  • Status: Solved
How do I configure IIS/DNS for Outlook Web Access internally and externally?

Hi experts,

I want users to be able to open a web browser and type in "email" for access to OWA while inside the network and to be able to type in "email.domain" when outside the network. This keeps it simple and easy to remember and I hope it can be accomplished.

The actual URL for the OWA site is: https://server.domain/owa

Here is what I've done so far:
I purchased and installed an SSL certificate for common name "email.domain".
I configured IIS HTTP Redirect to https://email.domain.
I configured IIS Default Web Site HTTP Redirect to /owa.
I added an INTERNAL DNS Alias (CNAME) entry that resolves "email" to "server.domain.local".
I added a PUBLIC DNS Host (A) entry that resolves "email.domain" to IP 209.1.1.2 (the external IP address of the IIS server).
In IIS, I configured Site Bindings for the Default Web Site to use the public SSL certificate for "All Unassigned IP Address" and Port 443.

External access works great. It is secure and everything redirects as it is supposed to, but internal access does not work. When I try URL "http://email" I get an error that it is not found. I can use the address "https://email/owa" to access it, but it is not secured. I receive a certificate error "Mismatched Address" because the SSL certificate is valid for the public address, not the private address.

Can someone tell me what I need to do?!



I attached some screenshot images that might help.

http-redirect.JPG
warning.JPG
redirect-site.JPG
internal.JPG
Asked by: CoSmismgr

2 Solutions

cgaeden commented:
If you want the cert to show as valid for your internal users, you'll need to recreate the external DNS records on your internal DNS resolver. Then, modify the mail server's A record to point to the internal IP address. A CNAME record may work, but I've used an A record in the past. You should not re-create the MX record.

If you have any external servers that your internal users access, you'll need to create those records as well. This is because you will effectively be the authoritative server for your external domain (for your internal users, anyway). You can point these records at the external IP addresses (if you don't host them yourself), or the internal ones (if you do host them yourself).

mobiusNZ commented:
The SSL certificate must match the address in the browser bar, with either the "common name" or the "subject alternative name". You might be able to ask your certificate provider to re-issue your certificate with the internal address ("email") as the subject alternative name, but they may want you to buy a new one...

Alternatively you could do what we usually do, which is to create a split DNS setup, so internal and external users both use https://email.domain.

To do that, in the DNS manager simply right-click forward lookup zones, and create a zone email.domain, then create a new host (A) record and leave the name blank and put in the internal IP address of the server.

CoSmismgr (author) commented:
Thanks for the quick response. So I need to create a new INTERNAL DNS forward lookup zone and add an A record of the external FQDN?
CoSmismgr (author) commented:
Thanks for the response as well mobius, that pretty much answers my last question. I'll go do this and test it.

mobiusNZ commented:
On your internal server, create a forward lookup zone with the name of the external FQDN (email.domain). Then the A record inside points to the internal IP address.

The result of this is that users inside the network, using your internal DNS server, will query email.domain and will get the internal IP as a result, whilst external users will query external DNS servers and get the external IP address.
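The split-DNS steps mobiusNZ describes, written out as Windows DNS Server PowerShell cmdlets. This is an added example, not code from the thread; it assumes an Active Directory-integrated Windows DNS server, uses the zone name email.domain from the question, and uses 10.0.0.5 as a placeholder for the server's internal IP address.

```powershell
# Added example: split-DNS zone for the OWA hostname on the internal Windows DNS server.
# email.domain is the name from the question; 10.0.0.5 is an assumed placeholder for the
# internal IP address of the IIS/Exchange server. Run on the internal DNS server.

# 1. Create a forward lookup zone named after the external FQDN itself (not the whole
#    public domain), so only this one name is answered differently inside the network.
Add-DnsServerPrimaryZone -Name "email.domain" -ReplicationScope "Domain"

# 2. Add an A record at the zone apex ("@", i.e. a blank name in DNS Manager)
#    pointing at the internal address.
Add-DnsServerResourceRecordA -ZoneName "email.domain" -Name "@" -IPv4Address "10.0.0.5"

# 3. Verify from a domain-joined client that the name now resolves to the internal IP...
Resolve-DnsName -Name "email.domain" -Type A

# ...and that the public answer is unchanged by asking a public resolver directly.
Resolve-DnsName -Name "email.domain" -Type A -Server 8.8.8.8

# 4. Confirm the certificate served on 443 carries the name the browser will use,
#    so internal users no longer get the "Mismatched Address" warning.
$tcp = New-Object System.Net.Sockets.TcpClient("email.domain", 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient("email.domain")
$ssl.RemoteCertificate.Subject   # expect CN=email.domain
$ssl.Dispose(); $tcp.Close()
```

Clients that cached the old answer need `ipconfig /flushdns` before the new zone takes effect.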

CoSmismgr (author) commented:
So far testing does not work. I deleted the CNAME alias for "email" and flushed the DNS cache, but I am still resolving "email" to the private IP address.

I have to go on a call-out, I'll be back later to work on this again.

mobiusNZ commented:
Don't forget you will now go to https://email.domain while you are internal as well as external.

CoSmismgr (author) commented:
I repaired the network connection, and now it's working great!!

That was a nice feature to learn, and thank you for the quick solution. I can implement that DNS solution with a couple other external/internal applications as well.

CoSmismgr (author) commented:
Perfect and fast, thanks again!