

Redirecting to the Exchange Server IIS Default website FROM our DC seems to be the way to go forward with this.

Do you have experience that can be shared on this please?
Thank you
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Commented:
Please do not forget your OWA, ActiveSync, Outlook Anywhere, Address Book download etc. require port 443 to work properly.

If you have only one IP you can use some proxy server in between to workaround this which will do the port redirection and proxying.
0
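Extending MAS's Get-OwaVirtualDirectory check to the other client-facing endpoints he lists above (ECP, ActiveSync, OAB, EWS, MAPI, Outlook Anywhere), here is an added audit script that is not part of the thread. It assumes the server is named KITS-EXCHANGE (from the internal URL in the question) and uses mail.domain.com as a placeholder for the published host name; run it in the Exchange Management Shell.

```powershell
# Added example, not from the thread: report the Internal/External URLs that external
# clients depend on, flagging endpoints with no ExternalUrl or one that does not use
# the published host name. Read-only: nothing is changed.
param(
    [string]$Server     = 'KITS-EXCHANGE',    # assumption: server name from the question's internal URL
    [string]$PublicName = 'mail.domain.com'   # placeholder: replace with your published host name
)

# Each client-facing virtual directory and the cmdlet that returns it.
$checks = @(
    @{ Name = 'OWA';        Get = { Get-OwaVirtualDirectory         -Server $Server } },
    @{ Name = 'ECP';        Get = { Get-EcpVirtualDirectory         -Server $Server } },
    @{ Name = 'ActiveSync'; Get = { Get-ActiveSyncVirtualDirectory  -Server $Server } },
    @{ Name = 'OAB';        Get = { Get-OabVirtualDirectory         -Server $Server } },
    @{ Name = 'EWS';        Get = { Get-WebServicesVirtualDirectory -Server $Server } },
    @{ Name = 'MAPI';       Get = { Get-MapiVirtualDirectory        -Server $Server } }
)

$expectedPrefix = "https://$PublicName/"

foreach ($c in $checks) {
    foreach ($vdir in (& $c.Get)) {
        $ext = [string]$vdir.ExternalUrl
        if ([string]::IsNullOrEmpty($ext)) {
            $status = 'MISSING'        # clients outside the network get no URL at all
        } elseif ($ext -notlike "$expectedPrefix*") {
            $status = 'MISMATCH'       # URL points at a host name that is not published
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Endpoint    = $c.Name
            Identity    = $vdir.Identity
            InternalUrl = [string]$vdir.InternalUrl
            ExternalUrl = $ext
            Status      = $status
        }
    }
}

# Outlook Anywhere publishes a host name rather than a URL, so check it separately.
Get-OutlookAnywhere -Server $Server |
    Select-Object Identity, InternalHostname, ExternalHostname,
        @{ n = 'Status'; e = { if (([string]$_.ExternalHostname) -eq $PublicName) { 'OK' } else { 'MISMATCH' } } }
```

Any MISSING or MISMATCH row means that endpoint will not be reachable through the published name even once port 443 is forwarded to the Exchange server.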
matrix8086 Commented:
Unfortunately I can only explain it to you as a principle model; I have little experience with IIS myself.

You have to define in the external DNS a new website for OWA, for example webmail.domain.com.

You have to declare this website in the IIS of the DC and set up a reverse proxy, or a rewrite rule, where the requests for webmail.domain.com are redirected to the private IP of OWA on port 444.

Looking at the IIS settings of OWA may be helpful.

Also maybe this link can help you https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/

Best regards
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Commented:
One correction. Port 444 should not be used as it is used by backend/exchange.  Please try another port and try rewriting.
0
kevinhsieh Commented:
It sounds like you have 1 public IP address, which you are trying to use for both RWW and Exchange. This is difficult as both expect clients to use port 443 for secure communication.

The standard solution is to have multiple public IP addresses, and NAT or port forward each server to a different public IP.  Contact the ISP to get additional static IP addresses. There is usually a nominal monthly charge.

The other option is to configure reverse proxy on the domain controller so it can forward connections to RWW or Exchange, depending upon the URL the client is using.

Since this seems like a small deployment, why have Exchange on premise at all instead of using O365? By the time hardware, software, spam filtering, backups, etc. are taken into account, on premise installations typically cost as much as many years worth of O365.
0
Michael B. Smith, Exchange & Active Directory Expert, Commented:
This is a Server Essentials configuration issue. I don't have Essentials in my lab, but it's not properly configured for an on-premises Exchange Server. See this article: https://docs.microsoft.com/en-us/windows-server-essentials/manage/integrate-an-on-premises-exchange-server-with-windows-server-essentials and jump down to the section named "Enable on-premises Exchange Server integration on Windows Server Essentials".
1

Paul Evans (Author) Commented:
The solution provided by Michael B. Smith was spot-on.

The article he referred to - specifically the section "Enable on-premises Exchange Server integration on Windows Server Essentials" - was exactly the solution required and IS the solution for single IP address users who set up two servers - one a DC with Essentials installed and the second as an Exchange Server.

Everything is working perfectly.

Thank you all for your help.
0