• Status: Solved

Problems with external OWA and the autodiscovery for Outlook clients

Hi

I would appreciate some help with resolving a few problems.  I will go through what I think is needed and would appreciate it if you could let me know if I'm on the right track.

Basically we have been using active office for emails and have decided to migrate the operation to hosted Exchange 2010 servers.  The setup is as follows: we have a mail store server ----> CAS/HUB -----> (DMZ) edge transport server.

I have migrated myself over and am able to send and receive without problems both internally and externally.

When I was setting up my Outlook client it autodiscovered to CAS01.domain.local; however, this only connects if I have a persistent route on the local machine, which I want to avoid as this will then use our MPLS connection and I would rather the email traffic be routed over the net.  Am I right in thinking I will need to get a certificate that has autodiscover.domain.com, with the namespace being directed at the edge transport server's external IP, which should in turn route it to the CAS? (For the routing to and from the edge server, does edge sync need to be activated, as I already have the connectors set up?)

So basically, to configure the Outlook clients to connect over the internet, are the above steps correct?

Secondly, regarding the OWA setup, I have the internal URL configured to https://CAS01.domain.local and internally this is working fine.  However, when I am trying to connect to the external URL of https://mail.domain.com it does not connect and times out.  The namespace is pointing to the external IP of the edge server.  However, when I try the external URL from the edge transport server it connects, so I assume that port 443 is not open and HTTPS traffic is not being redirected to the CAS.  I have asked the hosting company to check their firewall settings.  Do you think this would be the cause?

Many thanks in advance
Asked by: SSAN_NH

1 Solution

James (Senior Cloud Infrastructure Engineer) Commented:
On both scenarios this would be correct. You do need an SSL Cert with the SPN names for Autodiscover etc. With regard to the hosting company, this would appear to be a firewall issue. They may well need to redirect port 443.

James (Senior Cloud Infrastructure Engineer) Commented:
You will need to purchase an SSL Cert that will support multiple SPN - Server Principal Names. As far as I know Thawte SSL Certs support multiple SPN names. You can verify this on their website. Also, I have provided a link with some interesting information regarding this. This applies to Exchange 2007, but there is not much variation of the Autodiscovery service in Exchange 2010.

http://busbar.blogspot.com/2008/03/autodiscovery-and-commercial.html

SSAN_NH (Author) Commented:
Hi JBond

Thanks for the replies.  

Is there any way of using a self-signed certificate for testing purposes?

I was thinking that I would need a Subject Address Name SSL cert for the multiple names.  Is it a SPN or SAN that is required for the autodiscovery, legacy etc?

James (Senior Cloud Infrastructure Engineer) Commented:
You would be using a SAN Certificate. Refer to the link below and this will guide you in the right direction.

http://blogs.catapultsystems.com/IT/archive/2010/02/17/exchange-2010-part-2-of-4-%E2%80%93-understanding-the-new-uc-san-certificate-requirement.aspx

SSAN_NH (Author) Commented:
Thanks, that's a great link

James (Senior Cloud Infrastructure Engineer) Commented:
You're welcome :)

SSAN_NH (Author) Commented:
One final query, as it is not mentioned in the article.

For the namespaces, do I point them at the external IP of the Edge transport server and have the firewall just redirect the requests to the internal IP of the Client Access server?

James (Senior Cloud Infrastructure Engineer) Commented:
Yes, this should work fine.
Question has a verified solution.
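
The thread settles on a SAN certificate that covers every name clients connect to. As an added example (not from the thread or any participant), this Python check reports which required namespaces a certificate's subjectAltName list fails to cover. The certificate dict is constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`, and the function names and required-name list are assumptions built from the thread's placeholder hostnames.

```python
# Added example: audit a certificate's SAN list against the namespaces
# that Outlook (Autodiscover) and OWA clients will actually connect to.

def san_dns_names(cert):
    """Return the lower-cased DNS entries of the subjectAltName extension."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a wildcard standing for the whole left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        rest = pattern[2:]
        label, _, host_rest = host.partition(".")
        # "*.domain.com" covers "mail.domain.com" but neither "domain.com"
        # nor "a.b.domain.com"; a wildcard directly under a TLD is refused.
        return bool(label) and host_rest == rest and "." in rest
    return False


def audit_namespaces(cert, required):
    """Report required names the SAN list misses and SAN names usable only internally."""
    sans = san_dns_names(cert)
    missing = [h for h in required if not any(name_matches(s, h) for s in sans)]
    # .local and single-label names resolve only inside the network, so they
    # cannot serve as the external namespace.
    internal = [s for s in sans if s.endswith(".local") or "." not in s]
    return {"missing": missing, "internal_only": internal}


# Constructed sample: a certificate issued before autodiscover was added.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "CAS01.domain.local")),
}
REQUIRED = ["mail.domain.com", "autodiscover.domain.com"]

if __name__ == "__main__":
    report = audit_namespaces(SAMPLE_CERT, REQUIRED)
    print("missing from SAN list:", report["missing"])
    print("internal-only SAN names:", report["internal_only"])
```

The check covers names only; whether clients trust the issuer (for example a self-signed test certificate) is a separate question.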
