Can't connect to OWA/ActiveSync from Internet


  • Can't connect to OWA/ActiveSync from Internet

    Hello, all: I've got a WS03-functional domain, 3xWS03 DCs/GCs (one is an Exch03 Server). I've installed a WS08R2 member and prepped AD for MSExch2010, installed MSExch2010 and moved 1 mailbox to it. It sends and receives, coexisting with MSEx03. I can use an internal URL to get to OWA. However, after making necessary changes in the firewall and anti-spam hardware, I'm unable to reach OWA from the Web, and smartphones no longer sync (of course). I'm attempting to determine methods of testing how/why this failure is occurring. Any suggestions are greatly appreciated. If I have left out pertinent information, please let me know and I'm glad to provide. Thanks in advance for any help.
    Best regards,
    Jim Graue, MCP (WXP, WS03)

  • #2
    Re: Can't connect to OWA/ActiveSync from Internet

    What error message do you get?
    Please do show your appreciation to those who assist you by leaving Rep Point



    • #3
      Re: Can't connect to OWA/ActiveSync from Internet

      From outside the LAN, it's as though I'm not redirecting to the appropriate server: "Internet Explorer cannot display the webpage." I've redirected the protocol for HTTPS to the correct internal IP; the DNS server(s) in our network all have a MX record and an A record for the system in question (maybe I need an SRV record?). I would expect, at least, a certificate error (the cert on the Exchange 2010 system doesn't match its name. I'll fix that, soon). All systems are in the same subnet (10.0.x.x, SNM 255.255.0.0). Internally, I can reach the Exchange 2010 and use the OWA to acquire access to the one mailbox on that system. I can ping the Exchange 2010 server from the firewall's ping utility. I can ping the firewall from the Internet (I have the feature turned on for troubleshooting). When the HTTPS protocol is directed toward the Exchange 2003 system in our network, there is no problem. It responds as expected and ActiveSync functions, too.
      Best regards,
      Jim Graue, MCP (WXP, WS03)



      • #4
        Re: Can't connect to OWA/ActiveSync from Internet

        For ActiveSync, it will only work for mailboxes that are on the Exchange 2010 server. Any mailboxes on the 2003 server won't be able to connect via EAS.


        On the Exchange 2010 server can you access the Internet? Does it have the proper gateway and subnet mask configured?
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: Can't connect to OWA/ActiveSync from Internet

          I was able to get OWA working. There was a misconfigured setting for the NIC in the Exchange 2010 system. The gateway was incorrect (there are several around here). However, ActiveSync still is non-functional. And, I cannot get OWA for Exchange 2010 to pass requests for Exchange 2003-homed mailboxes. But, I'm getting closer to being able to move all mailboxes to Exchange 2010. As soon as ActiveSync is functional, I can move mailboxes.
          Best regards,
          Jim Graue, MCP (WXP, WS03)



          • #6
            Re: Can't connect to OWA/ActiveSync from Internet

            See my above post as this addresses your ActiveSync question.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Can't connect to OWA/ActiveSync from Internet

              +Jeremy: Thank you for your reply. The behavior you mention is expected. The mailbox on the Exchange 2010 system is not able to use EAS, which is somewhat unexpected. I need to resolve the issue, as given by ExRCA, below:

              Attempting to resolve the host name autodiscover.mydomain.com in DNS.
              The host name resolved successfully
              Testing TCP port 443 on host autodiscover.mydomain.com to ensure it's listening and open.
              The specified port is either blocked, not listening, or not producing the expected response
              A network error occurred while communicating with the remote host.

              It should be noted that OWA to this system is functional. The local firewall is, temporarily, off, for testing. The edge-of-network firewall is functioning properly and 443 is directed to this system; otherwise OWA wouldn't work, right?
              Best regards,
              Jim Graue, MCP (WXP, WS03)



              • #8
                Re: Can't connect to OWA/ActiveSync from Internet

                Have you set up the autodiscover records in DNS? Can you try ExRCA without using Autodiscover and see if EAS is working?
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Re: Can't connect to OWA/ActiveSync from Internet

                  I was able to resolve the issue by following the directive(s) in ExRCA: I used ADUC (dsa.msc) to change the settings for my test user object so permissions are inheritable. I changed some settings in DNS on my DC and added an alias on the third-party DNS server to find autodiscover.mydomain.com. My last issue is the cert error the test user receives every time Outlook is opened. This is due to a mismatch in internal name and external name, something I was not aware of when I installed Exchange 2010 to the WS08R2 system. I think I'm going to have to split DNS, which I've never done, before. Alternatively, I could probably purchase a different cert and replace the one on Exchange 2010, but that would also make me change the name all the way around for slightly less than 100 users. I hadn't considered trying ExRCA without using AutoDiscover, because I didn't know it was possible. The cert error is buggin'. I'll see if I can clear that up...
                  Best regards,
                  Jim Graue, MCP (WXP, WS03)



                  • #10
                    Re: Can't connect to OWA/ActiveSync from Internet

                    Keep us posted and let us know if you have any questions.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com



                    • #11
                      Re: Can't connect to OWA/ActiveSync from Internet

                      Regarding cert error: We have mail.mydomain.com on a third-party domain registrar where we can edit our host list to redirect to static, routable IPs we have on-site. We have exch03.mydomain.com (internally, 10.0.0.10, snm 255.255.0.0) that is the system from which we are migrating, and exch10.mydomain.com (10.0.100.15) that is the system to which we are migrating. Externally, when I switch the internal IP for https from 10.0.0.10 to 10.0.100.15 and then adjust DNS on our DC to have CNAME point to exch10.mydomain.com, I continue to get cert errors every time testuser opens Outlook. Outlook is using exch10.mydomain.com, in the LAN, and it won't allow a change (well, it allows the change, but defaults to the first setting of exch10.mydomain.com).

                      Do I need to buy a replacement cert that has mail.mydomain.com AND exch10.mydomain.com? Or, is there somewhere on the client system that I can make Outlook use the CNAME version of this Exchange 2010 server?
                      Best regards,
                      Jim Graue, MCP (WXP, WS03)



                      • #12
                        Re: Can't connect to OWA/ActiveSync from Internet

                        To answer my question: Whereas, it *may* have been possible to make do with the original cert, it was MUCH easier to purchase a new one with the hostnames involved.
                        Best regards,
                        Jim Graue, MCP (WXP, WS03)
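
The name mismatch discussed in posts #9 to #12 comes down to whether every host name a client connects with appears on the certificate. The following is an added example, not code from any poster in this thread: it checks a list of client-facing names against a certificate's DNS names, including single-label wildcard matching. The function names and both certificate name lists are assumptions constructed for illustration; the host names are the ones quoted in the thread.

```powershell
# Added example (PowerShell 2.0 compatible, as shipped with WS08R2).
# Function names and the certificate name lists are constructed for illustration.

function Test-NameCoveredByCert {
    param(
        [string]   $HostName,
        [string[]] $CertNames   # DNS names on the cert (subject CN plus SANs)
    )
    $h = $HostName.ToLower().TrimEnd('.')
    foreach ($entry in $CertNames) {
        $n = $entry.ToLower().TrimEnd('.')
        if ($n -eq $h) { return $true }
        # Wildcard: "*.example.com" matches exactly one left-most label.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)              # ".example.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) {
                    return $true
                }
            }
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]] $ClientNames, [string[]] $CertNames)
    # Emit every client-facing name the certificate does not cover.
    $ClientNames | Where-Object { -not (Test-NameCoveredByCert $_ $CertNames) }
}

# Names clients use in this thread: external URL, Autodiscover, internal FQDN.
$clientNames = 'mail.mydomain.com', 'autodiscover.mydomain.com', 'exch10.mydomain.com'

# Constructed sample: a certificate issued only for the external name.
$oldCert = @('mail.mydomain.com')
# Constructed sample: a replacement certificate listing every name.
$newCert = @('mail.mydomain.com', 'autodiscover.mydomain.com', 'exch10.mydomain.com')

"Old cert misses: " + ((Get-UncoveredName $clientNames $oldCert) -join ', ')
"New cert misses: " + ((Get-UncoveredName $clientNames $newCert) -join ', ')

# On the Exchange 2010 server, pass the installed certificates' names instead:
#   Get-ExchangeCertificate | ForEach-Object {
#       Get-UncoveredName $clientNames ($_.CertificateDomains | ForEach-Object { "$_" }) }
```

Any name reported as missed will produce a certificate warning for clients that connect with it, which is why a certificate carrying all of the host names involved clears the Outlook prompt.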
