Issue with Ports

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Issue with Ports

Postby Bullfrog » Tue Sep 27, 2016 9:04 pm

I recently upgraded from Zimbra Network Edition 8.6 to 8.7. In doing so, I followed the instructions for installing and configuring the proxy and memcache. Please note that this is a StandAlone installation on a single server. Since the upgrade, I have noticed two problems:

  • From the Administrator Console, when I manage an account and select "View Mail", a new browser tab is opened taking me to: http://example.zimbra.server:8080..... I am accessing the Administrator Console from a secure url, such as https://example.zimbra.server:7071.
  • When attempting to configure a mobile client, the configuration is unsuccessful because when the client hits the mail server (using ActiveSync on an iPad or iPhone), the mobile client then attempts to connect using port 8080.

I clearly have something configured incorrectly, but am unable to identify the problem. Does anyone have any suggestions as to where I have misconfigured my server? I do have an SSL certificate installed, so I do not need/want http port 80 access. I originally configured the server to redirect port 80 traffic to https. Perhaps this is where I made my mistake? Any help is appreciated.

Regards,

Jeremy


User avatar
syslint
Posts: 36
Joined: Wed Feb 24, 2016 7:59 am
Contact:

Re: Issue with Ports

Postby syslint » Thu Sep 29, 2016 2:28 pm

24x7 PROACTIVE ZIMBRA SERVER MANAGEMENT | Sales : sales @ syslint.com | Skype us : SyslintSkype | Call us : (+91) 471-60 - 7799 | visit : https://syslint.com
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Re: Issue with Ports

Postby Bullfrog » Thu Oct 20, 2016 5:30 pm

Thank you for the reply. I have read through the links you provided (many times... :? ) and can not seem to find the problem. Here are a few more details about my setup that may be relevant:

  • Single Server Installation
  • Recently upgraded from 8.6 patch 7 to 8.7
  • Platform: CentOS 6 x64
  • Since this was an existing "standard" single server installation, the upgrade script required me to install proxy and memcached.
  • Following the upgrade instructions, I executed the following commands at the command line on my single server (my only mail server):
    • ./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H zimbra.mydomain.com
    • ./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H zimbra.mydomain.com
    • zmprov ms zimbra.mydomain.com zimbraMailReferMode reverse-proxied

My biggest problem at this point is that I cannot configure any new mobile clients for email access. When they initially contact the Zimbra server for the relevant configurations, the mobile device is getting pointed to port 8080. Do you have any specific suggestions as to which settings are probably incorrect?

Thank you for your assistance!
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Re: Issue with Ports

Postby Bullfrog » Thu Oct 20, 2016 5:43 pm

I should also add that I did issue the following commands as well:

  • zmmailboxdctl restart

And for good measure:

  • zmcontrol restart
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Re: Issue with Ports

Postby Bullfrog » Wed Oct 26, 2016 7:50 pm

I have been doing more digging to see where I have things misconfigured, but still can't find anything. However, I have found the following:

  • I used the Microsoft tool for Autodiscovery. Zimbra is responding to the request by providing the following information:
  • <Url>https://zimbra.mydomain.com:8443/Microsoft-Server-ActiveSync</Url>

So, Zimbra is telling the ActiveSync client to contact the mail server on port 8443. Is that correct?

It does not seem correct to me. My understanding of a Single Server installation of Zimbra 8.7 is that the proxy still listens on ports 80 and 443. Then, the Zimbra mail server internally (locally) contacts the mailstore backend (on the same server) using ports 8080 and 8443. Thus, ports 8080 and 8443 do not need to be opened up to the outside world.

Is my understanding correct? If so, what may be misconfigured that is telling mobile clients and even the Administration Console when using the 'View Mail' option to look to ports 8443 and 8080 respectively?

