kinsja1
asked on
External Outlook 2007 connectivity fails to exchange 2010
Hi,
I have a new setup of exchange 2010 and everything seems to be working fine except I cannot connect external outlook clients. Internally no problem and OWA works everywhere. I have run some tests using www.testexchangeconnectivity.com and the problem area seems to be with the autodiscovery part. This is for a hosting implementation (hopefully!)
Checking Host autodiscover.DOMAIN.com for an HTTP redirect to AutoDiscover
ExRCA failed to get an HTTP redirect response for Autodiscover.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page.
I am using a UCC certificate on the CAS server. This is going to be a hosting solution, so the domains of the clients are not default. I have added an autodiscover A record for the client domain to point to my CAS server.
I have a new setup of exchange 2010 and everything seems to be working fine except I cannot connect external outlook clients. Internally no problem and OWA works everywhere. I have run some tests using www.testexchangeconnectivity.com and the problem area seems to be with the autodiscovery part. This is for a hosting implementation (hopefully!)
Checking Host autodiscover.DOMAIN.com for an HTTP redirect to AutoDiscover
ExRCA failed to get an HTTP redirect response for Autodiscover.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page.
I am using a UCC certificate on the CAS server. This is going to be a hosting solution, so the domains of the clients are not default. I have added an autodiscover A record for the client domain to point to my CAS server.
Sorry I forgot instructions on how to configure Office Outlook 2007- the one client you actually asked for!
Details below:
http://www.it.ubc.ca/email/exchange/setupdocs/rpcoutlook2007.html
Details below:
http://www.it.ubc.ca/email/exchange/setupdocs/rpcoutlook2007.html
ASKER
Hi,
Here's some update to the problem. Frosty555 - the issue isn't related as such to the setup of Outlook anywhere, but more to do with the autodiscover. I might also mention that internal client are OK.
As this is for a hosting implementation, I believe the problem can be solved by setting up a central redirection for the autodiscover. I have seen a couple of articles that describe this for a hosting environment but still cannot get it to work.
http://technet.microsoft.com/en-us/library/ff923256.aspx
On one of my CAS servers I have created a new website for the autodiscover redirection. The server has 2 IP addresses - 1 for public and 1 for NLB (NLB is working fine). Do I need a third IP for this site? I am not really convinced that I've setup the redirection correctly.
When I browse to https://autodiscover.othersmtpdomain.com/autodiscover/autodiscover.xml - I get asked for creditentials. when I manually enter them i get this
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="14:59:06.4928435" Id="238028835">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
testex.png
Here's some update to the problem. Frosty555 - the issue isn't related as such to the setup of Outlook anywhere, but more to do with the autodiscover. I might also mention that internal client are OK.
As this is for a hosting implementation, I believe the problem can be solved by setting up a central redirection for the autodiscover. I have seen a couple of articles that describe this for a hosting environment but still cannot get it to work.
http://technet.microsoft.com/en-us/library/ff923256.aspx
On one of my CAS servers I have created a new website for the autodiscover redirection. The server has 2 IP addresses - 1 for public and 1 for NLB (NLB is working fine). Do I need a third IP for this site? I am not really convinced that I've setup the redirection correctly.
When I browse to https://autodiscover.othersmtpdomain.com/autodiscover/autodiscover.xml - I get asked for creditentials. when I manually enter them i get this
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="14:59:06.4928435" Id="238028835">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
testex.png
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Wow, before I say anything else I would really like to say thanks to the people that make up experts-exchange. The effort people make to help is amazing.
JuusoConnecta - I have almost gotten there, with only a very small couple of issues.
Do you have several cas servers in your exchange infrastructure ?
#YES, I have a CAS array and these are load balanced using MS NLB.
For load balancing the cas servers and then have one public ip and one ip against the NLB ? (sorry didnt quiet understand this bit)
#All I was trying to say there was that I was using a private heartbeat network for the NLB component. This is working OK I believe at this stage.
Also
When you say OA is not working, Do you mean that they cannot resolved the hostname, cannot resolve the username, you keep on getting authentication window ?
# OA externally was previously not connecting at all to my mail servers.
Pointing out a few points where issue may be:
1. When you installed your exchange server did you run the following before installing
(this is for example for a exchange server that holds cas, hub and mb role) =
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,We
reference: http://technet.microsoft.com/en-us/library/bb691354.aspx
# Yes this is the doc I followed to build
2. Settings on outlook clients =
If Outlook Anywhere is enabled, on clients computer make sure the settings are correct:
Connect to Microsoft Exchange using HTTP (checked) ->
Exchange proxy Settings -> https://webmail.yourdomain.com (is written) ->
Connect using SSL only (checked) -> Only connect to proxy servers that have this principal name in their ceritifcate (checked) -> msstd:webmail.yourdomain.c
Set authentication to Basic
# I have not manually configured any settings on the outlook. My testing was on new demo users, so as soon as the demo user logged on and opened outlook (over the internet) it tried to self configure - the only information I provided was the email address.
