Exchange 2010 SP1 – EWS not available externally

After upgrading to Exchange 2010 SP1 over the weekend (I lead an exciting life) – and believing that all was fine – I found this week, while away, that I couldn't set an out-of-office auto-reply while connected via RPC/HTTP.

This was fairly obviously something to do with the Exchange Web Services (EWS) IIS directory not being correctly available externally.

After checking the settings, the first port of call is always the normally great https://www.testexchangeconnectivity.com – unfortunately, this time all I got was a not-too-helpful 403 Forbidden for the availability service.

After some further testing, I found a couple of issues.

I no longer had any test mailboxes internally. When using the PowerShell cmdlet to re-create these mailboxes, “get-mailboxServer | .\new-TestCasConnectivityUser.ps1”, I was getting an error: “CreateTestUser : Mailbox could not be created. Verify that OU ( Users ) exists and that password meets complexity requirements.”

Harrumph. It turned out the issue was the script itself. The script uses the variable $OrganizationalUnit to set the OU the account is created in, and by default the OU name is “Users”. If you have another OU with the same name somewhere in your OU structure, this will cause this issue. I simply edited the script and changed the default value – voila, test accounts created fine.

After that, I could run “test-outlookwebservices” internally, which reported all was fine.

I could access https://owa.domain.com/EWS/Exchange.asmx internally, but not externally…

Some further investigation of permissions found that basic authentication wasn't enabled for the EWS IIS subdirectory on all the servers in my CAS Array – I enabled that, and away it went. (I use FBA with delegation from the TMG reverse proxy to publish.)

I know that installing Exchange 2010 SP1 reset the “require SSL” setting on the CAS IIS settings for the root-level website, as I have a website at that level that needs anonymous auth. As to whether or not Exchange 2010 SP1 also reset the auth methods for the EWS sub-directory, I can't say for sure, but it looks like it. So for those of you who are upgrading, it might be worth having a look at your IIS permissions before the upgrade, in case you need to re-apply some settings.
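
One way to capture the EWS authentication settings before a service pack and spot what changed afterwards, so a reset like the one described above shows up per server across the CAS array. This is an added example, not part of the original post; the baseline path and script name are hypothetical, and it assumes the values reported by Get-WebServicesVirtualDirectory reflect the authentication methods set in IIS.

```powershell
# Added example. Save as Compare-EwsAuth.ps1 (hypothetical name) and run it
# from the Exchange Management Shell:
#   .\Compare-EwsAuth.ps1 -Mode Export    # before installing the service pack
#   .\Compare-EwsAuth.ps1 -Mode Compare   # after installing it
param(
    [ValidateSet('Export', 'Compare')]
    [string]$Mode = 'Export',
    # Hypothetical location for the baseline file
    [string]$BaselinePath = 'C:\Temp\ews-vdir-baseline.csv'
)

# Settings tracked for each EWS virtual directory
$props = 'BasicAuthentication', 'WindowsAuthentication', 'DigestAuthentication', 'ExternalUrl'

# One row per EWS virtual directory on every CAS server in the organization
$current = Get-ClientAccessServer | ForEach-Object {
    Get-WebServicesVirtualDirectory -Server $_.Name
} | Select-Object Server, Name, BasicAuthentication, WindowsAuthentication, DigestAuthentication, ExternalUrl

if ($Mode -eq 'Export') {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Csv -Path $BaselinePath
foreach ($row in $current) {
    # CSV values are strings, so compare everything as strings
    $old = $baseline | Where-Object {
        $_.Server -eq "$($row.Server)" -and $_.Name -eq "$($row.Name)"
    }
    if (-not $old) {
        Write-Warning "No baseline entry for $($row.Server)\$($row.Name)"
        continue
    }
    foreach ($p in $props) {
        if ("$($row.$p)" -ne "$($old.$p)") {
            # Emit one object per changed setting (PowerShell 2.0 compatible)
            New-Object PSObject -Property @{
                Server  = "$($row.Server)"
                VDir    = "$($row.Name)"
                Setting = $p
                Before  = "$($old.$p)"
                After   = "$($row.$p)"
            }
        }
    }
}
```

A changed BasicAuthentication value on one CAS server can then be restored with Set-WebServicesVirtualDirectory -BasicAuthentication $true against that server's EWS virtual directory.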
