Outlook Anywhere fails outside of my network
-
I'm trying to get Outlook Anywhere set up to work outside of my network, and I'm having some problems. I've used the connectivity tester at https://testconnectivity.microsoft.com, and it's giving me a somewhat vague error. It looks like this:
Attempting to ping RPC proxy mail.contoso.org. RPC Proxy can't be pinged. An unexpected network-level exception was encountered. Exception details: Message: The remote server returned an error: (404) Not Found. Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
(Yeah, I know contoso is a placeholder) That 404 error makes me think that IIS isn't configured correctly. But I just did a
Set-OutlookAnywhere
, which I understand is supposed to go into the IIS configuration to set things. This is what myGet-OutlookAnywhere
looks like:RunspaceId : 77b0ab52-27fb-4f06-b609-d41612f2b96d ServerName : SRVR1 SSLOffloading : False ExternalHostname : mail.contoso.org InternalHostname : mail.contoso.org ExternalClientAuthenticationMethod : Ntlm InternalClientAuthenticationMethod : Ntlm IISAuthenticationMethods : {Ntlm} XropUrl : ExternalClientsRequireSsl : True InternalClientsRequireSsl : True MetabasePath : IIS://SRVR1.contoso.org/W3SVC/1/ROOT/Rpc Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc ExtendedProtectionTokenChecking : None ExtendedProtectionFlags : {} ExtendedProtectionSPNList : {} AdminDisplayVersion : Version 15.0 (Build 1156.6) Server : SRVR1 AdminDisplayName : ExchangeVersion : 0.20 (15.0.0.0) Name : Rpc (Default Web Site) DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=SRVR1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=org Identity : SRVR1\Rpc (Default Web Site) Guid : 2e082b4c-b7c2-456b-9af0-5f7343ab1f16 ObjectCategory : contoso.org/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory} WhenChanged : 4/22/2016 12:00:07 PM WhenCreated : 2/9/2015 3:25:30 AM WhenChangedUTC : 4/22/2016 7:00:07 PM WhenCreatedUTC : 2/9/2015 11:25:30 AM OrganizationId : Id : SRVR1\Rpc (Default Web Site) OriginatingServer : DC01.contoso.org IsValid : True ObjectState : Changed
Ping @polygeekery
-
@Captain I am heading in to a very busy weekend (most of them are during the summer, which is why you have not seen me on much on weekends), but what does a tracert look like to that server from outside of the network?
-
@Polygeekery tracert connected fine from the other side of the country.
traceroute to 173.164.80.201 (173.164.80.201), 30 hops max, 40 byte packets 1 core-87-router (128.112.128.2) 0.768 ms 0.784 ms 0.444 ms 2 border-87-router (128.112.12.142) 0.586 ms 0.419 ms 0.402 ms 3 te0-0-1-1.204.rcr12.phl03.atlas.cogentco.com (38.122.150.1) 4.997 ms 3.247 ms 2.307 ms 4 te0-0-1-3.rcr22.phl01.atlas.cogentco.com (66.28.4.233) 3.018 ms 3.543 ms 5.669 ms 5 te0-8-0-2.ccr42.dca01.atlas.cogentco.com (154.54.42.101) 9.294 ms te0-8-0-2.ccr41.dca01.atlas.cogentco.com (154.54.42.89) 9.478 ms te0-8-0-2.ccr42.dca01.atlas.cogentco.com (154.54.42.101) 20.928 ms 6 be2113.ccr42.atl01.atlas.cogentco.com (154.54.24.222) 20.741 ms 18.288 ms be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158) 18.318 ms 7 be2789.ccr22.atl02.atlas.cogentco.com (154.54.24.250) 18.636 ms be2847.ccr41.atl04.atlas.cogentco.com (154.54.6.102) 18.294 ms be2789.ccr22.atl02.atlas.cogentco.com (154.54.24.250) 19.021 ms 8 comcast.atl02.atlas.cogentco.com (154.54.10.234) 18.465 ms 50.248.117.45 (50.248.117.45) 18.580 ms 18.714 ms 9 hu-0-3-0-1-cr02.56marietta.ga.ibone.comcast.net (68.86.86.61) 20.414 ms hu-0-3-0-2-cr02.56marietta.ga.ibone.comcast.net (68.86.87.221) 21.520 ms hu-2-1-0-1-cr02.56marietta.ga.ibone.comcast.net (68.86.86.17) 20.169 ms <some more skipped to avoid doxxing myself> Done
-
@Captain Next thing next, is the Exchange server open to the public or behind another firewall? And, follow-up question, if you do a dig or nslookup from public DNS servers, does it resolve to the correct address?