- Jeremy
NetCircle
Posts: 18
Joined: Sat Sep 13, 2014 12:22 am
Location: Shanghai, P.R.China
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016
Contact:

Re: Issue with Ports

Postby NetCircle » Wed Oct 26, 2016 11:36 pm

You are probably tired of looking at documentation but I recommend you have a look here: https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached. There is good information on how to verify nginx and memcache are listening properly.
With reverse-proxy mode set to "both" you would want to have nginx listening on the standard ports: 80, 443, 143, 993, 110, 995 and the mailbox handler (java) listening on 8080, 8443, 7143, 7993, 7110, 7995. Then, when a client requests a connection on the standard port, nginx would proxy that connection to the port where the mailbox handler is listening.
i.e.:
80 ==> 8080 (http)
443 ==> 8443 (https)
143 ==> 7143 (IMAP)
993 ==> 7993 (IMAPS)
110 ==> 7110 (POP3)
995 ==> 7995 (POP3S)

If you run this command (as the zimbra user) it will return all the pertinent configuration parameters and you can inspect their settings:

Code: Select all

zmprov gs `zmhostname` \
zimbraReverseProxySSLToUpstreamEnabled \
zimbraReverseProxyLookupTarget \
zimbraReverseProxyHttpEnabled \
zimbraMailReferMode \
zimbraMailPort \
zimbraMailProxyPort \
zimbraMailSSLPort  \
zimbraMailSSLProxyPort \
zimbraMailMode \
zimbraReverseProxyMailEnabled \
zimbraReverseProxyMailMode \
zimbraImapBindPort \
zimbraImapProxyBindPort \
zimbraImapSSLBindPort \
zimbraImapSSLProxyBindPort \
zimbraImapCleartextLoginEnabled \
zimbraPop3BindPort \
zimbraPop3ProxyBindPort \
zimbraPop3SSLBindPort \
zimbraPop3SSLProxyBindPort \
zimbraPop3CleartextLoginEnabled \
zimbraAdminPort \
zimbraAdminProxyPort \
zimbraReverseProxyAdminEnabled

If you wish to use https only for the web clients rather than both or redirect, nothing need listen on port 80 or 8080.
In this case zimbraMailMode should be set to either https or both and zimbraReverseProxyMailMode to https.

A client should never even be aware they are being proxied to a different port than the one they requested. Your ActiveSync client client should request connection on port 443 as normal and be transparently proxied to 8443. In any case, if the client is requesting a secure connection it should never be proxied to an unsecure port.

I hope some of this info helps.

Cheers!
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Re: Issue with Ports

Postby Bullfrog » Mon Oct 31, 2016 1:57 am

@NetCircle -

Thank you for the help. I am slowly getting there, troubleshooting one piece at a time. Interestingly, I tested setting up an Exchange ActiveSync account on an Android device, and it worked perfectly. However, it simply will not configure an iOS 10 device (iPad or iPhone). Could this be a problem specific to iOS devices? If so, would it still be an iOS problem or a Zimbra config issue?

-- Jeremy
Bullfrog
Posts: 8
Joined: Tue Sep 27, 2016 8:39 pm

Re: Issue with Ports

Postby Bullfrog » Mon Oct 31, 2016 3:58 am

Interestingly, in the Zimbra Wiki, it appears that the article regarding Autodiscover is providing the same incorrect results I am getting. See here:

https://wiki.zimbra.com/wiki/Autodiscover#The_autodiscover_Log_trace_for_EAS

In the results generated and posted in that wiki article, you can see that Zimbra is generating the Autodiscover results to include port 8443, which is NOT correct. The result in that wiki article is exactly what I am seeing.

Does this indicate there is a problem with the way Zimbra is generating the Autodiscover results incorrectly when the proxy is installed and configured? Apparently, Android is able to overcome this error, because in the account settings on an Android device, the SSL port is identified as 443, but is also editable. However, on iOS, the SSL port is not editable, it uses the SSL port identified in the Autodiscover results, which Zimbra with proxy installed responds with the incorrect port of 8443.

I wonder if this should be reported as a bug?

-- Jeremy

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 13 guests