Cannot get to OWA from within the LAN

    Question

  • mail.company.com points to W.X.Y.Z according to a DNS zone we have access to at the ISP

    W.X.Y.Z is the external IP of our Fortigate FW.

    Outside of the LAN (ie at home), I can get to https://mail.company.com/owa

    But within the LAN, I cannot get to it using https://mail.company.com/owa. I can however get to it using https://exch2010/owa.

    Any ideas why?

    I'd imagine if I create a company.com zone on our internal DNS servers on the LAN and point "mail" to the internal IP of the exchange server, it would work? But this is not something I want.

    Friday, December 07, 2012 9:39 PM

Answers

  • Hello ccslai

    Yes you are right... In order to access https://mail.company.com/owa internally within your LAN, you have to create an internal DNS record pointing to your CAS server. I'm not sure why you do not opt to do this... any reasons?

    Friday, December 07, 2012 10:43 PM
  • Some ISPs will block you from accessing your own external network from inside your network, which means that users would be unable to access the public IP of your mail server, which is what mail.company.com points to. You may also have a firewall configuration that prevents you from doing so. You are correct in assuming that if you had a company.com zone on your internal DNS and pointed mail to the CAS server, you could connect.

    I would look through your firewall configuration to see if it's blocking internal traffic from accessing the Public IP for your mail server. If not, contact your ISP and ask them about it as well. The only other alternative would be to deploy a host file entry that sets mail.company.com to your internal mail address on your domain computers.

    To clarify, on your internal network, when you go to mail.company.com, the DNS servers your computers use will return that with the public IP address of your mail server, rather than the internal one. When you connect with exch2010 internally, it uses the internal DNS servers to resolve that name to the internal IP address for the server. If you attempt to connect to mail.company.com inside your network, you're basically trying to connect to your external IP from inside your network, which can result in your firewall seeing an access attempt to that IP's address *from* the same address. Most firewalls will block that, and many ISPs do the same, since it's a sign of a malicious attack.

    Friday, December 07, 2012 10:45 PM
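A quick way to confirm which of the two situations above a LAN client is in (split DNS in place, or the name still resolving to the firewall's public address so the request must hairpin through it). This is an added diagnostic script, not code from the thread or from Exchange/Fortigate; the public and internal addresses in it are constructed placeholders standing in for W.X.Y.Z and the exch2010 host, and the TCP check only proves the port opens, not that OWA answers.

```python
import socket

# Constructed placeholders, not values from the thread.
HOSTNAME = "mail.company.com"
PUBLIC_IP = "203.0.113.10"     # stands in for W.X.Y.Z, the Fortigate's outside address
INTERNAL_CAS_IP = "10.0.0.25"  # assumed LAN address of the exch2010 CAS server


def resolve_a(hostname):
    """Return the IPv4 answers the client's configured resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(answers, public_ip, internal_ip):
    """Say what an answer set means for a client sitting inside the LAN.

    split-dns  : internal DNS hands out the CAS address; OWA works directly.
    hairpin    : resolver returns the public IP, so the client has to reach the
                 firewall's outside interface from inside (the failure in the thread).
    unexpected : some other address came back; check the zone for stale records.
    nxdomain   : no answer at all.
    """
    if not answers:
        return "nxdomain"
    if internal_ip in answers:
        return "split-dns"
    if public_ip in answers:
        return "hairpin"
    return "unexpected"


def can_connect(ip, port=443, timeout=3.0):
    """True when a TCP connection to ip:port opens within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    answers = resolve_a(HOSTNAME)
    verdict = classify(answers, PUBLIC_IP, INTERNAL_CAS_IP)
    print(f"{HOSTNAME} -> {answers or 'no answer'} ({verdict})")
    for ip in answers:
        print(f"  {ip}: tcp/443 {'open' if can_connect(ip) else 'closed'}")
```

Run it once from a LAN workstation and once from outside; "hairpin" on the inside with tcp/443 closed matches the symptom in the question, and "split-dns" is what you get after adding the internal record.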