Also, Outlook Anywhere works properly inside the network, but not externally? Are you certain that you are using OA inside the network? That seems like an odd use case if so. Or, did you just do it for testing?
-
Plays For Sure
-
mail.contoso.org
resolves to the building's IP address. Exchange server is behind a firewall. I opened ports 443 and 80, and they're pointing at the mail server. I can log in to the Outlook Web App and admin controls just fine.I'm pretty sure we're using Outlook Anywhere inside the network, since email broke for a minute when I changed an OA setting... ;-)
-
@Captain said in Outlook Anywhere fails outside of my network:
I'm pretty sure we're using Outlook Anywhere inside the network, since email broke for a minute when I changed an OA setting...
Exchange can break for any, or no reason.
Let's back up for a second...you work for a NFP, correct? Why are you hosting your own email? Exchange is a total bastard to support. Office365 and Google Apps are both free for NFPs.
-
@Polygeekery we're hosting it because we have been hosting it. The plan is to migrate to Office 365, but to do that, we have to get Outlook Anywhere working so Microsoft can slurp up our data.
-
@Captain said in Outlook Anywhere fails outside of my network:
The plan is to migrate to Office 365, but to do that, we have to get Outlook Anywhere working so Microsoft can slurp up our data.
Gotcha. Good plan. I am about to go out to dinner with the wife. If I get time later, I will look over this thread some more.
-
@Captain said in Outlook Anywhere fails outside of my network:
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}Now that I think about it, shouldn't the ExternalClientAuthenticationMethod be "negotiate" and IISAuthenticationMethod be "NTLM, basic, negotiate"?
-
Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.
So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).
-
@izzion said in Outlook Anywhere fails outside of my network:
Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.
Yeah, that's my understanding too. I didn't even "really" change a setting, but the server's identity changed, and all the clients had to trash their profiles. Not ideal, but not totally awful.
So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).
Yes, OWA works externally. I think. I'll try it from home tonight (but yeah, I'm 95% sure it does).
I'd be open to an OWA-based migration.
-
Is there a budget for migration? If you're open to investigating something, I'd be happy to give you my contact information and put you in touch with one of our sales guys and/or one of my teammates that works with O365 migrations all the time. I'm more in the MSP/server side, so I can't speak to technical details other than "it wurkz gud"
And if you want further help with troubleshooting OA, let me know and I'll be happy to help too. Certainly don't want to just barge in here, drop a business card, and leave :)
-
404 Not Found is a code returned by your web server, or by an intermediate device. Have you looked at log files to see if any requests are being made to the OA endpoint, at all?
Are there any intermediate firewalls which might block the request because they don't understand the payload of your request? For example, if you have an old ISA server in your set-up this could block OA because it doesn't understand all the funkyness going on.
Microsoft has a Remote Connectivity Analyser which might be able to help you out?
-
@AlexMedia Not wasting any time reading the OP, I see.
-
@Captain Still need help?
-
@Polygeekery: I'm going to try a thing first, but yeah, probably. :-)
-
@Captain Hit me up if I can be of assistance.
-
I think I actually cracked it. I'm not sure which specific change I made fixed it, but the connectivity tester works, and Exchange 365 is able to reach in and poke around. I will set off a migration tonight, and let email be somebody else's problem and save thousands of dollars on the migration for the kiddos and be a hero.
Plus it will take like 100 interruptions per week of my plate.
-
@Captain said in Outlook Anywhere fails outside of my network:
it will take like 100 interruptions per week of my plate.
So much yes.