
Thread: [SOLVED] Trouble with Web Client Access - from public hotspots

  1. #1
    Join Date
    Oct 2009
    Location
    North Carolina, USA
    Posts
    58
    Rep Power
    6

    [SOLVED] Trouble with Web Client Access - from public hotspots

    Hi All,

    Zimbra is working well sending and receiving mail from inside our network. I am now testing to be sure our outside users of the Web Client can connect and do business from public hotspots. ex. internet cafe. I am having trouble with the web client connecting.

    Example: Connecting from McDonalds - I can ssh in fine, connect using http to the admin console fine, but have trouble connecting with the Web Client even with port 443 and 25 open.

    I have read the other posts on "ports" for zimbra and have the following ports forwarded through our firewall to the zimbra server on our private network:

    SSH 22 (just in case I need it - root access only)
    Postfix 25 (open just for argument sake)
    Postfix 2525 (DynDNS Mail Hop - around the ISP's block)
    HTTP 80
    POP3 110
    IMAP 143
    LDAP 389
    HTTPS 443
    IMAPS w/ SSL 993
    POPS w/ SSL 995
    For Zimbra Admin access 7071

    Any tips on resolving this issue?

    Steve

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by tribear View Post
    Zimbra is working well sending and receiving mail from inside our network. I am now testing to be sure our outside users of the Web Client can connect and do business from public hotspots. ex. internet cafe. I am having trouble with the web client connecting.
    What sort of trouble, exactly, are you having? I assume you have a Split DNS set-up so is your DNS setting on your LAN correct?

    Quote Originally Posted by tribear View Post
    Example: Connecting from McDonalds - I can ssh in fine, connect using http to the admin console fine,
    I hope you mean https on port 7071?
    Quote Originally Posted by tribear View Post
    but have trouble connecting with the Web Client even with port 443 and 25 open.
    Describe the problem.

    Quote Originally Posted by tribear View Post
    I have read the other posts on "ports" for zimbra and have the following ports forwarded through our firewall to the zimbra server on our private network:

    SSH 22 (just in case I need it - root access only)
    Postfix 25 (open just for argument sake)
    Postfix 2525 (DynDNS Mail Hop - around the ISP's block)
    HTTP 80
    POP3 110
    IMAP 143
    LDAP 389
    HTTPS 443
    IMAPS w/ SSL 993
    POPS w/ SSL 995
    For Zimbra Admin access 7071
    This is too many ports (depending on your requirements) but we'll cover that later.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3

    Basically,
    I can connect to my network- (using ssh on port 22 for admin work)
    I can connect with Zimbra Web Admin console - (using port 7071)
    I can not get the Zimbra Desktop client to connect to my server inside/outside my network - we can talk about that later.

    ** I can not connect with Zimbra using Web client from outside my network using port 25 (blocked by ISP) or port 443 - it's just not connecting.

    The other ports are open to test whether various clients can connect to deliver and retrieve mail: eg. Thunderbird Imap or Evolution IMAP etc.
    Ports that are open now:
    pop3 w/o ssl
    imap w/o ssl
    HTTP for normal Web client access
    HTTPS for secure Web client access (if I need it to make it work)
    LDAP - I read it had to be open for client authentication - maybe not.

    So let's focus on the WEB client's problem with connecting from outside the network.
    The Admin console works.... so I am baffled as to why the Web client fails.
    I know port 25 is blocked by isp but 443 should be available for connecting.

    Your thoughts. If you want IM me at "glider7808" no quotes needed.

    Steve

  4. #4
    phoenix is offline Zimbra Consultant & Moderator

    Quote Originally Posted by tribear View Post
    So let's focus on the WEB client's problem with connecting from outside the network.
    The Admin console works.... so I am baffled as to why the Web client fails
    Yes, but what do you mean by 'fails' and what happens? Does it time out, do you see the login page or any other error? Try a telnet from an external address to port 443, if you get no response then I'd suggest you have a firewall problem. If you have port 443 forwarded to the LAN IP of your Zimbra server and it's running in https mode (you've changed that, haven't you?) then you should have no problem connecting. When you connect to your Zimbra server it's either http or https that's available and not both.
    Regards


    Bill



  5. #5
    RE: Trouble with Web Client Access

    Quote Originally Posted by phoenix View Post
    Yes, but what do you mean by 'fails' and what happens? Does it time out, do you see the login page or any other error? Try a telnet from an external address to port 443, if you get no response then I'd suggest you have a firewall problem. If you have port 443 forwarded to the LAN IP of your Zimbra server and it's running in https mode (you've changed that, haven't you?) then you should have no problem connecting. When you connect to your Zimbra server it's either http or https that's available and not both.
    To answer your questions - The other night I never even saw the log in screen for the web client but did get all the way through log in with the Admin console.

    Bill - The https setting change needed for the Web Client was something I did not know needed to be done. I assumed Zimbra would "see" me in ldap and allow the connection through the appropriate port (of course port 25 was blocked). So that failed completely and 443 was not working because I had not made the https change you suggested.

    So, I made the change and will go to the field and test it today.

    For today's test - the only ports open will be:
    2525 - dyndns mail hop (Relay MTA for external delivery)
    443 - Web Mail Client
    143 - IMAP Mail Client

    I'll have an update after the field test.

    Steven

  6. #6
    RE: Trouble with Web Client Access

    Bill,

    After testing today I still can not connect from outside on port 443 using the Web Client or Telnet to it either. I can telnet to standard ports 110, 143 & 2525 (used by dyndns mail hop). I checked - 443 is open on first firewall (port forwarded) to internal router to the zimbra mail server just like the others.

    I was curious to see what kind of changes happened at the MTA after running the https command to setup 443 for web client and looked at the Postfix Master.cf.ini and noticed one change that I don't understand. Postfix should be listening on 2525 for DynDns and nothing else - except maybe 443? and saw a line for port 465?
    What is that about?

    So I added 443 and still could not telnet to it; I must be missing something simple?

    This is a snip from the config concerning smtpd:
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - n - - smtpd
    2525 inet n - n - - smtpd
    465 inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    submission inet n - n - - smtpd
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%


    Steve
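
The master.cf question in the post above can be checked mechanically. The following is an added example, not part of the thread or of Zimbra: it parses the quoted entries (embedded as a constructed sample) and splits the forwarded ports from the first post into Postfix listeners and ports that belong to other services. The `SERVICE_PORTS` table and the function names are assumptions of the example.

```python
# Constructed sample: the smtpd entries quoted in the post, template values kept.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
2525      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
"""
# Ports forwarded at the firewall, as listed in the first post.
FORWARDED = [22, 25, 2525, 80, 110, 143, 389, 443, 993, 995, 7071]
# Assumption: symbolic names resolved from this small table, not /etc/services.
SERVICE_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}


def inet_listeners(text):
    """Map TCP port -> (command, {option: value}) for every inet service."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += line.split()   # leading whitespace continues the entry
        else:
            entries.append(line.split())
    listeners = {}
    for fields in entries:
        if len(fields) < 8 or fields[1] != "inet":
            continue
        name = fields[0].rsplit(":", 1)[-1]          # drop an optional host: prefix
        port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
        args = fields[8:]
        opts = dict(a.split("=", 1) for flag, a in zip(args, args[1:])
                    if flag == "-o" and "=" in a)
        if port is not None:
            listeners[port] = (fields[7], opts)
    return listeners


def audit(text, forwarded):
    """Split the forwarded ports into Postfix listeners and everything else."""
    ports = inet_listeners(text)
    return {"postfix": sorted(p for p in forwarded if p in ports),
            "other_service": sorted(p for p in forwarded if p not in ports),
            "not_forwarded": sorted(p for p in ports if p not in forwarded)}


if __name__ == "__main__":
    print(audit(MASTER_CF, FORWARDED))
```

Port 443 lands in `other_service`: no `master.cf` entry covers it, because the web client is served by the mailbox server's web server rather than by Postfix.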

  7. #7
    phoenix is offline Zimbra Consultant & Moderator

    When you changed the mode to https, did you restart zimbra? Can you telnet to port 443 and reach it via a browser from inside your LAN?

    Port 465 in the configuration file is for the Submission port, that's the correct port that a 'fat client' should use to submit mail for relaying/delivery and not port 25. The use of Port 465 has been deprecated and Port 587 is the correct port to use, this is automatically set in Zimbra 6.x but needs to be added in prior versions.

    Quote Originally Posted by tribear View Post
    I checked - 443 is open on first firewall (port forwarded) to internal router to the zimbra mail server just like the others.
    What are you using for your Firewall (IPTABLES or some other device)? Is there anything else between the firewall and your Zimbra server? All I can suggest is that the firewall is blocking the connection or you have SElinux enabled which might be causing this sort of problem (but that would also cause problems for LAN connections).

    Could you update your forum profile with the output of the following (so we know which version you're running):

    Code:
    zmcontrol -v
    Regards


    Bill



  8. #8
    Trouble with Web Client Access - from public hotspots

    Bill,

    Quote Originally Posted by phoenix View Post
    When you changed the mode to https, did you restart zimbra? Can you telnet to port 443 and reach it via a browser from inside your LAN?
    Yes I restarted Zimbra
    "telnet to port 443" NO - tried outside static IP and Internal IP address of server.
    "reach it via a browser from inside your LAN?" YES, Web Client works fine.

    Quote Originally Posted by phoenix View Post
    The use of Port 465 has been deprecated and Port 587 is the correct port to use, this is automatically set in Zimbra 6.x but needs to be added in prior versions.
    Since I am using 6.x should I change this port to 587?

    Quote Originally Posted by phoenix View Post
    What are you using for your Firewall (IPTABLES or some other device)? Is there anything else between the firewall and your Zimbra server?
    IPTables is disabled for this server - I use two hardware routers for security, port forward using my VOIP/Firewall router to my private LAN router to virtual servers on the private LAN. Note: I do have my own DNS running on my private LAN and it is visible from outside. I maintain both external and internal views in my DNS config and the MX resolves fine.

    Quote Originally Posted by phoenix View Post
    - SElinux enabled which might be causing this sort of problem (but that would also cause problems for LAN connections).
    SELinux is set to permissive so I can track issues without killing off access to things it complains about.

    Quote Originally Posted by phoenix View Post
    Could you update your profile
    It has been updated.
    Using 6.0.2_GA_1912.RHEL5_20091020185714 RHEL5 FOSS edition
    Last edited by phoenix; 12-17-2009 at 10:02 AM.

  9. #9
    phoenix is offline Zimbra Consultant & Moderator

    Even running SElinux in permissive mode can cause problems, can you disable it completely (it is recommended not to have it enabled on the Zimbra server) while you're testing this problem?

    If you want to use a Submission port then 587 would be the correct one to use.

    I can only suggest that you check the rules in your routers for port 443 and make sure they're set the same as one of the ports that can be accessed. Let me know what happens when you've disabled SElinux. It also makes no sense that you can access the server via https on the LAN and not telnet to that port.
    Regards


    Bill



  10. #10
    Trouble with Web Client Access - from public hotspots

    Quote Originally Posted by phoenix View Post
    Even running SElinux in permissive mode can cause problems, can you disable it completely (it is recommended not to have it enabled on the Zimbra server) while you're testing this problem?
    OK it is disabled - I rebooted and restarted zimbra.

    Quote Originally Posted by phoenix View Post
    If you want to use a Submission port then 587 would be the correct one to use.
    I will make that later after testing the first change.

    Quote Originally Posted by phoenix View Post
    I can only suggest that you check the rules in your routers for port 443 and make sure they're set the same as one of the ports that can be accessed. Let me know what happens when you've disabled SElinux. It also makes no sense that you can access the server via https on the LAN and not telnet to that port.
    Here are the results of telnet sessions from outside the network to domain static IP:
    port 443 fails and 2525 works fine. Both are open on both routers.

    [root@newbee steven]# telnet xx.xxx.xxx.xx 443
    Trying xx.xxx.xxx.xx...
    Connected to adsl-074-167-251-030.sip.rmo.bellsouth.net (xx.xxx.xxx.xx).
    Escape character is '^]'.
    Connection closed by foreign host.
    [root@newbee steven]# telnet xx.xxx.xxx.xx 2525
    Trying xx.xxx.xxx.xx..
    Connected to adsl-074-167-251-030.sip.rmo.bellsouth.net (xx.xxx.xxx.xx).
    Escape character is '^]'.
    220 mail1.sprague-enterprises.com ESMTP Postfix


    Here are the results of telnet from inside the private network:
    [root@newbee steven]# telnet xx.xxx.xxx.xx 443
    Trying xx.xxx.xxx.xx...
    Connected to mail1.sprague-enterprises.com (xx.xxx.xxx.xx).
    Escape character is '^]'.
    Connection closed by foreign host.
    [root@newbee steven]# telnet xx.xxx.xxx.xx 2525
    Trying xx.xxx.xxx.xx...
    Connected to sprague-enterprises.com (xx.xxx.xxx.xx).
    Escape character is '^]'.
    220 mail1.sprague-enterprises.com ESMTP Postfix


    Suggestions

    Steven
    Last edited by tribear; 12-18-2009 at 07:33 AM. Reason: security
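
The telnet checks in this thread produce several distinct outcomes: no connection, a connection that closes at once, and a connection that returns an SMTP banner. The following is an added example, not part of the thread: a probe that names each outcome, exercised against constructed loopback listeners; `probe` and `demo_listener` are names invented for the example.

```python
import socket
import threading


def probe(host, port, timeout=2.0):
    """Classify a TCP service the way a manual telnet test would reveal it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", b""        # host answered, nothing listens on the port
    except (socket.timeout, TimeoutError):
        return "filtered", b""       # no answer: dropped by a firewall or bad forward
    except OSError:
        return "unreachable", b""
    with sock:
        try:
            data = sock.recv(256)
        except (socket.timeout, TimeoutError):
            return "open-silent", b""    # server waits for the client (HTTP, TLS)
        except ConnectionResetError:
            return "closed", b""
        if not data:
            return "closed", b""         # accepted, then closed by the far end
        return "banner", data.strip()    # server speaks first, e.g. SMTP "220 ..."


def demo_listener(behaviour):
    """Constructed loopback listener for one connection; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
        elif behaviour == "silent":
            threading.Event().wait(1.5)   # hold the connection open, say nothing
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for kind in ("banner", "close", "silent"):
        print(kind, probe("127.0.0.1", demo_listener(kind), timeout=0.5))
```

A `closed` or `open-silent` result means some device accepted the TCP connection, so the next thing to check is which listener answered rather than whether the port is forwarded.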
