mndthegap1 asked:
Availability service Exchange 2007

We have 2 CAS servers: one is Internet-facing, one is internal.
Autodiscover is working; this question is more about trying to understand.

Our internal domain is different from our external domain name,
so the internal alias would be user@test.lcl
and the external would be

From a computer joined to the domain and connected to the network, if I run Test E-mail AutoConfiguration using my email address, it populates the external URLs correctly using the Internet-facing CAS server.

If I use my AD credentials (user@test.lcl), it pulls the services from the internal Client Access Server, not the Internet-facing CAS server.

I do not understand how Outlook/Exchange determines which CAS server to use internally, or whether there is a way to specify one over the other.
Why doesn't it use the external-facing CAS server?

The reason I ask is that if we have a computer that is not a member of the domain but is on the network, when a user with a valid account tries to authenticate and open Outlook, they get a certificate error asking them to trust the certificate, which is the self-signed certificate of the internal CAS server, rather than hitting the Internet-facing CAS server.
If the computer is external, not connected to the domain, and tries to access Outlook using Autodiscover or Outlook Anywhere, it works fine.
MegaNuk3 replied:

Basically, the non-domain-joined client can't trust the internal cert because it is not in the same domain as the CAS server. Have you got internal DNS for your external domain name that resolves your cert name to the internal IP address of your Internet-facing CAS server? Also add an SRV record to that internal zone that points at your Internet-facing CAS server.
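The split DNS that the answer above describes, written out as an added example (this is not code from the thread or from either participant). It is run on a Windows DNS server with dnscmd and checked from a workstation with nslookup. All names are assumptions: the external zone is "example.com", the AD zone is "test.lcl", the name on the trusted certificate of the Internet-facing CAS is "mail.example.com", its internal address is 10.0.0.10, and the DNS server is "dc01".

```powershell
# Added example, not from the original thread. Assumed names:
#   dc01             - internal Windows DNS server
#   example.com      - internal copy of the external zone (split DNS)
#   test.lcl         - AD domain zone; users may log on as user@test.lcl
#   mail.example.com - name on the trusted certificate of the Internet-facing CAS
#   10.0.0.10        - internal IP of that CAS
$dns     = 'dc01'
$extZone = 'example.com'
$intZone = 'test.lcl'
$casName = 'mail.example.com'
$casIp   = '10.0.0.10'

# 1. A record: inside the network, the certificate name must resolve to the
#    Internet-facing CAS, otherwise clients never reach the trusted cert.
dnscmd $dns /RecordAdd $extZone mail A $casIp

# 2. SRV record in the zone that matches the SMTP suffix the user types.
#    Outlook looks up _autodiscover._tcp.<smtp-domain>, so a non-domain-joined
#    client on the LAN that enters user@test.lcl needs it in test.lcl.
#    Fields: priority 0, weight 0, port 443, target = certificate name.
dnscmd $dns /RecordAdd $intZone _autodiscover._tcp SRV 0 0 443 $casName

# 3. Same record in the internal copy of the external zone, for users who
#    enter their external address while on the LAN.
dnscmd $dns /RecordAdd $extZone _autodiscover._tcp SRV 0 0 443 $casName

# Verify from a workstation on the LAN: the A record must return the internal
# IP and both SRV records must name the certificate host, not the internal CAS.
nslookup -type=A $casName $dns
nslookup -type=SRV "_autodiscover._tcp.$intZone" $dns
nslookup -type=SRV "_autodiscover._tcp.$extZone" $dns
```

Two checks worth doing after this: the SRV target and the Common Name (or a Subject Alternative Name) on the certificate must match exactly, or the trust prompt simply moves to a different name; and Outlook 2007 only performs the SRV lookup once it has the post-RTM Autodiscover update installed, so an unpatched Outlook 2007 on a non-domain-joined machine will still fall back to the host-name guesses and may still hit the internal CAS.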
mndthegap1 replied:
We do have DNS configured with both internal and external DNS zones.
I do have an A record for my pointing to the Internet-facing CAS server.
I will try adding the SRV record, thank you.

But can you explain, or let me know, how the CAS server is selected internally?
I just can't grasp that.
Thanks for the help.
One other thing: I need to add the SRV record to the internal DNS zone, correct?
The test.lcl zone? Because I am using the internal credentials alias@test.lcl.

Or do I need to add it to both the internal test.lcl zone and my external zone?
A non-domain-joined client will resort to DNS to find the Autodiscover service and the URLs.

The SRV article I posted will explain that. Whereas a domain-joined client will query AD for Service Connection Points and will connect to whichever CAS server in its AD site was created first.
More info on the Autodiscover service:

Add the SRV record to your internal DNS zone; that way, if someone internal uses a non-domain-joined machine, they will get connected to Exchange with no cert error.
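The Service Connection Point lookup the answer above describes, as an added example for the Exchange Management Shell (not code from the thread). It lists the SCP each CAS publishes in the order the answer says a domain-joined Outlook tries them (creation order within the client's AD site), reads the raw SCP objects from the configuration partition, and then gives every CAS the same AutoDiscoverServiceInternalUri so that whichever one Outlook picks hands back the name on the trusted certificate. The host name "mail.example.com" is an assumption; it must already resolve internally to the Internet-facing CAS.

```powershell
# Added example, not from the original thread. Assumed: the trusted
# certificate on the Internet-facing CAS carries the name mail.example.com and
# internal DNS already resolves that name to its internal IP.
$trustedName = 'mail.example.com'

# 1. What a domain-joined Outlook will find: one SCP per CAS. Within the
#    client's AD site the answer says the oldest object is tried first, so
#    sort by WhenCreated to see that order.
Get-ClientAccessServer |
    Sort-Object WhenCreated |
    Format-Table Name, WhenCreated, AutoDiscoverSiteScope, AutoDiscoverServiceInternalUri -AutoSize

# 2. The raw SCP objects themselves, read straight from the configuration
#    partition: the URL lives in serviceBindingInformation, the site list in
#    keywords. Useful when the two views disagree.
$cfgNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$filter   = '(&(objectClass=serviceConnectionPoint)(cn=Autodiscover))'
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$cfgNc", $filter)
foreach ($scp in $searcher.FindAll()) {
    $url   = $scp.Properties['servicebindinginformation'] -join ','
    $sites = $scp.Properties['keywords'] -join ','
    "{0}`n  url:   {1}`n  sites: {2}" -f $scp.Path, $url, $sites
}

# 3. Instead of reordering SCPs, make the order irrelevant: every CAS
#    publishes the same URI, the one that matches the trusted certificate.
Get-ClientAccessServer |
    Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$trustedName/Autodiscover/Autodiscover.xml"

# 4. Confirm, then re-run Test E-mail AutoConfiguration from a domain-joined
#    client with user@test.lcl: the URLs should now come from mail.example.com.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
```

Step 3 only changes where Autodiscover itself is fetched from; the URLs Autodiscover hands out (Availability/EWS, OAB, Outlook Anywhere) come from the virtual directory settings on whichever CAS answers, so those InternalUrl/ExternalUrl values should also use the certificate name, or the trust prompt reappears on the first free/busy lookup.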
Okay, so if the internal CAS server was created in the site before the Internet-facing CAS server, Outlook will attempt that server first and then the Internet-facing one as a secondary; is that basically how it works?

But I get the SRV record fix, so I will do that.
I thought you said that @test.lcl worked correctly? Wouldn't it be easier for users to enter their external email address and password?
Yep, you've got the idea; have a read of the whitepaper, it might explain things a bit better or make them a bit clearer...
Thanks so much for your help, I appreciate it.
One last question regarding it: is there a way to modify the SCP list to change the order?
Or would that require using ADSI Edit or whatnot?
ADSI Edit and reinstalling your CAS server ;-)
Are both of your CAS servers in the same AD site?
Upgrade to Exchange 2010 for CAS arrays.
Thanks for the points; did the SRV record and internal DNS resolve your issue?