Use a different SSL port for Exchange 2010

I have Exchange 2010 running on a single 2008R2 server.

I am using Citrix Secure Gateway which is using SSL Port 443.

When I access the Citrix Secure Gateway from a remote location I am forwarded from SSL port 443 to the internal Citrix Secure Gateway server.

That all works perfectly well.

Now I have installed Exchange 2010 and my end user wants to access Outlook remotely from PCs, Macs, Blackberries and iPhones.

Therefore SSL is required, but I am already utilising SSL port 443 for Citrix, so I have to use a different SSL port, I chose 448.

I have a UCC/SAN SSL certificate from GoDaddy with the following URLs
externaldomainname.com
autodiscover.externaldomainname.com.

Current situation:

I have created a DNS 'A' record directing autodiscover.externaldomainname.com to the external facing IP Address of the company.

OWA seems to work perfectly well using https://autodiscover.externaldomainname.com:448/owa.

Office 2011 for Mac Outlook seems to work perfectly well.

Blackberries seem to work again using OWA URL.

Problems with iPhones which I'm still investigating.

Internal Outlook works but puts up an irritating warning after each invocation:

[screenshot: Outlook Warning]
The certificate it is being presented with is the self cert certificate I use for Citrix Secure Gateway:

[screenshot: Outlook Warning Certificate]
So I'm assuming Outlook is heading off looking for autodiscover.externaldomainname.com and coming back in on SSL port 443 and being forwarded to the Citrix Secure Gateway server.

Also Outlook Out-of-Office fails with the following error:

[screenshot: Out-of-Office Error]
I believe this is caused by the same SSL port issue as above.

One point to note is that my internal domain name is different from my external domain name and unfortunately the internal domain name is used externally by a completely separate 3rd party.

My questions are:

Can I configure Exchange so that it uses port 448 for SSL rather than port 443 for all services, or is there any other method I can employ?

Can I force the Exchange server to look for autodiscover.externaldomainname.com through internal DNS resolution rather than heading off externally to resolve it which is how it appears to work?

I'm sure once I have answers to these questions others will surface....

Regards

Brian

Tony J (Lead Technical Architect) commented:
It looks like Autodiscover problems - what are the SAN names on your certificate? Did you include the autodiscover addresses on it?

Akhater commented:
Hi Brian

This is a very interesting request I have never done and I think it cannot be done but I am willing to help.

We basically have 2 challenges:

1. Make Autodiscover work; I have a solution for this.
2. Make Outlook Anywhere work, and this is where I don't see a way out for now.

If you configure your Outlook manually to connect to https://autodiscover.externaldomainname.com:448, does it work?

Tony J (Lead Technical Architect) commented:
Hmm it might be easier to change Citrix AG to use 448 rather than Exchange.

Tony J (Lead Technical Architect) commented:
Sorry - Secure Gateway, not Access Gateway.

Which version of Citrix SG are you running?

abhijitmdp commented:
You will need to configure bindings in IIS for port 448 and reconfigure your Autodiscover service.

3D2K (Author) commented:
Tony1044

My GoDaddy SSL Certificate references

redwoodskills.com
autodiscover.redwoodskills.com

Changing CSG SSL port will definitely be my last resort.  If it ain't broke don't fix it.

They are running XenApps 6.

The whole system is running virtually on XenServer 5.5 Update 2.

Akhater:

I can get OWA to work externally at https://autodiscover.redwoodskills.com:448/owa.

If I use IE to browse to https://autodiscover.redwoodskills.com:448 I get IIS 7 screen.

Please expand on what you want me to do with Outlook.

abhijitmdp:

Can you please give more specific instructions?

Many Thanks

Brian

Tony J (Lead Technical Architect) commented:
If it works externally why not just set up a DNS alias to point to the internal server address?

http://support.microsoft.com/kb/168322

3D2K (Author) commented:
Tony1044

Thanks.

Externally the DNS entries are:

redwoodskills.com -> 3rd party hosted.
autodiscover.redwoodskills.com -> Internet facing IP Address of company.

Are you suggesting I add the autodiscover.redwoodskills.com entry internally and point it to the FQDN of the Exchange server internally?

I am very-very nervous about changing anything that may break what is already working albeit badly.

Brian

Tony J (Lead Technical Architect) commented:
Yep - it won't break anything because it'll point to the 'right' place when you're inside the LAN and also the 'right' place when outside of it.

So in the MS article, instead of the www just have autodiscover - the other steps are the same.

Of course, to try it and make sure it works, you could add say discover instead of autodiscover and use that yourself. That way you don't risk breaking anything at all except for yourself :)

abhijitmdp commented:
Go through the article below:
http://technet.microsoft.com/en-us/library/cc731692(WS.10).aspx

For configuring the binding:
Open IIS Manager > right-click Default Web Site > Bindings > from here change the port for SSL to 448. This may work.

Tony J (Lead Technical Architect) commented:
Not sure if it'll rebind autodiscover though - never tried so can't say definitively one way or the other. Maybe worth a try.

3D2K (Author) commented:
Tony1044

Attached is a screen shot of my DNS Forward Lookup Zone:

[screenshot: DNS FLZ]
Am I just adding autodiscover as a CNAME record?

Notice the internal domain name is redwood.co.uk.

Does Outlook started internally use autodiscover and just reference the internal domain name or does it use the default email address of each user which by default is @redwoodskills.com?

abhijitmdp:

I'm terrified of breaking something that is already working by using (more) complicated solutions, so I may come back to your suggestion later.

Thanks

Brian

3D2K (Author) commented:
Tony1044

DNS FLZ after autodiscovery CNAME addition:

[screenshot: DNS FLZ]
No change to certificate error which is looking for autodiscovery.redwoodskills.com

[screenshot: Outlook SSL Error]
Should I be adding a new zone redwoodskills.com with the autodiscovery CNAME in it?  If so are there any special instructions, things to look out for?

Also I presume I'm pointing at my Exchange Server for autodiscovery!

Thanks

Brian

Tony J (Lead Technical Architect) commented:
Hi Brian,

Apologies for the delayed response - was away at the weekend.

If you follow the instructions in the MS article exactly it will get what you require. The only changes being where it references www you need autodiscover and where it references the domain, you need redwoodskills.

Tony J (Lead Technical Architect) commented:
Ah sorry just had a thought.

You need a new forward lookup zone for redwoodskills.com if it doesn't already exist and then the A & CNAME records go under that.

3D2K (Author) commented:
Tony1044

I've added a new zone redwoodskills.com and configured it not to do dynamic updates as I'd assumed I only require it for internal users to access the correct server for autodiscover.redwoodskills.com.

There are no A records and I have added a CNAME record called autodiscover that points to the Exchange server.

A ping internally to autodiscover.redwoodskills.com now returns the internal Exchange server.

However, when I connect using CSG remotely and I execute the ping command I get the external IP address.  Is this a timing issue with DNS updates or do I need to get the Citrix server to update DNS tables etc?

Also will this redwoodskills.com DNS zone have any effect on internal users browsing to www.redwoodskills.com which is hosted externally by a 3rd party?

Thanks again.

Brian

Tony J (Lead Technical Architect) commented:
It is probably a DNS replication issue is all - how many servers do you have as DNS? One quick way to tell if it's timing is log onto a Citrix desktop and from a command prompt, type the following

NSLOOKUP
server xxx.xxx.xxx.xxx   (where xxx.xxx.xxx.xxx is the DNS server you made the change to)
autodiscover.redwoodskills.com

It should return your Exchange server.

In terms of www.redwoodskills.com - possibly. What happens if you do a NSLOOKUP / ping on it?

You may need to add www as a cname and point it to the external IP but from memory, forwarding should work (sorry not in front of my systems so cannot check for you)

3D2K (Author) commented:
Tony1044

ipconfig /flushdns did the trick.

I'll move on to checking the rest of the problems out.  Out-of-Office etc, and report back.

Thanks

Brian

Tony J (Lead Technical Architect) commented:
Brilliant. And no adverse effects browsing www.redwoodskills.com?

3D2K (Author) commented:
Tony1044

As suspected, the www.redwoodskills.com web site is no longer reachable from inside the network.

I have added an A record Same as Host Name (redwoodskills.com) which points at the external IP address.  I also added another CNAME record to point WWW to the redwoodskills.com A record but still couldn't reach the site.

This is exactly the situation I'm trying to avoid, breaking something that is already working.  Sadly it comes with the territory when you're working with Microsoft products.  My problem is that I'm doing the work remotely from over 200 miles away and there isn't a great deal of resource on site, so if I break it I have to travel to fix it.

Anyway, many thanks for your efforts as the certificate warning has now been fixed.

Are you going to offer an answer via this thread for the www problem that has surfaced or should I start another question?

Thanks

Brian

3D2K (Author) commented:
Tony1044

This is the current redwoodskills.com DNS zone:

[screenshot: DNS]
Brian

Tony J (Lead Technical Architect) commented:
Of course. Adding an additional CNAME will use your internal "domain"

Can you add it in as an A record? Sorry it's tricky to remember DNS tricks without a server to play with in front of me.
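The www breakage above is a side effect of hosting a zone internally: the internal server becomes authoritative for every name under it and never forwards what it does not know. As an added model that is not part of the thread, this Python sketch resolves names the way that server does and lists which public names the new redwoodskills.com zone shadows until A records are added back; the addresses, the res-exs host address and the public IPs are constructed values.

```python
"""Constructed model (not from the original thread) of why the new internal
redwoodskills.com zone broke www.redwoodskills.com: a DNS server that hosts
a zone answers authoritatively for every name under it, so a name with no
record gets NXDOMAIN and is never forwarded to the public resolver."""

# Constructed sample of what public DNS returns (documentation addresses).
PUBLIC = {
    "redwoodskills.com.": ("A", "203.0.113.10"),               # third-party web host
    "www.redwoodskills.com.": ("A", "203.0.113.10"),
    "autodiscover.redwoodskills.com.": ("A", "203.0.113.20"),  # company firewall
}

def resolve(name, zones, public=PUBLIC, depth=0):
    """Answer a query the way the internal server would; zones is
    {zone_fqdn: {record_fqdn: (rrtype, data)}}. Returns an A address or None."""
    name = name.strip().lower().rstrip(".") + "."
    if depth > 8:
        raise RuntimeError("CNAME chain too long: " + name)
    # The longest hosted zone that contains the name (apex included) wins.
    hosted = [z for z in zones if name == z or name.endswith("." + z)]
    if hosted:
        rec = zones[max(hosted, key=len)].get(name)   # authoritative: no forwarding
    else:
        rec = public.get(name)                        # not ours: forward/recurse
    if rec is None:
        return None
    rrtype, data = rec
    if rrtype == "A":
        return data
    if rrtype == "CNAME":
        return resolve(data, zones, public, depth + 1)
    raise ValueError("unsupported record type " + rrtype)

def broken_public_names(zones, public=PUBLIC):
    """Public names that stop resolving once the internal zones are hosted."""
    return sorted(n for n in public if resolve(n, zones, public) is None)

# Step 1 in the thread: a new redwoodskills.com zone holding only the autodiscover CNAME.
STEP1 = {
    "redwood.co.uk.": {
        "res-exs.redwood.co.uk.": ("A", "10.0.0.5"),          # constructed Exchange address
        "autodiscover.redwood.co.uk.": ("CNAME", "res-exs.redwood.co.uk."),
    },
    "redwoodskills.com.": {
        "autodiscover.redwoodskills.com.": ("CNAME", "res-exs.redwood.co.uk."),
    },
}

# Step 2: the public names the zone now shadows are added back as A records.
STEP2 = {z: dict(r) for z, r in STEP1.items()}
STEP2["redwoodskills.com."].update({
    "redwoodskills.com.": ("A", "203.0.113.10"),
    "www.redwoodskills.com.": ("A", "203.0.113.10"),
})
```

Any public name under the hosted zone that is not listed in STEP2 will still fail inside the LAN, so the check is worth re-running whenever the third party adds a new host name.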

Tony J (Lead Technical Architect) commented:
Also - happy to continue here as it's all related to the same problem

3D2K (Author) commented:
Tony1044

Ok here is the current situation:

I've added an autodiscover CNAME record to both the redwood.co.uk and redwoodskills.com zones, and a www A record for the redwoodskills.com zone on my internal DNS server.

OWA works externally, even Out-of-Office works externally through OWA.

The certificate warning no longer displays on internal clients starting so that is fixed.

The internal clients can browse the www.redwoodskills.com externally hosted web site, so that works.

Although Out-of-Office works via OWA externally it doesn't work for internal clients, eventually bringing up the following error:

[screenshot: Out-of-Office-01]
I have run the Outlook Autoconfiguration test and here are the results:

[screenshot: Out-of-Office-02]

[screenshot: Out-of-Office-03]
I can ping autodiscover.redwoodskills.com and autodiscover.redwood.co.uk from internal clients and they return the Exchange server as expected so why no Out-of-Office?

Any thoughts would be greatly appreciated.

Brian

Tony J (Lead Technical Architect) commented:
SRV record is missing in your DNS looking at the screenshot.

It's never simple is it? lol

Create an SRV record with the following info (in your Redwoodskills zone)

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.redwoodskills.com <--- where this would be the FQDN on the certificate.


3D2K (Author) commented:
I have seen some comments on the web about proxy settings but I'm logging on as a domain administrator and the GP proxy settings are not applied.

Tony J (Lead Technical Architect) commented:
Yeah there can be issues where connections use reverse proxy but I don't think that's the case here - the error log you attached specifically mentions no SRV records.

3D2K (Author) commented:
Tony1044

I've added a SRV record as you suggest, but put the host as res-exs.redwood.co.uk.

Now Outlook asks me if I want to trust the res-exs.redwood.co.uk server to autoconfigure administrator@redwoodskills.com.  I chose yes and off it went to do nothing for a while before eventually returning the original cannot find server error.

Is 443 correct?  I'm using 448 externally.

Also my SSL certificate only references redwoodskills.com and autodiscover.redwoodskills.com.

Brian
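Brian's two questions above (which port, and which names the certificate carries) are the two checks every Autodiscover endpoint must pass. As an added example that is not from the thread, this Python model lists the hosts Outlook tries for administrator@redwoodskills.com and checks each against the certificate the listener presents: a host that is not on the GoDaddy certificate (res-exs or mail) gets a trust prompt or a failure, and the Citrix self-signed certificate on 443 is what triggered the warning. The listener-to-certificate mapping, the Citrix certificate name and the third-party host name are constructed assumptions; port 443 is assumed for every probe, as the thread found it to be fixed, and the Active Directory SCP step is left out.

```python
"""Constructed model (not from the original thread) of the Autodiscover host
lookup Outlook performs for a mailbox's SMTP domain and the certificate
name check each HTTPS endpoint must pass. Assumptions: the documented
lookup order minus the Active Directory SCP step, and port 443 for every
probe, which is what the thread found to be fixed."""

def autodiscover_candidates(smtp_address, srv_target=None):
    """Hosts Outlook tries, in order, for the domain part of the address."""
    domain = smtp_address.rsplit("@", 1)[1].lower().rstrip(".")
    hosts = [domain, "autodiscover." + domain]
    if srv_target:                        # target of the _autodiscover._tcp SRV record
        hosts.append(srv_target.lower().rstrip("."))
    return hosts

def name_matches(hostname, san_names):
    """Server-name check as a client performs it: exact label match, or one
    wildcard as the whole left-most label (no 'a*.' and no multi-level)."""
    hostname = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == hostname:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            h, s = hostname.split("."), san.split(".")
            if len(h) == len(s) and h[1:] == s[1:]:
                return True
    return False

def probe(hosts, served_certs, port=443):
    """Which certificate the listener at host:port presents, and whether the
    client would accept its name. served_certs: {'host:port': [SAN names]}."""
    results = []
    for h in hosts:
        sans = served_certs.get("%s:%d" % (h, port))
        if sans is None:
            results.append((h, "no listener"))
        elif name_matches(h, sans):
            results.append((h, "ok"))
        else:
            results.append((h, "name mismatch: presented " + ", ".join(sans)))
    return results

# Constructed picture of the thread's setup before the internal DNS fix:
# public 443 is forwarded to Citrix Secure Gateway (self-signed cert),
# public 448 to Exchange (GoDaddy UCC cert). Names below are placeholders
# except the two SAN entries Brian listed.
GODADDY_SAN = ["redwoodskills.com", "autodiscover.redwoodskills.com"]
CITRIX_SELF_SIGNED = ["csg.redwood.local"]
SERVED = {
    "redwoodskills.com:443": ["*.thirdparty-hosting.example"],
    "autodiscover.redwoodskills.com:443": CITRIX_SELF_SIGNED,
    "autodiscover.redwoodskills.com:448": GODADDY_SAN,
    "res-exs.redwood.co.uk:443": GODADDY_SAN,   # Exchange reached via internal DNS
}
```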


Tony J (Lead Technical Architect) commented:
Ah of course - in all the too-ing and fro-ing I'd forgotten the port change - my mistake!

I'm thinking internally it is using 443?

No - don't put res-exs, put autodiscover - it should resolve properly then via DNS (that word "should" again!)

Try the name change and if that doesn't work try the port change as well.

3D2K (Author) commented:
Tony1044

Sorry my friend the following message appears:

[screenshot: Out of Office-04]
(twice), after picking Allow

followed by the good old server cannot be reached error.

I've tried 443 and 448 for the SRV record, both the same.

The problem is now that the above message is appearing on all users Outlook sessions now and they're getting hacked off about that so I suspect I'll have to delete the SRV record soon.

Brian

Tony J (Lead Technical Architect) commented:
[comment content not captured]

3D2K (Author) commented:
Tony1044

Remember that the system still cannot locate the server for autoconfiguration even if I pick the Allow box, and I'm working in a Citrix/Terminal Services environment so registry hacks are not where I want to be.

I'm going to take a step back and have a think about it overnight.

Many thanks for your efforts today.

Brian

3D2K (Author) commented:
Tony1044

Just noticed I can apply the last fix with GP so I'll take another look after a battery recharge.

Thanks

Brian

Tony J (Lead Technical Architect) commented:
Yeah I wouldn't give a registry fix that had to be applied at a client level if I could possibly avoid it.

3D2K (Author) commented:
Tony1044

Apologies for the time it has taken me to respond to your help with this problem.

I have come across the following articles which appear to have some bearing on my setup and I'm investigating further:

http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html

What I have done in the meantime is added a sub-domain webmail.redwoodskills.com and I've added this to my godaddy SSL certificate but I'm not happy about installing the new SSL certificate to replace the original one which appears to work.  The instructions for installation on Exchange 2010 from GoDaddy are less than helpful and there appears to be lots of noise on the Internet regarding SSL certificate errors/problems which I hope to avoid.

I'm starting a new question asking for help with the SSL certificate installation before I continue on with this question.

Many Thanks

Brian

3D2K (Author) commented:
Tony1044

After much wasted time and earache from the end-user I have decided that the only course of action left open to me is to do as you suggest.

In future any Exchange installations will be given SSL port 443 first.  There appears to be no way that you can configure autodiscover to use anything but the default SSL port.

All of the diagnostic tools also assume SSL port 443 without any way to modify them, so you really can't fault find with those tools unless you've configured the autodiscover service to use SSL 443.

Lesson learned, but thanks for your continued help.

Tony J (Lead Technical Architect) commented:
I'm really sorry we couldn't nail it - seems somewhat daft in this day and age that something would be so hard-coded.

Thank you for the points - under the circumstances that was more generous than you needed to be.

If I can help on the Citrix side of things, please shout.

3D2K (Author) commented:
Tony1044

10 out of 10 for effort!

My concern is that I've hacked about with it so much that I may have damaged it beyond redemption.

Watch this space....

Brian

Tony J (Lead Technical Architect) commented:
I understand but actually we didn't do all that much and we have a nice audit trail.

But you can always remove and reinstall the virtual directories:

Remove:
Remove-AutodiscoverVirtualDirectory -Identity "Contoso\Autodiscover (Default Web Site)"

Remove-OwaVirtualDirectory -Identity "owa (Default Web Site)"


Then recreate:

New-AutodiscoverVirtualDirectory -WebsiteName "Default Web Site" -BasicAuthentication $true -WindowsAuthentication $true

New-OwaVirtualDirectory -Name "owa (Default Web Site)"

Or if you're really worried, remove and reinstall the CAS role.

3D2K (Author) commented:
That's what you think ;-)

I've run a few EMS commands that I suspect may have some knock-on effect.

For instance one of the things I've tried to do is to set the InternalURL and ExternalURL for the virtual directories via the GUI and EMS and I couldn't get the AutodiscoverServiceInternalURL to be anything other than blank regardless what commands I used.

I may take your advice to delete and recreate the VirtualDirectories at a later time, when I've fixed up CSG not to go near 443 to my satisfaction.