OWA "Page cannot be displayed" from outside, 2nd server

[frazierr]

I've got "old" exchange server 2003 on existing server with IIS (and Domain controller). Have added "new" exchange server and moved most mailboxes. Inside network, users on new server can open browser window and type old\exchange\ or new\exchange and get OWA window just fine (URL changes to new\exchange). All servers are running server 2003 SP2, both exchange servers running exchange 2003 sp2 in regular domain (not mixed).

From outside, user types mydomain.com\exchange and if user has mailbox on old server, all works fine. However, if user has mailbox on new server, after entering the username and password, the generic "the page cannot be displayed" page is displayed in the browser. Everything works fine up until the password is entered and user hits enter... (it knows if password or username is wrong and gives user opportunity to fix either, etc.).

I really want to see OWA working for the new server before I move the last few mailboxes to it (and the public folders, etc.,) before shutting down exchange on the old server. I'm a bit gun shy about moving the last couple of boxes and trying to decommission the old exchange without seeing OWA work first... (currently have big boss traveling and wouldn't want to lock him out.) Old server will continue as alternate DC and IIS server, just moving Exchange to dedicated server for exchange only.

Any ideas why it works fine inside but not outside for the users on new server, and how I can fix it?


Thanks
-_Rick

 

[58sniper]

Because on the inside, you have a network path to the new server. On the outside, you don't. It's working as expected, and as designed.

Internally, when you access oldserver\owa, it just redirects you to the new server. Since there is no path to the new server through your firewall, this doesn't work on the outside.

Move the rest of the mailboxes, and change the firewall to point to the new box.

Pat Richard
Microsoft Exchange MVP

 

[frazierr]

This doesn't seem to be a firewall issue...

The primary problem is that both of these servers need to be accessed from outside (though not necessarily by the same URL. Right now, users on old server can go to mydomain.com/exchange from outside and all works well. With a virtual directory set up in IIS for mydomain.com/new that would work for the users, but alas, my attempts at having that work have not yielded positive results.

Withour the virtual directory in place, though not referenced in the Address line, what appears to be happening is that the user goes to mydomain.com/exchange, gets the ID/Password box, fills it out, and is redirected to new.inside.mydomain.com, which is not routable from the outside world, as outside nameservers only resolve as far as the mydomain.com part of the address. Internal tests all work fine, but the URL does indicate the user has been redirected to new.inside.mydomain.com. Trying any of a variety of internal names all work because the internal machines can get IP resolution from our inside DNS server.
As I don't control the ISP nameservers, I can't add inside.mydomain.com or new.inside.mydomain.com to the outside DNS so it will resolve properly.

I tried to put a virtual directory in IIS called new, so the user could go to mydomain.com/new, and though this works inside (probably because the inside DNS provides the correct IP), it isn't actually working like I'd expect a virtual directory to work. That is, IIS seems to merely send the user to the internal link (that's what appears on a browser run inside the network, which works fine), and using either an internal ip.ip.ip.ip/exchange or fully qualified domain name just doesn't route from outside... I would have expected IIS to forward requests/pages and not use the virtual directory like a referral page. I'm probably missing something here, but everything I've tried using virtual directory in IIS works great from inside, but won't route from outside... I'd like to use a \\new\sharename to try that mechanism, but can't figure out where \\.BackofficeStorage\mydomain.com\MBX is on the new server. This is the local path shown in the Virtual directory for exchange (mydomain.com\exchange). If I could find that folder and make it a share, perhaps I could have the virtual directory work...

Unless I puzzle something out using redirect for IIS, is there another way to have both exchange machines work for OWA?

Thanks
--Rick

 

[58sniper]

Sure - configure another A record to another public IP address, configure it through your firewall, and have users on the new server use that. Hmmm...imagine that - a firewall task.

Pat Richard
Microsoft Exchange MVP

 

[frazierr]

Yep, thought of that, but have a couple of issues.
1) all external (public) IPs already in use.
2) users are not able to remember IP address to access via
a new IP. Well, this not so bad because if I had an extra public IP, I would have tried to map the new exchange server to it (ports 80 and 443 only), then used IIS virtual directory to point to external.ip.address\exchange so the users didn't have to remember the IP. Probably would have worked, but still have issue 1...

Thanks
--Rick

 

[58sniper]

They you're essentially out of luck. You're spending all this time trying to find a temporary solution to a problem that really isn't there.

Unless you're going to build front end servers for Exchange, it's not worth the time and effort to try to work around this.

How many users do you still need to move? If it's working fine from the inside of your environment, then moving the rest of the users isn't going to cause an OWA problem for the outside.

Pat Richard
Microsoft Exchange MVP