OWA - External access not working via different DNS routes - Cert issue?

  • Question

  • Hi, my environment is: a 2003 single AD domain, Exchange 2003 Enterprise. Servers/Exchange are up to date with all service packs and patches. I have an issue with SSL certificates and OWA. I have a SAN cert from GoDaddy which has been working fine for the last 5 years until now. The certificate is configured with 5 alt names: 'mail1.domain.com', 'mail2.domain.com', 'mail3.domain.com' etc. I use 2 of the 5 to access OWA, mail1 and mail2.domain.com/exchange.

    My OWA works fine internally from 'mail1.domain.com/exchange' and 'mail2.domain.com/exchange'. If I access from an external resource I can get to mail1.domain.com/exchange fine, but not mail2.domain.com/exchange. These are separate fibre circuits. Port forwarding is in place and working correctly on each circuit, as is public DNS to the correct IPs.

    I can modify a hosts file on an external resource so that I can navigate to both mail1 and mail2 to check that the SAN certificate is OK, and it does show OK. I've also used 3rd-party sites to verify the certificate. When I try to access https://mail2.domain.com/exchange nothing happens; Internet Explorer just continues to load (the little indicator on the tab bar spins). If I remove the certificate and try both addresses again I do get "Internet Explorer cannot display the web page" instantly, so I know the certificate must be interfering with OWA.

    I've tried re-keying the certificate and http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html - with no luck.

    I've also been over this KB, which was also working fine - http://support.microsoft.com/kb/817379

    I've run Microsoft RCA and the details are below for both 'https://mail1.domain.com/exchange' and 'https://mail2.domain.com/exchange'.

    RCA - 'https://mail1.domain.com/exchange', which works fine: the only warning this has is about Windows Mobile devices 5 or earlier; everything else passes.

    RCA - 'https://mail2.domain.com/exchange', which shows the below:

    RCA - The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
      The Exchange ActiveSync test failed.
      Test Steps
        Attempting to resolve the host name mail2.domain.com in DNS.
        The host name resolved successfully.
        Additional Details
          IP addresses returned: x.x.x.x

        Testing TCP port 443 on host mail2.domain.com to ensure it's listening and open.
        The port was opened successfully.
        Testing the SSL certificate to make sure it's valid.
        The SSL certificate failed one or more certificate validation checks.
        Test Steps
          The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail2.domain.com on port 443.
          The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
          Additional Details
            The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

    The strange thing is that this is working externally via mail1.domain.com/exchange.

    I've looked at this for a week flat ;-(

    What other angles can I try? Thanks in advance.

    • Edited by Viper2e Saturday, June 8, 2013 12:08 AM adjust subject
    Saturday, June 8, 2013 12:07 AM
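An added example (not from the original post, nor from Microsoft's RCA): a small Python probe that walks the same stages the RCA output above reports (DNS, TCP 443, TLS handshake, certificate validation) with a per-socket timeout, so a handshake that hangs is reported as a 'tls' stage failure instead of a spinning browser tab; it also checks which names the served certificate's SANs actually cover. The hostnames mail1.domain.com and mail2.domain.com are the post's placeholders, and the 'stage' values are names chosen here.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a cert dict as returned by SSLSocket.getpeercert()."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def hostname_matches(san_names, host):
    """True if host is covered by a SAN entry (single-label wildcard only)."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            # a wildcard covers exactly one left-most label, never the bare domain
            suffix = name[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def probe_tls(host, port=443, timeout=5.0):
    """Walk DNS -> TCP -> TLS handshake -> cert verification and report the
    first stage that fails ('ok' when everything passes). The timeout turns a
    handshake that never completes into a reported 'tls' failure."""
    result = {"host": host, "stage": "ok", "error": None, "san": []}
    try:
        result["ip"] = socket.gethostbyname(host)
    except OSError as exc:
        return dict(result, stage="dns", error=str(exc))
    try:
        raw = socket.create_connection((result["ip"], port), timeout=timeout)
    except OSError as exc:
        return dict(result, stage="tcp", error=str(exc))
    ctx = ssl.create_default_context()  # verifies the chain and the hostname/SANs
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["san"] = san_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return dict(result, stage="cert", error=str(exc))
    except (ssl.SSLError, OSError) as exc:
        # handshake never completed: timeout, reset, or protocol error
        return dict(result, stage="tls", error=str(exc))
    return result


if __name__ == "__main__":
    for h in ("mail1.domain.com", "mail2.domain.com"):  # placeholders from the post
        print(probe_tls(h))
```

Run it from an external vantage point against each public name; a port that opens but a handshake that times out on only one circuit points at the path (firewall, forwarding, or binding on that IP) rather than at the certificate itself.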

All replies