Outlook Anywhere in SBS 2008

I am using an SBS 2008-based server and am trying to configure Outlook Anywhere to work outside the LAN. Currently, I have ports 80 and 443 forwarded to the server. I checked to make sure the RPC over HTTP protocol was installed - and it is. I can work with Exchange all day long on the LAN (over TCP/IP), but am still unable to connect from the WAN side. I have configured the Outlook 2003 client on this system to "Connect to my Exchange server using HTTP" and have configured our external IP address (static BTW) as the proxy server in the settings dialog. Does the server have to have a CNAME on our internet domain forwarded to it? Is there something I am missing here?

Alan Hardisty (Co-Owner) Commented:
Have you installed a 3rd Party Trusted SSL certificate?

Microsoft recommend that you do to make this work:

ryan_a-ics (Author) Commented:
I can't even get it to work without SSL (which shouldn't require a cert at all)...

Alan Hardisty (Co-Owner) Commented:
It is designed to work with SSL - if you try to make it work without, you could mess things up.

I would suggest you buy a 3rd party SAN / UCC (multi-name) certificate from somewhere like GoDaddy as they seem to be the cheapest (www.godaddy.com).

Certificate names you will need are:


ryan_a-ics (Author) Commented:
And it is impossible to use a self-signed cert?

Alan Hardisty (Co-Owner) Commented:
I am sure it is not impossible to use a self-certified certificate, but when Microsoft advise you to buy a 3rd party one - there will be a good reason.
$89.99 buys you a GoDaddy cert for a year - which will save you countless certificate installation problems and then problems when renewing the certificate and having to install the renewed self-certified certificate onto all your clients / windows mobile phones if you have any.
I have seen other questions where Self-Certified certs have been installed, but I have never done this and would personally go down the costlier route as I have already been down the cheap route and had many headaches.

Even though in SBS 2008 a Self-Signed Certificate is supported for use with domain-joined Microsoft Office Outlook 2007 clients and Outlook Web Access, I do not recommend long term use of the self-signed certificate for any purpose other than encrypting communications between Exchange 2007 servers within your organization. I recommend that to support many, if not all, of the Client Access server features such as Exchange ActiveSync, Outlook Web Access, and Outlook Anywhere, you obtain a certificate from either a Windows PKI or a trusted third-party CA and make sure that this certificate is imported using the SBS Console SSL Certificate wizard.

When you run the Internet Address Wizard you need to just tell it you already have a domain and you will manage it yourself. This should let the wizard complete and configure Exchange with the proper SMTP addresses. I also never let the wizard configure my router. I'm usually a wizard guy but this is one area I feel more comfortable in setting up the router myself and it usually fails if the router isn't UPnP.

When it asks for your external address I would use the default "domain.com".
Then create a multi-domain certificate from GoDaddy or someone like that. The configuration of the Subject Alternative Names (SAN) would be something like this:


There are others you could use but these are the basics.

You will need to modify your existing external DNS with these records that are externaldomain.com. I prefer to use a wildcard * to redirect everything that is not specified. The wizards will configure the rest for internaldomain.local.

This normally takes care of internal issues and external issues.

I hope this is helpful and if you need further clarification or I have misunderstood something please don't hesitate to elaborate.
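An added example, not part of the original answer: a wildcard DNS record makes every name resolve, but the certificate still has to list each hostname clients connect to. The sketch below checks a certificate's SAN list against the names in use; `whatever.com`, `REQUIRED` and `SAMPLE_SAN` are placeholders constructed for illustration, and the function names are hypothetical.

```python
import socket
import ssl

# Placeholder hostnames (assumed); substitute the names your clients really use.
REQUIRED = ["remote.whatever.com", "autodiscover.whatever.com"]
# Constructed SAN list for the offline demonstration at the bottom.
SAMPLE_SAN = ["remote.whatever.com", "whatever.com"]


def san_covers(pattern, host):
    """True if one dNSName entry from the certificate matches host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # A certificate wildcard stands for exactly one left-most label:
        # *.whatever.com matches remote.whatever.com, but neither
        # whatever.com nor a.b.whatever.com.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def uncovered_names(san_entries, required):
    """Hostnames in `required` that no SAN entry covers."""
    return [h for h in required
            if not any(san_covers(p, h) for p in san_entries)]


def fetch_san_entries(host, port=443, timeout=5.0):
    """Read the DNS SAN entries from the certificate served on host:port.

    Uses the default trust store with hostname checking, so an untrusted
    (for example self-signed) or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning a list.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline run against the constructed list; from a machine outside the
    # LAN, pass fetch_san_entries("<your external name>") instead.
    print("Names missing from certificate:", uncovered_names(SAMPLE_SAN, REQUIRED))
```

Run from outside the LAN, `fetch_san_entries` fails in the same place a client's TLS validation would, which separates a certificate problem from a port-forwarding or DNS problem.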

ryan_a-ics (Author) Commented:
OK - I'll see what I can do to convince my customer that they need a cert.  I figured this would be a pretty cut-and-dried setup, but apparently I was mistaken!  I assume I'll be needing to set up the above listed CNAMEs in my domain DNS?  - ex.  remote.whatever.com, autodiscover.whatever.com    Thanks in advance for your responses!
If you mean your external DNS then follow my comments in the third paragraph from the bottom. Your internal records will be taken care of by the wizard.

ryan_a-ics (Author) Commented:
OK, sounds like a plan.  I'll see what I can do to make this thing work.  Thanks for your input!