Author Topic: OpenChange on HTTPs  (Read 8064 times)

SilkBC

OpenChange on HTTPs
« on: April 10, 2014, 07:20:52 am »
I have Zentyal 3.4 with OpenChange installed.  I cannot seem to access these services using HTTPs.  The Zentyal server is behind a NAT firewall, with a single NIC operating in "WAN" mode, so RPC Proxy is not giving me any errors.

My configuration is as follows:

Domain: zentyal-lan.local
Internal server name: zentyal.zentyal-lan.local
External Server name: zentyal.oc.mydomain.com  (replaced actual domain with "mydomain" for privacy reasons)

If I try to access the OpenChange webmail (https://zentyal.oc.mydomain.com/SOGo), I get a 404 "Page not found error".  I suspect the RPC Proxy is not running in HTTPs mode, because I tried setting up my Outlook 2007 at home (outside of the network I set the Zentyal server up in), and when I try the auto-configuration, it says it cannot make an HTTPs connection.  If I try to manually configure the settings, I get prompted for my user credentials, but it comes back saying my user name could not be resolved to an account on the server.

I am using "zentyal.zentyal-lan.local" as the "Exchange Server", then in the "Outlook Anywhere" or "RPC Settings", I am using "zentyal.oc.mydomain.com" for the server name there.

Any idea/suggestions greatly appreciated.

Thanks! :-)

-SilkBC
« Last Edit: April 21, 2014, 03:00:10 pm by SilkBC »

kwyap

Re: OpenChange on HTTPs
« Reply #1 on: April 21, 2014, 11:58:36 am »
Hi,


I'm not sure the tips listed here will help; I hope you can verify and give feedback:

1. Change the Administration interface TCP port to a custom port; after the change is saved, you have to connect to the custom port in your browser.

2. Go to the Web Server and enable HTTPS.


jbahillo

  • Zentyal Staff
Re: OpenChange on HTTPs
« Reply #2 on: April 21, 2014, 02:35:32 pm »
Have you enabled HTTPS in the openchange section?

obimichael

Re: OpenChange on HTTPs
« Reply #3 on: April 21, 2014, 06:50:17 pm »
Hi!
I always got redirected to the internal hostname. I changed the %hostname% in /usr/share/zentyal/stubs/sogo/zentyal-sogo.mas, line RequestHeader set "x-webobjects-server-url" "https://<% $hostname %>:<% $sslPort %>" with my external hostname, and it worked, after restarting the webserver.
Michael

theb2b

Re: OpenChange on HTTPs
« Reply #4 on: April 23, 2014, 05:46:26 pm »
I'm having the same problem, reading through this post I have a question. How do you enable the option HTTPS in the openchange section, I don't even see this option.

Also my situation may be different than SilkBC, I get the HTTPS login page, but after logging in I get;

https://hostname.domain-name.local/sogo/so/username


obimichael

Re: OpenChange on HTTPs
« Reply #5 on: April 23, 2014, 07:41:14 pm »
Quote from: theb2b on April 23, 2014, 05:46:26 pm
> I'm having the same problem, reading through this post I have a question. How do you enable the option HTTPS in the openchange section, I don't even see this option.
>
> Also my situation may be different than SilkBC, I get the HTTPS login page, but after logging in I get;
>
> https://hostname.domain-name.local/sogo/so/username

You can change the /usr/share/zentyal/stubs/sogo/zentyal-sogo.mas file with the external hostname, as described above, and it will work.
Michael

heupink

Re: OpenChange on HTTPs
« Reply #6 on: April 23, 2014, 09:25:22 pm »
Great, when I'm near my test server, I'll try this out.

Thank you Obi-Michael :-)

theb2b

Re: OpenChange on HTTPs
« Reply #7 on: April 24, 2014, 11:08:43 pm »
Not working for me, still getting https://hostname.domain-name.local

What is the proper way to do this,
 "x-webobjects-server-url" "https://<% myhostname.domain-name.org %>:<% $sslPort %>"
or
 "x-webobjects-server-url" "https://<% myhostname.domain-name %>:<% $sslPort %>"
or
 "x-webobjects-server-url" "https://<% myhostname %>:<% $sslPort %>"

thoughts please.

obimichael

Re: OpenChange on HTTPs
« Reply #8 on: April 25, 2014, 07:57:48 am »
The correct way is

"x-webobjects-server-url" "https://myhostname.domain-name.org:<% $sslPort %>"

because <% xxxx %> is a variable which will be replaced with something.

And do not forget to restart the webserver from the dashboard. If not, the config file will not be replaced.

Michael
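
A quick check for the stub edit discussed in this thread, as an added example that is not part of the original posts: it reads the x-webobjects-server-url line of a stub and reports whether the host is still the template variable, was typed inside a <% %> tag, or is the literal external name. The sample files, function names and status words are constructed here; myhostname.domain-name.org is the placeholder used in the thread.

```sh
#!/bin/sh
# Constructed samples: the stub line as quoted in reply #3, one of the attempts
# from reply #7, and the form given in reply #8. Written to the directory in $1.
write_samples() {
  cat > "$1/shipped.mas" <<'EOF'
RequestHeader set "x-webobjects-server-url" "https://<% $hostname %>:<% $sslPort %>"
EOF
  cat > "$1/attempt.mas" <<'EOF'
RequestHeader set "x-webobjects-server-url" "https://<% myhostname.domain-name.org %>:<% $sslPort %>"
EOF
  cat > "$1/fixed.mas" <<'EOF'
RequestHeader set "x-webobjects-server-url" "https://myhostname.domain-name.org:<% $sslPort %>"
EOF
}

# Classify the x-webobjects-server-url line of a SOGo stub.
# $1 = stub file, $2 = external host name the clients use. Prints one word:
#   ok        literal external host, port still taken from the template
#   variable  host still comes from <% $hostname %> (the internal name)
#   in-tag    host typed inside <% ... %>, where the template treats it as a variable
#   other     header present, but the URL does not start with https://<host>:
#   missing   no such header in the file
check_server_url() {
  line=$(grep -i 'x-webobjects-server-url' "$1" | head -n 1)
  [ -n "$line" ] || { echo missing; return 0; }
  url=${line##*\"https://}            # everything after the scheme
  [ "$url" != "$line" ] || { echo other; return 0; }
  case "$url" in
    '<% $hostname %>'*) echo variable ;;
    '<%'*)              echo in-tag ;;
    "$2":*)             echo ok ;;
    *)                  echo other ;;
  esac
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp" &&
for f in shipped attempt fixed; do
  echo "$f: $(check_server_url "$tmp/$f.mas" myhostname.domain-name.org)"
done
rm -rf "$tmp"
```

On a real server the first argument would be /usr/share/zentyal/stubs/sogo/zentyal-sogo.mas, the file named in the thread.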

SilkBC

Re: OpenChange on HTTPs
« Reply #9 on: April 25, 2014, 10:13:16 am »
Quote from: kwyap on April 21, 2014, 11:58:36 am
> 1. Change the Administration interface TCP port to a custom port; after the change is saved, you have to connect to the custom port in your browser.
>
> 2. Go to the Web Server and enable HTTPS.

After doing the above, I am now able to access the webmail component over both SSL and non-SSL, so thank you for that.  Trying to connect Outlook from outside the network still does not work, however.  Still getting the same error about not being able to resolve my user name to an account on the server.

I did follow the instructions at http://doc.zentyal.org/en/openchange.html.  The only difference between those instructions and what I am doing is that my "Exchange Server" (usually the internal name of the server, in an Exchange environment) and "Exchange Proxy" server (usually the external host name from outside) values are different.  In the official example, it uses the same server name for both (which is actually an internal, non-routable host name, so maybe the doc should be updated?).

In my first post, I indicated the external host name and the internal host name of my server.

I have just confirmed that RPC proxy *is* enabled, and both the "without SSL" and "with SSL" boxes are checked.

The only other thing is I just have the default self-signed certificate on the server; I do not have a "trusted" certificate on there, nor have I enabled the Certificate Authority and generated a certificate from that module.  Do I need to do either of these things, or should I be able to use the default self-signed certificate?

I am able to connect an Outlook client on the same internal network as the server no problem, so I know that fundamentally the server is working; it just seems the RPC proxy is not.

On the Zentyal server, I have also completely disabled the firewall.  Since it is already behind a NAT firewall, I set the "external" rules to allow *all* traffic (i.e., I deleted all the existing rules and have just one that is allowing anything from anywhere), so I do not believe it is a firewall issue.

I hope this helps shed some light?

SilkBC

Re: OpenChange on HTTPs
« Reply #10 on: April 25, 2014, 10:22:55 am »
Hrm, just SSH'd into the Zentyal server looking at the networking on it.  It cannot reach the Internet, and has no default gateway set.  Here is the routing table:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.6    0.0.0.0         255.255.255.0   U     0      0        0 eth0

If I configure the interface as a non-WAN interface, then it gets a default gateway, but I get errors in OpenChange about the RPC not being able to find the host name.  I am wondering if this is part of the problem (or even the problem itself??)

  1. Is there anyone else who has a Zentyal server behind a NAT firewall, and using just a single NIC?
  2. If the answer to #1 above is "yes", can you access the Internet from that box?
« Last Edit: April 25, 2014, 10:34:04 am by SilkBC »

theb2b

Re: OpenChange on HTTPs
« Reply #11 on: April 25, 2014, 02:01:28 pm »
That did it, works like a charm. Not sure why I didn't pick up on that but thanks for the help!

heupink

Re: OpenChange on HTTPs
« Reply #12 on: April 28, 2014, 02:53:53 pm »
Well, the problem I was having, was that the admin web interface was bound to port 443. As soon as I put the admin interface on another port, 443 became available for /SOGo and /webmail etc. It all works now.

SilkBC

Re: OpenChange on HTTPs
« Reply #13 on: May 01, 2014, 08:09:52 am »
OK, so I have made a *bit* of progress, I think.  I blew away my test installation and re-installed, but this time, did not enable the firewall module (I probably could have just disabled the firewall module in my previous installation).  Now I no longer have any issues accessing the Internet from my Zentyal server.  That being said, I did change the name of my server.  The "OpenChange Setup" page now has my Zentyal server as "exchange.oc.mydomain.com", and my "realm" is "MYDOMAIN.LOCAL".

In my Outlook setup, I entered "exchange.oc.mydomain.com" as both the "Microsoft Exchange Server" and as the external server name in the Exchange Proxy (or "Outlook Anywhere") settings.  I have both "HTTP" and "HTTPS" enabled in my OpenChange setup, and I have enabled HTTPS listening port in the web server module.  I changed the port for the webadmin from "443" to "8443".  All ports are accessible from outside, and I can log in to the OpenChange webmail with no issue.

I have created a user, "jsmith", and that is what I put in the "User name" field in the Outlook setup.

When I click "Check Name", I am prompted for a user name and password.  I have tried leaving it as just "jsmith" and entering the account's password, and I have also tried entering "MYDOMAIN\jsmith" as the user name, but each time, Outlook seems to "think" for about 30 seconds or so, then comes back with the following:

Code:
Microsoft Office Outlook
The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action

The host name "exchange.oc.mydomain.com" is resolvable from outside the network (i.e., the host name exists in external DNS)

I am obviously still missing something, but not sure what?  I can connect an Outlook client that is on the same internal network with no problem.  Outlook version is 2007.

Any further advice and/or suggestions appreciated.

-SilkBC
« Last Edit: May 01, 2014, 08:16:06 am by SilkBC »

stickybro

Re: OpenChange on HTTPs
« Reply #14 on: May 05, 2014, 01:45:46 am »
@SilkBC

I am testing Zentyal under Hyper-V in Windows 2012 R2 - after many times reinstalling I have exhausted the possibilities of connecting Outlook Anywhere or Windows Phone 8 to OpenChange. Both of these products connect to an exchange server via RPC Proxy and require a valid SSL certificate meaning NOT self signed. As currently nobody here can answer how to add a valid SSL certificate in build 3.4.2 we are stuck :(

As proof of this outcome you can go to https://testconnectivity.microsoft.com and perform a "Microsoft Office Outlook Connectivity Tests - Outlook Anywhere (RPC over HTTP)" test on your server and see where the connection fails...

in the case of a self-signed certificate:
Code:
Certificate trust is being validated.
  Certificate trust validation failed.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.domain.com.
  A certificate chain couldn't be constructed for the certificate.
  Tell me more about this issue and how to resolve it
 
Additional Details
 
The certificate chain didn't end in a trusted root. Root = CN=mail.domain.com
Elapsed Time: 35 ms.

hope this helps and hope someone else can tell us how to add a valid SSL certificate in the current build :)
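
The analyzer failure quoted above can be reproduced locally with openssl, as an added example that is not part of the original post: it builds a throwaway self-signed certificate and a CA-issued one for the same name, then checks each against the same trust file. The CA name, file names and function names are constructed for the demo; CN=mail.domain.com is the name from the analyzer output.

```sh
#!/bin/sh
# Constructed demo: every key and certificate is a throwaway file in a temp dir.
# CN=mail.domain.com is the name in the analyzer output; "Demo Test CA" is made up.

make_demo_certs() {   # $1 = output directory
  d=$1
  # Self-signed server certificate, like the default one on a fresh install.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=mail.domain.com" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
  # Private root CA, standing in for a root the client already trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Server certificate for the same name, issued by that CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.domain.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# "yes" when subject and issuer are the same name, i.e. the certificate is its
# own root (the analyzer's "Root = CN=mail.domain.com" line); "no" otherwise.
is_self_issued() {    # $1 = certificate (PEM)
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# "trusted" when the certificate chains to a root in the trust file,
# "untrusted" otherwise. $1 = trust anchors (PEM), $2 = certificate (PEM).
chain_status() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# Stand-alone run: compare the two server certificates against the same trust file.
tmp=$(mktemp -d) && make_demo_certs "$tmp" &&
for c in self leaf; do
  echo "$c: self-issued=$(is_self_issued "$tmp/$c.pem")" \
       "chain=$(chain_status "$tmp/ca.pem" "$tmp/$c.pem")"
done
rm -rf "$tmp"
```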