OWA not accessible using Internet domain name on internal LAN
Hi, In our office network we have a Microsoft Windows Server 2008 Standard SP2 installation running Microsoft Exchange Server 2007. Up until recently, Outlook Web Access (OWA) could be accessed over the Internet and on computers within the local area network using the server's external FQDN exchange.alluremedia.com.au. Recently, when attempting to access OWA from within the local area network using https://exchange.alluremedia.com.au/owa, Internet Explorer presents the error "Internet Explorer cannot display the webpage". When attempting to visit this address using a computer that is not connected to the local area network, OWA loads without issue. I'm not sure why this problem appeared all of a sudden, or what can be done to resolve it. Any help would be appreciated. Thank you.
September 29th, 2010 7:47pm

Are the two computers using different DNS servers (the internal domain and non-domain joined computer)? For the pc not working, can you ping the external fqdn from internal? If so, does it resolve to the right IP address? What IP does the non-domain joined pc return? Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 8:51pm

Hi, Thank you for your reply. Pinging the external FQDN from a domain-joined PC on the LAN returns 203.206.210.72. Pinging the external FQDN from a PC not on the domain and not on the LAN returns the same IP: 203.206.210.72.
September 29th, 2010 9:25pm

You mentioned that this just started happening. Have you changed anything with your internal DNS servers? Have you pointed your internal clients to different DNS servers? Have you implemented split-brain DNS? This is when you create a DNS zone on your internal DNS servers for your external namespace. You should create a zone for the external namespace if you have not already done so. Configure an A record for exchange.alluremedia.com.au and point it to the internal IP address of your Exchange CAS server.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 9:39pm

There is not currently an A record for exchange.alluremedia.com.au on our internal DNS, but I'm fairly sure that there was not one in the past. It is possible that the internal clients are not using the correct DNS server. Can you offer any advice on how best to check this? Thank you for your suggestion of creating a zone for the external namespace. I just read some info on split-brain DNS. I have a feeling that will work but I am hesitant to try it as a first measure, because I am fairly sure we had a working configuration without such a zone in place, so there may be a simpler fix available. I will definitely keep it in mind. If there are any useful resources you know of that would assist in configuring this then please let me know.
September 29th, 2010 10:12pm

So what DNS server are your clients using? AD DNS servers? Same as your Exchange server? Your clients are going to have an issue if they are using an external IP address and they are sitting on the internal network. I don't think your firewall is going to allow this type of traffic that is looping. To test, why don't you create a HOSTS file entry that resolves the external FQDN of your OWA to the internal IP address of your CAS server. Flush the local DNS cache and test it.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 10:24pm

I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed:
192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange)
203.0.178.191 (this is the DNS of our ISP)
8.8.8.8 (this is a Google DNS)
The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it. When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa.
September 29th, 2010 11:16pm

Why is your internal client pointing to Exchange for DNS? Is your Exchange server also a DC/DNS server? You shouldn't have your client PCs using external DNS servers, as this will cause issues with AD functionality if it tries to use them. Your AD DNS servers will resolve external DNS by using Root Hints, or you can configure forwarders on the DNS servers. I would point your clients to your internal AD servers for DNS only.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
September 29th, 2010 11:27pm

Hello, What type of router do you have? Have any of the router rules changed recently? Make sure there is a rule so that LAN hosts seeking access to SERVER via the WAN (FQDN) are looped back to the LAN. Another workaround is to configure internal DNS so that the IP address returned when you ping the FQDN is the server's internal LAN address. Ex.: Pinging the external FQDN from a domain-joined PC on the LAN returns 192.168.1.5 (or whatever internal address it is). Pinging the external FQDN from a PC not on the domain and not on the LAN returns the same IP: 203.206.210.72.
Cheers, Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
September 29th, 2010 11:42pm

Yes, there is just one Windows server in the LAN, and it has DNS and Active Directory roles, as well as Exchange. I removed the record in the hosts file and tried forcing a client to use only the internal DNS IP address 192.168.10.1. When I ping exchange.alluremedia.com.au, I get the same external IP address 203.206.210.72, and unfortunately cannot load OWA. I also tried removing the external DNS records that were configured in the DHCP server so that the server's internal IP is the only one that is returned, and saw the same results. I feel like we're getting closer to an answer though. Thank you for your continued assistance!
September 30th, 2010 12:22am

Hi Falcon, The router is a Belkin F1PI242eNau. The recent changes to the router have been related to my attempts to resolve these issues. I have opened TCP ports 636 and 135. A while ago there were some changes to DNS as we were experiencing other issues but it seems like this issue appeared a few weeks after that.
September 30th, 2010 12:34am

Hi Luke, So it appears that if I try and resolve exchange.alluremedia.com.au from the internet it is connecting to ns1.theplanet.com and ns2.theplanet.com. I assume these are hosted DNS servers that contain all the DNS records for alluremedia.com.au that you want the world to know about (such as www A records, MX records etc.) and have nothing to do with your internal AD\DNS, which is good. From the internet I resolve exchange.alluremedia.com.au to an external IP address and then connect to it over https (443). I assume this IP address isn't the actual IP of your Exchange server but rather a router or firewall, and that you then forward that port through to the internal LAN IP of the Exchange server. Is that correct? If that is the case, then when you resolve exchange.alluremedia.com.au to the external IP from your LAN, you are asking your client to loop out through the firewall and back in to get to Exchange. Try placing exchange.alluremedia.com.au into the hosts file on your machine and get it to resolve to the internal IP address of the Exchange server. If that works then you know what the problem is, and it'll be a case of sorting out split-brain DNS to get this working for all clients. Or, as Falcon mentioned, making sure "there is a rule so that LAN hosts seeking access to SERVER via the WAN(FQDN) are looped back to the LAN". Hope this helps, Mark.
September 30th, 2010 7:33am

Yes, there is just one Windows server in the LAN, and it has DNS and Active Directory roles, as well as Exchange. I removed the record in the hosts file and tried forcing a client to use only the internal DNS IP address 192.168.10.1.
Yes, make sure there are no static entries in the hosts file of the workstations.
1. Change the A record or CNAME in your internal DNS from the public IP address to the private address.
2. Right-click on the DNS server and select Clear Cache.
3. From a workstation CMD prompt, type IPCONFIG /flushdns.
4. From a workstation CMD prompt, type NSLOOKUP and you should get address 192.168.10.1*
5. Type exchange.alluremedia.com.au and it should resolve to your private address.
Miguel
* If this is the address of the server, what's the address of your router? .254?
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:12am
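The two posts above describe the same diagnosis from two angles: Mark's explanation that a LAN client which resolves the OWA name to the public address has to "loop out through the firewall and back in", and Miguel's NSLOOKUP check that the internal DNS server should be handing out the private address. The script below is an added example, not code from anyone in this thread. It asks the internal DNS server and a public resolver for the same name, classifies the internal answer (private address, public address, or none), and then tests TCP 443 against both addresses, which is what the hosts-file and telnet tests in the thread did by hand. It assumes a Windows 8 / Server 2012 or newer client (for Resolve-DnsName); the name, server addresses and resolver list are the ones reported in the thread.

```powershell
# Added example (not from the thread): compare the internal and public DNS
# answers for the OWA name and test TCP 443 against each result.
# Assumes a Windows 8 / Server 2012 or newer client with Resolve-DnsName.
$Fqdn        = 'exchange.alluremedia.com.au'
$InternalDns = '192.168.10.1'   # AD/DNS/Exchange server on the LAN (from the thread)
$PublicDns   = '8.8.8.8'        # public resolver that was also in the client list

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ARecord {
    param([string]$Name, [string]$Server)
    # Ask one specific server, bypassing the local cache and hosts file (-DnsOnly)
    try {
        $rr = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($rr) { $rr.IPAddress } else { $null }
    } catch { $null }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; equivalent to "telnet host 443" giving a blank screen
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$internal = Get-ARecord -Name $Fqdn -Server $InternalDns
$public   = Get-ARecord -Name $Fqdn -Server $PublicDns

"$Fqdn via internal DNS $($InternalDns): $internal"
"$Fqdn via public DNS $($PublicDns): $public"

if (-not $internal) {
    'Internal DNS gave no A record: clients fall back to external resolvers and get the public address.'
} elseif (Test-PrivateIPv4 $internal) {
    "Internal DNS returns a LAN address ($internal): a split-brain zone is in place."
} elseif ($internal -eq $public) {
    "Internal DNS returns the public address ($internal): LAN clients hairpin through the router, which must support NAT loopback."
} else {
    "Internal DNS returns $internal, which is neither private nor the public answer: check the zone."
}

# The internal address should always accept 443; the public one only does from the LAN
# when the router provides loopback.
if ($public) { "TCP 443 to public address $($public) from the LAN: $(Test-TcpPort $public 443)" }
"TCP 443 to internal address $($InternalDns): $(Test-TcpPort $InternalDns 443)"
```

On the network in this thread the script reports the public address from both servers and a successful connect only to 192.168.10.1, which is the hairpin case; once a split-brain zone exists, the internal answer switches to the private address.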

Hi Falcon, The router is a Belkin F1PI242eNau. The recent changes to the router have been related to my attempts to resolve these issues. I have opened TCP ports 636 and 135. A while ago there were some changes to DNS as we were experiencing other issues but it seems like this issue appeared a few weeks after that.
Please close these ports; they will increase your attack surface area. OWA needs inbound port 80 and/or 443 only. Exchange needs port 25 SMTP, and any other open port is optional due to a specific service running.
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:16am

I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed. 192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange) 203.0.178.191 (this is the DNS of our ISP) 8.8.8.8 (this is a Google DNS) The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it. When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa.
What happens if from a workstation you try https://192.168.10.1/exchange?
What happens if from a workstation you telnet 192.168.10.1 443? Blank or timeout?
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:20am

I ran ipconfig /all on one of the internal clients, and there are 3 DNS servers listed. 192.168.10.1 (this is an internal IP address of the Windows Server that runs Exchange) 203.0.178.191 (this is the DNS of our ISP) 8.8.8.8 (this is a Google DNS) The Windows server has 127.0.0.1 as its DNS server when I run ipconfig /all on it. When I add the following to the hosts file of a PC on the LAN, OWA can successfully be loaded through https://exchange.alluremedia.com.au/owa. What happens if: from a Workstation you try https://192.168.10.1/exchange What happens if: from a workstation you telnet 192.168.10.1 443 ? Blank or timeout? Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
When I try https://192.168.10.1/exchange, I see: "There is a problem with this website's security certificate." I can then click "Continue to this website" and I see: "The webpage cannot be found".
When I try https://192.168.10.1/owa, I see: "There is a problem with this website's security certificate." I can then click "Continue to this website" and I see the OWA logon screen.
When I type telnet 192.168.10.1 443, Telnet runs and there is a blank screen with a blinking cursor.
September 30th, 2010 7:29pm

Hi Mark,
From the internet I resolve exchange.alluremedia.com.au to an external IP address and then connect to it over https (443). I assume this IP address isn't the actual IP of your exchange server but rather a router or firewall and that you then forward that port through to the internal LAN IP of the exchange server. Is that correct?
Yes, that is correct.
If that is the case then when you resolve exchange.alluremedia.com.au to the external IP from your LAN, you are asking your client to loop out through the firewall and back in to get to exchange. Try placing exchange.alluremedia.com.au into the hosts file on your machine and get it to resolve to the internal IP address of the Exchange server.
I have placed 192.168.10.1 exchange.alluremedia.com.au in the hosts file and this does make OWA work correctly on that terminal.
If that works then you know what the problem is and it'll be a case of sorting out split brain DNS to get this working for all clients. Or as Falcon mentioned making sure "there is a rule so that LAN hosts seeking access to SERVER via the WAN(FQDN) are looped back to the LAN".
There is no zone for alluremedia.com.au in our internal DNS server at the moment, only for corp.alluremedia.com.au, so it makes me wonder if there was one before and it got removed somehow, or maybe there could have been a rule on the router like Falcon mentioned that allows WAN-routed requests to loop back to the LAN. Is this a common feature of routers? What kind of key words should I look for in the router setup screens? Is it something that can be set up in Windows Server alternatively?
Hope this helps, Mark.
Thank you!
September 30th, 2010 7:42pm

1. Change the A record or C Name in your internal DNS from the public IP address to the private address.
Are you referring to an A record or CNAME that resolves exchange.alluremedia.com.au on our internal DNS? There isn't actually one of those at the moment - there is no zone set up for alluremedia.com.au, only for corp.alluremedia.com.au. I believe alluremedia.com.au is handled by theplanet's DNS.
* If this is the address of Server, what's the address of your router? .254
Yes, that's correct, it's .254.
September 30th, 2010 7:52pm

How about this: Create a DNS A record in your internal DNS server for mail.corp.alluremedia.com.au that points to 192.168.10.1 and then add a host header in IIS for mail.corp.alluremedia.com.au, and that should get you on to OWA from the inside by typing the following URL from the inside: https://mail.corp.alluremedia.com.au/OWA
Miguel
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
September 30th, 2010 8:41pm

I think we have something like that at the moment. OWA can be loaded if I type https://freya.corp.alluremedia.com.au/owa, where freya is the server's name. We get a certificate error in that case, but can choose to ignore it and proceed. I'd still like to be able to use the external domain exchange.alluremedia.com.au as that's what we have done successfully in the past and using two different addresses depending on whether you're internal or external probably isn't the best end user experience.
September 30th, 2010 9:22pm

Perfect. Here's how to narrow the problem down: In your internal DNS, change the A record for freya.corp.alluremedia.com.au from an internal local address to the public IP address. If it stops working, then you know that it's the router not providing loopback. I am not familiar with Belkin routers. Please contact them about creating a packet filter rule. Also, you can get rid of the certificate error by accepting the cert and saving it in the root certificates store.
Miguel Fra / Falcon ITS Computer & Network Support, Miami, FL Visit our Knowledgebase Sharepoint Site
October 1st, 2010 9:43am

I changed the A record for freya.corp.alluremedia.com.au to 203.206.210.72 and tried to load https://freya.corp.alluremedia.com.au/owa, which did not work. If the Belkin router doesn't support loopback, is it something that could have been configured in Windows Server Routing? On the certificate error, are you referring to the root certificate store on the client PC?
October 4th, 2010 9:45pm

Hi Luke, I would look at split-brain DNS if I were you. Have a look at "Steps To Assembling The Perfect Split-Brain DNS System For Your Active Directory" in the following article to start you off: http://www.minasi.com/newsletters/nws0301.htm. This way, since it appears you have the mail.corp.alluremedia.com.au certificate in the Exchange server's IIS, you would be able to use the same URL internally and externally without your clients moaning about not trusting the certificate. And from an Exchange perspective, I would recommend you take a look at http://www.amset.info/exchange/singlenamessl.asp. This article talks about setting up Exchange using a single-name certificate as opposed to a SAN certificate (aka unified communications certificate). Thanks, Mark.
October 6th, 2010 3:24am
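Mark's recommendation above, and Tim's earlier one, is to create a zone for the external namespace on the internal DNS server and give exchange.alluremedia.com.au the LAN address there. The script below is an added example of that change and is not code from anyone in this thread. It uses dnscmd.exe, which ships with the DNS Server role on Windows Server 2008, so it runs from an elevated PowerShell on the server in the thread; the zone name, record name and addresses are the thread's, while the www and MX entries are placeholders whose real targets have to be copied from the hosted public zone.

```powershell
# Added example (not from the thread): build the split-brain zone on the
# internal Windows DNS server with dnscmd.exe, then verify from the server.
# Run elevated on the DNS server. Values below come from the thread except
# where marked PLACEHOLDER.
$Zone       = 'alluremedia.com.au'
$InternalIp = '192.168.10.1'     # LAN address of the AD/DNS/Exchange server
$PublicIp   = '203.206.210.72'   # public address LAN clients were wrongly getting

# 1. AD-integrated primary zone for the external namespace (seen by LAN clients only).
#    /DsPrimary requires the DNS server to be a domain controller, as it is here.
dnscmd /ZoneAdd $Zone /DsPrimary

# 2. The OWA name answers with the LAN address inside the network.
dnscmd /RecordAdd $Zone exchange A $InternalIp

# 3. Every other name the public zone serves must be recreated here, or LAN
#    users lose it: the internal zone now shadows the hosted one completely.
#    PLACEHOLDER targets: copy the real values from the public zone.
dnscmd /RecordAdd $Zone www A $PublicIp
dnscmd /RecordAdd $Zone '@' MX 10 "exchange.$Zone."

# 4. Drop cached answers on the server and its own resolver cache.
dnscmd /ClearCache
ipconfig /flushdns | Out-Null

# 5. Verify through the server's own resolver (it points at 127.0.0.1 per the thread),
#    which is the same check Miguel described with NSLOOKUP from a workstation.
$resolved = [System.Net.Dns]::GetHostAddresses("exchange.$Zone") |
            ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $InternalIp) {
    "OK: exchange.$Zone now resolves to $InternalIp from inside the LAN"
} else {
    "Check failed: exchange.$Zone resolved to $($resolved -join ', ')"
}
```

Workstations still need `ipconfig /flushdns` (and no leftover hosts-file entry) before they see the new answer. The step that is easy to miss is 3: once the zone exists internally, the server stops recursing to theplanet.com for anything under alluremedia.com.au, so every public name in use (www, autodiscover, the MX target) must be maintained in both places. A router with NAT loopback avoids that duplication, which is why the thread offered it as the alternative fix.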

Hi Mark, Thank you for the information. Thanks to Tim for suggesting this initially also. I have gone with the split DNS solution and it has worked perfectly. Thanks to everyone for your help! Luke
October 6th, 2010 8:00pm
