Exchange 2013 using ARR reverse proxy OWA options won't open

Similar Messages

• Exchange 2013 pre-authentication & Reverse Proxy Options

  Hello,
  I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
  which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
  along with Exchange 2010.
  I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
  won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
  So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
  Nicholas,

  Hello,
  I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
  which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
  along with Exchange 2010.
  I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
  won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
  So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
  Nicholas,
  How about IIS ARR?
  http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
  http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Exchange 2013 // Error 500 when login OWA through ARR2.5 or other reverse proxy solution

  We install a new Exchange 2013 server with CU2 in our Exchange organization with a single Exchange 2007 server. We use a reverse proxy solution for publishing Outlook WebApp and sync. Internal Outlook WebApp works fine, but when we login from internet,
  we get the error:
  ":-( Something went wrong"
  In the address bar, we see the following URL:
  https://webmail.company.com/owa/auth/errorfe.aspx?httpCode=500
  When we try to login on https://webmail.company.com/ecp, it works fine. But OWA fails.
  Login on legacy mailboxes works fine. When we login on the new Outlook WebApp URL, we automatically forwarded to the legacy URL.
  We try the following reverse proxy solutions:
  Citrix Secure Gateway 3.3 on a Windows 2008 server
  ISS ARR on a Windows 2012 server (http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx)
  Is there anyone that knows how I can troubleshoot this problem?

  Hi
  Mostly looks like this is host (A) issue.You can check the below things
  Just check of the mail host (A) record is created on internal DNS server and ensure its pointed to new Exchange 2013 server.
  If the mail host (A) record is pointing to old exchange 2007 server just modify it and make it to point to new Exchange 2013 server
  Check the DWS directory in edit binding if loopback 127.0.0.1 is added if not add them
   Please mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you.
  Regards,
  Sathish

• SSL for Exchange 2013 with ARR

  Hi,
  Need advice on the number of SSL i would need to purchase.
  I know that I require to have a SSL with example: mail.domain.com & autodiscover.domain.com
  How about the ARR server that I will be setting up. Refer to http://social.technet.microsoft.com/Forums/exchange/en-US/fe8d1aae-a3c9-432a-a139-7b770cb07576/new-exchange-2013-setup-vmware?forum=exchangesvrdeploy
  do i need to have a SSL cert for the ARR server?
  Thanks in advance!

  Hi,
  Just like all above saying, we do not need to generate a new certificate for IIS ARR server. We can configure
  all protocols (OWA, ECP, EWS etc) published with the mail.domain.com
  namespace.
  When install IIS, we can export the Exchange certificate (from a CAS) and import the certificate to the local machine certificate store on the IIS Reverse Proxy, together with any required root or intermediate certificates. For more information
  about it, here is a detailed article we can refer to:
  Reverse Proxy for Exchange Server 2013 using IIS ARR
  http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
  Thanks,
  Winnie Liang
  TechNet Community Support

• My environment is 99% of the way there, but my ARR reverse proxy doesnt seem to be forwarding lyncdiscover properly. Can someone help?

  I recently cut over from lync 2010 with an apache reverse proxy to a lync2013 deployment using microsoft ARR as the reverse proxy.
  Last night i cut over to the new ARR reverse proxy but our lync 2013 mobility tests didnt go well. I also cant get the DIALIN.CONTOSO.COM page to show up externally. Only the https://MEET.CONTOSTO.COM site shows up properly from an external browser. I have
  a feeling that the lync ARR server is only handling meet.contoso.com for some reason, although i followed the LYNC setup guides exactly. Please see the screenshots of my setup. Does anyone have an idea of why everything might be taken over by the MEET.CONTOSO.COM
  Server Farm in ARR?
  As you can see, the lyncdiscover.contoso.com server farm has no hits.
  When I fire up the lync mobility app, the MEET.CONTOSO.COM server farm in ARR receives the hits. (and failures)
  I followed the configuration exactly, here are my rewrite rules:
  Any Ideas?

