HayesJupe's Blog

September 23, 2010

Exchange 2010 SP1 – EWS not available externally

Filed under: Exchange — hayesjupe @ 7:12 am

After upgrading to Exchange 2010 SP1 over the weekend (I lead an exciting life) – and believing that all was fine, I found this week, while away, that I couldn't set an out-of-office auto-reply while connected via RPC/HTTP.

This was fairly obviously something to do with the Exchange Web Services (EWS) IIS directory not being correctly available externally.

After checking the settings – the first port of call is always the normally great https://www.testexchangeconnectivity.com – unfortunately this time all I got was a not-too-helpful 403 Forbidden for the availability service.

After some further testing, I found a couple of issues.

I no longer had any test mailboxes internally. When using the PowerShell cmdlet to re-create these mailboxes, “get-mailboxServer | .\new-TestCasConnectivityUser.ps1”, I was getting an error: “CreateTestUser : Mailbox could not be created. Verify that OU ( Users ) exists and that password meets complexity requirements.”

Hurumph. It turned out the issue was the script itself. The script uses the variable $OrganizationalUnit to set the OU the account is created in and by default, the OU name is “Users”. If you have another OU with the same name in your OU structure somewhere – this will cause this issue. I simply edited the script and changed the default value – voila, test accounts created fine.

After that, I could now run “test-outlookwebservices” internally, which reported all was fine.

I could access https://owa.domain.com/EWS/Exchange.asmx internally, but not externally….

Some further investigation of permissions found that basic authentication wasn't enabled for the EWS IIS subdir on all the servers in my CAS Array – enabled that, away it went. (I use FBA with delegation from the TMG reverse proxy to publish.)

I know that installing Exchange 2010 SP1 reset the “require SSL” on the CAS IIS settings for the root level website…. as I have a website at that level that needs anonymous auth… as to whether or not Exchange 2010 SP1 also reset the auth methods for the EWS sub-dir…. I can't say for sure, but it looks like it. So for those of you that are upgrading, it might be worth having a look at your IIS perms before upgrade, in case you need to re-apply some settings.
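
One way to do that pre-upgrade check, as an added example rather than anything from the original post: a script for the Exchange Management Shell that snapshots the EWS virtual directory authentication settings on every CAS before the service pack and reports what changed afterwards. The script layout, the `$Mode` parameter and the snapshot path are assumptions; the "require SSL" flag on the root website lives in IIS and is not covered here.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010 / PowerShell 2.0).
# Run with -Mode Snapshot before the upgrade, then -Mode Compare after it.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Assumed location for the snapshot file; change to suit.
    [string]$SnapshotPath = 'C:\Temp\ews-auth-before-sp1.xml'
)

# Settings on the EWS virtual directory that decide who can reach it and how.
$props = 'BasicAuthentication', 'WindowsAuthentication', 'DigestAuthentication',
         'InternalUrl', 'ExternalUrl'

function Get-EwsAuthState {
    # One flat object per EWS virtual directory, across every CAS in the org.
    foreach ($cas in Get-ClientAccessServer) {
        foreach ($vdir in Get-WebServicesVirtualDirectory -Server $cas.Name) {
            $state = New-Object PSObject -Property @{ Identity = [string]$vdir.Identity }
            foreach ($p in $props) {
                # Store as strings so values compare cleanly after Import-Clixml.
                $state | Add-Member -MemberType NoteProperty -Name $p -Value ([string]$vdir.$p)
            }
            $state
        }
    }
}

if ($Mode -eq 'Snapshot') {
    Get-EwsAuthState | Export-Clixml -Path $SnapshotPath
    Write-Host "Saved EWS auth settings to $SnapshotPath"
    return
}

# Compare mode: index the saved state by virtual directory identity.
$before = @{}
Import-Clixml -Path $SnapshotPath | ForEach-Object { $before[$_.Identity] = $_ }

foreach ($now in Get-EwsAuthState) {
    $old = $before[$now.Identity]
    if (-not $old) {
        Write-Warning "No snapshot entry for $($now.Identity)"
        continue
    }
    foreach ($p in $props) {
        if ($old.$p -ne $now.$p) {
            Write-Warning ("{0}: {1} was '{2}', now '{3}'" -f $now.Identity, $p, $old.$p, $now.$p)
        }
    }
}
```

Any setting reported as changed can be put back per server with `Set-WebServicesVirtualDirectory`, for example its `-BasicAuthentication $true` parameter for the case described above.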



  1. Thank you so much for this. Enabled Basic authentication and EWS works externally!

    Comment by Tyler — March 1, 2011 @ 7:23 am | Reply

  2. I have it the other way around. I can’t access internally. Any suggestions?

    Comment by Okan Korsal (@IT_Supremacy) — April 30, 2014 @ 2:52 am | Reply

    • test-outlookwebservices is your friend with testing for internal usage mate…. what output do you get from running that command ?

      Comment by hayesjupe — May 1, 2014 @ 8:27 pm | Reply
