gdctech
asked on
Testing Exchange 2007 along-side Exchange 2003 Environment - Outlook Anywhere Certificate Issue
I was brought into an environment that has 2 exchange servers. One is a 2003 Exchange server (Primary) that most people are connected to. The second is a 2007 Exchange server (both servers run Windows 2003 SP2). A few years ago, a migration was started and never completed.
I believe I have most of the migration completed (except the actual user/mailbox migration) done. The issue I have right now is that in testing, I would like to bring up Exchange 2007 along side Exchange 2003 so I can bring a few users over to test it out fully.
Everything seems to work internally, however Outlook Anywhere (RPC over HTTP) does not work properly. Internally, I get an error thrown when I start up Outlook, but it eventually connects and works fine. Externally, it doesn't work at all.
Ok, here is the environment:
ExServer2003
ExServer2007
External DNS and MX are as follows:
mail.companyname.com points to ExServer2003 (working perfectly) (resolves to primary IP address)
mail2.companyname.com points to ExServer2007 (problematic) (resolves to secondary test IP address)
I have opened appropriate ports in firewall, however it appears it is a Certificate issue that I am having.
Our primary cert for mail.companyname.com is from a trusted 3rd party vendor and works fine. However, in order to properly test Exchange 2007, I created a trusted cert from an internal certificate authority.
Certificate states that it is "Ok" and is installed in IIS on ExServer2007.
When browsing to OWA at https://mail2.companyname.com, the cert states that it is trusted and I can log in just fine.
Outlook, on the other hand is not working 100% correctly:
When I open Outlook, I am prompted for Domain\Username and Password.
"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target ExServer2007.
Outlook is unable to connect to the proxy server. (Error Code 10)"
I select OK button, and Exchange status is "Connected to Microsoft Exchange"
Here are my Outlook Settings:
Outlook Account Settings, Change Account, Microsoft Exchange Connection Tab:
Connect to Microsoft Exchange using HTTP
Exchange Proxy Settings:
SSL Only, Only Connect to Proxy Servers that have this principal name...
msstd:mail2.companyname.net
Checkmarks on Fast/Slow networks using HTTP first
Basic Authentication
When I go to "testexchangeconnectivity.com" I get:
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Test Steps
Attempting to resolve the host name mail2.companyname.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: CORRECT IP ADDRESS
Testing TCP port 443 on host mail2.companyname.net to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail2.companyname.net was found in the Certificate Subject Common name.
Certificate trust is being validated.
Certificate trust validation failed.
Additional Details
The certificate chain couldn't be built. You may be missing required intermediate certificates.
Any help would be appreciated. Thank you!
Hi, I have not read through your thread, but we are in a 2003 and 2010 environment and have gone through the CERT fun.
You are not alone.....
A few things off the bat:
1) Do a network trace
2) outlook.exe /rpcdiag (2007 only)
3) make sure the cert chain is available to the client (i.e., if using DigiCert you should pass the intermediate as well as the CA to the client (cert chain)).
Again - we are going through this so I may have some ideas for you. This seems to be an external issue (using the MS site).
How about internal?
What's between you and the internet (firewall, ISA, UAG, Router w/IPS)
Douglas
ASKER CERTIFIED SOLUTION
ASKER
I resolved this myself.
If you have a firewall, shouldn't both your MX records point to the same external IP address of the firewall (single point of contact)?
If you had your internal CA issue a cert for your Exchange 2007 server, you need to add the internal CA certificate to all of the client computers.
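The certificate checks that the connectivity test output and the replies above describe, as an added PowerShell example that is not from this thread: it connects to the Outlook Anywhere host, records the chain Windows builds during the TLS handshake together with the policy errors, and maps them to the symptoms seen here (PartialChain for a missing intermediate, UntrustedRoot for an internal CA that is not installed on the client, a name mismatch for Outlook's Error Code 10). The function and parameter names are my own assumptions; the host names are the ones from the thread, and the script needs network access to the target and PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Reproduces from a client what the
# testexchangeconnectivity.com RPC/HTTP test reported: the certificate the
# Outlook Anywhere proxy presents, whether Windows can build and trust its
# chain, and whether the name matches Outlook's msstd: principal name.
# Function and parameter names are assumptions; host names come from the thread.
function Test-OutlookAnywhereCert {
    param(
        [string]$HostName      = 'mail2.companyname.net',  # DNS name to connect to
        [int]   $Port          = 443,
        [string]$PrincipalName = 'mail2.companyname.net'   # value after msstd: in Outlook
    )
    $seen = @{}   # filled by the validation callback during the handshake
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $seen.Errors = $errors
        $seen.Status = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
        $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true  # accept the handshake; problems are reported below, not thrown
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        # Validate against the principal name, as Outlook does, rather than the DNS name
        $ssl.AuthenticateAsClient($PrincipalName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    $E = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        Subject       = $leaf.Subject
        Issuer        = $leaf.Issuer
        NotAfter      = $leaf.NotAfter
        ChainSent     = $seen.Chain  -join ' <- '
        ChainStatus   = $seen.Status -join ', '
        # "certificate chain couldn't be built": the server did not send the intermediate
        MissingInterm = $seen.Status -contains 'PartialChain'
        # the internal CA is not in this client's Trusted Root store (the fix given above)
        UntrustedRoot = $seen.Status -contains 'UntrustedRoot'
        # a name mismatch is what produces Outlook's "Error Code 10" prompt
        NameMismatch  = (($seen.Errors -band $E::RemoteCertificateNameMismatch) -ne 0)
    }
}

Test-OutlookAnywhereCert | Format-List
```

Run it once from a domain client before and once after importing the internal CA certificate into that client's Trusted Root Certification Authorities store; UntrustedRoot should clear while MissingInterm and NameMismatch stay as they were, which separates the three causes the thread mixes together.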