  Hello All,
  I had a professional service with Microsoft to fix the many issues with my Lync environment. It turns out that there were 2 major causes of the problem i was having. For one, I DID have the wrong cert set on the lync2013 FE server's external web interface.
  I didn't realize this because there seems to be some sort of bug in the LYNC SERVER 2013 DEPLOYMENT WIZARD. 
  First, it is badly designed. There is actually a drop down that i didnt realize was a dropdown when deploying my environment that expands and shows the external web services certificate.
  After I found that, i tried updating it to my godaddy cert but it left a BLANK in the deployment wizard. So i had to go into the IIS management console to update the bindings.
  Once the FE server's external website certificate was installed properly, we moved on the the reverse proxy. We scrapped ALL of the ARR servers and rewrite rules and started from scratch. Instead of creating 4 server farms and using lync.contoso.com, meet.contoso.com
  etc... we created one server farm that points at the IP ADDRESS of the lync front end server. We changed the PATTERN to (.*) using regular expressions and the HTTP_HOST rule to (lync.contoso.com|lyncdiscover.contoso.com|meet.contoso.com|dialin.contoso.com)
  After this, we still had a problem with lync mobility for android 2013.
  Our public DNS has a record *.contoso.com to capture all traffic and route it to our website. This was capturing lyncdiscoverinternal.contoso.com and the android devices were getting a certificate error. We now have lyncdiscoverinternal.contoso.com pointed
  to the reverse proxy's external IP address to resolve that issue. The android lync mobility client also checks for an exchange record which isn't documented http://contoso.com/ews because of an autodiscover record, so our android clients still get a certificate
  error once during the initial setup of the application. Our IOS devices don't show this error so we called the issue resolved.
  Good luck all!

• Exchange 2013 cros site blank page OWA/ECP

  Hello,
  I have an issue with a fresh installation of Exchange 2013 SP1.
  The are two AD site in different cities, connected by WAN link (site-to site VPN organized by Cisco ASA).
  I installed two Exchange servers in Site A (MBX1 and MBX2, both with MBX+CAS roles), and one Exchange server MBX3 in Site B (also both with MBX+CAS roles).
  Each Exchange hosts its own mailbox database (DB1, DB2, DB3 respectively), there are no DAG.
  Users spread over all databases. For example, user1 has mailbox in DB1, user2 - in DB2, user3 in DB3.
  When user1 opens OWA/ECP on CAS server MBX1 or MBX2, he successfully get into his mailbox.
  But, if user1 opens OWA/ECP on CAS server MBX3, he get blank page (no error at all).
  And vise versa:
  When user3 opens OWA/ECP on CAS server MBX3, he successfully get into his mailbox.
  But, if user3 opens OWA/ECP on CAS server MBX1 or MBX2, he get blank page (no error at all).
  I know, that Exchange 2013 is able to proxy request cross site.
  Where are no custom redirects set on IIS.
  Also I check IIS (Back End Site) for right certificate.
  There are no error in Windows Event log and IIS event Log.
  All ports are allowed between sites.
  Everything looks good.
  What I did wrong? May be I need to enable cross-site OWA proxy in Exchange somewhere?
  Or it is a CISCO ASA misconfiguration?
  Any help would be appreciated!
  Thank You!
  Pavel

  Hi,
  Firstly, I’d like to confirm if all your Exchange server are internet facing servers.
  We can try to clear the Forms based authentication on the non-internet facing server.
  And here is a similar thread you can refer to:
  http://social.technet.microsoft.com/Forums/exchange/en-US/85983a21-3922-46f4-b64a-d53c0a2271a7/issues-with-crosssite-cas-redirect-of-owa-users?forum=exchange2010
  Thanks,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Angela Shi
  TechNet Community Support

• RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN

  Hi there,
  I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to it's AD requirements etc).
  What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
  Thanks,
  Paul.

  Hi Paul,
  It is generally considered more secure to have a reverse proxy in front of RDG.  I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP.  Whether
  or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies.  Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method
  to provide an extra layer of protection.
  -TP

• My free apps purchased using my cousin's apple id won't open anymore on my iphone but apps donwloaded using my own apple id still works. Why is it like that and how can I make apps purchased using my cousin's apple id work on my iphone? Help!

  My free apps purchased using my cousin's apple id won't open anymore on my iphone but apps donwloaded using my own apple id still works. Why is it like that and how can I make apps purchased using my cousin's apple id work on my iphone? Help!

  Welcome to the Apple Community.
  Delete the apps purchased by your cousin and purchase your own.

• Using ARR to forward OWA requests to Exchange (On Premises) gives Server Error 502

  I have been struggling to configure a Windows Essentials Experience and Exchange On Premises system for our company.  
  I have two hyper-v guest servers running Server 2012 R2, one with the Windows Essentials Experience role installed and one with Exchange 2013.  After weeks of trying to get various parts of the configuration installed, following the various Microsoft
  guides, I thought I had finally managed to do it but have failed, again, at the final hurdle.
  Exchange is working and users can connect to OWA from inside the domain using the same URL as the external URL.  However when accessed from the internet we get "502 - Web server received an invalid response while acting as a gateway or proxy server."
  I have tried to do some tracing in IIS but don't seem to get any results.  Can anyone shed any light on how to resolve this issue so I don't have to tear any more of my hair out!
  Thanks in advance

  Hi RicoE,
  On current situation, please go to
  Microsoft Remote Connectivity Analyzer and run a test, then monitor the result.
  In addition, please refer to Post-installation tasks section in following article, then check if correctly
  set up an on-premises server that is running Exchange Server on a Windows Server Essentials network.
  Integrate an On-Premises Exchange Server
  with Windows Server Essentials
  Please also refer to following KB and check if can help you.
  FIX: ARR does not route requests correctly when you use the
  ARR module in IIS 7.0
  By the way, please use the
  Configuration Troubleshooter tool that Robert created to check IIS and Certificates.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• IIS ARR reverse proxy..can someone explain how traffic goes?

