0

I am unable to access my Exchange server from my laptop when outside the LAN using exquilla plugin through Thunderbird.

The Exchange server is in the internal network and a NAT rule port forwards traffic to the Exchange server.

When I use just the FQDN without /owa, the request times out. If I add /owa, I get:

404 Not Found

nginx 

This happens only when I use a remote connection. If I am connected to the LAN and connect to the Exchange server using the FQDN, I am able to use all those resources without problem. I have already tested from my smartphone and both mail and web are working fine.

<updated>This website is online from a web test that I have made. I can access through 4G in my smartphone.<updated>

I really cannot understand what is happening.

Network specs:

  • Draytek 2830
  • Windows Server 2008
  • Windows Exchange 2007

Laptop client specs:

  • Windows 10
  • Chrome
  • Thunderbird (Exquilla)
  • Macos
  • Mail app

Smartphone client specs:

  • Android
  • Gmail

UPDATE:

Cannot access from two private networks, both with different carriers. I can only access through a third carrier on my smartphone connected directly to 3/4G. I have tested with this laptop with Windows, macOS and with my smartphone.

UPDATE 2:

There is a NAT rule to forward from public port 443 to private server x at port 443. There are no ACLs and no proxy config in this router.

I forgot to say that this uplink to this company (from the carrier is a fiber) is in a subnet (255.255.255.252) with a dedicated IP where there is also in the subnet, the subnet ID, gateway and broadcast. I think that maybe there is a proxy in the gateway of my ISP.

UPDATE 3:

I was thinking that nginx was my webservice but it seems that it's not. I have searched for it and found nothing, even in the terminal using nginx -h, and I have even tried telnet locahost 80 (prntscr.com/ekqeox). Sorry for the bad assumption! This webservice came by default with Exchange, I believe. This installation was not made by me.

UPDATE 4:

I have changed my router for a new one for another purpose and this problem still continues. I have also noticed that there is a user that cannot even access it in this private network, only through the private IP. I also have another FQDN in dyndns running, and inside this private network it leads to my router config page, and with /owa to that page where nginx is running. From outside this link leads to the right website.

UPDATE 5:

Since this problem has been a struggle, I will summarize it.

I have two FQDNs pointed to a static IP, which is being used on the WAN port. One is set in a remote server, remote.x.pt (FQDN1); the other is set by dyndns, x.dyndns.biz (FQDN2).

In my pfsense I have a NAT rule to forward traffic to an internal server from port 443 to port 443.

I am blocking traffic each network in my pfsense router, who are two networks.

I have changed the router config GUI HTTPS port to 8080.

So this is the output from three possible scenarios, where the last two are inside my pfsense router:

From internet:

  • FQDN1: Can access the webservice
  • FQDN2: Can access the webservice
  • Private IP: Can access the webservice

From internal network where the server is:

  • FQDN1: Can access the webservice
  • FQDN2: It was showing the router GUI but now there is nothing, and with more location inputs such as /owa, which is my webmail service, I get an nginx error saying page not found.
  • Private IP: Same output as FQDN2

From visitor network:

  • FQDN1: Cannot access the webservice. Before, it was saying connection refused because of the firewall, but now, after changing the port, it is not showing anything.
  • FQDN2: Same output as FQDN1.
  • Private IP: Same output as the FQDNs.

marafado88
  • Did you use ipv4 or ipv6? – BastianW Mar 16 '17 at 14:28
  • @BastianW I am using IPv4, I will also update this question with more tests that I have done – marafado88 Mar 16 '17 at 14:33
  • Sounds like a question for you to ask the IT department of your company. – Gerald Schneider Mar 16 '17 at 14:39
  • I am the sysadmin of the company. I think that there is something at my ISP blocking access. – marafado88 Mar 16 '17 at 14:49
  • We need more information about your network design. You said you have NAT rules to redirect the traffic to the Exchange server. What exactly are the destination NAT rules you are using? Did you confirm the private IP of your Exchange server is the destination in your NAT rule? Do you have a static public IP address? What are the ACLs on your router for traffic being NAT'd to the Exchange server? Please provide the actual NAT rules and ACLs. – user5870571 Mar 16 '17 at 15:22
  • Don't know if you want the exact rule but it is: public port 443 to server x at private port 443. Yes it is static. I don't have ACLs being used here. Note: I have updated my question with more info. – marafado88 Mar 16 '17 at 15:33

2 Answers

1

The Draytek routers will often use port 443 for their own purposes - either SSL VPN and/or remote management. Go in to the router config, check the ports being used. Even if you aren't using the SSL VPN, change the port (4433 for example). Check you don't have router management from the internet enabled, and change the internal port for router management on HTTPS as well.

Sembee
  • Thanks! Where can I change the port of the SSL VPN? Router management from the internet is disabled. I changed the internal port for router management on HTTPS to 8080 but I'm not sure if I would have to restart it to apply changes; 443 seems offline now but there is no sign of life at 8080. – marafado88 Mar 16 '17 at 17:19
  • This page at Draytek UK explains the issue. http://www.draytek.co.uk/support/guides/kb-forwarding-tcp443 – Sembee Mar 17 '17 at 08:33
  • I don't have that option in my Draytek: http://prntscr.com/el17ha – marafado88 Mar 17 '17 at 10:04
  • Do you have the latest firmware on that router? You can get the latest from ftp.draytek.com. You will need to reboot the router for the port on the management to change - it should have asked you to do that. Drayteks like to reboot for almost any change. – Sembee Mar 17 '17 at 15:01
  • Sorry for the late response but I have changed my router for another one, a pfsense firewall, and this problem still continues =/ – marafado88 Mar 21 '17 at 16:32
  • You need to start looking at DNS, ensure the name resolves where you expect it to. I would also be looking to see if there is another product that has a web service on it that could be getting in the way. – Sembee Mar 22 '17 at 14:29
  • Sembee I think that this could be a conflict between router GUI and my webservice. I have discovered that nginx is installed in my new router, and I think that is related with GUI config. – marafado88 Mar 27 '17 at 08:15
  • That is what I thought was happening with the Draytek. Do you have another router in front of that? Change the port the GUI runs on to something like 4433. Although there is no reason why the router needs to be manageable from the Internet. – Sembee Mar 27 '17 at 14:17
  • No, I just have one. This was a replacement. I don't have the config GUI viewable from WAN for security reasons. I just have access to the GUI with FQDNs when I use those in the same network where I have the server. And that only happens with the FQDN from dyndns; with the other one, in a remote DNS server pointing to this private IP, it redirects only to my webservice =/ – marafado88 Mar 27 '17 at 15:55
0

OWA is served with IIS. I see an nginx error, please check your router redirection.

The 404 error just means that your nginx server does not serve that OWA URL, which is normal, but it means a web server answered you, even if it is the wrong one.

yagmoth555
  • My router is forwarding to 443 for web and exchange port. If it was a bad config on my router I would be unable to connect through the 3/4G network with my smartphone. When I try to connect from those private networks it seems like there is a lot of lag, and sometimes it says it takes too long to open and rarely it shows nginx, which is the provider of my webservice. – marafado88 Mar 16 '17 at 14:58
  • @SipriusPT You land somewhere else, it's a fact; it's an IIS error page you should see, as some routers analyze the URL to redirect to the good webservice/server. A proxy on your side? – yagmoth555 Mar 16 '17 at 15:00
  • There is no proxy in the router. I forgot to say that this uplink to this company (from the carrier is a fiber) is in a subnet (255.255.255.252) with a dedicated IP where there is also in the subnet, the subnet ID, gateway and broadcast. I think that maybe there is a proxy in the gateway of my ISP, but I don't understand if it's possible to block traffic from private networks or even if an ISP would usually do this with dedicated IPs. – marafado88 Mar 16 '17 at 15:24
  • @SipriusPT the nginx server is what by the way ? is it served by the same router nat rule ? – yagmoth555 Mar 16 '17 at 15:41
  • I was thinking that nginx was my webservice but it seems that it's not. I have searched for it and found nothing, even in the terminal using _nginx -h_, and I have even tried _telnet locahost 80_ (http://prntscr.com/ekqeox). Sorry for the bad assumption! This webservice came by default with Exchange, I believe. This installation was not made by me. – marafado88 Mar 16 '17 at 15:55
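
The check that yagmoth555's answer points to (OWA is served by IIS, so an nginx reply on port 443 means some other device answered), written out as an added example that is not part of the original thread. The function names, the sample response heads and the vantage-point labels are all constructed here; the labels follow the three scenarios in UPDATE 5.

```python
import http.client
import socket
import ssl

# Constructed sample response heads (not captured from the poster's network).
IIS_HEAD = "HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/7.0\r\nLocation: /owa/\r\n\r\n"
NGINX_HEAD = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

def classify(raw_head):
    """Name the server software behind a raw response head (None = no reply)."""
    if raw_head is None:
        return "no-answer"
    lines = raw_head.replace("\r\n", "\n").split("\n")
    status = lines[0].split()[1]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    server = headers.get("server", "")
    for product in ("microsoft-iis", "nginx"):
        if product in server:
            return f"{product}:{status}"
    return f"unknown:{status}"

def misrouted(observations):
    """Vantage points whose reply did not come from IIS, where OWA lives."""
    return sorted(where for where, raw in observations.items()
                  if not classify(raw).startswith("microsoft-iis:"))

def probe(host, path="/owa", port=443, timeout=5):
    """Live check: (resolved IP, response head), or (None, None) on failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we inspect who answers,
    ctx.verify_mode = ssl.CERT_NONE  # and send no credentials over this link
    try:
        ip = socket.gethostbyname(host)
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("HEAD", path)
        resp = conn.getresponse()
        conn.close()
    except (OSError, http.client.HTTPException):
        return None, None
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    return ip, head + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())

# Constructed observations laid out like the three scenarios in UPDATE 5.
OBSERVED = {"internet/FQDN1": IIS_HEAD, "internet/FQDN2": IIS_HEAD,
            "lan/FQDN1": IIS_HEAD, "lan/FQDN2": NGINX_HEAD,
            "visitor/FQDN1": None, "visitor/FQDN2": None}
```

Running `probe` for each name from each network and comparing the resolved IP alongside the `Server` header shows whether a name lands on the router's own web GUI or on the forwarded Exchange host.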