Outlook Web Access & External Access

excalibur1814 Member Posts: 82
Hello all

I have a feeling that this has been mentioned a few times out there on the web :)

Ok, we have OWA set up and working from outside the company via Exchange 2003, and now I've just set up an Exchange 2007 box at our branch over the shores.

The 443 https port is open and pointed at the server, the firewall has port 443 enabled, local address set to the correct IP etc... nope. Not happening. Internally, I can get to OWA by typing

https://exchangeMP/owa

Now, I've noticed that within the Exchange management section, OWA, that the 'external' address is blank and after trying a few possibles, I'm on here asking for help! :) (Surely I should be able to leave that blank as I'm not really accessing OWA I think MS intended?)

Any pointers?
Mooooo

Comments

  • blargoe Member Posts: 4,174
    What error are you getting in IE? Page could not be displayed, 403 unauthorized, etc?

    Is your external DNS set up correctly? How are you trying to access from the outside, is that hostname registered in the DNS lookup zone for the domain and pointing to the correct external IP?

    Check your IIS logs and see if you see connections from outside IPs to your OWA site; that might give you a clue as to whether clients are actually connecting and the server is refusing them, or if they are not making it to the server at all.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • excalibur1814 Member Posts: 82
    Hello, thanks for the quick reply there.

    Our public facing ip address is used, something like this:

    https://86.**.*.128/owa
    The firewall then forwards port 443 to the Exchange server (pretty much the exact same way as I've done for Exchange 2003).

    The page eventually falls to the standard search dialog box, could not be found etc. Will start checking those logs, along with the firewall logs first thing tomorrow morning.
    Mooooo
  • Claymoore Member Posts: 1,637
    Now, I've noticed that within the Exchange management section, OWA, that the 'external' address is blank and after trying a few possibles, I'm on here asking for help! :) (Surely I should be able to leave that blank as I'm not really accessing OWA I think MS intended?)

    Any pointers?

    No, you can't leave the external URL blank. (And please don't call me Shirley.) You need to have the External URL attribute filled in with the correct address for OWA to respond to external requests. Pick a name, create an external DNS entry and fill in the External URL with the correct address. You will eventually want to have a SAN cert that contains that name to prevent certificate errors, but you can ignore the errors for testing.
  • excalibur1814 Member Posts: 82
    I have a habit of calling people Shirley, must stop that.

    So, ok, the 'proper' way of getting this to work would be the following?:
    - Call my ISP and order a nice shiny new domain name like http://shinyrabbits.com (or https://shinyrabbits.com)?
    - Get them to point that address to my forward facing public IP
    - Firewall routes that page through to the Exchange server
    - Have an entry within DNS so the system knows what's going on
    - Enter the domain name ordered into the external Exchange console

    Done
    Or, the way I'm doing it,
    - https://externalfirewallipaddress/owa
    - DNS reference to the above address
    - Exchange management external OWA as above
    Mooooo
  • Claymoore Member Posts: 1,637
    You don't need a whole new domain, just a new host.

    Old OWA - webmail.company.com/exchange
    New OWA - owa.company.com/owa
    Create host record with IP address
    Configure firewall rules
    Add owa.company.com as the ExternalURL on the OWA virtual directory

    Ideally, you would publish OWA through Forefront or another reverse proxy to handle both the SSL offload and keep your CAS server away from the internet. When you are ready to move production mailboxes, 2007 OWA can act like a 2003 front-end and proxy the 2003 mailboxes. Redirect the old OWA address to the new server IP and change the ExternalURL to the old address. That way you don't have to give your users a new URL, or worse, two URLs to remember.
    You Had Me At EHLO... : How Exchange Server 2007 CAS Proxying works for Outlook Web Access (OWA)

    That article includes the following note which explains why you need the ExternalURL:
    Note: InternalURL is configured automatically during Exchange 2007 Setup. For Client Access servers that do not have an Internet presence, the ExternalURL property should be set to $null
  • Paul Boz Member Posts: 2,620
    For one, you should probably try to restrict having to append paths to the URL. For example, you should configure mail.yourdomain.com instead of yourdomain.com/owa. There is a significant difference in end-user look and feel.

    As another poster said, you should also consider using a reverse proxy through UAG, ISA, or IAG. This will protect your internal environment from being overly exposed. You should also heavily test the security of the implementation once it's set up. Verify that only the correct ports are exposed through the firewall, and that account lockouts are sufficient to mitigate dictionary / brute force attacks against the portal. There's a cross-site scripting vulnerability in the URL string of OWA 2003 and OWA 2007 that is only fixable by applying the SP1 to OWA2k7. I would ensure that Exchange and whatever external listener is fully patched and hardened.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
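
The IIS log check blargoe suggests and the lockout review Paul Boz mentions, sketched as an added example that is not part of any post in this thread: it reads an IIS W3C-format log, keeps requests under /owa from addresses outside the private ranges, and tallies status codes per client. The sample log, its addresses, the field layout and the threshold of three 401 responses are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Explicit list: ipaddress's is_private would also match the documentation ranges below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample log (not from the thread). 10.0.0.5 is a hypothetical
# Exchange server; 203.0.113.7 and 198.51.100.9 stand in for Internet clients.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2010-03-01 09:00:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.23 200
2010-03-01 09:02:10 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 200
2010-03-01 09:02:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 200
2010-03-01 09:05:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 401
2010-03-01 09:05:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 401
2010-03-01 09:05:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 401
2010-03-01 09:06:00 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 404
"""

def is_external(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return not any(addr in net for net in INTERNAL_NETS)

def external_owa_hits(log_text, prefix="/owa"):
    """Return {client_ip: Counter({status: count})} for external requests under prefix."""
    fields, hits = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            stem, client, status = row["cs-uri-stem"], row["c-ip"], row["sc-status"]
            if stem.lower().startswith(prefix) and is_external(client):
                hits[client][status] += 1
        except (KeyError, ValueError):
            continue  # missing column or malformed client address
    return dict(hits)

def repeated_auth_failures(hits, threshold=3):
    """Clients with at least `threshold` 401 responses: a cue to review lockout policy."""
    return sorted(ip for ip, statuses in hits.items() if statuses["401"] >= threshold)

if __name__ == "__main__":
    hits = external_owa_hits(SAMPLE_LOG)
    print(hits or "no external requests reached /owa: check DNS, NAT and firewall")
    print("repeated 401s:", repeated_auth_failures(hits))
```

An empty result on a real log means outside clients never reached the OWA site, which points at DNS or the firewall forward rather than at Exchange.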