Mandev23

asked on

Public folder replication not working on Exchange 2007?

I believe the reason I am still getting the (0x8004010F) (OAB error) is because public folder replication is not working on the Exchange server. Below is the error I get when I click on Update on OAB Version 2 in the Public Folder Management Console; how can I troubleshoot this?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Update Content' could not be performed on object 'OAB Version 2'.

OAB Version 2
Failed
Error:
Cannot start content replication against public folder '\NON_IPM_SUBTREE\OFFLINE ADDRESS BOOK\/o=ROM Group Limited/cn=addrlists/cn=oabs/cn=Address book\OAB Version 2' on public folder database 'APPLE\Public Folders\Public Folder Database'.

MapiExceptionNoReplicaAvailable: StartContentReplication failed. (hr=0x80004005, ec=1129)
Diagnostic context:
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 31229   Error: 0x0
    Lid: 21970   StoreEc: 0x8004010F PropTag: 0x66980102
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 1267    StoreEc: 0x469    
    Lid: 19865   StoreEc: 0x469    
    Lid: 27225   StoreEc: 0x469    
    Lid: 1750    ---- Remote Context End ----
    Lid: 26322   StoreEc: 0x469    




--------------------------------------------------------
OK
--------------------------------------------------------
ilantz

Are you using Outlook 2003 or older?
You could try to reconfigure the OAB generation on the server and see if it works..

Are you replicating the OAB from a 2003 server?
Mandev23 (asker)

I am using both Outlook 2003 and 2007... but Exchange Server 2007.

How do I reconfigure OAB generation..?

- I think this is the problem, and the reason why I am getting the offline address book error (0x8004010F).
Do I need to do anything with the command shell output below? - internal/external URLs

[PS] C:\Documents and Settings\bossman\Desktop>Get-autodiscovervirtualdirectory |fl


Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://apple.romgroup.com/W3SVC/1/ROOT/Autodiscover
Path                          : D:\Exchange\ClientAccess\Autodiscover
Server                        : APPLE
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=APPLE,CN=Servers,C
                                N=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN
                                =ROM Group Limited,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=romg
                                roup,DC=com
Identity                      : APPLE\Autodiscover (Default Web Site)
Guid                          : 9287ac26-8d92-47b4-ac2f-15dbd64a5266
ObjectCategory                : romgroup.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 20/06/2008 20:33:30
WhenCreated                   : 20/06/2008 20:33:22
OriginatingServer             : plane.romgroup.com
IsValid                       : True
;) Don't mix up the issues...
If you need Autodiscover help I will be more than happy to assist!

Test Outlook 2003 first.

EWS will be easy to set up once you're sure the base configuration works.. keep us posted.
** To reconfigure the OAB, under Organization, check the Offline Address Book tab to see which server does generation.
ilantz
I just thought Autodiscover might be related to OAB.

Can we test with Outlook 2007 please? I'm using Outlook 2007.

Our Exchange server name is apple. Apple is doing the offline address book generation under Organization...
Is your OAB enabled for web generation?
Yes it is enabled; public folder replication is also ticked...

For Outlook 2003 and later (version 3/4) - we are using a global address list in Outlook...
You can check https://www.experts-exchange.com/questions/23488191/Free-Busy-Info-and-OAB.html
It has quite a lot of steps that you can check.
Hi rakeshmiglani

I have followed the link below and set the diagnostic logging to 'expert', and typed in Update-OfflineAddressBook -Identity "Default Offline Address List", with no errors, but Outlook clients still fail to download the OAB with error 0x8004010F when configuring cached mode...??

http://blogs.msdn.com/dgoldman/archive/2007/05/09/after-installing-an-exchange-2007-server-in-to-a-mixed-site-the-oab-generation-fails-with-error-9342-and-outlook-clients-fail-to-download-the-oab-with-error-0x8004010f.aspx

I'm still sure it is to do with the error originally stated when opening the question (above). How else can this be rectified...? - I get the 0x8004010F error when configuring Outlook in cached mode/offline mode.
Online mode doesn't download the OAB.. it doesn't need it ;)
As for the Outlook 2007 issues, as I said, it's a different topic.
One thing you might try is to re-select the offline address book when viewing the properties of the respective user's database..


Please confirm that in Outlook 2003 the behavior is the same.
ilantz

Online mode is fine; it's only when I configure cache mode that users experience this Outlook 0x8004010F error. As far as I am aware it is happening for Outlook 2007 users.

As originally posted, please can you guide me on solving the public folder error, as I believe it is the reason why users are getting this Outlook OAB error..?

OK, so as I see it it's just a matter of a few cmdlets..
I'll keep it simple, and leave you to read on how it works :)
http://technet.microsoft.com/en-us/library/bb332063.aspx

If you have configured a single CAS that is facing the internet (with no ISA 2006) you have probably already created a certificate that matches your owa.domain.com address.

I found the following to be the simplest method to fix it, and here are the commands.
One guideline - all clients must resolve webmail.lab.com and be able to authenticate; NTLM is "nicer" for the LAN experience..

Hope it works.

1. Change the SCP in Active Directory:
Set-ClientAccessServer -Identity ex2k7 -AutoDiscoverServiceInternalUri https://webmail.lab.com/autodiscover/autodiscover.xml

2. Configure the OAB external URL:
Set-OABVirtualDirectory -Identity "ex2k7\OAB (Default Web Site)" -ExternalUrl https://webmail.lab.com/OAB -InternalUrl https://webmail.lab.com/OAB -RequireSSL:$true

3. Configure the EWS external URL:
Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -ExternalUrl https://webmail.lab.com/EWS/Exchange.asmx -InternalUrl https://webmail.lab.com/EWS/Exchange.asmx


ilantz

You want me to change the internal/external URLs for the above directories to point to the external CAS address? Will this not cause Autodiscover issues for internal users? - I guess I firstly need a SAN cert which authenticates to the addresses below?

Our internal OWA address: https://apple.romgroup.com/owa
Our external OWA address: https://apple.romgroup.co.uk/owa
Well, as I said, Autodiscover issues are something else :)

I assumed you use a single all-in-one server; do you?
Do you use ISA 2006 to publish the Exchange? Or are you using NAT on an external firewall to publish your Exchange to the internet?

As for the URLs, do you use a "split DNS" configuration? Do you hold the romgroup.co.uk zone in your internal DNS (even if it's not published to the internet)?
** If you do use a SAN cert, then we should do something else..
I'm using the single CN cert example...
Hi

Yes, we are using an all-in-one server with all the roles. We don't use ISA; we are using IIS 6.0. I have NAT'd the Exchange server's public IP address, and had it pointed to https://apple.romgroup.co.uk/owa, for OWA access. I would have liked to use apple.romgroup.com but we didn't own the domain.

I have a zone in Windows DNS for romgroup.com and another for rom.co.uk; shall I create a zone for romgroup.co.uk..?

Thanks for your help; I hope we can sort this. I will continue to check this forum today.
Yes, and create all the relevant records you have on the domain in the "real world",
that is, your www and any other server you have outside of the LAN.

When you create the A records, create them using the LAN IP, so that clients will not go through the firewall.
This will allow you to use the same name inside/outside the LAN.

Then the suggestion I explained will work :)
Have fun
If you can tell me how to point our internal/external users to apple.romgroup.com/owa (or a similar website), that would be ideal? And if it makes this process easier... then maybe we can use a single cert (CN)..?

Just as a note, we don't configure our public DNS; a 3rd party company does that for us...
Shall I change the URLs for the three virtual directories as stated first...?

As soon as you create the DNS zone, yes.
Then test from an Outlook 2007 client.
What entry shall I include in this DNS zone for romgroup.co.uk....?



Thanks
Just to confirm:

1. In the romgroup.co.uk zone I need to create a new alias for 'www' and point it to Exchange's internal IP address?
2. What A records or other records do I need?
3. Then point the URLs for the virtual directories above to the external OWA address

My concern is that the certificate on the server is pointing to the server's FQDN? I'm going to need another certificate... the reason I ask is I'm still confused on how to use 1 OWA website for both internal and external...

Apologies, I don't know much about DNS
"create all the relevant records you have on the domain in the "real world"
that is , your www, any other server you have outside of lan."

By that I meant the following example:
nslookup www.romgroup.co.uk = 81.3.74.50
This should happen now, and the answer is non-authoritative. That means your DC does NOT hold the zone, and it performed a recursive lookup and got it from the "real DNS" that holds it.. probably your ISP.

By creating the romgroup.co.uk zone in your DNS, your DC will hold the zone, and by that will be authoritative. That means that asking your DC with nslookup www.romgroup.co.uk will result in no answer.
This is why I've asked you to create any relevant records you do hold in the real world in the new zone you created, so clients will continue to resolve www.romgroup.co.uk = 81.3.74.50 within the LAN.

On the other hand, we need to create an A record for webmail so it will point to the INTERNAL IP of the server, and not the external, so we can bypass the firewall and save ourselves trouble.

You should recreate your SSL certificate so the common name will be just webmail.romgroup.co.uk; then all the settings will be valid, within the LAN and outside :)
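Added here as a worked example (not a script from ilantz or the asker): the split-DNS zone and record creation from the post above, together with the three URL cmdlets ilantz gave earlier, as one Exchange Management Shell script, followed by a check that every name Outlook will be handed resolves to the LAN IP and appears on the certificate enabled for IIS. Server name, zone, IPs and DNS server name are assumed values, constructed to match ilantz's lab example.

```powershell
# Added example (not code from the thread): split DNS + single-name CAS URLs for an
# all-in-one Exchange 2007 server, run in the Exchange Management Shell on that server
# with Exchange and DNS admin rights.
# Assumed values, constructed to match ilantz's "webmail.lab.com" example:
$ServerName  = "ex2k7"            # assumed Exchange server name
$PublicName  = "webmail.lab.com"  # assumed single name used inside and outside the LAN
$PublicZone  = "lab.com"          # assumed public zone that the internal DNS will now hold
$LanIp       = "10.0.0.10"        # assumed LAN IP of the server (NOT the firewall NAT address)
$DnsServer   = "dc1"              # assumed internal DNS server (the DC)
$WwwPublicIp = "81.3.74.50"       # the "real world" www record from the thread, recreated internally

# 1. Split DNS. Once the DC is authoritative for the zone it no longer forwards lookups for it,
#    so every public record (www, ...) must be recreated here or LAN clients lose it.
dnscmd $DnsServer /ZoneAdd $PublicZone /DsPrimary
dnscmd $DnsServer /RecordAdd $PublicZone www     A $WwwPublicIp
dnscmd $DnsServer /RecordAdd $PublicZone webmail A $LanIp

# 2. Autodiscover SCP, OAB and EWS on the same HTTPS name, inside and out.
$Base = "https://$PublicName"
Set-ClientAccessServer -Identity $ServerName `
    -AutoDiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"
Set-OABVirtualDirectory -Identity "$ServerName\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB" -RequireSSL:$true
Set-WebServicesVirtualDirectory -Identity "$ServerName\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
iisreset

# 3. Verify. Each host name Outlook is handed by Autodiscover must resolve to the LAN IP
#    and be covered by the certificate enabled for IIS; a miss on either produces the
#    symptoms in the thread (name-mismatch alert, send/receive stuck, 0x8004010F on the OAB).
function Test-CasNames {
    $urls = @(
        (Get-ClientAccessServer -Identity $ServerName).AutoDiscoverServiceInternalUri
        (Get-OABVirtualDirectory -Server $ServerName).InternalUrl
        (Get-OABVirtualDirectory -Server $ServerName).ExternalUrl
        (Get-WebServicesVirtualDirectory -Server $ServerName).InternalUrl
        (Get-WebServicesVirtualDirectory -Server $ServerName).ExternalUrl
    )
    $hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique

    # Subject/SAN names on the certificate(s) currently enabled for the IIS service
    $certNames = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match "IIS" } |
        ForEach-Object { $_.CertificateDomains }

    foreach ($h in $hosts) {
        $addrs = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        "{0,-32} resolves to LAN IP: {1,-5} on IIS cert: {2}" -f `
            $h, ($addrs -contains $LanIp), ($certNames -contains $h)
    }
}
Test-CasNames
```

Any line reporting False in either column is the name to fix first: a False in the first column means a client on the LAN is being sent to the NAT address, a False in the second is the certificate name-mismatch alert.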
Hi ilantz

Thanks for the response. We don't hold any records in our Windows DNS for the real world; it is just an internal DNS and has nothing to do with the outside world. An external company hosts our website, e.g. www.rom.co.uk..

I have created an A record for romgroup.co.uk which points internally to 200.200.100.112 (Exchange).

You mentioned changing the cert on the server, but I thought the cert on the server had to match the FQDN of the server?
ilantz

I haven't changed the URLs for the virtual directories yet. So far I have created the romgroup.co.uk internal DNS zone and added an A record for romgroup.co.uk which points to the internal IP of Exchange; is this correct?

If anything needs to be added in the public DNS, please let me know...

What is the next step in solving this..? Are we going to continue to have two URLs for OWA, 1 for internal and another for external, then...
You won't have 2 URLs; that's the fun of split DNS.

Please read again my last comment regarding any records.
If you did create the zone internally, then I guess you cannot access www.romgroup.co.uk :) If you do access it, I guess you understood.

Execute the cmdlets I wrote before for the change of URLs.
Run iisreset after you finish.

You'll be good to go.
ilantz

www.romgroup.co.uk is accessible, but it goes directly to one part of our company website... how do I get it to reach OWA...?

We seem to have two issues: 1. OWA access via one URL; 2. Public folder replication issue.

I'm getting confused on what we are trying to accomplish. I previously pointed the URLs for the virtual directories you stated to the external address, but public folder replication was still not working.... I get the same error on the server....? I don't get any errors in the event viewer when the OAB is generated, but the replication is not working.... I still believe this is the reason I am still getting the (0x8004010F) (OAB error)
Office 2007 works via web services when Exchange 2007 is used.
By that you must ensure the OAB is available with HTTPS, not public folders.

That's the real problem.
The number 2 error is happening because the 2007 server doesn't hold a replica of the OAB Version 2 folder..
You could try to fix it, but it's not a must..

Try to see that you receive valid data in the Autodiscover response by holding CTRL, right-clicking on the taskbar Outlook icon, and clicking "Test E-mail AutoConfiguration".

As far as I see it you only have an issue with the web services of Exchange 2007.

All the best.
ilantz
Thanks for the clarification; I thought error number 2 was directly related to this OAB error. I read on the web that one of the reasons it doesn't work is to do with local replicas on the server not working... but as you said I can concentrate on the HTTPS side of things....

Going back to the virtual directory URL changes, I have the internal/external URLs pointing to the external OWA address (https://apple.romgroup.co.uk) - successful.

1. However, when I change the clientaccessserver AutoDiscoverServiceInternalUri to point to the external address, Outlook 2007 clients get a security alert saying the name of the cert does not match...? Does this mean I need some kind of SAN cert which supports both domain names (FQDN of server, apple.romgroup.com, and apple.romgroup.co.uk).....?

2. Test E-mail AutoConfiguration while on the network seems to give me a response.. (see attached)



test-emailconfig2.doc
You should make sure that every URL you see there is https://apple.romgroup.co.uk; I see that the internal OAB address is incorrect.

Besides that, you could recreate the certificate to be a single-name CN: apple.romgroup.co.uk; you'll be good.

* Make sure you run all the commands I wrote back up..
ilantz

URGENT - After changing the internal URLs to point externally, Outlook clients could no longer successfully complete a send/receive..? I had to change the internal URLs (for OAB/web services) to point back to the internal server name; the send/receive kept hanging around 50-60%..?

As with the previous post, the URL for the clientaccessserver I haven't changed at the moment because of the security alerts Outlook clients were facing...

????
ilantz

When I pointed the internal URL for the OAB, Outlook clients got the (0x8004010F) internally; this I think is because apple.romgroup.co.uk is not accessible inside the network as it is a NAT'd address, so it won't find it... I've had to change it back to point to the FQDN of the server...

?
ilantz

See attached for details from the Exchange Management Console. I believe the cert needs to be pointing to the server name, not apple.romgroup.co.uk - therefore I don't think I am supposed to change the cert name to its external name, unless I use a SAN..? Correct me if I'm wrong.

NOT WORKING FOR CACHE USERS:
Changing the internal URLs for OAB and web services was not successful this morning... I FOUND IT WAS NOT WORKING FOR USERS WHO HAVE CACHE MODE/OFFLINE MODE CONFIGURED. Why is this happening?? Bearing in mind I haven't changed the URL for the clientaccessserver AutoDiscoverServiceInternalUri yet because of the security alerts we are getting.... are these internal URLs meant to be pointing to external URLs....??


EMC.doc
"this i think is because apple.romgroup.co.uk is not accessible inside the network as it is a NAT'd address, the it wont find it... i've had to change it back to point to the FQDN of the server..."

This, my friend, is exactly the reason why I've instructed you to create a split DNS configuration.
And you should have created an A record for apple, and filled in the LAN IP of the server.

A single-name certificate and single naming on the server is my best practice for all-in-one.
I'd rather go that way, to keep it simple. All functions work inside/out and with the same URLs.
ilantz

Apologies; in my Windows DNS I have now added an A record in the romgroup.co.uk zone which points to the LAN IP of Exchange... maybe now I can try reverting the URLs to point to apple.romgroup.co.uk and test when I am next in the office...

This still brings me to the question of the cert name on the server, which is currently pointing to the FQDN.. I ran the syntax below in EMC to create a cert with multiple names:

New-ExchangeCertificate -DomainName apple.romgroup.com, apple.romgroup.co.uk, autodiscover.rom.co.uk, autodiscover.rom-tech.co.uk, autodiscover.rfa-tech.co.uk -FriendlyName RomGroup -GenerateRequest:$True -KeySize 1024 -Path c:\romgroup.req -PrivateKeyExportable:$true -SubjectName "c=uk, o=Rom, CN=apple.romgroup.com"

How shall I solve this cert issue? A friend of mine is going to show me how to use 1 URL (FQDN) for OWA internally/externally; maybe then this will be a way forward?


Once DNS has replicated I will test again, after I have changed the URLs for OAB and web services to point externally... I'm reluctant to change the URL destination for the clientaccessserver URL until I'm certain Outlook clients will not get the Autodiscover security alert when they open Outlook 2007... this coincides with the cert name... I just need some advice on what to do with the cert; I know on one hand it needs to match the FQDN of the server and secondly the OWA external address...

?

Would be good to contact you directly via telephone :)
Thanks for all your help so far...
New-ExchangeCertificate -DomainName apple.romgroup.co.uk -FriendlyName RomGroup -GenerateRequest:$True -KeySize 1024 -Path c:\romgroup.req -PrivateKeyExportable:$true

Run this. Single-name certificate. ;)
Then import and enable the services..

No sweat, happy to assist; it's good practice.

P.S. To get the Autodiscover service and web services outside the LAN, create an SRV record in the public DNS with the following info:
host: apple.romgroup.co.uk
protocol: tcp
port: 443

All Outlook 2007 clients should be SP1 updated.. very easy.
I don't have access to our public DNS; a 3rd party company controls our public DNS, but I can get that arranged... when you say outside the LAN, do you mean via VPN?

Before I add the apple.romgroup.co.uk cert: internally users access OWA via https://apple.romgroup.com, so the certificate won't match...? Which brings me to my earlier question of needing syntax for a SAN cert...? Unless there is another way users internally should be accessing OWA (internally https://apple.romgroup.co.uk/owa is NAT'd, therefore not accessible...)
With no VPN, over HTTPS (if you opened your firewall to the server via 443).

You'll have a single URL this way. Clean and simple..
And as I said, apple.romgroup.co.uk should be resolved to the server LAN IP, not the firewall NAT IP it has. That's the whole point.
ilantz

Quick update. I have now configured OWA to point to https://apple.romgroup.com/owa internally and externally with 1 cert in IIS pointing to the FQDN of the server.. I hope this is a positive step... I was able to do this because we now own the romgroup.com domain..

internally: https://apple.romgroup.com/owa >> internal address
externally: https://apple.romgroup.com/owa >> external address (87.86.13.54)

1. Shall I now point the virtual directory URLs all to romgroup.com...? And re-test?



Why can't you stick with the plan?
Let me know how your tests are going, because we've gone over the stages like 5 times already :)
ilantz

As we have been working on this for a while, I just wanted to re-clarify and make you aware: the (0x8004010F) error is only affecting Outlook 2007 clients who are configured to use cache mode.... they experience this error.

The firewall is open on 443.

I am more than happy to stick with your method... I haven't changed anything to affect what we were doing, only another external OWA address.

(ilantz) "..and as i said , apple.romgroup.co.uk , should be resolved to the server LAN ip , not the firewall NAT ip it has. that's the whole point..."

- This doesn't seem to be working still; I have a split Windows DNS with a zone for romgroup.co.uk - an A record for apple.romgroup.co.uk pointing to the Exchange server
- All the virtual directory URLs pointing to apple.romgroup.co.uk
- Cert name is the FQDN of the server

- Outlook 2007 clients still get the OAB error (0x8004010F)

I have tested whilst on the VPN, which is the same as being on the network; I can test in the office on Monday... as I posted earlier I'm worried because for Outlook 2007 clients who were configured to use cache mode, their send/receive status was not completing after changing the URL destinations... maybe the addition of the A record will sort this...

See attached for my IIS directories...
iis.doc
I'm sorry then.. maybe try turning on Outlook logging and check out why it's failing.
All the issues I've met with this problem were solved with URL / cert / NAT-firewall fixes.
Please see attached, which shows details of the virtual directories in the Exchange Management Shell:

I will give you feedback on Monday about this, when I can test in the office like I did Friday. That's when 2007 cache mode users experienced the difficulties with send/receive status, when I changed these URLs.

An immediate result would be if users no longer get the Autodiscover security alert, as all URLs including the clientaccessserver URL are pointing to apple.romgroup.co.uk. I hope the DNS A record change will take effect... I also included an A record for autodiscover which points to the LAN IP.

Doc2.doc
Make sure you use the correct certificate on IIS. Check it with the GUI or PowerShell.
And iisreset after changes.
The certificate in IIS points to its FQDN - apple.romgroup.com
I've never changed it... that's why I was asking if I had to use a SAN, as I'm dealing with two domain names: apple.romgroup.com and apple.romgroup.co.uk....

?
You said OWA from outside is apple.romgroup.co.uk, and the solution is a single CN. It must be apple.romgroup.co.uk.
Internally OWA is accessed via https://apple.romgroup.com/owa; that means if I change the cert to romgroup.co.uk they will get a cert authentication error...

Unless there is another way they can access it...

But correct, externally it is https://apple.romgroup.co.uk/owa

So internal will be the same URL, once you change it.
ilantz

I've mentioned this before: internally https://apple.romgroup.co.uk/owa is not accessible, as it is a NAT'd address and not accessible inside the firewall...
ilantz

RESULT via HTTPS:
Going back to one of your earlier posts about getting it to work using HTTPS, that part seems to work. My Outlook can connect to Exchange via the web; I don't get the (0x8004010F) error. I only have two Autodiscover security alerts, which I believe may be solved when I create the SRV records in the public DNS? This worked when on Exchange I set the internal URLs for OAB/clientaccessserver/web services to the internal address and the external URLs to apple.romgroup.co.uk... so it is recognising apple.romgroup.co.uk as the external URL and pulling the information into Exchange (so this works!!?). This did not work when I set all the URLs to point to apple.romgroup.com or apple.romgroup.co.uk; I had to specifically state different internal/external URLs...

I guess the problem is through the VPN. I have to amend the local hosts file to recognise the Exchange server's IP (200.200.100.112 - apple.romgroup.com), otherwise it cannot resolve and connect to Exchange. I have to amend the hosts file for all servers I want to connect to. Would this hosts file entry have anything to do with it? I don't think it should, because we are on the network and the internal URL is set to apple.romgroup.com - so I shouldn't get any OAB errors....?
Hey, I'm glad something worked at last ;)

I didn't get you fully.
Please confirm each step you've made so I can understand exactly what you've done and not...
The Autodiscover service inside the LAN should be okay once you've run the Set-ClientAccessServer cmdlet with the information I wrote.

IIS reset is a must; don't skip this phase.
Let me know what comes up.
I tested connecting to Exchange via HTTPS (formerly known as RPC over HTTP):

HTTPS
1. - In Outlook went to Tools, Account Settings, More Settings, Connection, clicked on "Connect to Microsoft Exchange using HTTP"; in connection settings entered apple.romgroup.com, ticked the boxes below and selected Basic authentication (see attached). This worked and gave me no errors, other than an Autodiscover alert (autodiscover.rom.co.uk..)... I had no offline address book errors.
- In Exchange Server I set the internal URLs for OAB/web services/clientaccess to point to apple.romgroup.com and the external URLs to apple.romgroup.co.uk... >> this worked...
- I removed any entries in the local hosts file which resembled apple.romgroup.com

VPN
2. On the other hand, I was trying to explain to you how we connect to resources via the VPN. This is done by adding entries to the local hosts file on the computer, so we can connect to mstsc sessions, use Outlook etc. It is through the VPN that I get the (0x8004010F) error. If I do not add the entry apple.romgroup.com 200.200.100.112 in the hosts file, Outlook does not connect through the VPN. I think it is clear the external URL is working, as I didn't get any send/receive errors when connecting via HTTPS (above); the problem is through the VPN...

Are we making some improvement?
HTTPS.doc
Yes!
Good to hear; as I see, you've already managed to get the principle of the CAS config...

You should set Outlook Anywhere to the external OWA address as well, btw.
The Autodiscover alert will be resolved once you configure the SRV record as I wrote (Outlook 2007 SP1).

As for VPN, you should try testing and monitoring your firewall... could be just that.
Follow name resolution as debug, always :)


Good luck!
ilantz

Good to hear from you... do you understand what I wrote? Outlook Anywhere is set to the external address... I will have created the public DNS entries tomorrow...

Just like you said, the VPN cannot resolve IPs > names unless specified in the hosts file...

The firewall is open for all services via the VPN... do you think it is anything to do with local replicas on the server not working? As per my original post...? Because I just can't get rid of this OAB error - I'm desperate to get it sorted....
No, you wrote: "-In outlook went to Tools, Account settings, More settings, connection,clicked on connect to microsoft exchange using http, in connectionsettings entered apple.romgroup.com" :) while all the EWS/OAB is set to .co.uk!

If the clients on the VPN are able to route to the internal IP of the Exchange and use full MAPI, then they should resolve only the .com names.

You can always use the Outlook logging; it really helps! And double-check the connections the client makes with: netstat -ano

I'm sure you'll catch it, and you'll be more than satisfied when you do! hehe, the PowerShell does it to ya.
Good point, I set the EWS/OAB external URLs to point to .co.uk - the cert on the server is .com, bingo! That will explain the reason why I am getting the first security alert 'apple.romgroup.co.uk' when opening Outlook 2007 via HTTPS... I need a SAN cert here to accommodate the .com and .co.uk addresses; I can't have one or the other.... correct?

As for the Autodiscover security alert, which is ('autodiscover.rom.co.uk') - I've already set up a public record which points to Exchange's external IP; is this not right?

How can I make use of Outlook logging? Where is this functionality...

I can't believe how difficult Outlook 2007 is; I've had so many issues with Autodiscover and OAB, which I still haven't resolved properly :-(

I should really focus on getting it working through the VPN; we won't be using it via HTTPS only, the clients will always be connecting through the VPN. I have no Autodiscover alerts via the VPN, just that horrible (0x8004010F) error when setting up cache mode...

Thinking about this logically... when on the VPN, I am on the network, so Outlook will be communicating with Exchange via the .com URL, not .co.uk... so it must be an internal setting in DNS or on Exchange that is not working correctly... what do you think?

I have a romgroup.com zone, in which there is an A record for apple.romgroup.com pointing to the internal IP.... There is a lot of information out there to do with the problem originally posted with this question; I'm thinking it must be to do with the replica on the server not working.... look at the link below: http://msexchangeteam.com/archive/2007/04/19/437902.aspx
Well, if from LAN and outside it works, then only the VPN is the issue; check the rules.

ilantz

Good point, it does work via HTTPS... (when I remove the POP account and the hosts file entry)

I noticed when I use a proxy address in Internet Options, I can't send/receive successfully in Outlook 2007; it hangs between 50-80%.....

What could be preventing the OAB downloading through the VPN? I will re-check the rules, but we don't control the VPN, and the last I spoke with the company, everything was open and accessible. It should be pulling the OAB while on the VPN from https://apple.romgroup.com/oab; remember there is also an entry in the hosts file for apple.romgroup.com which points to the internal IP so we can connect to Exchange....
Can you open the Out of Office Assistant while on the VPN?
If not, it's quite possible that HTTPS is not allowed from the VPN to the LAN.

The send/receive gets stuck because in this process it also checks the OAB, so it gets stuck.. it cannot find it :)
VPN:
I can't access the Out of Office Assistant on the VPN (see attached)... what shall I find out from the company who set up our VPN? The last we spoke, all services were open... has this got anything to do with the section below...

HTTPS:
ilantz, I've been thinking about this. I have to remove the local hosts file entry for apple.romgroup.com > 200.200.100.112, otherwise Outlook does not connect. This is because it is trying to connect to .com via HTTPS, which is pointing to 87.86.13.54, so when I remove the hosts file entry it works. But I get an 'apple.romgroup.co.uk' security alert and an autodiscover.rom.co.uk security alert... which I believe will be solved when I ask to have public records (SRV) for autodiscover and apple.romgroup.co.uk

Shall I create the apple.romgroup.co.uk public DNS record and point it to the external IP?
I already have a public DNS record for autodiscover.rom.co.uk which also points to the external IP, but I still get the security alert; I think this is because the cert on the server is .com, and the clientaccessserver URL is pointing to .com. The clientaccessserver also needs to be pointing to .co.uk and the server needs to authenticate to this...

Correct??
Out-of-hours-via-vpn.doc
Just make sure resolution works. It's too confusing already :)
Sort it simply: inside names and IPs, and outside.

Same naming for inside/out = easy life.
You continue to make it hard on yourself :)
ilantz

Sorry, I was just trying to explain the reason for the hosts file entry.

I have been told there are NO restrictions on the VPN....

I can't get it to work with the same names inside/out; I mentioned this to you before, and as explained there are a number of reasons why. You said to change all URLs to point to .co.uk; below were the results:

1. Cert name error when I change the clientaccess URL to point to .co.uk (.co.uk/.com) - I would need a SAN

2. When I change all the virtual directory URLs to point to .co.uk - Outlook clients cannot successfully send/receive..

3. I think I will have to stick with using the 2 URLs, which I know works... except via the VPN!!!!?
ASKER CERTIFIED SOLUTION
ilantz
Correct, I'm glad we got that cleared; I'm sure the URLs are set correctly...

I think the problem is name resolution? The VPN does not do this unless we fill in the hosts file for the services we want to connect to... we cannot just ping a server; it has to be specified in this file.

I have to remove this entry for Outlook to work via HTTPS... it must have something to do with it...

Is there any other way I can get Outlook to connect via VPN without amending the hosts file? - Am I along the right lines?
If it has full access.. just use MAPI, not Outlook Anywhere :)
ilantz

I THINK IT MIGHT BE SORTED! The VPN policy was set to their DNS; I asked why? I told them we shouldn't have to add everything to the hosts file in order to connect to resources, and I asked them to change the VPN to point to our internal DNS! And it's worked! I don't get the OAB error through the VPN....

I will test further later this evening...... but it seems fine :-)
;) Told ya!
Glad you got it set.

Exchange 2007 rox.
ilantz

My Outlook seems to be working OK, along with a few others. But some are getting a (0x80072F0D) error in Outlook (unknown error)...? when clicking on send/receive...

I've created new profiles and unchecked 'Download offline address book' just in case, from Tools, Send and Receive, Send/Receive Settings, Define Send/Receive Groups..

??
SOLUTION
ilantz

Good to hear from you... installing the cert onto the client PC and turning off the firewall worked, so I'm sure this procedure will work for the rest of the clients. We seem to be sorted.

The next thing I am desperate to get working is syncing Windows Mobile 6 with Exchange. I have posted a question on this, but not had much luck... I'll give you the 500 points you deserve for helping me, thanks a lot.. maybe you could assist with this sync error >> I keep getting "Your account in Microsoft Exchange Server does not have permissions to synchronise with your account..."

I'm on it.
Glad to assist.
ilantz, you were brilliant!!!