Asked by BlueGoose
Requesting a UCC in Exchange 2010...what should I add?

I have a 2003 and 2010 Exchange Server in my org.  Nothing but test mailboxes on the Exchange 2010 box.


I bought and installed an SSL certificate from GoDaddy for Active Sync and OWA on the 2010 box and they work fine.  Issue I am having is if I open a mailbox internally that is currently on 2010 Server box I get a Security Alert that states "The name on the security certificate is invalid or does not match the name of the site"   I understand why I am getting that message as the internal url is not on the certificate that IIS is using.

So I need to get a UCC that contains both the name of the internal URL and the external URL correct?  And if I understand correctly the external facing URL needs to be the common name on the cert correct?

Anyways, creating the cert within Exchange 2010 is pretty straightforward until I get to one particular area where I need to choose Autodiscover.  Autodiscover used on the INTRANET is grayed out but Autodiscover used on the INTERNET is not.   In the Autodiscover URL to use box, all of the domains that I have listed on the Exchange Server as accepted domains are listed.  About 22 email domains in total, all legit email domains we use.

Now my big question is do I NEED to keep all of these domains in there?  In a demo video I saw, the walk-through said I should just have in there my external url...such as autodiscover.mail.drtvpn.com   Is this correct??  Should the internal url be in there as well?  I'm not clear exactly on what fields should be in this box.

On the next page, Certificate of Domains it lists autodiscover.xxx.xxx for all of the accepted domains and also the internal and external urls with the external url being the common name in bold.


If I could get some assistance in what I need for the autodiscover fields that would be great.


Thanks!
Shack-Daddy:

For autodiscover you only need the external URL. Internal autodiscover is handled differently, and doesn't use DNS lookups to get the Autodiscover URL.
FYI, here's what I'd do. First, you don't need to worry about most of those domain names, unless any of those domain names is likely to be used in a user's email address. If you really have 22 different names that might be used in a user's email address, then you are also going to want to use SRV records in each domain's public DNS, all of which point to the single autodiscover.domain.com name that you chose to put in the cert. And that A-record will point to your server's IP address.

So these are the critical ones:

Common name: mail.domain.com (whatever users will use when they use OWA)
SANs:
autodiscover.domain.com
mailserver.internal.local
mailserver
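The Exchange Management Shell steps that correspond to the name list above, added here as an example (this is not code from the thread or from either participant): request a UCC/SAN certificate with the external OWA name as the common name, import the issued certificate, bind it to IIS and SMTP, and then confirm that every expected name is actually on it. The organization, file paths and all host names are placeholders for your own values.

```powershell
# Added example (not from the thread): request, import and enable a UCC/SAN
# certificate on the single Exchange 2010 CAS/Hub server. Host names, the
# organization string and the file paths are placeholders.
$commonName = "mail.domain.com"          # external OWA/ActiveSync name; becomes the CN
$sanNames   = @(
    $commonName,
    "autodiscover.domain.com",   # the one Autodiscover name every SRV record points to
    "mailserver.internal.local", # internal FQDN of the CAS (used by internal EWS/OOF URLs)
    "mailserver"                 # short NetBIOS name
)

# 1. Generate the CSR. -DomainName becomes the Subject Alternative Name list,
#    and the CN must appear in it as well. The key is left exportable so the
#    same certificate can be moved to another server later if needed.
$csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "C=US, O=Example Org, CN=$commonName" `
        -DomainName $sanNames `
        -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "C:\certs\mailserver.req" -Value $csr

# 2. Once the CA has returned the issued certificate (here C:\certs\mailserver.cer),
#    import it and bind it to IIS (OWA, EWS, Autodiscover, ActiveSync) and SMTP.
$fileData = [Byte[]](Get-Content -Path "C:\certs\mailserver.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $fileData
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Verify that every name you planned for is really on the certificate.
#    A name missing here is exactly what produces "The name on the security
#    certificate is invalid or does not match the name of the site".
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $sanNames | Where-Object { $installed.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning ("Names not on the certificate: " + ($missing -join ", "))
} else {
    "Certificate {0} covers all {1} names, valid until {2}" -f `
        $installed.Thumbprint, $sanNames.Count, $installed.NotAfter
}
```

Enable-ExchangeCertificate with SMTP in the service list asks whether to overwrite the existing default SMTP certificate; answering yes is what you normally want on a single-server install. Step 3 is worth keeping as a standing check, since the CA can silently drop a short name such as the bare NetBIOS name from the issued certificate.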
BlueGoose (asker):

Thank you for the info however just a little confused on the autodiscover part.....

We only have one 2010 Exchange Server (SP1)

CAS, Hub Transport etc are all located on one server.  No unified messaging or edge.

Our external url let's just say mail.drtvpn.com is a host record under drtvpn.com on our domain controller...so would it be safe to say that on the certificate I should be able to put autodiscover.drtvpn.com and have it work?


We usually set up mailboxes manually as well

And yes we do use maybe out of those 22 domains, 7 or 8 of them that use the "domain name" in their email address.


As you can see I am a bit confused on autodiscover
Are your internal and external domain names the same? Your comment about "on our domain controller" seems to imply that's the case. Since that will make a difference, let me know, and I'll tell you how I'd set things up depending on your answer.
I'm sorry I was not more clear...no, they are not the same.

For example, external url is mail.drtvpn.com (this is url we also use for owa and active sync and working fine)

Internal url is same name as Exchange server  for example  widget.drtadmin.com

as far as dc's we have about 5, did not mean to imply just one.


further example as far as additional domains (of the 22)

heder.com
garbazo.com
fleeting.com

and so on


Hope I'm not being too confusing
ASKER CERTIFIED SOLUTION
Shack-Daddy:
Ok that seems pretty clear!  I will give it a go in the morning when I get into the office
Oops one last question..I do have a 2003 Exchange Server in the mix that will be around for a little bit...do I need to add its name to the cert?  It will eventually go away but not within a year probably.  So we will have mailboxes on both servers for a bit of time.
No, you shouldn't need to add that server's name, since that server should already have a self-signed cert that is good internally, but it wouldn't hurt if you added that server's internal FQDN to the certificate and installed a copy of the cert on that server. But you'd need to make sure that you properly exported and imported the cert in order for it to work. Probably easiest to not mess with it. I assume that the new server is handling all the internet-side interaction with OWA, ActiveSync and mail receiving, right?
Ok good to know, I did not put it on there.  

We have Active Sync, OWA and mail receiving working on both servers at the moment.  Different addresses for owa and active sync on each server.  As I move each mailbox over if that user has a need for active sync I will make the changes to their mobile device at that time.

As far as mail delivery I have one of our email domains pointed at the new server even though the mailboxes are on the 2003 server and mail flow is going ok.

I installed the UCC cert and the security warning is gone.  Thanks!  I just need to figure out why Out of Office for the exchange 2010 mail servers is not working and also add those SRV records to get autodiscover to work
Could you run this command and post the results? We may be able to help you sort out the OOF thing.

get-webservicesvirtualdirectory | fl *url
Here you go

InternalNLBBypassUrl : https://widget.drtadmin.com/ews/exchange.asmx
InternalUrl          : https://widget.drtadmin.com.com/EWS/Exchange.asmx
ExternalUrl          : https://mail.drtvpn.com/ews/exchange.asmx



If you do this, OOF may work:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL https://widget/EWS/Exchange.asmx

This would change the URL so that it didn't reference widget.drtadmin.com.com (which I don't think is on your cert, right?). Instead it would reference it by the internal server name which IS on your cert.

Alternately we could do this:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL https://mail.drtvpn.com/EWS/Exchange.asmx

But this would assume that your internal clients are able to resolve mail.drtvpn.com to the internal IP of the server and not the external IP. You could tweak DNS to allow this, but you'd probably need a little guidance.
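The two fixes above come down to one question: does the host name in every URL the Client Access server hands out (EWS, Autodiscover, OWA, ActiveSync and the SCP) appear on the certificate bound to IIS, and does each accepted domain that shows up in user addresses have an SRV record pointing at the single Autodiscover name? The script below, an added example that is not from the thread or its participants, answers both. It reads the live values from the server, so an extra ".com" or a blank InternalUrl is reported rather than discovered through a broken Out of Office. The only value you must fill in is $autodiscoverHost, the Autodiscover SAN you chose; it is a placeholder here.

```powershell
# Added example (not from the thread): cross-check every Client Access URL
# against the IIS certificate and look up the Autodiscover SRV record for
# each accepted domain. $autodiscoverHost is a placeholder for your own SAN.
$server           = $env:COMPUTERNAME
$autodiscoverHost = "autodiscover.domain.com"

# Names on the certificate currently bound to IIS on this CAS.
$iisCert   = Get-ExchangeCertificate -Server $server |
             Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Collect (label, URL) pairs. Blank URLs are reported too: a blank
# Autodiscover or EWS URL breaks OOF and free/busy as surely as a wrong one.
$urls = @()
$ews = Get-WebServicesVirtualDirectory -Server $server | Select-Object -First 1
$urls += ,@("EWS InternalUrl",          $ews.InternalUrl)
$urls += ,@("EWS ExternalUrl",          $ews.ExternalUrl)
$ad  = Get-AutodiscoverVirtualDirectory -Server $server | Select-Object -First 1
$urls += ,@("Autodiscover InternalUrl", $ad.InternalUrl)
$urls += ,@("Autodiscover ExternalUrl", $ad.ExternalUrl)
$owa = Get-OwaVirtualDirectory -Server $server |
       Where-Object { $_.Name -like "owa*" } | Select-Object -First 1
$urls += ,@("OWA InternalUrl",          $owa.InternalUrl)
$urls += ,@("OWA ExternalUrl",          $owa.ExternalUrl)
$eas = Get-ActiveSyncVirtualDirectory -Server $server | Select-Object -First 1
$urls += ,@("ActiveSync InternalUrl",   $eas.InternalUrl)
$urls += ,@("ActiveSync ExternalUrl",   $eas.ExternalUrl)
$cas = Get-ClientAccessServer -Identity $server
$urls += ,@("AutoDiscoverServiceInternalUri (SCP)", $cas.AutoDiscoverServiceInternalUri)

foreach ($pair in $urls) {
    $label, $uri = $pair
    if (-not $uri) { Write-Warning "$label is blank"; continue }
    $hostName = ([Uri]$uri).Host.ToLower()
    # Exact match, or a wildcard entry (*.domain.com) that covers the host.
    $covered = ($certNames -contains $hostName) -or
               ($certNames | Where-Object { $_.StartsWith("*.") -and $hostName.EndsWith($_.Substring(1)) })
    if ($covered) { "OK      {0,-40} {1}" -f $label, $hostName }
    else { Write-Warning ("{0}: host '{1}' is NOT on the IIS certificate" -f $label, $hostName) }
}

# Outlook on the internet falls back to an SRV lookup of
# _autodiscover._tcp.<email domain>; each one should name the single
# Autodiscover host that is on the certificate. This uses whatever DNS
# the server itself resolves against, so run it where public DNS is visible.
foreach ($d in Get-AcceptedDomain) {
    $name = "_autodiscover._tcp." + $d.DomainName.ToString()
    $out  = nslookup -type=SRV $name 2>$null | Out-String
    if ($out -match "svr hostname\s*=\s*(\S+)") {
        $target = $matches[1].TrimEnd(".")
        if ($target -ieq $autodiscoverHost) { "SRV OK  $name -> $target" }
        else { Write-Warning "$name points at $target, expected $autodiscoverHost" }
    } else {
        Write-Warning "no SRV record found for $name"
    }
}
```

The SRV loop walks all accepted domains, so on a setup like the one in this thread, where only 7 or 8 of 22 domains appear in user addresses, the "no SRV record" warnings for the remaining domains are expected and can be ignored. The URL check is the part to rerun after any Set-*VirtualDirectory change or certificate renewal.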
InternalNLBBypassUrl : https://widget.drtadmin.com/ews/exchange.asmx
InternalUrl          : https://widget.drtadmin.com/EWS/Exchange.asmx
ExternalUrl          : https://mail.drtvpn.com/ews/exchange.asmx


My bad on that one....the internal url I had posted was wrong, I had an extra .com in there...so widget.drtadmin.com is on my cert........
Users get the "Your out of office settings cannot be displayed because the server is currently unavailable" message.


BUT with OWA it works?
On an Outlook client with Outlook 2007 or higher running, hold down Control and right-click the Outlook icon in the systray. It should pop up a menu and you can choose Test Email Autoconfiguration from the list. Uncheck the two GuessSmart boxes and then just click Test. Could you report back whether it is successful, and if so, what URL gets returned for the OOF?

Clients don't have any trouble reaching widget.drtadmin.com, right?
They can connect fine internally.

Hmmmmm  ...autodiscover not working at all...I think a lot if not all of it is because I don't have a record yet on the domain server?


wondering if something got goobered up somewhere as it was working before,


with it not working at all, is it cert related or something else?


Sorry this is sort of going off course isn't it
Actually autodiscover internally should not have anything to do with what "autodiscover" is on the cert should it?
Hmmm...spinning my wheels here trying to figure this out....on internal autodiscover does it use the cert?
This is what I get when I run get-autodiscovervirtualdirectory


[PS] C:\Windows\system32>get-autodiscovervirtualdirectory

Name                                    Server                                  InternalUrl
----                                    ------                                  -----------
Autodiscover (Default Web Site)         WIDGET



Blank url?

Not sure if this helps


To add one more piece of info and not sure it applies...in IIS anon is the only authentication enabled
What do you get for these:

get-autodiscovervirtualdirectory | fl *url
get-clientaccessserver | fl *uri
[PS] C:\Windows\system32>get-autodiscovervirtualdirectory | fl *url


InternalUrl :
ExternalUrl :


[PS] C:\Windows\system32>get-clientaccessserver | fl *url





[PS] C:\Windows\system32>




Blank in both?


The second one you didn't do right. You changed my "typo" and put "url" at the end instead of "uri". Do that one again.

But the critical thing is to give your server an external Autodiscover address:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -externalurl https://widget.drtvpn.com/autodiscover/autodiscover.xml
[PS] C:\Windows\system32>get-clientaccessserver | fl *uri


AutoDiscoverServiceInternalUri : https://widget.drtadmin.com/Autodiscover/Autodiscover.xml


ok I added the external url so when I run the get-autodiscovervirtualdirectory | fl *url command i see it now for the external url but internal is still blank
Ok, let's do this for the internal:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl https://widget.drtadmin.com/Autodiscover/Autodiscover.xml

Then do an IISRESET and test to see whether the issue is resolved.

If not, look at this article, particularly at step 2 and let me know what results you get when you paste that URL into a web browser:

http://www.proexchange.be/blogs/exchange2007/archive/2009/07/14/your-out-of-office-settings-cannot-be-displayed-because-the-server-is-currently-unavailable-try-again-later.aspx
Well didn't work...now it is a case of my autodiscover not working at all I'm afraid.....when I do the connection test it comes back all as failed ...no xml file at all.   Hmmmm...I know at one point it was working because I was getting results with mailboxes on the 2010 server
So you don't get anything when you paste https://widget.drtadmin.com/ews/exchange.asmx into a browser?

That's the URL that the Outlook testing tool tells you for OOF, right?
I don't get a url for OOF because autodiscover does not run correctly.  It fails on all tries so I never get the info that you get under the first tab when you run the autodiscover test.


I pasted the above url in but just get a canned message : This XML file does not appear to have any style information associated with it. The document tree is shown below.

And then a ton of stuff that looks to be just canned xml (if that makes sense)


Autodiscover did work at one point (the test) because I know what you are talking about.  For internal autodiscover the cert or dns should not matter right as it is all internal?  fwiw I can set up mailboxes automatically just by putting in the email address but maybe not even related


I'm wondering what stopped the autodiscover from working internally?
Ok, you probably need to rebuild your virtual directories. When you are in the Exchange Management Console, if you go down into Server -> Client Access, you should see an Action item on the right that will allow you to rebuild the virtual directories. It's pretty automated, so it shouldn't be hard. Let's do that and then test again.
Ok will do that in the morning...am I correct in assuming that the cert and dns entry should NOT affect internal autodiscover
which virtual directory am I resetting?  So far I just have done the auto discover one and re-ran the above commands to set my internal and external URLs
Hey autodiscover and oof are now working!
Good, so basically one of those two vdirs had some corruption, and rebuilding them resolved it.
Very knowledgeable expert, would not hesitate to follow any of his Exchange advice