Solved

Use a different SSL port for Exchange 2010

Posted on 2010-11-19
40
1,354 Views
Last Modified: 2012-05-10
I have Exchange 2010 running on a single 2008R2 server.

I am using Citrix Secure Gateway which is using SSL Port 443.

When I access the Citrix Secure Gateway from a remote location I am forwarded from SSL port 443 to the internal Citrix Secure Gateway server.

That all works perfectly well.

Now I have installed Exchange 2010 and my end user wants to access Outlook remotely from PCs, Macs, Blackberries and iPhones.

Therefore SSL is required, but I am already utilising SSL port 443 for Citrix, so I have to use a different SSL port, I chose 448.

I have a UCC/SAN SSL certificate from GoDaddy with the following URLs
externaldomainname.com
autodiscover.externaldomainname.com.

Current situation:

I have created a DNS 'A' record directing autodiscover.externaldomainname.com to the external facing IP Address of the company.

OWA seems to work perfectly well using https://autodiscover.externaldomainname.com:448/owa.

Office 2011 for Mac Outlook seems to work perfectly well.

Blackberries seem to work again using OWA URL.

Problems with iPhones which I'm still investigating.

Internal Outlook works but puts up an irritating warning after each invocation:

[Screenshot: Outlook Warning]
The certificate it is being presented with is the self cert certificate I use for Citrix Secure Gateway:

[Screenshot: Outlook Warning Certificate]
So I'm assuming Outlook is heading off looking for autodiscover.externaldomainname.com and coming back in on SSL port 443 and being forwarded to the Citrix Secure Gateway server.

Also Outlook Out-of-Office fails with the following error:

[Screenshot: Out-of-Office Error]
I believe this is caused by the same SSL port issue as above.

One point to note is that my internal domain name is different from my external domain name and unfortunately the internal domain name is used externally by a completely separate 3rd party.

My questions are:

Can I configure Exchange so that it uses port 448 for SSL rather than port 443 for all services, or is there any other method I can employ?

Can I force the Exchange server to look for autodiscover.externaldomainname.com through internal DNS resolution rather than heading off externally to resolve it which is how it appears to work?

I'm sure once I have answers to these questions others will surface....

Regards

Brian
Question by:3D2K

40 Comments
 
LVL 25

Expert Comment

by:Tony1044
ID: 34171296
It looks like Autodiscover problems - what are the SAN names on your certificate? Did you include the autodiscover addresses on it?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34171364
Hi Brian

This is a very interesting request I have never done and I think it cannot be done but I am willing to help.

We basically have 2 challenges:

1. Make autodiscover work - I have a solution for this.
2. Make Outlook Anywhere work, and this is where I don't see a way out for now.

If you configure your Outlook manually to connect to https://autodiscover.externaldomainname.com:448 does it work?
0
 
LVL 25

Accepted Solution

by:
Tony1044 earned 500 total points
ID: 34171396
Hmm it might be easier to change Citrix AG to use 448 rather than Exchange.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34171405
Sorry - Secure Gateway, not Access Gateway.

Which version of Citrix SG are you running?
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34171501
You will need to configure bindings in your IIS for port 448 and reconfigure your autodiscover service.
0
 

Author Comment

by:3D2K
ID: 34172724
Tony1044

My GoDaddy SSL Certificate references

redwoodskills.com
autodiscover.redwoodskills.com

Changing CSG SSL port will definitely be my last resort.  If it ain't broke don't fix it.

They are running XenApp 6.

The whole system is running virtually on XenServer 5.5 Update 2.

Akhater:

I can get OWA to work externally at https://autodiscover.redwoodskills.com:448/owa.

If I use IE to browse to https://autodiscover.redwoodskills.com:448 I get IIS 7 screen.

Please expand on what you want me to do with Outlook.

abhijitmdp:

Can you please give more specific instructions?

Many Thanks

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34172959
If it works externally why not just set up a DNS alias to point to the internal server address?

http://support.microsoft.com/kb/168322
0
 

Author Comment

by:3D2K
ID: 34173124
Tony1044

Thanks.

Externally the DNS entries are:

redwoodskills.com -> 3rd party hosted.
autodiscover.redwoodskills.com -> Internet facing IP Address of company.

Are you suggesting I add the autodiscover.redwoodskills.com entry internally and point it to the FQDN of the Exchange server internally?

I am very, very nervous about changing anything that may break what is already working, albeit badly.

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34173224
Yep - it won't break anything because it'll point to the 'right' place when you're inside the LAN and also the 'right' place when outside of it.

So in the MS article, instead of the www just have autodiscover - the other steps are the same.

Of course, to try it and make sure it works, you could add say discover instead of autodiscover and use that yourself. That way you don't risk breaking anything at all except for yourself :)
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34174099
Go through the below article
http://technet.microsoft.com/en-us/library/cc731692(WS.10).aspx

For configuring the binding:
Open IIS Manager > right-click Default Web Site > Bindings > from here change the port for SSL to 448. This may work.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34174151
Not sure if it'll rebind autodiscover though - never tried so can't say definitively one way or the other. Maybe worth a try.
0
 

Author Comment

by:3D2K
ID: 34179456
Tony1044

Attached is a screen shot of my DNS Forward Lookup Zone:

[Screenshot: DNS FLZ]
Am I just adding autodiscover as a CNAME record?

Notice the internal domain name is redwood.co.uk.

Does Outlook started internally use autodiscover and just reference the internal domain name or does it use the default email address of each user which by default is @redwoodskills.com?

abhijitmdp:

I'm terrified of breaking something that is already working by using (more) complicated solutions, so I may come back to your suggestion later.

Thanks

Brian
0
 

Author Comment

by:3D2K
ID: 34179531
Tony1044

DNS FLZ after autodiscovery CNAME addition:

[Screenshot: DNS FLZ]
No change to certificate error which is looking for autodiscovery.redwoodskills.com

[Screenshot: Outlook SSL Error]
Should I be adding a new zone redwoodskills.com with the autodiscovery CNAME in it?  If so are there any special instructions, things to look out for?

Also I presume I'm pointing at my Exchange Server for autodiscovery!

Thanks

Brian

0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34186293
Hi Brian,

Apologies for the delayed response - was away at the weekend.

If you follow the instructions in the MS article exactly it will get what you require. The only changes being where it references www you need autodiscover and where it references the domain, you need redwoodskills.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34186303
Ah sorry just had a thought.

You need a new forward lookup zone for redwoodskills.com if it doesn't already exist and then the A & CNAME records go under that.
0
 

Author Comment

by:3D2K
ID: 34187278
Tony1044

I've added a new zone redwoodskills.com and configured it not to do dynamic updates as I'd assumed I only require it for internal users to access the correct server for autodiscover.redwoodskills.com.

There are no A records and I have added a CNAME record called autodiscover that points to the Exchange server.

A ping internally to autodiscover.redwoodskills.com now returns the internal Exchange server.

However, when I connect using CSG remotely and I execute the ping command I get the external IP address.  Is this a timing issue with DNS updates or do I need to get the Citrix server to update DNS tables etc?

Also will this redwoodskills.com DNS zone have any effect on internal users browsing to www.redwoodskills.com which is hosted externally by a 3rd party?

Thanks again.

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34187303
It is probably a DNS replication issue is all - how many servers do you have as DNS? One quick way to tell if it's timing is log onto a Citrix desktop and from a command prompt, type the following

NSLOOKUP
server xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the DNS server you made the change to)
autodiscover.redwoodskills.com

It should return your Exchange server.

In terms of www.redwoodskills.com - possibly. What happens if you do a NSLOOKUP / ping on it?

You may need to add www as a cname and point it to the external IP but from memory, forwarding should work (sorry not in front of my systems so cannot check for you)
0
 

Author Comment

by:3D2K
ID: 34187368
Tony1044

ipconfig /flushdns did the trick.

I'll move on to checking the rest of the problems out.  Out-of-Office etc, and report back.

Thanks

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34187380
Brilliant. And no adverse effects browsing www.redwoodskills.com?
0
 

Author Comment

by:3D2K
ID: 34187472
Tony1044

As suspected, the www.redwoodskills.com web site is no longer reachable from inside the network.

I have added an A record Same as Host Name (redwoodskills.com) which points at the external IP address.  I also added another CNAME record to point WWW to the redwoodskills.com A record but still couldn't reach the site.

This is exactly the situation I'm trying to avoid, breaking something that is already working.  Sadly it comes with the territory when you're working with Microsoft products.  My problem is that I'm doing the work remotely from over 200 miles away and there isn't a great deal of resource on site, so if I break it I have to travel to fix it.

Anyway, many thanks for your efforts as the certificate warning has now been fixed.

Are you going to offer an answer via this thread for the www problem that has surfaced or should I start another question?

Thanks

Brian
0
 

Author Comment

by:3D2K
ID: 34187477
Tony1044

This is the current redwoodskills.com DNS zone:

[Screenshot: DNS]
Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34187547
Of course. Adding an additional CNAME will use your internal "domain"

Can you add it in as an A record? Sorry it's tricky to remember DNS tricks without a server to play with in front of me.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34187548
Also - happy to continue here as it's all related to the same problem
0
 

Author Comment

by:3D2K
ID: 34188096
Tony1044

Ok here is the current situation:

I've added an autodiscover CNAME record to both the redwood.co.uk and redwoodskills.com zones, and a www A record for the redwoodskills.com zone on my internal DNS server.

OWA works externally, even Out-of-Office works externally through OWA.

The certificate warning no longer displays on internal clients when Outlook starts, so that is fixed.

The internal clients can browse the www.redwoodskills.com externally hosted web site, so that works.

Although Out-of-Office works via OWA externally, it doesn't work for internal clients, eventually bringing up the following error:

[Screenshot: Out-of-Office-01]
I have run the Outlook Autoconfiguration test and here are the results:

[Screenshot: Out-of-Office-02]

[Screenshot: Out-of-Office-03]
I can ping autodiscover.redwoodskills.com and autodiscover.redwood.co.uk from internal clients and they return the Exchange server as expected so why no Out-of-Office?

Any thoughts would be greatly appreciated.

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34188223
SRV record is missing in your DNS looking at the screenshot.

It's never simple is it? lol

Create an SRV record with the following info (in your Redwoodskills zone)

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.redwoodskills.com <--- where this would be the FQDN on the certificate.


0
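As an added example that is not from the thread: the internal redwoodskills.com zone, the www and root records that hosting the zone internally hides, and the SRV record Tony1044 describes above, scripted for the Windows Server 2008 R2 DNS server with the built-in dnscmd tool, followed by the nslookup checks. The DNS server name and the external web address are placeholders; the Exchange host name is the one Brian gives for his server.

```powershell
# Added example (not from the thread): provision the split-DNS zone described above
# on the internal Windows Server 2008 R2 DNS server with dnscmd, then verify it.
# Placeholders (constructed, not from the thread): $DnsServer and $ExternalWeb.
$Zone         = 'redwoodskills.com'        # external mail domain, now also hosted internally
$ExchangeFqdn = 'res-exs.redwood.co.uk.'   # internal Exchange CAS (trailing dot = absolute name)
$ExternalWeb  = '203.0.113.10'             # PLACEHOLDER: 3rd-party hosted www address
$DnsServer    = 'dc01.redwood.co.uk'       # PLACEHOLDER: internal DNS server to change

# 1. Create the zone as a static primary and disable dynamic updates, as Brian did.
dnscmd $DnsServer /ZoneAdd $Zone /Primary /file "$Zone.dns"
dnscmd $DnsServer /Config $Zone /AllowUpdate 0

# 2. Once this zone exists internally, the public records are no longer visible to
#    LAN clients, so the bare domain and www must be re-added pointing outside.
dnscmd $DnsServer /RecordAdd $Zone '@'   A $ExternalWeb
dnscmd $DnsServer /RecordAdd $Zone 'www' A $ExternalWeb

# 3. Send autodiscover to the internal CAS so Outlook stops reaching the Citrix
#    gateway on 443 and being handed its self-signed certificate.
dnscmd $DnsServer /RecordAdd $Zone 'autodiscover' CNAME $ExchangeFqdn

# 4. SRV record: priority 0, weight 0, port 443, target host. Keep the target on a
#    name the certificate covers and inside the mail domain; a target in another
#    domain triggers Outlook's "allow this website to configure" prompt.
dnscmd $DnsServer /RecordAdd $Zone '_autodiscover._tcp' SRV 0 0 443 "autodiscover.$Zone."

# 5. Verify from a client against the changed server (clears the stale cache first).
ipconfig /flushdns | Out-Null
nslookup -type=CNAME "autodiscover.$Zone"        $DnsServer
nslookup -type=SRV   "_autodiscover._tcp.$Zone"  $DnsServer
nslookup -type=A     "www.$Zone"                 $DnsServer
```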
 

Author Comment

by:3D2K
ID: 34188253
I have seen some comments on the web about proxy settings but I'm logging on as a domain administrator and the GP proxy settings are not applied.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34188277
Yeah there can be issues where connections use reverse proxy but I don't think that's the case here - the error log you attached specifically mentions no SRV records.
0
 

Author Comment

by:3D2K
ID: 34188467
Tony1044

I've added an SRV record as you suggest, but put the host as res-exs.redwood.co.uk.

Now Outlook asks me if I want to trust the res-exs.redwood.co.uk server to autoconfigure administrator@redwoodskills.com.  I chose yes and off it went to do nothing for a while before eventually returning the original cannot find server error.

Is 443 correct?  I'm using 448 externally.

Also my SSL certificate only references redwoodskills.com and autodiscover.redwoodskills.com.

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34188522
Ah of course - in all the to-ing and fro-ing I'd forgotten the port change - my mistake!

I'm thinking internally it is using 443?

No - don't put res-exs, put autodiscover - it should resolve properly then via DNS (that word "should" again!)

Try the name change and if that doesn't work try the port change as well.
0
 

Author Comment

by:3D2K
ID: 34189058
Tony1044

Sorry my friend the following message appears:

[Screenshot: Out of Office-04]
(twice), after picking Allow

followed by the good old server cannot be reached error.

I've tried 443 and 448 for the SRV record, both the same.

The problem now is that the above message is appearing in all users' Outlook sessions and they're getting hacked off about that, so I suspect I'll have to delete the SRV record soon.

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34189257
0
 

Author Comment

by:3D2K
ID: 34189737
Tony1044

Remember that the system still cannot locate the server for autoconfiguration even if I pick the Allow box, and I'm working in a Citrix/Terminal Services environment so registry hacks are not where I want to be.

I'm going to take a step back and have a think about it overnight.

Many thanks for your efforts today.

Brian
0
 

Author Comment

by:3D2K
ID: 34189777
Tony1044

Just noticed I can apply the last fix with GP so I'll take another look after a battery recharge.

Thanks

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34189796
Yeah I wouldn't give a registry fix that had to be applied at a client level if I could possibly avoid it.

0
 

Author Comment

by:3D2K
ID: 34226725
Tony1044

Apologies for the time it has taken me to respond to your help with this problem.

I have come across the following articles which appear to have some bearing on my setup and I'm investigating further:

http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html

What I have done in the meantime is added a sub-domain webmail.redwoodskills.com and I've added this to my GoDaddy SSL certificate, but I'm not happy about installing the new SSL certificate to replace the original one which appears to work.  The instructions for installation on Exchange 2010 from GoDaddy are less than helpful and there appears to be lots of noise on the Internet regarding SSL certificate errors/problems which I hope to avoid.

I'm starting a new question asking for help with the SSL certificate installation before I continue on with this question.

Many Thanks

Brian
0
 

Author Closing Comment

by:3D2K
ID: 34240023
Tony1044

After much wasted time and earache from the end-user I have decided that the only course of action left open to me is to do as you suggest.

In future any Exchange installations will be given SSL port 443 first.  There appears to be no way that you can configure autodiscover to use anything but the default SSL port.

All of the diagnostic tools also assume SSL port 443 without any way to modify them, so you really can't fault find with those tools unless you've configured the autodiscover service to use SSL 443.

Lesson learned, but thanks for your continued help.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34240071
I'm really sorry we couldn't nail it - seems somewhat daft in this day and age that something would be so hard-coded.

Thank you for the points - under the circumstances that was more generous than you needed to be.

If I can help on the Citrix side of things, please shout.
0
 

Author Comment

by:3D2K
ID: 34240259
Tony1044

10 out of 10 for effort!

My concern is that I've hacked about with it so much that I may have damaged it beyond redemption.

Watch this space....

Brian
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34240379
I understand but actually we didn't do all that much and we have a nice audit trail.

But you can always remove and reinstall the virtual directories:

Remove:
# "Contoso" stands for your CAS server name
Remove-AutodiscoverVirtualDirectory -Identity "Contoso\Autodiscover (Default Web Site)"

Remove-OwaVirtualDirectory -Identity "Contoso\owa (Default Web Site)"

Then recreate:

New-AutodiscoverVirtualDirectory -WebsiteName "Default Web Site" -BasicAuthentication $true -WindowsAuthentication $true

New-OwaVirtualDirectory -WebSiteName "Default Web Site"

Or if you're really worried, remove and reinstall the CAS role.
0
 

Author Comment

by:3D2K
ID: 34240997
That's what you think ;-)

I've run a few EMS commands that I suspect may have some knock-on effect.

For instance one of the things I've tried to do is to set the InternalURL and ExternalURL for the virtual directories via the GUI and EMS and I couldn't get the AutodiscoverServiceInternalURL to be anything other than blank regardless what commands I used.

I may take your advice to delete and recreate the VirtualDirectories at a later time, when I've fixed up CSG not to go near 443 to my satisfaction.
0
