How do I configure IIS/DNS for Outlook Web Access internally and externally?

Hi experts,

I want users to be able to open a web browser and type in "email" for access to OWA while inside the network and to be able to type in "email.domain" when outside the network. This keeps it simple and easy to remember and I hope it can be accomplished.

The actual URL for the OWA site is: https://server.domain/owa

Here is what I've done so far:
I purchased and installed an SSL certificate for common name "email.domain".
I configured IIS HTTP Redirect to https://email.domain.
I configured IIS Default Web Site HTTP Redirect to /owa.
I added an INTERNAL DNS Alias (CNAME) entry that resolves "email" to "server.domain.local".
I added a PUBLIC DNS Host (A) entry that resolves "email.domain" to IP (the external IP address of the IIS server).
In IIS, I configured Site Bindings for the Default Web Site to use the public SSL certificate for "All Unassigned IP Address" and Port 443.

External access works great. It is secure and everything redirects as it is supposed to, but internal access does not work. When I try URL "http://email" I get an error that it is not found. I can use the address "https://email/owa" to access it, but it is not secured. I receive a certificate error "Mismatched Address" because the SSL certificate is valid for the public address, not the private address.

Can someone tell me what I need to do?!

I attached some screenshot images that might help.


If you want the cert to show as valid for your internal users, you'll need to recreate the external DNS records on your internal DNS resolver. Then, modify the mail server's A record to point to the internal IP address. A CNAME record may work, but I've used an A record in the past. You should not re-create the MX record.

If you have any external servers that your internal users access, you'll need to create those records as well. This is because you will effectively be the authoritative server for your external domain (for your internal users, anyway). You can point these records at the external IP addresses (if you don't host them yourself), or the internal ones (if you do host them yourself).

The SSL certificate must match the address in the browser bar, with either the "common name" or the "subject alternative name". You might be able to ask your certificate provider to re-issue your certificate with the internal address ("email") as the subject alternative name, but they may want you to buy a new one...

Alternatively you could do what we usually do, which is to create a split dns setup, so internal and external users both use https://email.domain.

To do that, in the DNS manager simply right-click forward lookup zones, and create a zone email.domain, then create a new host (A) record and leave the name blank and put in the internal IP address of the server.
CoSmismgrAuthor Commented:
Thanks for the quick response. So I need to create a new INTERNAL DNS forward lookup zone and add an A record of the external fqdn?

CoSmismgrAuthor Commented:
Thanks for the response as well mobius, that pretty much answers my last question. I'll go do this and test it.
On your internal server, create a forward lookup zone with the name of the external fqdn (email.domain). Then the A record inside points to the internal IP address.

The result of this is that users inside the network, using your internal DNS server, will query email.domain and will get the internal IP as a result, whilst external users will query external DNS servers and get the external IP address.
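The split-DNS setup described in the two answers above, as an added example that is not from the thread: it creates the single-name zone and apex A record on the internal Windows DNS server with the DnsServer cmdlets, then checks the two views of the name and whether the certificate on 443 actually matches the name users will type. The values email.domain, 10.0.0.2 (internal DNS server), 10.0.0.5 (internal IP of the IIS server) and 8.8.8.8 (an outside resolver) are placeholders, and the zone is assumed to be AD-integrated.

```powershell
# Added example (not the thread's own commands). Placeholder values:
$OwaName     = 'email.domain'   # the public FQDN on the certificate
$InternalDns = '10.0.0.2'       # internal DNS server (needs the DnsServer module)
$InternalIp  = '10.0.0.5'       # internal address of the IIS/OWA server

# 1. A primary zone whose name IS the public FQDN. Only this one name is
#    answered locally; www.domain, MX targets etc. keep resolving externally.
if (-not (Get-DnsServerZone -Name $OwaName -ComputerName $InternalDns -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $OwaName -ReplicationScope 'Domain' -ComputerName $InternalDns
}

# 2. Blank-name (zone apex) A record -> internal IP. '@' is the apex for the
#    DnsServer cmdlets; it is the "leave the name blank" step in DNS Manager.
Add-DnsServerResourceRecordA -ZoneName $OwaName -Name '@' -IPv4Address $InternalIp `
    -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName $InternalDns

# 3. Check the two views: internal resolver -> internal IP, outside resolver -> external IP.
$inside  = (Resolve-DnsName -Name $OwaName -Type A -Server $InternalDns).IPAddress
$outside = (Resolve-DnsName -Name $OwaName -Type A -Server '8.8.8.8').IPAddress
"Internal view: $OwaName -> $inside"
"External view: $OwaName -> $outside"
if ($inside -ne $InternalIp) {
    Write-Warning 'Internal zone not answering yet; flush the client cache (ipconfig /flushdns) and retry.'
}

# 4. Check the certificate on 443 against the name users type. A name mismatch
#    is the "Mismatched Address" error from the question: a cert issued for
#    email.domain passes, one for server.domain.local or bare "email" fails.
$global:TlsErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($InternalIp, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
          { param($s, $c, $chain, $errors) $global:TlsErrors = $errors; $true })
$ssl.AuthenticateAsClient($OwaName)   # SNI/name check is done against $OwaName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
"Certificate subject : $($cert.Subject)"
"Name matches $OwaName : $(($global:TlsErrors -band $mismatch) -eq 0)"
$ssl.Dispose(); $tcp.Dispose()
```

Once the zone answers internally, the old "email" CNAME is no longer needed and internal users use the same https://email.domain URL as external ones, which is what keeps the certificate valid in both places.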
CoSmismgrAuthor Commented:
So far testing does not work, I deleted the CNAME alias for "email" and flushed the dns cache but I am still resolving "email" to the private IP address.

I have to go on a call-out, I'll be back later to work on this again.
Don't forget you will now go to https://email.domain while you are internal as well as external.
CoSmismgrAuthor Commented:
I repaired the network connection, and now it's working great!!

That was a nice feature to learn, and thank you for the quick solution. I can implement that DNS solution with a couple other external/internal applications as well.
CoSmismgrAuthor Commented:
Perfect and fast, thanks again!