External Outlook 2007 connectivity fails to exchange 2010

Hi,
I have a new setup of exchange 2010 and everything seems to be working fine except I cannot connect external outlook clients. Internally no problem and OWA works everywhere. I have run some tests using www.testexchangeconnectivity.com and the problem area seems to be with the autodiscovery part. This is for a hosting implementation (hopefully!)

Checking Host autodiscover.DOMAIN.com for an HTTP redirect to AutoDiscover
  ExRCA failed to get an HTTP redirect response for Autodiscover.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page.


I am using a UCC certificate on the CAS server. This is going to be a hosting solution, so the domains of the clients are not default. I have added an autodiscover A record for the client domain to point to my CAS server.
kinsja1Asked:
Frosty555Commented:
Have you turned on Outlook Anywhere for both your Exchange Server, and your Outlook clients? You must do this for your outlook clients to connect to Exchange over the internet. Outlook will effectively use an HTTPS proxy to connect to your exchange server, once you've turned on the feature.

The alternative is to have your external clients connect to your server via a VPN connection first. That's probably a better solution.

Information on setting up Outlook Anywhere in Exchange 2010:
http://technet.microsoft.com/en-us/library/bb123741.aspx

Information about how to configure Microsoft Office Outlook 2010:
http://technet.microsoft.com/en-us/library/cc179036.aspx

Information about how to configure Microsoft Office Outlook 2003:
http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm
Frosty555Commented:
Sorry, I forgot instructions on how to configure Office Outlook 2007 - the one client you actually asked for!

Details below:
http://www.it.ubc.ca/email/exchange/setupdocs/rpcoutlook2007.html
kinsja1Author Commented:
Hi,
Here's an update on the problem. Frosty555 - the issue isn't related as such to the setup of Outlook Anywhere, but more to do with the autodiscover. I might also mention that internal clients are OK.

As this is for a hosting implementation, I believe the problem can be solved by setting up a central redirection for the autodiscover. I have seen a couple of articles that describe this for a hosting environment but still cannot get it to work.

http://technet.microsoft.com/en-us/library/ff923256.aspx

On one of my CAS servers I have created a new website for the autodiscover redirection. The server has 2 IP addresses - 1 for public and 1 for NLB (NLB is working fine). Do I need a third IP for this site? I am not really convinced that I've setup the redirection correctly.

When I browse to https://autodiscover.othersmtpdomain.com/autodiscover/autodiscover.xml I get asked for credentials. When I manually enter them I get this:

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="14:59:06.4928435" Id="238028835">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>

testex.png
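The two results above (ExRCA's 403 on the plain-HTTP redirect probe, and the ErrorCode 600 body from a browser) are what an Autodiscover client sees at two different steps of its lookup. The following script, an added example that is not part of the thread, interprets both offline: one function classifies the redirect probe the way a client would (a healthy central redirect site answers 301/302 with an https:// Location ending in the Autodiscover path; a 403 means IIS answered but the site served no redirect rule), and the other parses a POX Autodiscover response into error / redirect / settings. The ErrorCode 600 sample is the body posted above; the settings sample and the status labels are constructed for this example. Note that a browser GET carries no request XML, so the service answers 600 Invalid Request even when it is healthy; only a POST returns real settings.

```python
# Added example, not from the original thread: an offline interpreter for the
# two Autodiscover probes the poster reported (the HTTP redirect check that
# returned 403, and the browser GET that returned ErrorCode 600). The sample
# responses below are constructed from what was posted; the status labels are
# this example's own, not ExRCA output.
import xml.etree.ElementTree as ET

RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def _r(tag):
    return "{%s}%s" % (RESP_NS, tag)


def _o(tag):
    return "{%s}%s" % (OUTLOOK_NS, tag)


def classify_redirect_probe(status, headers):
    """Interpret the plain-HTTP GET to http://autodiscover.<smtpdomain>/autodiscover/autodiscover.xml.

    A working central redirect site answers 301/302 with an https:// Location
    that ends in the Autodiscover path; Outlook then POSTs its request there.
    """
    location = headers.get("Location", "")
    if status in (301, 302):
        if location.startswith("https://") and location.lower().endswith(AUTODISCOVER_PATH):
            return ("ok", location)
        return ("redirect-to-wrong-target", location)
    if status == 403:
        # IIS answered, but this site has no HTTP redirect rule (or the
        # request hit a different site binding than intended).
        return ("forbidden-no-redirect-rule", location)
    if status == 200:
        return ("served-directly-no-redirect", location)
    return ("unexpected", location)


def parse_autodiscover_response(xml_text):
    """Classify a POX Autodiscover response body: error, redirect, or settings."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != _r("Autodiscover"):
        raise ValueError("not an Autodiscover response document")
    err = root.find(_r("Response") + "/" + _r("Error"))
    if err is not None:
        return {"kind": "error",
                "code": int(err.findtext(_r("ErrorCode"))),
                "message": err.findtext(_r("Message"))}
    account = root.find(_o("Response") + "/" + _o("Account"))
    if account is None:
        raise ValueError("neither Error nor Account element present")
    action = account.findtext(_o("Action"))
    if action == "redirectUrl":
        return {"kind": "redirect", "url": account.findtext(_o("RedirectUrl"))}
    if action == "redirectAddr":
        return {"kind": "redirect-address", "address": account.findtext(_o("RedirectAddr"))}
    protocols = {}
    for p in account.findall(_o("Protocol")):
        protocols[p.findtext(_o("Type"))] = {
            "server": p.findtext(_o("Server")),
            "ssl": p.findtext(_o("SSL")),
            "auth": p.findtext(_o("AuthPackage")),
            "cert_principal": p.findtext(_o("CertPrincipalName")),
        }
    return {"kind": "settings", "protocols": protocols}


# The body the poster got from a browser GET (a GET carries no request XML,
# so the service answers 600 Invalid Request; a POST is needed for real settings).
ERROR_600 = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="14:59:06.4928435" Id="238028835">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""

# Constructed sample of a settings response carrying an EXPR (Outlook Anywhere) block.
SETTINGS_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXPR</Type>
        <Server>webmail.example.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:webmail.example.com</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

if __name__ == "__main__":
    print(classify_redirect_probe(403, {}))
    print(classify_redirect_probe(302, {"Location": "https://autodiscover.example.com/autodiscover/autodiscover.xml"}))
    print(parse_autodiscover_response(ERROR_600))
    print(parse_autodiscover_response(SETTINGS_SAMPLE))
```

To use it against a live server, feed `classify_redirect_probe` the status and headers of a non-following GET to the plain-HTTP autodiscover name of the hosted domain, and feed `parse_autodiscover_response` the body of an authenticated POST to the HTTPS endpoint; an EXPR block whose `cert_principal` does not match the certificate actually presented is the mismatch discussed later in this thread.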
JuusoConnectaCommented:
Kinsja,

Do you have several cas servers in your exchange infrastructure ?
For load balancing the CAS servers, and then have one public IP and one IP against the NLB? (Sorry, didn't quite understand this bit.)
Also
When you say OA is not working, do you mean that they cannot resolve the hostname, cannot resolve the username, or you keep on getting the authentication window?

Pointing out a few points where issue may be:

1. When you installed your exchange server did you run the following before installing
(this is for example for an Exchange server that holds the CAS, Hub and MB roles) =
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

reference: http://technet.microsoft.com/en-us/library/bb691354.aspx


2. Settings on outlook clients =
If Outlook Anywhere is enabled, on clients computer make sure the settings are correct:
Connect to Microsoft Exchange using HTTP (checked) ->
Exchange proxy Settings -> https://webmail.yourdomain.com (is written) ->
Connect using SSL only (checked) -> Only connect to proxy servers that have this principal name in their ceritifcate (checked) -> msstd:webmail.yourdomain.com ->
Set authentication to Basic

AND

On the server side:
On the server side locate -> Exchange Management Console -> Server Configuration -> Client Access -> Properties of your Exchange server -> Outlook Anywhere -> Make sure you have your external host name written here "webmail.yourdomain.com" and Basic authentication is set.
Also make sure that under IIS (on the Exchange server), the owa sub-directory has been set for Basic authentication.


3. Autodiscover in your DNS records = You should have autodiscover created in your internal DNS records as a separate ZONE and not created in your domain zone (this is by best practice from Microsoft).


4.Go to exchange management shell and type in the following:

Set-WebServicesVirtualDirectory -Identity "ExchangeServerName\EWS (Default Web Site)" -InternalUrl https://webmail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "ExchangeServerName\oab (Default Web Site)" -InternalUrl https://webmail.yourdomain.com/oab
Set-ClientAccessServer -Identity ExchangeServerName -AutodiscoverServiceInternalUri https://webmail.yourdomain.com/autodiscover/autodiscover.xml


5. Make sure that you have your autodiscover name listed in your Exchange certificate: Autodiscover.yourdomain.com


6. Make sure your IIS corresponds to the following settings:
Autodiscover: SSL:ON, Redirect: ON,  Auth: Anonymous, Basic, Windows
EWS: SSL:ON, Auth: Anonymous, Windows, Redirect: ON


7. Go to Exchange Management Shell and do the following:
type: Test-OutlookWebServices -Identity firstname.lastname@yourdomain.com | ft -AutoSize <-- and post your results here,


cheers

kinsja1Author Commented:
Wow, before I say anything else I would really like to say thanks to the people that make up experts-exchange. The effort people make to help is amazing.

JuusoConnecta - I have almost gotten there, with only a very small couple of issues.


Do you have several cas servers in your exchange infrastructure ?

#YES, I have a CAS array and these are load balanced using MS NLB.

For load balancing the CAS servers, and then have one public IP and one IP against the NLB? (Sorry, didn't quite understand this bit.)

#All I was trying to say there was that I was using a private heartbeat network for the NLB component. This is working OK I believe at this stage.

Also
When you say OA is not working, do you mean that they cannot resolve the hostname, cannot resolve the username, or you keep on getting the authentication window?

# OA externally was previously not connecting at all to my mail servers.

Pointing out a few points where issue may be:

1. When you installed your exchange server did you run the following before installing
(this is for example for an Exchange server that holds the CAS, Hub and MB roles) =
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

reference: http://technet.microsoft.com/en-us/library/bb691354.aspx

# Yes this is the doc I followed to build


2. Settings on outlook clients =
If Outlook Anywhere is enabled, on clients computer make sure the settings are correct:
Connect to Microsoft Exchange using HTTP (checked) ->
Exchange proxy Settings -> https://webmail.yourdomain.com (is written) ->
Connect using SSL only (checked) -> Only connect to proxy servers that have this principal name in their ceritifcate (checked) -> msstd:webmail.yourdomain.com ->
Set authentication to Basic

# I have not manually configured any settings on the outlook. My testing was on new demo users, so as soon as the demo user logged on and opened outlook (over the internet) it tried to self configure - the only information I provided was the email address.

AND

On the server side:
On the server side locate -> Exchange Management Console -> Server Configuration -> Client Access -> Properties of your Exchange server -> Outlook Anywhere -> Make sure you have your external host name written here "webmail.yourdomain.com" and Basic authentication is set.
Also make sure that under IIS (on the Exchange server), the owa sub-directory has been set for Basic authentication.

# This is set correctly

3. Autodiscover in your DNS records = You should have autodiscover created in your internal DNS records as a separate ZONE and not created in your domain zone (this is by best practice from Microsoft).

# Can you please explain a little more on this? My internal and external DNS match. The autodiscover internally points to the internal address and externally to the public IP.


4.Go to exchange management shell and type in the following:

Set-WebServicesVirtualDirectory -Identity "ExchangeServerName\EWS (Default Web Site)" -InternalUrl https://webmail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "ExchangeServerName\oab (Default Web Site)" -InternalUrl https://webmail.yourdomain.com/oab
Set-ClientAccessServer -Identity ExchangeServerName -AutodiscoverServiceInternalUri https://webmail.yourdomain.com/autodiscover/autodiscover.xml

# I have already been through these a few times and they are correct

5. Make sure that you have your autodiscover name listed in your Exchange certificate: Autodiscover.yourdomain.com

# This is one of the areas that I think there is an issue with

6. Make sure your IIS corresponds to the following settings:
Autodiscover: SSL:ON, Redirect: ON,  Auth: Anonymous, Basic, Windows
EWS: SSL:ON, Auth: Anonymous, Windows, Redirect: ON

# These settings are correct.

7. Go to Exchange Management Shell and do the following:
type: Test-OutlookWebServices -Identity firstname.lastname@yourdomain.com | ft -AutoSize <-- and post your results here,

# This all comes back successfully, except the EWS - I have had to make a couple of changes to this and am currently using "email" instead of "mail" - I will go back and fix this.

____________________

Here's where I'm up to now.

I am using a wildcard certificate so I have had to manually set the outlookprovider EXPR to msstd:*.mydomain.com rather than email.mydomain.com - this was one fix

The second fix was related to the way the central autodiscover website http redirect was not functioning correctly on the CAS server. I moved this to a completely separate server running IIS and did the redirection from there. This now allows any SMTP domain to connect provided they have the autodiscover A record pointed to my autodiscover domain.

I'm based in Sydney, Australia, so it's late here and I will continue with my analysis in the morning. I have the Outlook client successfully connecting in, but it did require me to manually enter my credentials at one stage. I will run through this again and post results.

Getting there slowly!

cheers
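The wildcard fix above (EXPR principal set to msstd:*.mydomain.com rather than email.mydomain.com) and point 5 in the earlier reply (the autodiscover name must be on the certificate) are both certificate-name questions. The script below is an added example, not from the thread, that checks a certificate's CN/SAN names against the hostnames Outlook Anywhere and Autodiscover clients will contact, using the standard leftmost-label wildcard rule, and checks an msstd: principal against those names. The certificate name lists and hostnames are constructed. One assumption is built in, taken from what the poster observed: Outlook compares the msstd: principal literally with the certificate's name, so a wildcard certificate needs msstd:*.mydomain.com; verify that against the Outlook version in use.

```python
# Added example, not from the original thread: checks a certificate's names
# against the hostnames Outlook Anywhere and Autodiscover clients will contact,
# and checks an EXPR msstd: principal name against the certificate the way the
# poster's wildcard fix implies. Certificate name lists and hostnames are
# constructed. Assumption: Outlook compares the msstd: principal literally
# (case-insensitively) with the certificate's name, which is why a wildcard
# certificate needs msstd:*.domain rather than msstd:host.domain.


def hostname_matches(cert_name, hostname):
    """Standard TLS wildcard rule: '*.example.com' matches 'webmail.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]              # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_hosts(cert_names, required_hosts):
    """Hostnames that no certificate name (CN or SAN) matches."""
    return [h for h in required_hosts
            if not any(hostname_matches(c, h) for c in cert_names)]


def principal_name_matches(principal, cert_names):
    """Outlook's 'Only connect to proxy servers that have this principal name in
    their certificate' check, modelled as a literal comparison (assumption)."""
    if not principal.lower().startswith("msstd:"):
        raise ValueError("principal must be of the form msstd:<name>")
    name = principal[len("msstd:"):].lower().rstrip(".")
    return any(c.lower().rstrip(".") == name for c in cert_names)


# Constructed inputs: a wildcard certificate, a UCC certificate, and the names
# clients contact in the hosting setup from the thread. The hosted tenant's
# autodiscover name is served by the plain-HTTP redirect site, so it is
# expected to be absent from the certificate.
WILDCARD_CERT = ["*.mydomain.com"]
UCC_CERT = ["webmail.mydomain.com", "autodiscover.mydomain.com"]
REQUIRED_HOSTS = ["webmail.mydomain.com", "autodiscover.mydomain.com",
                  "autodiscover.othersmtpdomain.com"]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("UCC", UCC_CERT)):
        print(label, "does not cover:", uncovered_hosts(cert, REQUIRED_HOSTS))
    print(principal_name_matches("msstd:webmail.mydomain.com", WILDCARD_CERT))  # False
    print(principal_name_matches("msstd:*.mydomain.com", WILDCARD_CERT))        # True
```

The uncovered name for both certificates is the hosted tenant's autodiscover host, which is exactly why the central redirect site answers that name over plain HTTP and sends the client on to an HTTPS name the certificate does cover.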
JuusoConnectaCommented:
Good to hear that it is moving forward and working now (even though you have to enter your credentials; I also have to point out that on different assignments users have intermittently been having this from time to time, entering the credentials using OA, that is).

2. Test configuring the Outlook client settings when you have time.

3. What you said here: "The autodiscover internally points to the internal address and externally to the public IP." - that is correct! The only thing to point out is that by Microsoft's best practice you should have your autodiscover as a new zone and not included in your domain zone. (Check my attachment. Let's call the domain hack.olam.se; in here I have an A record called autodiscover pointing to the public IP, which is what most users do. But you can also see that the zone above hack.olam.se is called autodiscover.hack.olam.se, and this is what Microsoft recommends, though I have not checked the documentation in the last months to see if they have updated it. In the zone autodiscover.hack.olam.se I have the same records as you, so basically the setup is the same; the only difference is that I have mine as a "different zone" and do not have autodiscover A records in my "domain zone". Hope this clarifies somewhat what I meant.)

5. Read this from Microsoft regarding Autodiscover: http://technet.microsoft.com/en-us/library/aa995928.aspx

Keep me posted! =]

Cheers!

AutoDiscoverAsANewZone.jpg
kinsja1Author Commented:
OK, So everything is now working. One of the things that didn't seem to take the new setting was the RPC/HTTP on the servers. I disabled outlook anywhere and re-enabled. Did an iisreset and everything is now working. .....well until I come across the next issue.

Thanks for your help
kinsja1Author Commented:
One great cmdlet was the test-outlookwebservices
JuusoConnectaCommented:
Glad you got it to work!

cheers and thanks for the points = ]