Solved

Requesting a UCC in Exchange 2010...what should I add?

Posted on 2011-02-14
Last Modified: 2012-05-11
I have a 2003 and 2010 Exchange Server in my org.  Nothing but test mailboxes on the Exchange 2010 box.


I bought and installed an SSL cert from GoDaddy for ActiveSync and OWA on the 2010 box, and they work fine. The issue I am having is that if I open a mailbox internally that is currently on the 2010 server box, I get a Security Alert that states "The name on the security certificate is invalid or does not match the name of the site". I understand why I am getting that message, as the internal URL is not on the certificate that IIS is using.

So I need to get a UCC that contains both the name of the internal URL and the external URL, correct? And, if I understand correctly, the external-facing URL needs to be the common name on the cert, correct?

Anyway, creating the cert within Exchange 2010 is pretty straightforward until I get to one particular area where I need to choose Autodiscover. "Autodiscover used on the INTRANET" is grayed out, but "Autodiscover used on the INTERNET" is not. In the "Autodiscover URL to use" box, all of the domains that I have listed on the Exchange server as accepted domains are listed: about 22 email domains in total, all legitimate email domains we use.

Now my big question is: do I NEED to keep all of these domains in there? In a demo video I saw, the walk-through said I should just have my external URL in there, such as autodiscover.mail.drtvpn.com. Is this correct? Should the internal URL be in there as well? I'm not clear exactly on what fields should be in this box.

On the next page, Certificate of Domains, it lists autodiscover.xxx.xxx for all of the accepted domains and also the internal and external URLs, with the external URL being the common name in bold.

If I could get some assistance on what I need for the autodiscover fields, that would be great.


Thanks!
Question by: BlueGoose

36 Comments

Expert Comment by: Shack-Daddy
For autodiscover you only need the external URL. Internal autodiscover is handled differently, and doesn't use DNS lookups to get the Autodiscover URL.

Expert Comment by: Shack-Daddy
FYI, here's what I'd do. First, you don't need to worry about most of those domain names, unless any of those domain names is likely to be used in a user's email address. If you really have 22 different names that might be used in a user's email address, then you are also going to want to use SRV records in each domain's public DNS, all of which point to the single autodiscover.domain.com name that you chose to put in the cert. And that A-record will point to your server's IP address.

So these are the critical ones:

Common name: mail.domain.com (whatever users will use when they use OWA)
SANs:
autodiscover.domain.com
mailserver.internal.local
mailserver

Author Comment by: BlueGoose
Thank you for the info; however, I'm just a little confused on the autodiscover part.

We only have one 2010 Exchange Server (SP1).

CAS, Hub Transport etc. are all located on one server. No Unified Messaging or Edge.

Our external URL, let's just say mail.drtvpn.com, is a host record under drtvpn.com on our domain controller... so would it be safe to say that on the certificate I should be able to put autodiscover.drtvpn.com and have it work?

We usually set up mailboxes manually as well.

And yes, out of those 22 domains we do use maybe 7 or 8 of them that use the "domain name" in their email address.

As you can see, I am a bit confused on autodiscover.

Expert Comment by: Shack-Daddy
Are your internal and external domain names the same? Your comment about "on our domain controller" seems to imply that's the case. Since that will make a difference, let me know, and I'll tell you how I'd set things up depending on your answer.

Author Comment by: BlueGoose
I'm sorry I was not more clear... no, they are not the same.

For example, the external URL is mail.drtvpn.com (this is the URL we also use for OWA and ActiveSync, and it's working fine).

The internal URL is the same name as the Exchange server, for example widget.drtadmin.com.

As far as DCs, we have about 5; I did not mean to imply just one.

Further examples of the additional domains (of the 22):

heder.com
garbazo.com
fleeting.com

and so on.

Hope I'm not being too confusing.

Accepted Solution by: Shack-Daddy (earned 500 total points)
Ok, so here's what you'd be putting on your UCC/SAN cert:

Common Name: mail.drtvpn.com

Subject Alt Names:
autodiscover.drtvpn.com
widget.drtadmin.com
widget

That would make a total of four names on the cert.

Now I will warn you, if you are really using a ".com" domain name internally that you do not own, you will not be able to put that name on the certificate, and we'll have to do some workarounds on a lot of the URLs on your server's virtual directories.

In that situation, you'd have this on the cert:

Common name: mail.drtvpn.com
Subject Alt names:
autodiscover.drtvpn.com
widget

And that's the certificate part. If you want autodiscover to work for all those other names, you are going to want to create SRV records in each of those public DNS zones, and in each record, you are going to specify autodiscover.drtvpn.com as the target hostname. For more information on setting up SRV records, look at this article I wrote:

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/

In each of those public domains (including drtvpn.com) you will also need to make sure that there is NO wildcard "*" record existing, or autodiscover will not work.
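As an added example, not part of the thread, here is the accepted solution's certificate list and DNS requirements scripted from the Exchange Management Shell on the CAS: generate the request with the four names, confirm after import that the IIS-bound certificate really carries each name, then check every public zone for the SRV record and for a wildcard A record. The subject's c= and o= fields, the file paths and the three extra zones are constructed placeholders. One caveat the thread predates: since November 2015 public CAs do not issue certificates containing non-registrable names such as the bare host name "widget" (CA/Browser Forum Baseline Requirements), so on a current deployment only registered public names go on the certificate and the internal URLs are pointed at a public name that internal DNS resolves to the server's private address, the split-DNS alternative the thread mentions for EWS.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the CAS.
# Names below are the ones the accepted solution lists; $extraDomains is a constructed
# sample of the accepted domains that appear in users' addresses.

$commonName   = "mail.drtvpn.com"
$sanNames     = @("autodiscover.drtvpn.com", "widget.drtadmin.com", "widget")
$extraDomains = @("heder.com", "garbazo.com", "fleeting.com")   # constructed sample
$requestPath  = "C:\certreq\mail.drtvpn.com.req"                # placeholder path

# 1. Generate the request. The CN is repeated as the first -DomainName entry so the
#    CA treats it as the common name; the rest become subject alternative names.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$commonName" `
    -DomainName (@($commonName) + $sanNames) `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2010 UCC"
Set-Content -Path $requestPath -Value $request

# 2. Once the CA returns the certificate, import it and bind it to IIS, which serves
#    OWA, EWS, ActiveSync and Autodiscover (left commented until the file exists):
# Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certreq\mail.drtvpn.com.cer" -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services IIS

# 3. Confirm every name clients will use is actually on the IIS-bound certificate.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
foreach ($name in @($commonName) + $sanNames) {
    if ($iisCert.CertificateDomains -contains $name) { "OK      $name" }
    else                                             { "MISSING $name" }
}

# 4. For each public zone: the SRV record must point at autodiscover.drtvpn.com, and
#    there must be no wildcard record, otherwise autodiscover.<zone> resolves to the
#    wildcard host and the client fails on the certificate name.
foreach ($zone in @("drtvpn.com") + $extraDomains) {
    "--- $zone ---"
    nslookup -type=SRV "_autodiscover._tcp.$zone" 2>&1 | Select-String "svr hostname|port|priority|weight"

    # Probe a name that should not exist; a "Name:" answer means a wildcard is present.
    # (Resolvers that rewrite NXDOMAIN will also trigger this; test against the zone's own nameserver.)
    $probe = "wildcardprobe-$(Get-Random).$zone"
    if (nslookup $probe 2>&1 | Select-String "^Name:") {
        "WARNING: $zone appears to have a wildcard record"
    }
}
```

The expected SRV record in each zone is `_autodiscover._tcp.<zone>` with port 443 and target `autodiscover.drtvpn.com`; the "MISSING" and "WARNING" lines are the two conditions that produce the certificate-name prompt the question describes.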

Author Comment by: BlueGoose
Ok, that seems pretty clear! I will give it a go in the morning when I get into the office.

Author Comment by: BlueGoose
Oops, one last question. I do have a 2003 Exchange Server in the mix that will be around for a little bit. Do I need to add its name to the cert? It will eventually go away, but probably not within a year. So we will have mailboxes on both servers for a bit of time.

Expert Comment by: Shack-Daddy
No, you shouldn't need to add that server's name, since that server should already have a self-signed cert that is good internally, but it wouldn't hurt if you added that server's internal FQDN to the certificate and installed a copy of the cert on that server. But you'd need to make sure that you properly exported and imported the cert in order for it to work. Probably easiest to not mess with it. I assume that the new server is handling all the internet-side interaction with OWA, ActiveSync and mail receiving, right?

Author Comment by: BlueGoose
Ok, good to know; I did not put it on there.

We have Active Sync, OWA and mail receiving working on both servers at the moment.  Different addresses for owa and active sync on each server.  As I move each mailbox over if that user has a need for active sync I will make the changes to their mobile device at that time.

As far as mail delivery I have one of our email domains pointed at the new server even though the mailboxes are on the 2003 server and mail flow is going ok.

I installed the UCC cert and the security warning is gone. Thanks! I just need to figure out why Out of Office for the Exchange 2010 mail servers is not working, and also add those SRV records to get autodiscover to work.

Expert Comment by: Shack-Daddy
Could you run this command and post the results? We may be able to help you sort out the OOF thing.

get-webservicesvirtualdirectory | fl *url

Author Comment by: BlueGoose
Here you go

InternalNLBBypassUrl : https://widget.drtadmin.com/ews/exchange.asmx
InternalUrl          : https://widget.drtadmin.com.com/EWS/Exchange.asmx
ExternalUrl          : https://mail.drtvpn.com/ews/exchange.asmx

Expert Comment by: Shack-Daddy
If you do this, OOF may work:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL https://widget/EWS/Exchange.asmx

This would change the URL so that it didn't reference widget.drtadmin.com.com (which I don't think is on your cert, right?). Instead it would reference it by the internal server name which IS on your cert.

Alternately we could do this:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL https://mail.drtvpn.com/EWS/Exchange.asmx

But this would assume that your internal clients are able to resolve mail.drtvpn.com to the internal IP of the server and not the external IP. You could tweak DNS to allow this, but you'd probably need a little guidance.

Author Comment by: BlueGoose
InternalNLBBypassUrl : https://widget.drtadmin.com/ews/exchange.asmx
InternalUrl          : https://widget.drtadmin.com/EWS/Exchange.asmx
ExternalUrl          : https://mail.drtvpn.com/ews/exchange.asmx


My bad on that one. The internal URL I had posted was wrong; I had an extra .com in there. So widget.drtadmin.com is on my cert.

Author Comment by: BlueGoose
Users get the "Your out of office settings cannot be displayed because the server is currently unavailable" message.


BUT with OWA it works?

Expert Comment by: Shack-Daddy
On an Outlook client with Outlook 2007 or higher running, hold down Control and right-click the Outlook icon in the systray. It should pop up a menu and you can choose Test Email Autoconfiguration from the list. Uncheck the two GuessSmart boxes and then just click Test. Could you report back whether it is successful, and if so, what URL gets returned for the OOF?

Clients don't have any trouble reaching widget.drtadmin.com, right?

Author Comment by: BlueGoose
They can connect fine internally.

Hmmmmm... autodiscover not working at all. I think a lot, if not all, of it is because I don't have a record yet on the domain server?

Wondering if something got goobered up somewhere, as it was working before.

With it not working at all, is it cert related or something else?

Sorry, this is sort of going off course, isn't it?

Author Comment by: BlueGoose
Actually autodiscover internally should not have anything to do with what "autodiscover" is on the cert should it?

Author Comment by: BlueGoose
Hmmm... spinning my wheels here trying to figure this out. On internal autodiscover, does it use the cert?

Author Comment by: BlueGoose
This is what I get when I run get-autodiscovervirtualdirectory


[PS] C:\Windows\system32>get-autodiscovervirtualdirectory

Name                                    Server                                  InternalUrl
----                                    ------                                  -----------
Autodiscover (Default Web Site)         WIDGET



Blank URL?

Not sure if this helps.

Author Comment by: BlueGoose
To add one more piece of info, and not sure it applies: in IIS, anonymous is the only authentication enabled.

Expert Comment by: Shack-Daddy
What do you get for these:

get-autodiscovervirtualdirectory | fl *url
get-clientaccessserver | fl *uri

Author Comment by: BlueGoose
[PS] C:\Windows\system32>get-autodiscovervirtualdirectory | fl *url

InternalUrl :
ExternalUrl :

[PS] C:\Windows\system32>get-clientaccessserver | fl *url

[PS] C:\Windows\system32>

Blank in both?

Expert Comment by: Shack-Daddy
The second one you didn't do right. You changed my "typo" and put "url" at the end instead of "uri". Do that one again.

But the critical thing is to give your server an external Autodiscover address:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -externalurl https://widget.drtvpn.com/autodiscover/autodiscover.xml

Author Comment by: BlueGoose
[PS] C:\Windows\system32>get-clientaccessserver | fl *uri


AutoDiscoverServiceInternalUri : https://widget.drtadmin.com/Autodiscover/Autodiscover.xml

Author Comment by: BlueGoose
Ok, I added the external URL, so when I run the get-autodiscovervirtualdirectory | fl *url command I see it now for the external URL, but internal is still blank.

Expert Comment by: Shack-Daddy
Ok, let's do this for the internal:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl https://widget.drtadmin.com/Autodiscover/Autodiscover.xml

Then do an IISRESET and test to see whether the issue is resolved.

If not, look at this article, particularly at step 2 and let me know what results you get when you paste that URL into a web browser:

http://www.proexchange.be/blogs/exchange2007/archive/2009/07/14/your-out-of-office-settings-cannot-be-displayed-because-the-server-is-currently-unavailable-try-again-later.aspx
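The EWS and Autodiscover URL changes above all come down to one rule: every host name a client is handed (by Autodiscover, by the SCP in Active Directory, or by a virtual directory URL) must be on the certificate IIS presents, and must not be blank. As an added example that is not part of the thread, here is a check written for the Exchange Management Shell that audits all the client-facing virtual directories on the CAS at once; the cmdlets are standard Exchange 2010 ones, the output layout and the Test-UrlHost helper are my own. Any host name that was mistyped or never added to the certificate shows up as MISMATCH, and a missing URL shows up as BLANK.

```powershell
# Added example (not from the thread): audit virtual directory URLs against the
# names on the IIS-bound certificate. Run in the Exchange Management Shell on the CAS.

$server = $env:COMPUTERNAME

# Names the IIS certificate actually covers (first certificate with the IIS service).
$certNames = (Get-ExchangeCertificate -Server $server |
              Where-Object { $_.Services -match "IIS" } |
              Select-Object -First 1).CertificateDomains

# Every URL-bearing virtual directory on this server.
$vdirs = @(
    Get-AutodiscoverVirtualDirectory -Server $server
    Get-WebServicesVirtualDirectory  -Server $server
    Get-OwaVirtualDirectory          -Server $server
    Get-EcpVirtualDirectory          -Server $server
    Get-ActiveSyncVirtualDirectory   -Server $server
    Get-OabVirtualDirectory          -Server $server
)
# The Autodiscover service connection point domain-joined Outlook reads from AD.
$scp = Get-ClientAccessServer -Identity $server

# Helper (my own): report OK, MISMATCH or BLANK for one URL.
function Test-UrlHost {
    param([string]$Label, [System.Uri]$Url)
    if (-not $Url) { return "{0,-50} BLANK" -f $Label }
    $ok = $certNames -contains $Url.Host
    "{0,-50} {1,-8} {2}" -f $Label, $(if ($ok) { "OK" } else { "MISMATCH" }), $Url.Host
}

"Certificate names: $($certNames -join ', ')"
foreach ($v in $vdirs) {
    Test-UrlHost "$($v.Name) InternalUrl" $v.InternalUrl
    Test-UrlHost "$($v.Name) ExternalUrl" $v.ExternalUrl
}
Test-UrlHost "AutoDiscoverServiceInternalUri (SCP)" $scp.AutoDiscoverServiceInternalUri
```

Run it before and after each Set-*VirtualDirectory change and after the IISRESET; when every line reads OK, the remaining Autodiscover or OOF failures are not certificate-name problems and the virtual directory itself is the next thing to look at.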

Author Comment by: BlueGoose
Well, it didn't work. Now it is a case of my autodiscover not working at all, I'm afraid. When I do the connection test it comes back all as failed, no XML file at all. Hmmm... I know at one point it was working, because I was getting results with mailboxes on the 2010 server.

Expert Comment by: Shack-Daddy
So you don't get anything when you paste https://widget.drtadmin.com/ews/exchange.asmx into a browser?

That's the URL that the Outlook testing tool tells you for OOF, right?

Author Comment by: BlueGoose
I don't get a URL for OOF because autodiscover does not run correctly. It fails on all tries, so I never get the info that you get under the first tab when you run the autodiscover test.

I pasted the above URL in but just get a canned message: "This XML file does not appear to have any style information associated with it. The document tree is shown below."

And then a ton of stuff that looks to be just canned XML (if that makes sense).

Autodiscover did work at one point (the test) because I know what you are talking about. For internal autodiscover, the cert or DNS should not matter, right, as it is all internal? FWIW, I can set up mailboxes automatically just by putting in the email address, but maybe that's not even related.

I'm wondering what stopped the autodiscover from working internally?

Expert Comment by: Shack-Daddy
Ok, you probably need to rebuild your virtual directories. When you are in the Exchange Management Console, if you go down into Server -> Client Access, you should see an Action item on the right that will allow you to rebuild the virtual directories. It's pretty automated, so it shouldn't be hard. Let's do that and then test again.
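As an added example, not part of the thread, here is the scripted form of the console's rebuild for the Autodiscover virtual directory, with the existing settings saved first so they can be compared or restored if the recreated directory differs. It uses the Remove-/New-AutodiscoverVirtualDirectory cmdlets the console wizard calls; the external URL uses autodiscover.drtvpn.com, the name the accepted solution puts on the certificate, and the output path is a placeholder.

```powershell
# Added example (not from the thread): rebuild the Autodiscover virtual directory
# from the Exchange Management Shell on the CAS, recording settings first.

$server   = $env:COMPUTERNAME
$vdirId   = "$server\Autodiscover (Default Web Site)"
$backup   = "C:\certreq\autodiscover-vdir-before.txt"   # placeholder path

# 1. Record the current configuration (URLs and authentication) before touching it.
Get-AutodiscoverVirtualDirectory -Identity $vdirId |
    Format-List Name, InternalUrl, ExternalUrl, *Authentication |
    Out-File -FilePath $backup

# 2. Remove and recreate the virtual directory in the Default Web Site, setting the
#    URLs in the same step so there is no window with a blank URL.
Remove-AutodiscoverVirtualDirectory -Identity $vdirId -Confirm:$false
New-AutodiscoverVirtualDirectory -WebSiteName "Default Web Site" `
    -InternalUrl "https://widget.drtadmin.com/Autodiscover/Autodiscover.xml" `
    -ExternalUrl "https://autodiscover.drtvpn.com/Autodiscover/Autodiscover.xml"

# 3. Restart IIS so the new application is served, then verify both the virtual
#    directory and the SCP that domain-joined Outlook reads from Active Directory.
iisreset /noforce
Get-AutodiscoverVirtualDirectory -Identity $vdirId | Format-List Name, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri
```

After the rebuild, repeat the Outlook "Test E-mail AutoConfiguration" check from the client side: the first tab should now return the EWS URL used for OOF, and its host name should match one of the names on the certificate.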

Author Comment by: BlueGoose
Ok, will do that in the morning. Am I correct in assuming that the cert and DNS entry should NOT affect internal autodiscover?

Author Comment by: BlueGoose
Which virtual directory am I resetting? So far I have just done the Autodiscover one and re-ran the above commands to set my internal and external URLs.

Author Comment by: BlueGoose
Hey autodiscover and oof are now working!

Expert Comment by: Shack-Daddy
Good, so basically one of those two vdirs had some corruption, and rebuilding them resolved it.

Author Closing Comment by: BlueGoose
Very knowledgeable expert; would not hesitate to follow any of his Exchange advice.