ryan80

Exchange 2010 access for internal clients

I have installed Exchange 2010 within my environment, migrating from 2003.

Currently I changed my DNS so that OWA access goes through the TMG server, even from internally. However, I am getting security alerts from Outlook since the default settings have Outlook clients check into the 2010 server by its server name and the SSL does not match.

What I was thinking of doing was changing the settings via PowerShell so that Outlook will look to the 2010 server by using the name on the SSL certificate, but when changing it, that means that the server will also have to serve OWA internally as well.

This means that I will need to create redirects for the default web page and means that there are two ways that OWA will be accessed depending on whether it is external or internal.

Is there a way to make it so that internal Outlook can access the 2010 server, but going through TMG so that I can keep the DNS the same and the OWA access path the same?
Prashant Shrivastava

Considering you are not using an EV certificate, but worth trying: the easy path would be to add the external domain name and the server's public IP address in the DNS server. When the IP matches the DNS name, it will not show any error message.
ryan80

ASKER

Currently I have the URL for OWA pointing to the IP for the TMG server both internally and externally. That URL is what is on the name of the SSL.

However, per http://support.microsoft.com/kb/940726, it says that I should run those commands so that the published address matches the SSL name. However, since my DNS points to the TMG server, I doubt that Outlook will then work. I am hoping there is a way that I can set this up so that I don't have to change the 2010 server with redirects.

If not I will just update the redirects, internal DNS, and run these PowerShell scripts, but I was hoping there was another way.
OK, try updating the host file name with FQDN (Fully qualified domain name - URL DOMAIN NAME) and public IP address, and then try browsing.
ryan80

ASKER

This isn't just for one computer, but a whole network of computers. I either have to allow Outlook to connect through the TMG server, which I am not sure can be done since RPC uses a wide range of ports, or I need to update the redirect on the 2010 server, which I can do but would rather not.
Unfortunately, you need to take a decision here on how you will connect. I have used this in a production environment where the certificate name and internal domain names were different, and we used the public domain name in the DNS server to make sure the names and corresponding IP are the same. I don't think you need to change any configuration here; just treat this website from the TMG server as an external one.
ryan80

ASKER

I know that I can put the corresponding name in the internal DNS to point to the correct internal IP, but what I am saying is that currently that name points to TMG, which performs the HTTP and root domain redirects.

Currently users connect with standard RPC and not Outlook Anywhere, so I am not sure of the impact on the Outlook clients.
Hmm, in that case our hands are tied. Have you tried using the "external IP" instead?
ryan80

ASKER

I tried changing the setting on the server for the Autodiscover URI, and leaving it pointed at the TMG server broke Outlook.
This is normal behaviour. You need to think about how these looping issues can be isolated, then. The gist is that if the certificate name matches the DNS name, it will work. Sorry, I may not be of any better help than this.
ryan80

ASKER

That is what I was thinking: that internal Outlook would not pass through the TMG server. I would need to use Outlook Anywhere if I were to want to pass it through. I guess that I just need to configure the redirects on the Exchange server and point the services internally.
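
An added example, not part of the original thread: a PowerShell audit for the Exchange Management Shell that lists the internal URLs handed to Outlook clients and flags any whose host name is not on the IIS certificate, followed by a `-WhatIf` preview of the changes described in KB 940726. The host name `mail.example.com` is a placeholder assumption for the name on the SSL certificate.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 Client Access server.
# Assumption: mail.example.com is a placeholder for the name on the SSL certificate.
$certName = 'mail.example.com'
$server   = $env:COMPUTERNAME

# Names covered by the certificate that is enabled for IIS.
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })

# Collect the internal URLs that domain-joined Outlook clients are handed.
$urls = @()
$urls += Get-ClientAccessServer -Identity $server |
    Select-Object @{n='Service';e={'Autodiscover SCP'}}, @{n='Url';e={$_.AutoDiscoverServiceInternalUri}}
$urls += Get-WebServicesVirtualDirectory -Server $server |
    Select-Object @{n='Service';e={'EWS'}}, @{n='Url';e={$_.InternalUrl}}
$urls += Get-OabVirtualDirectory -Server $server |
    Select-Object @{n='Service';e={'OAB'}}, @{n='Url';e={$_.InternalUrl}}
$urls += Get-OwaVirtualDirectory -Server $server |
    Select-Object @{n='Service';e={'OWA'}}, @{n='Url';e={$_.InternalUrl}}

# Flag every URL whose host name is not on the certificate.
# -like lets a wildcard entry such as *.example.com match; it is looser than
# real TLS wildcard matching, which covers a single label only.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url.ToString()).Host
    $covered  = @($certNames | Where-Object { $hostName -like $_ }).Count -gt 0
    New-Object PSObject -Property @{
        Service = $_.Service; Host = $hostName; OnCertificate = $covered }
} | Format-Table Service, Host, OnCertificate -AutoSize

# Preview the KB 940726 changes; remove -WhatIf to apply them.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$certName/Autodiscover/Autodiscover.xml" -WhatIf
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$certName/EWS/Exchange.asmx" -WhatIf
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "https://$certName/OAB" -WhatIf
```

The URLs only help if internal DNS resolves the certificate name to a host that actually serves these paths, which is the trade-off discussed in the thread.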
ASKER CERTIFIED SOLUTION
Prashant Shrivastava