No External access to Outlook Web Access

supps · #1 (**permalink**) 01-18-2004, 08:11 PM

Hi,

I am using Astaro v 2. (I know its old, we will be upgrading it soon), we use to have Outlook Web Access working fine externally, however it has stopped working. No settings have changed on the firewall and OWA works fine internally.

Any ideas on how I can test what the problem is? We use NAT to change the internal Exchange address to a public address

Many thanks

Scott

SecApp · #2 (**permalink**) 01-19-2004, 12:48 AM

When you say "stops working", you mean no page is rendered in the browser at all? You have DNAT for 443 (https)? Have you tried telnetting to port 443 from the Internet? (telnet OWA_host 443; see if the screen paints blank for a connection, or if you just get an hourglass and then a socket timeout...)

supps · #3 (**permalink**) 01-19-2004, 09:09 AM

Hi,

Sorry I didn't have the full information. When we try to get to the website we get no page rendered at all. We have also tried to telnet into the to ip address using both 80 and 443, but we only use port 80 before, and the response is just a timeout.

SecApp · #4 (**permalink**) 01-19-2004, 10:30 AM

Should be using 443;

well, working with what you had, if the DNAT for http is still in place, I suspect it's an intermediary routing issue. Check that the gateway for the external interface is set correctly; then telnet from a hub or crossover cable directly connected to the external interface...

supps · #5 (**permalink**) 01-19-2004, 12:36 PM

Thanks for your help.

On the firewall the DNAT is setup as

Pre DNAT: external IP address with service HTTP and then Post DNAT internal IP address with service HTTP.

I cannot see anything in the packet filter log that is blocking the connection ??

SecApp · #6 (**permalink**) 01-19-2004, 12:41 PM

Can you telnet 80 from just outside the interface? (change a workstation to the ip of the external gateway, and connect with a crossover cable or through a hub). I want to see if it's the firewall or an intermediary router...

supps · #7 (**permalink**) 01-19-2004, 12:56 PM

I will give it a go, but I can only use the IP address of the router, so I will have to try it after work when it is quiet.

However, our external ip address is actually an internal IP adress of our ISP, they then convert this address to a external ip address. They have tried to telnet into "our" external IP address using port 80 but no luck.

I have tried a TCP connect from the frewall network tools page and it says 80 (www) : Connection timed out
sent 0, rcvd 0.

supps · #8 (**permalink**) 01-20-2004, 03:28 PM

I have tried to telnet in to port 80 on the firewall, but the connection just times out. We can telnet into port 25 for email though!

Hope someone can help, as I am getting desperate.

SecApp · #9 (**permalink**) 01-21-2004, 08:27 AM

Now look at the log for the time you do it (I don't know how good the logging was in 2X!)

If you are coming in from just outside the interface, and there is nothing in the log, then there is a tear in the fabric of the univerese and Astaro will have to explain. Or if you need this fixed fast, just take the plunge and upgrade...

Are you sure all your gateways are right?
Does the OWA server use a gateway of Astaro?
And the DNAT rule was not changed??

supps · #10 (**permalink**) 01-21-2004, 08:43 PM

Thanks for your help.

I have downloaded Astaro V4 to trial.

Thanks