  I'm building a reverse proxy server from the ground up, and I'm using IIS ARR. 
  I'm following this awesome guide to do it: 
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  I'm having a hard time grasping this IIS stuff and I was wondering if someone could explain something.
  Am I supposed to use the external IP of the reverse proxy in external DNS, or the external IP of the edge server?
  Are my simple URLs (I'm using lws, meet, dialin, and lyncdiscover in IIS ARR) supposed to externally resolve to the reverse proxy, and then my accessedge URLS resolving to the external IP of the edge? 
  I'm trying to figure out what to ask to have added to external DNS, and I was thinking that all these requests would come into the Edge, and then the edge would push it up to the reverse proxy for port translation, and then down to the front end, or something. 
  Thanks!
  Brandon
  Edit: I think I might have figured it out... Is the external IP of the reverse proxy the "Lync Web Services External IP"? If that's the case, I got confused in my validator.

  You beat me to it.  Yes, you'd communicate with the edge directly.  The reverse proxy is for Lync Web Services such as your external web services URL, meet, lyncdiscover, dialin, etc.  It's just a method of publishing your front ends
  to the Internet.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Connect to Exchange 2013 using IMAP/SMTP from the Internet

  Hello,
  I would like to enable connectivity to my exchange server using imap and smtp. my exchange server is using the default configuration for imap and smtp which are port 143 and 25 respectively. I have two exchange servers both with CAS and MB roles
  installed. I also have an edge server on my DMZ. I have also published my OWA using IIS ARR module. I wonder where I should direct my traffic from my firewall to enable IMAP connectivity taking into considerations my two servers with CAS and MB roles are inside
  my network. I also wonder how I can enable redundancy for IMAP connections. Thanks a lot.
  Regards,
  Pooriya
  Pooriya Aghaalitari

  Hi Pooriya,
  When you install Microsoft Exchange Server 2013, IMAP4 client connectivity isn't enabled. We can do the following steps to configure it:
  1. Start two IMAP services: the Microsoft Exchange IMAP4 service and the Microsoft Exchange IMAP4 Backend service.
  Set-service msExchangeIMAP4 -startuptype automatic
  Start-service msExchangeIMAP4
  Set-service msExchangeIMAP4BE -startuptype automatic
  Start-service msExchangeIMAP4BE
  2. Make sure there is an valid certificate which is assigned with IMAP service. Also confirm the Published Exchange server name (For example: mail.domain.com) has been included in this certificate:
  Get-ExchangeCertificate | FL
  3. Configure the external IMAP connection settings:
  Set-ImapSettings -ExternalConnectionSetting {mail.domain.com:993:SSL}
  4. Configure SMTP settings:
  Get-ReceiveConnector "*\client Frontend*" | Set-ReceiveConnector -AdvertiseClientSettings $true -Fqdn mail.domain.com
  5. You must restart IIS service (running IISReset /noforce from the Command Prompt window) after applying all settings.
  For more information about IMAP in Exchange 2013, please refer to:
  http://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx
  Regards,
  Winnie Liang
  TechNet Community Support

• Lync 2013 edge-no reverse proxy question

  I deployed lync 2013 edge server and no reverse proxy yet.I am trying to connect from my windows 7 machine with no luck and I can see a top reset on the firewall,my question is is reverse proxy required for the normal client to connect and do basic IM?
  Plz confirm.thx

  *****Update**********
  now when i am trying to test connevity using microsoft connecvitry analyer i am getting error realted to the external certifictare stating that " certificate couldn't be validated because SSL negotiation
  wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation." with UC troubleshotter i am getting the same.any idea?
  PS certificate is from Digi
  cert and i have checked the installation with thier tool and all was green
  regards
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with
  the certificate installation.

• Exchange 2013 ECP redirects to 2010 OWA still

  I have a new Exchange 2013 SP1 server on a 2012 R2 OS where I've installed both Mailbox and Client Access roles in an existing Exchange 2010 environment.  Initially ran into some DNS issues that caused errors installing the Client Access server, but
  I fixed those, removed Exchange 2013 and reinstalled with no errors.  In every scenario so far, trying to access the ECP redirects you to the 2010 OWA.  I have been scouring threads for hours and tried everything I've seen, but to no avail.  I
  have tried:
  1) Using the https://<Exchange_2013_CAS_FQDN>/ecp?ExchClientVer=15 URL, which still
  redirects to the 2010 OWA
  2) Creating a new user account with all of the same rights as the domain admin but has no mailbox, which redirects to the 2010 OWA and throws an error that there is no mailbox.
  3) Setting the domain in IIS authentication settings for the ECP on both the 2013 and 2010 server.
  Does anyone have any ideas here on what to try next?

  Try creating a mailbox for the administrative account on the Exchange 2013 server or moving the existing mailbox.
  I've seen issues like you're experiencing in various forms before myself, though not exactly as you've reported.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2013 - RCA reports RPC Proxy can't be pinged (404)

  Hi, I've searched extensively and spent hours trying to fix my problem and nothing in the forums has addressed yet. 
  I have a new exchange server 2013 SP1 and Outlook 2013 clients can't connect. Outlook states Exchange Server is Unavailable. 
  This led me to Microsoft RCA. RCA reported that the RPC Proxy can't be pinged with a 404 error. But I CAN visit the server RCA references a step or two above and am treated to a white page, no 404. (
  https://xch.domain.com/rpc/rpcproxy.dll?xch.domain.com:6002 )
  I have set ExternalAuthenticatoin to Negotiate and internal to NTLM, I have set outlookProvider to 
  [PS] C:\Windows\system32>Get-Outlookprovider
  Name                          Server                        CertPrincipalName             TTL
  EXCH                                                        msstd:*.domain.com       1
  EXPR                                                        msstd:*.domain.com       1
  WEB                                                                          
              1
  The SSL Certificate is a trusted one, the External URL is set properly in the server settings via ECP as well.
  Any ideas would be greatly appreciated. I'm tired and incapable of listing all of the steps I've tried, but if you know of any tips for troubleshooting and fixing RPC Ping issues, I would love to hear them. 
  Thanks!

  Hi,
  How about OWA, does it works well?
  1. If OWA doesn't work, please check wether the Outlook Anywhere has been enabled.
  It seems you have configured Outlook Anywhere as below. If not, please change the configuration.
  Does the whole error message like this:
  Attempting to ping RPC proxy mail.contoso.co.nz.
  RPC Proxy can't be pinged.
  Additional Details
  A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
  Please make sure the configuration as below:
  Set-OutlookAnywhere
  ExternalClientAuthenticationMethod : Negotiate
  InternalClientAuthenticationMethod : NTLM
  IISAuthenticationMethods : {basic, ntlm, negotiate}
  Set-OutlookProvider
  Name                       Server                      CertPrincipalName            TTL
  EXCH                                                       
  msstd:*.contoso.co.nz     1
  EXPR                                                       
  msstd:*.contoso.co.nz      1
  WEB                                                                                                1
  More details in the following link:
  Exchange 2013 Outlook Anywhere (RPC) Settings
  http://infused.co.nz/2013/05/13/exchange-2013-outlook-anywhere-rpc-settings/
  Disclaimer:
  Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure
  that you completely understand the risk before retrieving any suggestions from the above link.
  2. If the method 1 doesn't help, please collect some related error message in App Log without sensitive information for the further troubleshooting.
  3. If OWA works well, just Outlook doesn't work, I suggest try to run 'Test-OutlookConnectivity' command in EMS to verify the connectivity between Exchange server and Outlook client. Please paste the details without sensitive information if there is any
  abnormal.
  4. Please also run 'Test E-mail AutoConfiguration' on Outlook to verify whether there is anything abnormal.
  Thanks
  Mavis
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Mavis Huang
  TechNet Community Support

• Migrating from 2010 windows nlb cas array to exchange 2013 using netscaler for HLB

  i currently have exchange 2010 sp3 setup as follows
  2 cas/ht using windows nlb for array.internal.com as the nlb name
  2 mailbox servers using 1 dag for replication between them.
  I would like to stand up 2 new CAS 2013 sp1 servers(2012 r2) and use our netscaler hlb to load balance and do ssl offloading.
  id like to use the hlb to load balance and ssl offload all possible traffic not just owa, i.e. activesync etc.
  the netscaler is running version 10.5.
  does anyone have any thoughts on how to perform such a migration?
  id like to make this as seamless as possible for the user, so no owa name change or anything like that.
  thx in advance for any help.

  Exchange 2013 CAS cannot be managed effectively without an Exchange 2013 mailbox server since the CAS won't run the Exchange 2013 management tools without it.  Your Exchange 2013 servers should simply have both roles.  There are few cases where
  splitting the roles has any business value.
  If what you're planning to do is within the same forest and organization, then it's a "transition", not a "migration".  What you are asking to do is easy.  Build the Exchange 2013 servers, configure load balancing, test
  access, and then switch the DNS records to point to them.
  Personally, I would skip the SSL offloading.  It's my opinion that it makes the solution more difficult to troubleshoot without providing any real benefit.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."