v-gzwang
Wed Jun 25 03:41:30 PDT 2008
Hello Pessable,
Thank you for your post and thanks for Joe's great help.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:
You cannot access OWA and receive a 404 error.
If I have misunderstood your concerns please feel free to let me know.
Suggestion:
==============
Please contact your firewall/router's manufacturer first to confirm that
the port forward settings are correct. And make sure the certificate will
not be blocked by the firewall.
And I would like to recommend you to follow the steps below:
1. Re-configure the CEICW:
a. On the Connection Type page, click Broadband, and then click Next.
b. On the Broadband Connection page, under My server uses, click A local
router device with an IP address, and then click Next.
c. On the Router Connection page, next to Preferred DNS server and next to
Alternate DNS server, type the IP addresses that are provided by your ISP.
In the Local IP address of router box, type the IP address of the router
that the server uses to connect to the router.
d. Click to select the My server uses a single network connection for both
Internet access and the local network check box, and then click Next.
e. A message may appear that warns that the firewall that is provided
cannot be configured. You are offered a chance to view information about
configuration settings for an existing firewall device.
f. On the Network Connection page, click Server Local Area Connection
under the Connection Name.
g. Click Next.
h. Complete the Configure E-mail and Internet Connection Wizard.
i. Run the command: iisreset and test again.
Based on my experience, accessing RWW by using the FQDN in the SBS internal
network is not supported by default. Please use the NETBIOS name instead of
the FQDN. And you do not need to modify the security settings for virtual
directories.
2. Try to access OWA by using https://mail.name.com/remote or
https://mail.name.com/exchange externally.
3. If you are using ISA, please go to the ISA management console and navigate
to Firewall Policy. Find the policy named "SBS OWA Web Publish Rule" and
enable it. Then double-click it to check that the configuration is correct.
I hope the above information is helpful to you. If we cannot resolve the
issue after we perform the above steps, please help me collect some
information for further investigation:
Information Needed
==============
1. If it is convenient, would you please email me the FQDN and IP address
of your server? I will perform a test at my side. If you could provide a
test account, it will be appreciated. My email is v-gzwang@microsoft.com
2. Please help me capture screenshots of all error messages you encountered
and send them to me so that I can do further research.
To capture the image, we can perform the steps below:
(a) When the error message appears, press the Print Screen key several
times (this key is located to the right of the F12 key on the keyboard)
(b) Open Paint ['start' => 'All Programs' => 'Accessories' => 'Paint'].
(c) Click Edit (menu) -> Paste or press Ctrl + V.
(d) Click File (menu) -> Save. Save it as a .jpg or .gif file and send it
to me as an attachment.
3. Gather MPS network report on SBS:
a. Download MPSreport_network from
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE
b. Run MPSRPT_NETWORK.exe.
c. Try to access OWA from outside, wait until the error occurs.
d. The tool will automatically collect the information. This procedure will
take 10~15 minutes.
e. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\
f. Send the .cab file directly to me at v-gzwang@microsoft.com .
Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.
Thank you for your time and cooperation!
Best regards,
Gary Wang(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Date: Tue, 24 Jun 2008 19:48:27 +0100
| From: Joe <joe@jretrading.com>
| Subject: Re: Configuring SBS2003 for OWA and RWW
|
| Pessable wrote:
| > I've tried to setup Outlook Web Access to operate on an SBS2003
| > server, but failed. I've read all I can find online and in my 2 SBS
| > books. This is the process I've gone through:
| >
| > - Created a domain record for e.g. mail.name.com to forward to the
| > external IP address (this is also used for incoming smtp)
| > - Run CEICW
| > + Single NIC via Router to Internet (so No Firewall)
| > + Selected OWA and RWW as the only 2 web services
| > + Created a certificate for mail.mydomainname.com
| > - Edited the directory security for the default website to allow all
| > IP addresses (why doesn't the wizard do this?)
|
| Have you got ISA running? The standard SBS is OK by default.
|
| > - Created Port Forwards from the external IP address to the server
| > internal IP address:
| > + 25, 80, 443, 444, 1723, 4125, 3389
|
| OWA uses 443 only, RWW needs 443 and 4125. 80 and 3389 are unnecessary,
| and not recommended as they are common targets for crackers. 1723 is
| used only by PPTP VPN, and then it must be accompanied by IP protocol
| 47, so it's no use at all on its own.
|
| >
| > When I use http://mail.name.com externally, I get the Welcome page.
| > This has options for:
| >
| > 1- My Company's Internal Website (http://companyweb/)
| > 2- Network Configuration Wizard (http://mail.name.com/ConnectComputer)
| > 3- Remote Web Workplace (http://mail.name.com/Remote)
| > 4- Information & Answers (http://mail.name.com/ClientHelp)
| >
| > When I click on 3 I get an "Internet Explorer cannot display the
| > webpage" error in IE7. I've turned off friendly error messages in the
| > IE7 client.
| >
| > On the server itself, if I use the full domain name I get "There is a
| > problem with this website's security certificate." If I click
| > continue to website I get a 404 error.
| >
| > If I use the NETBIOS name internally it works fine, so I think it must
| > be something to do with security settings somewhere.
| >
| > Any assistance is most welcome...
| >
|
| There are two certificate issues: one arises if your certificate is not
| trusted by the web browser, and if you've generated it yourself with the
| CEICW, then outside the domain it won't be. The answer to that is to
| either import the server's root certificate, which is a bit of a
| nuisance, or to tell IE to trust and import the one it's being offered.
| With IE7 you need administrative privileges to do that, which is pretty
| daft in a domain situation.
|
| The other issue is the exact name. The point of server certificates is
| to guarantee that the server is indeed the one corresponding to the URL
| you typed, and the browser is supposed to complain if it isn't. The
| problem if you use the web services from both inside and outside the
| network is that the certificate is created for only one URL. The usual
| answer is to bodge the DNS system so the users on the LAN can reach the
| web page by typing the external URL. Most routers won't allow that
| directly, so you probably need a DNS record mapping the external name to
| the internal IP address. You are always offered the option of using the
| web site anyway, even if the certificate doesn't match, so it won't
| actually prevent access, though you may have to hit IE7 quite hard to
| get it to see sense.
|
| Try using Firefox from outside to http://mail.name.com/exchange, which
| should give you OWA. It will allow you to override the certificate
| issues. Microsoft finally got the message about browser security, but
| they went a bit over the top, which only encourages people to disable
| the security features. Persuading IE7 to do something it doesn't want to
| is not always intuitive. Firefox won't do RWW, as that requires an
| ActiveX control and therefore IE6 or 7. You may also need to kick it to
| get it to allow an ActiveX installation.
|
| If you do have ISA, there's another issue. ISA controls access to OWA
| and RWW by the URL typed, in addition to any other restrictions which
| are configured. By default, it only allows access to the URL named in
| the certificate, and unlike certificate mismatches, that *will* stop you
| from reaching the page. If you set up the certificate for the public
| URL, and use DNS so that also works from inside, that will also get you
| around the ISA problem.
|
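
The port and certificate-name behaviour described in the quoted reply, as an added example that is not part of either post and is not SBS or ISA code. It models the reply's rules only; the function names and the internal host name `server01` are hypothetical, and the port list is the one quoted in the thread.

```python
from urllib.parse import urlsplit

# Ports per the quoted reply: OWA uses 443 only; RWW needs 443 and 4125.
REQUIRED = {"OWA": {443}, "RWW": {443, 4125}}


def review_forwards(forwarded, services):
    """Compare forwarded TCP ports with what the selected services need.

    'review' lists forwards these services do not need; another service
    (for example incoming SMTP on 25) may still justify some of them.
    """
    needed = set().union(*(REQUIRED[s] for s in services))
    fwd = set(forwarded)
    return {
        "needed": sorted(fwd & needed),
        "review": sorted(fwd - needed),
        "missing": sorted(needed - fwd),
    }


def access_outcome(url, cert_name, cert_trusted, isa_present):
    """Predict the client result from the two certificate issues and the
    ISA rule in the reply (ISA only allows the name in the certificate)."""
    host = (urlsplit(url).hostname or "").lower()
    name_ok = host == cert_name.lower()
    if isa_present and not name_ok:
        return "blocked by ISA"  # hard stop, unlike a browser warning
    problems = []
    if not cert_trusted:
        problems.append("untrusted issuer")
    if not name_ok:
        problems.append("name mismatch")
    if problems:
        return "browser warning: " + ", ".join(problems)
    return "ok"


if __name__ == "__main__":
    # Port list quoted in the thread; host names below are constructed.
    print(review_forwards([25, 80, 443, 444, 1723, 4125, 3389], ["OWA", "RWW"]))
    for url, trusted, isa in [
        ("https://mail.name.com/exchange", False, False),
        ("https://server01/remote", True, False),
        ("https://server01/remote", True, True),
    ]:
        print(url, "->", access_outcome(url, "mail.name.com", trusted, isa))
```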