OWA not accessible using Internet domain name on internal LAN
Hi,
In our office network we have a Microsoft Windows Server 2008 Standard SP2 installation running Microsoft Exchange Server 2007.
Up until recently, Outlook Web Access (OWA) could be accessed over the Internet
and on computers within the local area network using the server's external FQDN exchange.alluremedia.com.au.
Recently, when attempting to access OWA from within the local area network using https://exchange.alluremedia.com.au/owa, Internet Explorer presents the error "Internet Explorer cannot display the webpage". When attempting to visit this address using a computer
that is not connected to the local area network, OWA loads without issue.
I'm not sure why this problem appeared all of a sudden, or what can be done to resolve it. Any help would be appreciated.
Thank you.
September 29th, 2010 7:47pm
Are the two computers using different DNS servers (the internal domain and non-domain joined computer)? For the pc not working, can you ping the external fqdn from internal? If so, does it resolve to the right IP address? What IP does
the non-domain joined pc return? Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 8:51pm
Hi,
Thank you for your reply.
Pinging the external FQDN from a domain-joined PC on the LAN returns 203.206.210.72.
Pinging the external FQDN from a PC not on the domain and not on the LAN returns the same IP: 203.206.210.72.
September 29th, 2010 9:25pm
You mentioned that this just started happening. Have you changed anything with your internal DNS servers? Have you pointed your internal clients to different DNS servers? Have you implemented split brain DNS? This is when you
create a DNS zone on your internal DNS servers for your external namespace. You should create a zone for the external namespace if you have not already done so. Configure an A record for exchange.alluremedia.com.au and point it to the internal
IP address of your Exchange CAS server.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 9:39pm
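As an added example (not from the thread, and not Tim's own script), here is one way to carry out the split-brain DNS suggestion on a Windows Server 2008 DNS server with dnscmd.exe. It assumes an elevated prompt on the DC/DNS server at 192.168.10.1 and that the zone should be AD-integrated. Instead of an internal copy of the whole alluremedia.com.au zone, which would hide the public www and MX records from LAN clients unless every one of them is also copied into the internal zone, it creates a zone named after the single host, so only exchange.alluremedia.com.au is answered internally and every other name under alluremedia.com.au keeps resolving through the public servers.

```powershell
# Added example (not from the thread): create an internal-only zone whose
# name IS the OWA host name, so LAN clients get the CAS server's private
# address for exchange.alluremedia.com.au while www, MX and the rest of
# alluremedia.com.au still resolve via the public DNS.
# Run elevated on the internal DNS server (192.168.10.1 in the thread).
# dnscmd.exe is installed with the DNS Server role on Windows Server 2008.

$HostName   = 'exchange.alluremedia.com.au'   # name users type for OWA
$InternalIP = '192.168.10.1'                  # private address of the CAS server

# 1. AD-integrated primary zone named after the single host. Only this label
#    is shadowed; nothing else under alluremedia.com.au is affected.
#    (A non-DC DNS server would use: /ZoneAdd $HostName /Primary /file "$HostName.dns")
dnscmd.exe /ZoneAdd $HostName /DsPrimary
if ($LASTEXITCODE -ne 0) { throw "ZoneAdd failed with exit code $LASTEXITCODE" }

# 2. A record at the zone apex ('@') pointing at the private address.
dnscmd.exe /RecordAdd $HostName '@' A $InternalIP
if ($LASTEXITCODE -ne 0) { throw "RecordAdd failed with exit code $LASTEXITCODE" }

# 3. Drop any cached public answer on the server, then confirm what the
#    server itself now returns for the name.
dnscmd.exe /ClearCache
nslookup.exe $HostName 127.0.0.1
```

Clients that already cached the public address need `ipconfig /flushdns` (Miguel's step 3 later in the thread) before they see the change. The single-host zone only helps clients that use the internal server for DNS; a workstation that also lists the ISP or Google resolvers can still get the public address from those, which is the point Tim makes further down.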
There is not currently an A record for exchange.alluremedia.com.au on our internal DNS, but I'm fairly sure that there was not one in the past. It is possible that the internal clients are not using the correct DNS server. Can you offer any advice on how
best to check this?
Thank you for your suggestion of creating a zone for the external namespace. I just read some info on split-brain DNS. I have a feeling that will work but I am hesitant to try it as a first measure, because I am fairly sure we had a working configuration
without such a zone in place, so there may be a simpler fix available. I will definitely keep it in mind. If there are any useful resources you know of that would assist in configuring this then please let me know.
September 29th, 2010 10:12pm
So what DNS server are your clients using? AD DNS servers? Same as your Exchange server? Your clients are going to have an issue if they are using an external IP address and they are sitting on the internal network. I don't think
your firewall is going to allow this type of traffic that is looping. To test, why don't you create a HOST file that has the internal IP address of your CAS server that resolves to the external FQDN of your OWA. Flush the local DNS cache and
test it.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 10:24pm
I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed.
192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange)
203.0.178.191 (this is the DNS of our ISP)
8.8.8.8 (this is a Google DNS)
The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it.
When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa.
September 29th, 2010 11:16pm
Why is your internal client pointing to Exchange for DNS? Is your Exchange server also a DC/DNS server? You shouldn't have your client PCs using external DNS servers as this will cause issues with AD functionality if it tries to use them.
Your AD DNS servers will resolve external DNS by using Root Hints or you can configure forwarders on the DNS servers. I would point your clients to your internal AD servers for DNS only.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 11:27pm
Hello,
What type of router do you have? Have any of the router rules changed recently?
Make sure there is a rule so that LAN hosts seeking access to SERVER via the WAN(FQDN) are looped back to the LAN.
Another workaround is to config internal DNS so that the IP ADDRESS returned when you ping the FQDN is the Server's internal LAN address.
ex:
Pinging the external FQDN from a domain-joined PC on the LAN returns 192.168.1.5 (or whatever internal address it is)
Pinging the external FQDN from a PC not on the domain and not on the LAN returns the same IP: 203.206.210.72.
Cheers
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
September 29th, 2010 11:42pm
Yes, there is just one Windows server in the LAN, and it has DNS and Active Directory roles, as well as Exchange.
I removed the record in the hosts file and tried forcing a client to use only the internal DNS IP address 192.168.10.1. When I ping
exchange.alluremedia.com.au, I get the same external IP address 203.206.210.72, and unfortunately cannot load OWA. I also tried
removing the external DNS records that were configured in the DHCP server so that the server's internal IP is the only one that is returned, and saw the same results.
I feel like we're getting closer to an answer though. Thank you for your continued assistance!
September 30th, 2010 12:22am
Hi Falcon,
The router is a Belkin F1PI242eNau. The recent changes to the router have been related to my attempts to resolve these issues. I have opened TCP ports 636 and 135.
A while ago there were some changes to DNS as we were experiencing other issues but it seems like this issue appeared a few weeks after that.
September 30th, 2010 12:34am
Hi Luke,
So it appears that if I try and resolve exchange.alluremedia.com.au from the internet it is connecting to ns1.theplanet.com and ns2.theplanet.com. I assume these are hosted DNS servers that contain all the DNS records for alluremedia.com.au that
you want the world to know about (such as www a records, mx records etc) and have nothing to do with your internal AD\DNS which is good.
From the internet I resolve exchange.alluremedia.com.au to an external IP address and then connect to it over https (443). I assume this IP address isn't the actual IP of your exchange server but rather a router or firewall and that you then forward
that port through to the internal LAN IP of the exchange server. Is that correct?
If that is the case then when you resolve exchange.alluremedia.com.au to the external IP from your LAN, you are asking your client to loop out through the firewall and back in to get to exchange.
Try placing exchange.alluremedia.com.au into the hosts file on your machine and get it to resolve to the internal IP address of the Exchange server. If that works then you know what the problem is and it'll be a case of sorting out split brain DNS to get
this working for all clients. Or as Falcon mentioned making sure "there is a rule so that LAN hosts seeking access to SERVER via the WAN(FQDN) are looped back to the LAN".
Hope this helps,
Mark.
September 30th, 2010 7:33am
Yes, there is just one Windows server in the LAN, and it has DNS and Active Directory roles, as well as Exchange.
I removed the record in the hosts file and tried forcing a client to use only the internal DNS IP address 192.168.10.1.
Yes, make sure there are no static entries in the hosts file of the workstations.
1. Change the A record or C Name in your internal DNS from the public IP address to the private address.
2. Right click on the DNS server and select clear cache
3. From a workstation CMD prompt, type IPCONFIG /flushdns
4. From a workstation CMD prompt, type NSLOOKUP and you should get address 192.168.10.1*
5. type exchange.alluremedia.com.au and it should resolve to your private address
Miguel
* If this is the address of Server, what's the address of your router? .254?
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:12am
Hi Falcon,
The router is a Belkin F1PI242eNau. The recent changes to the router have been related to my attempts to resolve these issues. I have opened TCP ports 636 and 135.
A while ago there were some changes to DNS as we were experiencing other issues but it seems like this issue appeared a few weeks after that.
Please close these ports, they will increase your attack surface area. OWA needs inbound port 80 and/or 443 only. Exchange needs port 25 SMTP and any other open port is optional due to a specific service running.
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:16am
I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed.
192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange)
203.0.178.191 (this is the DNS of our ISP)
8.8.8.8 (this is a Google DNS)
The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it.
When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa.
What happens if: from a Workstation you try
https://192.168.10.1/exchange
What happens if: from a workstation you telnet 192.168.10.1 443 ? Blank or timeout?
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:20am
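The checks Miguel and Tim ask for (nslookup against each configured DNS server, telnet to port 443, the hosts-file override) can be run from one workstation with the added script below. It is not part of the thread; it uses the DNS servers and addresses Luke posted, assumes the Windows nslookup.exe output format, and replaces the hosts-file edit with a direct connection test to the CAS server's private address.

```powershell
# Added example, not from the thread: run the thread's checks from one
# workstation without touching the hosts file. For each DNS server the
# client is configured with, ask what exchange.alluremedia.com.au resolves
# to, then attempt a TCP connection to port 443 on each answer. The CAS
# server's private address is tested directly too, which is what the
# hosts-file override achieves. Addresses are the ones posted in the thread.

$OwaName    = 'exchange.alluremedia.com.au'
$InternalIP = '192.168.10.1'
$DnsServers = @('192.168.10.1', '203.0.178.191', '8.8.8.8')

function Resolve-ViaServer {
    param([string]$Name, [string]$Server)
    # Windows nslookup prints the server's own "Address:" line first, then an
    # "Address:"/"Addresses:" line for the answer (only the first address of a
    # multi-address reply is captured here).
    $out   = & nslookup.exe $Name $Server 2>$null
    $addrs = @($out | Select-String '^Address(es)?:\s+(\S+)' |
                ForEach-Object { $_.Matches[0].Groups[2].Value })
    if ($addrs.Count -le 1) { return @() }      # nothing beyond the server line
    return $addrs[1..($addrs.Count - 1)]
}

function Test-Tcp443 {
    param([string]$Address)
    # Plain TCP connect with a 3 s timeout. Telnet's blank screen equals
    # $true here; a blocked hairpin/loopback path normally times out.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($server in $DnsServers) {
    $answers = @(Resolve-ViaServer -Name $OwaName -Server $server)
    if ($answers.Count -eq 0) { "DNS $server : no answer for $OwaName"; continue }
    foreach ($ip in $answers) {
        $state = if (Test-Tcp443 -Address $ip) { 'port 443 open' } else { 'port 443 unreachable (loopback/hairpin not provided?)' }
        "DNS $server : $OwaName -> $ip : $state"
    }
}
$direct = if (Test-Tcp443 -Address $InternalIP) { 'port 443 open' } else { 'port 443 unreachable' }
"Direct to $InternalIP : $direct"
```

Read the output as a pair: if every resolver returns the public address and that address is unreachable while the direct test to 192.168.10.1 succeeds, the problem is the router not looping WAN-addressed traffic back to the LAN, which is exactly the situation Miguel's "change the A record to the public IP" test later confirms. If the internal server answers with the private address but a second resolver still answers with the public one, the client is simply using the wrong DNS server some of the time.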
I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed.
192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange)
203.0.178.191 (this is the DNS of our ISP)
8.8.8.8 (this is a Google DNS)
The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it.
When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa.
What happens if: from a Workstation you try
https://192.168.10.1/exchange
What happens if: from a workstation you telnet 192.168.10.1 443 ? Blank or timeout?
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
When I try https://192.168.10.1/exchange, I see: "There is a problem with this website's security certificate." I can then click "Continue to this website" and I see: "The webpage cannot be found"
When I try https://192.168.10.1/owa, I see: "There is a problem with this website's security certificate." I can then click "Continue to this website" and I see the OWA logon screen.
When I type telnet 192.168.10.1 443, Telnet runs and there is a blank screen with a blinking cursor.
September 30th, 2010 7:29pm
Hi Mark,
From the internet I resolve exchange.alluremedia.com.au to an external IP address and then connect to it over https (443). I assume this IP address isn't the actual IP of your exchange server but rather a router or firewall and that you then forward
that port through to the internal LAN IP of the exchange server. Is that correct?
Yes that is correct.
If that is the case then when you resolve exchange.alluremedia.com.au to the external IP from your LAN, you are asking your client to loop out through the firewall and back in to get to exchange.
Try placing exchange.alluremedia.com.au into the hosts file on your machine and get it to resolve to the internal IP address of the Exchange server.
I have placed 192.168.10.1 exchange.alluremedia.com.au in the hosts file and this does make OWA work correctly on that terminal.
If that works then you know what the problem is and it'll be a case of sorting out split brain DNS to get this working for all clients. Or as Falcon mentioned making sure "there is a rule so that LAN hosts seeking access to SERVER via the WAN(FQDN)
are looped back to the LAN".
There is no zone for alluremedia.com.au in our internal DNS server at the moment, only for corp.alluremedia.com.au, so it makes me wonder if there was one before and it got removed somehow, or maybe there could have been a rule on the router like Falcon mentioned
that allows WAN-routed requests to loop back to the LAN. Is this a common feature of routers? What kind of key words should I look for in the router setup screens? Is it something that can be set up in Windows Server alternatively?
Hope this helps,
Mark.
Thank you!
September 30th, 2010 7:42pm
1. Change the A record or C Name in your internal DNS from the public IP address to the private address.
Are you referring to an A record or C Name that resolves exchange.alluremedia.com.au on our internal DNS? There isn't actually one of those at the moment - there is no zone set up for alluremedia.com.au, only for corp.alluremedia.com.au. I believe alluremedia.com.au
is handled by theplanet's DNS.
* If this is the address of Server, what's the address of your router? .254
Yes that's correct, it's .254.
September 30th, 2010 7:52pm
How about this:
Create a DNS A record in your internal DNS server for mail.corp.alluremedia.com.au that points to 192.168.10.1 and then add a host header file in IIS for mail.corp.alluremedia.com.au and that should get you on to OWA from the inside by typing the following
URL from the inside:
https://mail.corp.alluremedia.com/au/OWA
Miguel
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:41pm
I think we have something like that at the moment. OWA can be loaded if I type https://freya.corp.alluremedia.com.au/owa, where freya is the server's name. We get a certificate error in that case, but can choose to ignore it and proceed. I'd still like
to be able to use the external domain exchange.alluremedia.com.au as that's what we have done successfully in the past and using two different addresses depending on whether you're internal or external probably isn't the best end user experience.
September 30th, 2010 9:22pm
Perfect. Here's how to narrow the problem down:
In your internal DNS, change the A record for freya.corp.alluremedia.com.au from an internal local address to the public IP address. If it stops working, then you know that it's the router not providing loopback.
I am not familiar with Belkin routers. Please contact them about creating a packet filter rule.
Also, you can get rid of the certificate error by accepting the cert and saving it in the root certificates store.
Miguel Fra /
Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
October 1st, 2010 9:43am
I changed the A record for freya.corp.alluremedia.com.au to 203.206.210.72
and tried to load https://freya.corp.alluremedia.com.au/owa, which did not work.
If the Belkin router doesn't support loopback, is it something that could have been configured in Windows Server Routing?
On the certificate error, are you referring to the root certificate store on the client PC?
October 4th, 2010 9:45pm
Hi Luke,
I would look at split-brain DNS if I were you. Have a look at "Steps To Assembling The Perfect Split-Brain DNS System For Your Active Directory" in the following article to start you off:
http://www.minasi.com/newsletters/nws0301.htm.
This way, since it appears you have the mail.corp.alluremedia.com.au certificate in the Exchange servers IIS you would be able to use the same url internally and externally without your clients moaning about not trusting the certificate.
And from an Exchange perspective, I would recommend you take a look at http://www.amset.info/exchange/singlenamessl.asp. This article talks about setting up Exchange using a single name
certificate as opposed to a SAN certificate (aka unified communications certificate).
Thanks,
Mark.
October 6th, 2010 3:24am
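Mark's point is that once DNS is sorted, the remaining warning is decided by the certificate bound to port 443: the browser is quiet only when the host name in the URL is one of the names on that certificate and the issuer is trusted by the client. The added script below (mine, not from the thread or from Exchange) connects to the CAS server, reads the certificate IIS presents and reports which of the three names used in this thread it covers, so you can see which URL will be warning-free before handing it to users. It assumes the CAS server at 192.168.10.1 and a Windows client; wildcard names are not handled.

```powershell
# Added example, not from the thread: read the certificate the CAS server
# presents on 443 and report which host names it covers. The browser warning
# Luke sees appears whenever the URL's host name is not among these names, or
# the issuer is not trusted by the client. Validation is bypassed on purpose
# so an untrusted or mismatched certificate can still be inspected.

$Target = '192.168.10.1'
$Names  = @('exchange.alluremedia.com.au',
            'freya.corp.alluremedia.com.au',
            'mail.corp.alluremedia.com.au')

function Get-ServerCertificate {
    param([string]$Address, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        # Accept whatever the server sends; we only want to look at it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Address)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject common name.
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); Windows formats it
    # as one "DNS Name=..." entry per line.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return $names | Select-Object -Unique
}

$cert = Get-ServerCertificate -Address $Target
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
$covered = @(Get-CertificateNames -Cert $cert)
foreach ($name in $Names) {
    if ($covered -contains $name) { "$name : covered" } else { "$name : NOT covered (browser will warn)" }
}
```

A name that is not covered cannot be fixed on the DNS side; it needs a certificate that carries that name (a single-name certificate for the one URL everyone uses, as Mark's second link describes, or a SAN certificate). Importing the server's current certificate into a client's trusted root store, as suggested earlier in the thread, only silences the issuer part of the warning on that one machine and still leaves a name mismatch, so it is a stop-gap rather than a replacement for a certificate with the right name.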
Hi Mark,
Thank you for the information. Thanks to Tim for suggesting this initially also. I have gone with the split DNS solution and it has worked perfectly.
Thanks to everyone for your help!
Luke
October 6th, 2010 8:00pm