Exchange 2016 can't access OWA from external?

C Y
Hi Expert,

I have set up MS Exchange 2016 in my company environment, configured SSL and set all virtual directory internal and external URLs to exchange.company.com, but I still can't land on https://exchange.company.com/owa when using a public network. Is there anything missing in my configuration below?

Currently the network environment is Internet > Link Controller >  Exchange

In internal DNS
- Host A records for Exchange Server pointed to internal IP address (192.X.X.X)
- Host A records for autodiscover.company.com pointed to exchange internal IP (192.X.X.X)
- MX records for exchange.company.com

In external DNS
- Host A records for autodiscover.company pointed to external IP of exchange server
- Host A records for exchange pointed to external IP of exchange server

Using a public network, I'm able to ping exchange.company.com and autodiscover.company.com, which resolve to the external IP of my Exchange server.

Anything else I can check?

Thanks!
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Please try to bypass (in the firewall) the load balancer and open OWA. If it works, you have to check your load balancer settings.
If it doesn't work, you have to check your virtual directories configured in the OWA VDs.
Exchange Engineer
Distinguished Expert 2018
Commented:
The external IP for hitting ECP or OWA should be internet > Firewall > Exchange. I would port forward the IP on the firewall to the Exchange server and bypass the load balancer. So if the external IP for Exchange is 125.15.11.2, I would port forward that IP on the firewall to the internal IP of the Exchange server. There is no need to load balance OWA because Exchange 2016 is a 1:1 session, meaning the user will connect to the Exchange server that has the active DB where the mailbox resides.

After you make the changes you can test with https://testconnectivity.microsoft.com
Murat Elmas, General Manager, Strategic Planning Director
Commented:
Hello,

Check firewall allows TCP 443

Regards
C Y

Author

Commented:
Hi all, the firewall rules have allowed TCP 443, as I'm able to telnet to the public IP on port 443; connection successful.

My network team told me that they have bypassed the load balancer; however, when I captured the network traffic on my Exchange server using Wireshark, I can see the load balancer IP forwarding network traffic with a connection reset error?
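
An added example, not posted by anyone in this thread: a PowerShell probe, run from a machine outside the network, that reports which stage of the path fails, since a successful ping or telnet to 443 only covers the first two stages. The function name `Test-OwaPath` is hypothetical; the host name is the one from the question.

```powershell
# Added example, not from the thread. Test-OwaPath is a hypothetical helper name.
function Test-OwaPath {
    param([string]$HostName = 'exchange.company.com', [int]$Port = 443)
    $r = [ordered]@{ Dns = $null; Tcp = $null; Tls = $null; Http = $null }

    # Stage 1: DNS resolution (what the successful ping already showed).
    try {
        $r.Dns = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch { $r.Dns = "FAILED: $($_.Exception.GetBaseException().Message)"; return [pscustomobject]$r }

    # Stage 2: TCP handshake (what the successful telnet to 443 showed).
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); $r.Tcp = 'OK' }
    catch {
        $r.Tcp = "FAILED: $($_.Exception.GetBaseException().Message)"
        $client.Close(); return [pscustomobject]$r
    }

    # Stage 3: TLS handshake. A reset or closed connection here, after TCP succeeded,
    # points at a device or listener in the path rather than at DNS or the port rule.
    # Certificate validation errors (name mismatch, untrusted chain) also surface here.
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Tls = "OK: $($ssl.SslProtocol); subject=$($cert.Subject); notAfter=$($cert.NotAfter)"
    } catch {
        $r.Tls = "FAILED: $($_.Exception.GetBaseException().Message)"
        return [pscustomobject]$r
    } finally { $client.Close() }

    # Stage 4: HTTPS request for /owa, following redirects to whatever page is served.
    try {
        $resp = Invoke-WebRequest -Uri "https://$HostName/owa" -UseBasicParsing -ErrorAction Stop
        $r.Http = "OK: status $([int]$resp.StatusCode)"
    } catch { $r.Http = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]$r
}

Test-OwaPath | Format-List
```

Running the same function from an internal host and comparing the two outputs shows whether the failing stage is specific to the external path.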
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
When you bypassed the LB, did you see the OWA page?
C Y

Author

Commented:
Hi MAS,

According to my network team, they have configured it to bypass the LB, but I still couldn't see the OWA pages.

I checked in my EMC > certificate and noticed my CA has a failed revocation check. Does this relate to my error that I can't access it externally via the public IP?
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Do you have a 3rd party certificate installed?
Does your server have access to the 3rd party CA server?

Please post screenshots of what you see when you open OWA from outside and inside.
C Y

Author

Commented:
Hi MAS,

I resolved the SSL certificate error with netsh winhttp, forcing it to follow my Internet Explorer settings, which use a proxy server for the internet connection.

Right now, the SSL cert in Exchange is valid and active, and yes, it is a 3rd party certificate installed from DigiCert.

Attached is the internal OWA screenshot; for external OWA it just displays a "this page can't be displayed" error message.
ExchangeInternalOWA.JPG
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Yes, I know it was an issue with internet access/CA server access.
Anyway, glad to know you fixed it.  :))
C Y

Author

Commented:
Hi everyone, after my network team allowed port 443, I'm able to land on the OWA web pages externally, but no matter what credentials I type in, it won't allow me to log in to OWA; it states incorrect user account and password!

On my Exchange server, I can't log in to ECP or OWA either.

Urgently need feedback on this.

Thanks!
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Appreciate if you close this question and ask a new question.