Exchange 2010 OWA: Getting internal access working...

Hi!  I have set up an Exchange 2010 server with OWA access.  Using TMG and the procedures outlined in the MS Forefront Threat Management Gateway book from MS, I was able to successfully get the external clients authenticating and using OWA.  However, in order to get OWA working externally, I had to change the bindings on the Exchange/OWA default server for port 443 from the default Exchange server (mercury) certificate to the external, validated certificate.  Now when internal clients try to go to the internal OWA address (https://mercury.myserver.local/owa) they get a message that IE "can't display the web page".  I have tried using the IP of the Exchange server and still get the same message.  Internal users can reach it fine if they use the external address that is validated by the certificate binding.  I can fix this problem by switching the bindings back to the internal certificate, but then the external users can't access it.

How can I give access to both the external, and internal users?


Look at link:

You should use a certificate with multiple host names.
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
What's your internal FQDN for OWA? In the EMC go to Server Configuration -> Client Access -> choose the server and go to the OWA and ECP tabs, then configure the internal URL with the internal FQDN of the server. You also need to have a certificate with multiple host names, like davorin said, and include the internal FQDN of the server in the subject alternative names of the certificate. Have you used the New Exchange Certificate GUI in the EMC to issue the certificate? It's very easy.

alex_baird (Author) commented:
I never saw that wizard GV!  I have walked through the process of the certificate request wizard you referred to.  However, I am testing Exchange 2010 out and don't want to go to a paid authority to certify the SAN.  Can I self-certify the request that I generated?


Yes, you can. You can install the certificate authority service on one of your servers, or you can install one of the free CA servers and issue the certificate you need. The (only) drawback would be that you will have to install the CA server certificate and the issued Exchange certificate on all computers that are not part of your domain.
For domain computers it will be enough to install the CA server certificate on the Exchange server or domain controller (as a trusted root CA).
Free and really simple CA server:
alex_baird (Author) commented:
Did not see the certificate wizard!  Thanks for pointing it out!

As a note from someone who has just gone through setting up a new domain (Windows 2008 R2) with Exchange 2010 AND TMG, there are several things that I found would have sped up my new domain/Exchange installation immensely:

For All 2008R2 servers involved:
- Every server should without pause be patched fully before installing any other roles beyond the most basic.
- Make sure that if you are setting up a split domain, you add a forward lookup zone on your DNS server that points to your Exchange server with its external FQDN.
- IF you are using Server 2008 R2 you don't need to disable IPv6 on the servers.  I don't think that disabling it will impede anything, but leaving it on doesn't hurt either.  Don't know if this is true with 2008 servers.

For The Edge Server with TMG:
- If you are going to have your edge server also host TMG, then make sure you install everything in the correct order: Exchange/Edge first, then Forefront Protection for Exchange, then TMG.  Installing out of order can cause a lot of headaches.
- Make sure that you remember to put an Outbound DNS Allow rule on TMG first thing so that your domain has Internet access.
- If you are using dual NICs for the TMG setup (one internal/one external) remember to leave the external NIC DNS empty.  The only DNS entry will be on the internal NIC pointed to your DC (or wherever you have DNS set up).  Also, make sure that the gateway entry for the internal NIC is empty, not just  This will cause you issues during TMG setup if it isn't empty.
- Remember to install the appropriate certificates on the TMG server if you intend to give access to OWA, ActiveSync, etc.  The certificate is the one that you will export from the Exchange CAS/Hub server after you have gone through the New Exchange Certificate wizard on that server.  The certificate needs to be installed in both the local computer's "Personal" and "Trusted Root Certification Authorities" stores to work for TMG.
- Turn off the "externally secured" checkbox under the Advanced tab in the Listener for the "Internal_Mail_Servers" Properties under SMTP Routes in TMG.  Make sure that TLS, Basic and Exchange Server authentication are checked.  I couldn't get any email in or out of my system till this was unchecked.
- Make sure that your OWA on the CAS/Hub is not being authenticated with forms.  You are using forms authentication at the TMG and you can't have it active on both.
- When you set up your Exchange Web Client Access rules for OWA, ActiveSync and Outlook Anywhere, your "To" tab should have the FQDN of your external site in both the "This rule applies to this published site" AND the "Computer name or IP address" boxes.  You set up your internal DNS previously to look for that FQDN on your Exchange CAS/Hub, so it will point to the internal server.
- Set up the ActiveSync, OWA and Outlook Anywhere authentication method as Basic.
- Don't forget to set up an edge subscription using the TMG wizard on the "E-Mail Policy" section of TMG.  Copy the resulting XML to the CAS/Hub AFTER you have set up your Exchange certificate using the New Exchange Certificate wizard and assigned services to it.
- Use the MS Exchange test site to troubleshoot your setup:
- Install rollups for Exchange using ONLY an elevated command line.  Rollups take forever when they are "building net assemblies".  Just be patient.  You can hurry up the install by disabling the check for certificate revocation, but I would advise not doing that.
- For the edge transport to work, BOTH the edge and the Hub/CAS need to have the same rollups installed.

For the Exchange Hub/CAS server
- Make sure that you have installed all the prerequisite roles and services needed for the CAS/Hub.  This is outlined here:
- Go through the New Exchange Certificate wizard immediately.  Here is a good overview of the wizard:
- When you are adding the extra CNs to the certificate, make sure that you include your FQDNs for the internal and external names.  Remember to put your autodiscovers in there too.
- If you want to get up and going quickly, install a Certificate Authority locally and use that to fulfill the request file that you generate from the New Exchange Certificate wizard.  I installed the MS CA on my DC and used that.  It worked fine.
- Remember to assign the proper services to the certificate, including SMTP, web, IMAP, etc.
- Don't delete your old Exchange certificate on the Hub/CAS.
- Make sure that you use the Exchange PowerShell to start the edge synchronization after you have installed the edge subscription from the edge server.

Hope this helps!
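As an added example (not posted by anyone in this thread), the Exchange 2010 Management Shell equivalent of the advice in Antonio Vargas's answer and in the checklist above: one SAN request that carries both the internal and external FQDNs, the OWA/ECP URL split, forms authentication left off on the CAS because TMG does it, and a check that the certificate holding the IIS service really covers every configured URL host. The server name MERCURY and mercury.myserver.local come from the question; mail.example.com, autodiscover.example.com, the organisation fields and the C:\certs paths are assumed placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell on the CAS/Hub.
# Assumed names: mail.example.com / autodiscover.example.com (external), C:\certs (request/cert files).
$Internal = 'mercury.myserver.local'
$External = 'mail.example.com'
$Auto     = 'autodiscover.example.com'
$Srv      = 'MERCURY'

# 1. One request whose SAN list holds every name clients will type; the CN alone is not enough.
$Req = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=$External,o=Example,c=US" -DomainName $External,$Auto,$Internal `
    -FriendlyName 'Exchange 2010 SAN'
Set-Content -Path 'C:\certs\exchange.req' -Value $Req
# Submit exchange.req to your CA (a local AD CS is fine for a lab; its root must be trusted by
# the clients and by TMG), save the issued certificate as C:\certs\exchange.cer, then continue.

# 2. Import the issued certificate and bind it to IIS (OWA/ECP/EAS/OA) and SMTP.
#    The old self-signed certificate is left in place, as the checklist recommends.
$Cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services 'IIS,SMTP'

# 3. Internal URL = internal FQDN, external URL = published FQDN. Forms auth stays off on the
#    CAS because the TMG listener performs forms authentication in front of it.
Set-OwaVirtualDirectory -Identity "$Srv\owa (Default Web Site)" `
    -InternalUrl "https://$Internal/owa" -ExternalUrl "https://$External/owa" `
    -FormsAuthentication $false -BasicAuthentication $true
Set-EcpVirtualDirectory -Identity "$Srv\ecp (Default Web Site)" `
    -InternalUrl "https://$Internal/ecp" -ExternalUrl "https://$External/ecp"

# 4. Verify: every host in an OWA/ECP URL must appear in CertificateDomains of the certificate
#    that owns the IIS service; any host listed as MISSING reproduces the "can't display" error.
$Iis   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$San   = @($Iis.CertificateDomains | ForEach-Object { "$_".ToLower() })
$Hosts = @(Get-OwaVirtualDirectory -Server $Srv; Get-EcpVirtualDirectory -Server $Srv) |
    ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
    Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique
foreach ($h in $Hosts) {
    $state = if ($San -contains $h) { 'covered' } else { 'MISSING from SAN' }
    '{0,-32} {1}' -f $h, $state
}
```

Run an iisreset after step 3 so the authentication change takes effect before re-testing from an internal client.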