AND
On the server side:
On the server side locate -> Exchange Management console -> Server Cofiguration -> Clien Access -> Properties of your exchange server -> Outlook Anywhere -> Make youre you have your external host name written here "webmail.yourdomain.com" and Basic authentication is Set.
Make also sure that under IIS (on the exchange), sub category owa has been set for basic authenticaion
# This is set correctly
3. Autodiscover in your DNS records = You should have autodiscover created in your internal DNS records as a seperate ZONE and have not this created in your domain zone (this by best practice from microsoft)
# Can you please explain a little more on this? My internal and external DNS match. The autodiscover internally points to the internal address and externally to the public IP.
4.Go to exchange management shell and type in the following:
Set-WebServicesVirtualDire
Set-OABVirtualDirectory -Identity “ExchangeServerName\oab (Default Web Site)” -InternalUrl https://webmail.yourdomain.com/oab
Set-ClientAccessServer -Identity ExchangeServerName -AutodiscoverServiceIntern
# I have already been through these a few times and are correct
5. Make sure that you have your autodiscover name listed in your Exchange certificate: Autodiscover.yourdomain.co
# This is one of the areas the I think there is an issue with
6. Make sure your IIS corresponds to the following settings:
Autodiscover: SSL:ON, Redirect: ON, Auth: Anonymous, Basic, Windows
EWS: SSL:ON, Auth: Anonymous, Windows, Redirect: ON
# These settings are correct.
7. Go to Exchange Management Shell and do the following:
type: Test-OutlookWebServices -Identity firstname.lastname@yourdom
# This all comes back successfully, except the EWS - I have had to make a couple of changes to this and am currently using "email" instead of "mail" - I will go back and fix this.
____________________
Here's where I'm up to now.
I am using a wildcard certificate so I have had to manually set the outlookprovider EXPR to msstd:*.mydomain.com rather than email.mydomain.com - this was one fix
The second fix was related to the way the central autodiscover website http redirect was not functioning correctly on the CAS server. I moved this to a completely separate server running IIS and did the redirection from there. This now allows any SMTP domain to connect provided they have the autodiscover A record pointed to my autodiscover domain.
I'm based in Sydney Australia so it's late here and I will continue with my analysis in the morning. I have the outlook client successfully connecting in, but it did require me to manually enter my creditentials at one stage. I will run through this again and post results.
Getting there slowly!
cheers
JuusoConnecta - I have almost gotten there, with only a very small couple of issues.
Do you have several cas servers in your exchange infrastructure ?
#YES, I have a CAS array and these are load balanced using MS NLB.
For load balancing the cas servers and then have one public ip and one ip against the NLB ? (sorry didnt quiet understand this bit)
#All I was trying to say there was that I was using a private heartbeat network for the NLB component. This is working OK I believe at this stage.
Also
When you say OA is not working, Do you mean that they cannot resolved the hostname, cannot resolve the username, you keep on getting authentication window ?
# OA externally was previously not connecting at all to my mail servers.
Pointing out a few points where issue may be:
1. When you installed your exchange server did you run the following before installing
(this is for example for a exchange server that holds cas, hub and mb role) =
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,We
reference: http://technet.microsoft.com/en-us/library/bb691354.aspx
# Yes this is the doc I followed to build
2. Settings on outlook clients =
If Outlook Anywhere is enabled, on clients computer make sure the settings are correct:
Connect to Microsoft Exchange using HTTP (checked) ->
Exchange proxy Settings -> https://webmail.yourdomain.com (is written) ->
Connect using SSL only (checked) -> Only connect to proxy servers that have this principal name in their ceritifcate (checked) -> msstd:webmail.yourdomain.c
Set authentication to Basic
# I have not manually configured any settings on the outlook. My testing was on new demo users, so as soon as the demo user logged on and opened outlook (over the internet) it tried to self configure - the only information I provided was the email address.
AND
On the server side:
On the server side locate -> Exchange Management console -> Server Cofiguration -> Clien Access -> Properties of your exchange server -> Outlook Anywhere -> Make youre you have your external host name written here "webmail.yourdomain.com" and Basic authentication is Set.
Make also sure that under IIS (on the exchange), sub category owa has been set for basic authenticaion
# This is set correctly
3. Autodiscover in your DNS records = You should have autodiscover created in your internal DNS records as a seperate ZONE and have not this created in your domain zone (this by best practice from microsoft)
# Can you please explain a little more on this? My internal and external DNS match. The autodiscover internally points to the internal address and externally to the public IP.
