Outlook Anywhere fails outside of my network



  • I'm trying to get Outlook Anywhere set up to work outside of my network, and I'm having some problems. I've used the connectivity tester at https://testconnectivity.microsoft.com, and it's giving me a somewhat vague error. It looks like this:

    Attempting to ping RPC proxy mail.contoso.org. 
    RPC Proxy can't be pinged. An unexpected network-level exception was encountered. Exception details: Message:
    
    The remote server returned an error: (404) Not Found. Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
    

    (Yeah, I know contoso is a placeholder.) That 404 error makes me think that IIS isn't configured correctly. But I just did a Set-OutlookAnywhere, which I understand is supposed to go into the IIS configuration to set things. This is what my Get-OutlookAnywhere looks like:

     RunspaceId                         : 77b0ab52-27fb-4f06-b609-d41612f2b96d
     ServerName                         : SRVR1
     SSLOffloading                      : False
     ExternalHostname                   : mail.contoso.org
     InternalHostname                   : mail.contoso.org
     ExternalClientAuthenticationMethod : Ntlm
     InternalClientAuthenticationMethod : Ntlm
     IISAuthenticationMethods           : {Ntlm}
     XropUrl                            : 
     ExternalClientsRequireSsl          : True
     InternalClientsRequireSsl          : True
     MetabasePath                       : IIS://SRVR1.contoso.org/W3SVC/1/ROOT/Rpc
     Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
     ExtendedProtectionTokenChecking    : None
     ExtendedProtectionFlags            : {}
     ExtendedProtectionSPNList          : {}
     AdminDisplayVersion                : Version 15.0 (Build 1156.6)
     Server                             : SRVR1
     AdminDisplayName                   : 
     ExchangeVersion                    : 0.20 (15.0.0.0)
     Name                               : Rpc (Default Web Site)
     DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=SRVR1,CN=Servers,CN=Exchange 
                                          Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First 
                                          Organization,CN=Microsoft 
                                          Exchange,CN=Services,CN=Configuration,DC=contoso,DC=org
     Identity                           : SRVR1\Rpc (Default Web Site)
     Guid                               : 2e082b4c-b7c2-456b-9af0-5f7343ab1f16
     ObjectCategory                     : contoso.org/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
     ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
     WhenChanged                        : 4/22/2016 12:00:07 PM
     WhenCreated                        : 2/9/2015 3:25:30 AM
     WhenChangedUTC                     : 4/22/2016 7:00:07 PM
     WhenCreatedUTC                     : 2/9/2015 11:25:30 AM
     OrganizationId                     : 
     Id                                 : SRVR1\Rpc (Default Web Site)
     OriginatingServer                  : DC01.contoso.org
     IsValid                            : True
     ObjectState                        : Changed
    

    Ping @polygeekery


  • Grade A Premium Asshole

    @Captain I am heading in to a very busy weekend (most of them are during the summer, which is why you have not seen me on much on weekends), but what does a tracert look like to that server from outside of the network?



  • @Polygeekery tracert connected fine from the other side of the country.

    traceroute to 173.164.80.201 (173.164.80.201), 30 hops max, 40 byte packets
     1  core-87-router (128.112.128.2)  0.768 ms  0.784 ms  0.444 ms
     2  border-87-router (128.112.12.142)  0.586 ms  0.419 ms  0.402 ms
     3  te0-0-1-1.204.rcr12.phl03.atlas.cogentco.com (38.122.150.1)  4.997 ms  3.247 ms  2.307 ms
     4  te0-0-1-3.rcr22.phl01.atlas.cogentco.com (66.28.4.233)  3.018 ms  3.543 ms  5.669 ms
     5  te0-8-0-2.ccr42.dca01.atlas.cogentco.com (154.54.42.101)  9.294 ms te0-8-0-2.ccr41.dca01.atlas.cogentco.com (154.54.42.89)  9.478 ms te0-8-0-2.ccr42.dca01.atlas.cogentco.com (154.54.42.101)  20.928 ms
     6  be2113.ccr42.atl01.atlas.cogentco.com (154.54.24.222)  20.741 ms  18.288 ms be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158)  18.318 ms
     7  be2789.ccr22.atl02.atlas.cogentco.com (154.54.24.250)  18.636 ms be2847.ccr41.atl04.atlas.cogentco.com (154.54.6.102)  18.294 ms be2789.ccr22.atl02.atlas.cogentco.com (154.54.24.250)  19.021 ms
     8  comcast.atl02.atlas.cogentco.com (154.54.10.234)  18.465 ms 50.248.117.45 (50.248.117.45)  18.580 ms  18.714 ms
     9  hu-0-3-0-1-cr02.56marietta.ga.ibone.comcast.net (68.86.86.61)  20.414 ms hu-0-3-0-2-cr02.56marietta.ga.ibone.comcast.net (68.86.87.221)  21.520 ms hu-2-1-0-1-cr02.56marietta.ga.ibone.comcast.net (68.86.86.17)  20.169 ms
    <some more skipped to avoid doxxing myself>
    Done

  • Grade A Premium Asshole

    @Captain Next thing next, is the Exchange server open to the public or behind another firewall? And, follow-up question, if you do a dig or nslookup from public DNS servers, does it resolve to the correct address?

    Also, Outlook Anywhere works properly inside the network, but not externally? Are you certain that you are using OA inside the network? That seems like an odd use case if so. Or, did you just do it for testing?


  • Trolleybus Mechanic

    Plays For Sure ™



  • @Polygeekery

    mail.contoso.org resolves to the building's IP address. Exchange server is behind a firewall. I opened ports 443 and 80, and they're pointing at the mail server. I can log in to the Outlook Web App and admin controls just fine.

    I'm pretty sure we're using Outlook Anywhere inside the network, since email broke for a minute when I changed an OA setting... ;-)


  • Grade A Premium Asshole

    @Captain said in Outlook Anywhere fails outside of my network:

    I'm pretty sure we're using Outlook Anywhere inside the network, since email broke for a minute when I changed an OA setting...

    Exchange can break for any, or no reason.

    Let's back up for a second...you work for a NFP, correct? Why are you hosting your own email? Exchange is a total bastard to support. Office365 and Google Apps are both free for NFPs.



  • @Polygeekery we're hosting it because we have been hosting it. The plan is to migrate to Office 365, but to do that, we have to get Outlook Anywhere working so Microsoft can slurp up our data.


  • Grade A Premium Asshole

    @Captain said in Outlook Anywhere fails outside of my network:

    The plan is to migrate to Office 365, but to do that, we have to get Outlook Anywhere working so Microsoft can slurp up our data.

    Gotcha. Good plan. I am about to go out to dinner with the wife. If I get time later, I will look over this thread some more.


  • Grade A Premium Asshole

    @Captain said in Outlook Anywhere fails outside of my network:

    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Ntlm}

    Now that I think about it, shouldn't the ExternalClientAuthenticationMethod be "negotiate" and IISAuthenticationMethod be "NTLM, basic, negotiate"?



  • @Captain

    Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.

    So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).



  • @izzion said in Outlook Anywhere fails outside of my network:

    @Captain

    Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.

    Yeah, that's my understanding too. I didn't even "really" change a setting, but the server's identity changed, and all the clients had to trash their profiles. Not ideal, but not totally awful.

    So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).

    Yes, OWA works externally. I think. I'll try it from home tonight (but yeah, I'm 95% sure it does).

    I'd be open to an OWA-based migration.



  • Is there a budget for migration? If you're open to investigating something, I'd be happy to give you my contact information and put you in touch with one of our sales guys and/or one of my teammates that works with O365 migrations all the time. I'm more in the MSP/server side, so I can't speak to technical details other than "it wurkz gud"

    And if you want further help with troubleshooting OA, let me know and I'll be happy to help too. Certainly don't want to just barge in here, drop a business card, and leave :)



  • 404 Not Found is a code returned by your web server, or by an intermediate device. Have you looked at log files to see if any requests are being made to the OA endpoint, at all?

    Are there any intermediate firewalls which might block the request because they don't understand the payload of your request? For example, if you have an old ISA server in your set-up this could block OA because it doesn't understand all the funkyness going on.

    Microsoft has a Remote Connectivity Analyser which might be able to help you out?
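
The log check suggested in the post above, as an added example that is not part of the original thread: it reads IIS W3C log lines and summarises requests to the Outlook Anywhere endpoint (`/rpc/rpcproxy.dll`) by client address and status. The log lines, addresses and the function name `Get-RpcProxyHits` are constructed for illustration; the commented log path is the IIS default and is an assumption about this server.

```powershell
# Constructed sample in IIS W3C extended log format (not taken from the thread).
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status sc-substatus
2016-04-22 19:01:10 GET /owa/ 443 203.0.113.10 200 0
2016-04-22 19:02:31 RPC_IN_DATA /rpc/rpcproxy.dll 443 203.0.113.10 404 0
2016-04-22 19:02:31 RPC_OUT_DATA /rpc/rpcproxy.dll 443 203.0.113.10 404 0
2016-04-22 19:05:02 RPC_IN_DATA /rpc/rpcproxy.dll 443 10.0.0.25 200 0
'@

# Hypothetical helper: returns one object per request to the RPC proxy.
function Get-RpcProxyHits {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Column order differs between servers, so take it from the header.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        # Skip other directives, blank lines, and data seen before any header.
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -like '/rpc/rpcproxy.dll*') {
            [pscustomobject]@{
                Client = $row['c-ip']
                Method = $row['cs-method']
                Status = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
            }
        }
    }
}

# Against real logs (assumed default location for site ID 1):
#   $lines = Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log"
$lines = $sampleLog -split "`r?`n"

Get-RpcProxyHits -Lines $lines |
    Group-Object Client, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If external client addresses appear with a 404 status, IIS itself is answering the request; if no external requests to `/rpc/rpcproxy.dll` appear at all, the 404 is coming from a device in front of the server.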



  • @AlexMedia Not wasting any time reading the OP, I see.


  • Grade A Premium Asshole

    @Captain Still need help?



  • @Polygeekery: I'm going to try a thing first, but yeah, probably. :-)


  • Grade A Premium Asshole

    @Captain Hit me up if I can be of assistance.



  • @Polygeekery

    I think I actually cracked it. I'm not sure which specific change I made fixed it, but the connectivity tester works, and Exchange 365 is able to reach in and poke around. I will set off a migration tonight, and let email be somebody else's problem and save thousands of dollars on the migration for the kiddos and be a hero.

    Plus it will take like 100 interruptions per week off my plate.


  • Grade A Premium Asshole

    @Captain said in Outlook Anywhere fails outside of my network:

    it will take like 100 interruptions per week off my plate.

    So much yes.

