Webmail server is currently unavailable (AMS 3->4 migration)

[sjoram]

I finally got around to migrating from AMS3 to AMS4.2.9

I used the import tool to copy the existing instance across. When I tested the same on a different machine a while back, I had an issue where the templates folder was pointing at the AMS3 webmail path, rather than the correct one for AMS4.

I fixed that and had webmail working on the test instance with data copied from AMS3, but in my live instance, I'm getting an error on the webmail login page that the Webmail server is currently unavailable.

I'm trawling through the logs now, but can't see an obvious explanation. I've re-initialised AMS and restarted the NT Service to no avail.

I'll email also in case that is seen sooner, but I thought I'd post to the forum in the interests of anyone else that may run into the same.

[sjoram]

Update on this one - I've identified what's causing the problem, but I don't know if there is any way around it.

I only have one IP address assigned to the server NIC, so in order to run AMS webmail, remote admin and IIS web servers, I run the services on non-standard ports.

However in my firewall, inbound connections from external IPs on standard ports are NATed - i.e.

Public IP 1 Port 443 > Private IP Port 443 (IIS)
Public IP 2 Port 443 > Private IP Port 9443 (AMS Webmail)
Public IP 3 Port 443 > Private IP Port 6443 (AMS Remote Admin)

If I access webmail via Private IP Port 9443 directly, it works as expected. I had no issues with AMS3 operating in this manner, but I know that AMS4 is using an entirely different webmail interface, with different coding.

Remote Admin, using the old code base is absolutely fine.

Any way around this? If not, I will experiment to see I can adjust my network configuration to allow me to run multiple private IPs and bind services accordingly.

[sjoram]

Resolved by adding an additional private IP to the server NIC, binding IIS to the original IP only and AMS webmail to the secondary IP, along with some firewall and NAT changes for external connections.

[EKjellquist]

I normally forward all the cardinal email ports directly from the edge router, but I've found using Apache as a proxy for webmail not only works well from a security standpoint (as AS doesn't support TLS 1.3 and a lot of the newer ciphers yet), but also if you're using a single IP for a number of sites. Granted IIS can do the same, though I'm not as familiar using it in that way. I also use shadow DNS so people with laptops, mobile devices etc get the same presentation on or off-LAN and there's no need to specify the port in the URL for webmail. All that said it did take me awhile to figure it all out years ago, but I've had success with it especially on the PCI Compliance front

[sjoram]

My AMS is only running my own personal email (& partner etc)..tend to use my home network as a bit of lab environment.

So I'm less concerned about compliance issues but obviously still wan to secure as best I can.

I'm using what my vendor refers to as hairpin NAT to redirect non-standard ports internally, though having managed to get the binding working on webmail now, I'll look to do the same with other services, so they can run on standard ports. It's only the Remote Admin that's on non-standard ports internally now, which isn't necessarily a bad thing in and of itself for that interface.

I've read some of your previous posts but haven't yet felt for my setup it was justified in investing that amount of time in it. I may re-consider in future once I've ticked a few other things off the to-do list!