OWA through a NAT/webserver.

Albion, IS-IT--Management, Aug 8, 2000
I have two servers. The first is 64-bit Windows Server 2003 R2 running Exchange 2007 with all of the latest MS updates. The second is a Linux Router/Firewall/NAT running Apache on ports 80 and 443 for our company web site and sendmail on port 25 to relay email to the Exchange server. (I like the sendmail relay because it offers extra spam and virus protection before the email even gets to Exchange.)

I need to allow my remote users to access Exchange without having to connect through a VPN, i.e. they want to use smart phones and we don't have the cash flow to invest in the software right now. So I figured I'd just forward port 1492 on my Linux server to port 443 on my Exchange server.

From inside of our network I have no problems connecting to OWA using our intranet domain or the IP address works great. It first shows an AD login box and then once the user logs in it displays an OWA login box (I don't like the redundancy but...). When I attempt to connect to OWA from outside of our network (Internet) I get the AD login box but once the user logs into that the browser displays "Internet Explorer cannot display this web page."

Can I port forward OWA from a Linux box that's already running servers on 443, 80 and 25? Does OWA require extra ports to work? Do I need a special certificate on the clients in order for them to even see the logon page? Any ideas would be helpful.

thanks
-Al
 
they want to use smart phones and we don't have the cash flow to invest in the software right now.
What software? Exchange ActiveSync is built into Exchange.

OWA doesn't require extra ports. Only 443. If you have multiple public IP addresses, just forward another one to the Exchange box for 443. Ideally, though, you'd put it behind a reverse proxy like ISA/TMG/UAG.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I was talking about the Blackberry Enterprise Server. It's a bit out of our cost range right now.

The problem I have is that I cannot redirect port 443 from the Linux server to the Exchange server because 443 is already being used by Apache on the Linux server. When I try to forward port 1492 on the Linux server to port 443 on the Exchange server it doesn't work. I am finding that there are redirects going on somewhere and the redirect tries to use port 443, not port 1492. Thus "Internet Explorer cannot display this page." The only way I have been able to get it to work is to disable SSL on my Apache server and then forward port 443 to port 443.

-Al
 
I was talking about the Blackberry Enterprise Server. It's a bit out of our cost range right now.

I figured that's what you were alluding to =]

If it helps, you can get your Exchange email on your BB, using OWA as well. You just need to give it your OWA address.

But as for calendars and stuff like that, you can't have that pushed to your BB, you'd have to sync using the BB desktop software and Outlook.

At least that is how I've gotten around this problem. Feel free to correct me =]
 
I am finding that there are redirects going on somewhere and the redirect tries to use port 443, not port 1492

When I attempt to connect to OWA from outside of our network (Internet) I get the AD login box but once the user logs into that the browser displays "Internet Explorer cannot display this web page."

What about when you use
 

Same problem. When I try it in Chrome I see that it is trying to connect to the internal domain name of that server on port 443, not to the Internet domain name on port 1492.

This is the error I get in Chrome.

"The webpage at might be temporarily down or it may have moved permanently to a new web address."

My internal DNS uses <server.company_name.domain> as the FQDN of my internal servers. ".domain" is the literal TLD for my internal network.

It seems like the initial connection to or /owa tries to redirect to an internal hostname on port 443. As you might imagine, this will not work from a computer that is outside of my internal domain. But if I disable SSL on Apache and port forward from 443 on the Linux server to port 443 on the Exchange server, everything works fine.

-Al
 
If it helps, you can get your Exchange email on your BB, using OWA as well. You just need to give it your OWA address.
That's a pain. Not only does it hit your server with a ton of traffic, but as soon as the user changes their domain password, they have to change it in BIS or mail flow stops.

Unless you're pushing custom apps to the blackberry devices, you're wasting money. Exchange Active Sync devices (including the iPhone) add ZERO additional IOPS to the server, ZERO extra layers of management/configuration, etc. Even if you used something like Astrasync on the Blackberry devices you'd be better off.

Just remember that if you do get OWA redirection to work correctly by using another port, you're likely going to run into problems with other things that use 443 in Exchange, like EAS, Outlook Anywhere, autodiscover, etc. The best solution would be a dedicated IP with 443 as the SSL port.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
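Pat's reverse-proxy suggestion worked through on the box Al already has, as an added example that is not from the thread: an Apache HTTPS virtual host on the Linux server that already owns 443, proxying only /owa to Exchange and rewriting the internal-hostname redirect Al saw into the public name. The hostnames, certificate paths and the internal CA file are assumptions.

```apache
# Added example, not from the thread: Apache on the existing Linux box acts as
# a reverse proxy for OWA, so Exchange keeps 443 internally and the public
# side keeps one IP and the standard port. Assumed names: mail.example.com
# (public) and exchange.company_name.domain (internal Exchange FQDN).
# Apache 2.4 syntax; needs mod_ssl, mod_proxy and mod_proxy_http.

<VirtualHost *:443>
    ServerName mail.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key

    # The hop to Exchange is also TLS; trust its certificate issuer explicitly
    # instead of turning peer verification off.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/ssl/certs/exchange-internal-ca.crt

    ProxyRequests Off       # reverse proxy only, never an open forward proxy
    ProxyPreserveHost Off   # Exchange sees its own name; redirects fixed below

    # Nothing on the public name is reachable except the path proxied below.
    <Location />
        Require all denied
    </Location>
    <Location /owa>
        Require all granted
    </Location>

    # The root of the public name goes straight to /owa, so the back end never
    # has to issue that first redirect itself.
    RedirectMatch ^/$ /owa/

    ProxyPass        /owa https://exchange.company_name.domain/owa
    # Rewrites "Location: https://exchange.company_name.domain/owa/..." to the
    # public name: exactly the internal-hostname redirect the browser could not
    # follow from outside.
    ProxyPassReverse /owa https://exchange.company_name.domain/owa
    ProxyPassReverseCookieDomain exchange.company_name.domain mail.example.com

    # EAS can be proxied the same way (/Microsoft-Server-ActiveSync); Outlook
    # Anywhere (RPC over HTTP) is not a plain HTTP proxy case and is left out.
</VirtualHost>
```

Name-based HTTPS virtual hosts rely on the client sending SNI; a client without it is handed the first vhost's certificate, so one certificate that covers both the web site and mail.example.com avoids warnings on older devices.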
 
If you don't have that many users, you can get BlackBerry Enterprise Server Express, which is free and covers two users. Additional licenses are $99 or something like that.

Otherwise I agree with Pat: there are so many phones out there that support ActiveSync--iPhones, Droid, etc.

Also, probably 85% of the Windows Small Business Servers out there allow direct access on 443 to the Exchange server for ActiveSync/OWA, etc. Have you seriously considered just using an additional public IP and routing 443 directly to the Exchange server? When Microsoft stopped shipping ISA with SBS 2008, they basically admitted to the fact that it wasn't a critical security need to be proxying 443, and in my many years I've seen quite a few compromised SBS boxes, but never as a result of an IIS hack on 443. Usually it comes down to weak passwords.

Dave Shackelford MVP
ThirdTier.net
 