4.Go to exchange management shell and type in the following:
Set-WebServicesVirtualDire
Set-OABVirtualDirectory -Identity “ExchangeServerName\oab (Default Web Site)” -InternalUrl https://webmail.yourdomain.com/oab
Set-ClientAccessServer -Identity ExchangeServerName -AutodiscoverServiceIntern
# I have already been through these a few times and are correct
5. Make sure that you have your autodiscover name listed in your Exchange certificate: Autodiscover.yourdomain.co
# This is one of the areas the I think there is an issue with
6. Make sure your IIS corresponds to the following settings:
Autodiscover: SSL:ON, Redirect: ON, Auth: Anonymous, Basic, Windows
EWS: SSL:ON, Auth: Anonymous, Windows, Redirect: ON
# These settings are correct.
7. Go to Exchange Management Shell and do the following:
type: Test-OutlookWebServices -Identity firstname.lastname@yourdom
# This all comes back successfully, except the EWS - I have had to make a couple of changes to this and am currently using "email" instead of "mail" - I will go back and fix this.
____________________
Here's where I'm up to now.
I am using a wildcard certificate so I have had to manually set the outlookprovider EXPR to msstd:*.mydomain.com rather than email.mydomain.com - this was one fix
The second fix was related to the way the central autodiscover website http redirect was not functioning correctly on the CAS server. I moved this to a completely separate server running IIS and did the redirection from there. This now allows any SMTP domain to connect provided they have the autodiscover A record pointed to my autodiscover domain.
I'm based in Sydney Australia so it's late here and I will continue with my analysis in the morning. I have the outlook client successfully connecting in, but it did require me to manually enter my creditentials at one stage. I will run through this again and post results.
Getting there slowly!
cheers
Good to hear that it is moving forward and working now (even though you have to enter your credentials, also I have to point out that on different assignments User have been intermittently been having this from time to time, entering the credentials using OA that is)
2. Test configure the outlook client settins when you got time
3. what you said here: "The autodiscover internally points to the internal address and externally to the public IP." that is correct! Only thing to point out is that from microsofts best practice you should have your autodiscover as a new zone and not included in your domain zone. (Check my attachment, lets call the domain for hack.olam.se and in here I have an A record called autodiscover pointing to the public ip, this is what most users do. But you can also see that the zone above hack.olam.se is called autodiscover.hack.olam.se and this is what microsofts recommends, though I have not checked the documentationen in the last months if they have updated it, in the zone autodiscover.hack.olam.se I have the same records as you, so basically the setup is same, only difference is that I have mine as a "Different Zone" and do not have autodiscover A records in my "Domain Zone", hope this clarifys somewhat I meant)
5. Read this from Microsoft regarding Autodiscover: http://technet.microsoft.com/en-us/library/aa995928.aspx
Keep me posted! =]
Cheers!
AutoDiscoverAsANewZone.jpg
2. Test configure the outlook client settins when you got time
3. what you said here: "The autodiscover internally points to the internal address and externally to the public IP." that is correct! Only thing to point out is that from microsofts best practice you should have your autodiscover as a new zone and not included in your domain zone. (Check my attachment, lets call the domain for hack.olam.se and in here I have an A record called autodiscover pointing to the public ip, this is what most users do. But you can also see that the zone above hack.olam.se is called autodiscover.hack.olam.se and this is what microsofts recommends, though I have not checked the documentationen in the last months if they have updated it, in the zone autodiscover.hack.olam.se I have the same records as you, so basically the setup is same, only difference is that I have mine as a "Different Zone" and do not have autodiscover A records in my "Domain Zone", hope this clarifys somewhat I meant)
5. Read this from Microsoft regarding Autodiscover: http://technet.microsoft.com/en-us/library/aa995928.aspx
Keep me posted! =]
Cheers!
AutoDiscoverAsANewZone.jpg
ASKER
OK, So everything is now working. One of the things that didn't seem to take the new setting was the RPC/HTTP on the servers. I disabled outlook anywhere and re-enabled. Did an iisreset and everything is now working. .....well until I come across the next issue.
Thanks for you help
Thanks for you help
ASKER
One great cmdlet was the test-outlookwebservices
Glad you got it to work!
cheers and thanks for the points = ]
cheers and thanks for the points = ]
The alternative is to have your external clients connect to your server via a VPN connection first. That's probably a better solution.
Information on setting up Outlook Anywhere in Exchange 2010:
http://technet.microsoft.com/en-us/library/bb123741.aspx
Information about how to configure Microsoft Office Outlook 2010:
http://technet.microsoft.com/en-us/library/cc179036.aspx
Information about how to configure Microsoft Office Outlook 2003:
http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm