  • Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2010 access for internal clients

I have installed Exchange 2010 within my environment, migrating from 2003.

Currently I changed my DNS so that OWA access goes through the TMG server, even from internally. However, I am getting security alerts from Outlook since the default settings have Outlook clients check into the 2010 server by its server name and the SSL does not match.

What I was thinking of doing was changing the settings via PowerShell so that Outlook will look to the 2010 server by using the name on the SSL certificate, but when changing it, that means that the server will also have to serve OWA internally as well.

This means that I will need to create redirects for the default web page and means that there are two ways that OWA will be accessed depending on whether it is external or internal.

Is there a way to make it so that internal Outlook can access the 2010 server, but going through TMG so that I can keep the DNS the same and the OWA access path the same?
0
Asked by: ryan80
1 Solution
 
Prashant Shrivastava, Solutions Architect, Commented:
Considering you are not using an EV certificate, but worth trying: the easy path would be to add the external domain name and server public IP address in the DNS server. When the IP matches the DNS name, it will not show any error message.
0
 
ryan80 (Author) Commented:
Currently I have the URL for OWA pointing to the IP for the TMG server both internally and externally. That URL is what is on the name of the SSL.

However, per http://support.microsoft.com/kb/940726 , it says that I should run those commands so that the published address matches the SSL name. However, since my DNS points to the TMG server, I doubt that Outlook will then work. I am hoping there is a way that I can set this up so that I don't have to change the 2010 server with redirects.

If not, I will just update the redirects, internal DNS, and run these PowerShell scripts, but I was hoping there was another way.
0
 
Prashant Shrivastava, Solutions Architect, Commented:
OK, try updating the host file name with the FQDN (fully qualified domain name - URL domain name) and public IP address, and then try browsing.
0
 
ryan80 (Author) Commented:
This isn't just for one computer, but a whole network of computers. I either have to allow Outlook to connect through the TMG server, which I am not sure can be done since RPC uses a wide range of ports, or I need to update the redirect on the 2010 server, which I can do but would rather not.
0
 
Prashant Shrivastava, Solutions Architect, Commented:
Unfortunately, you need to take a decision here on how you will connect. I have used this in a production environment where the certificate name and internal domain names were different, and we used the public domain name in the DNS server to make sure the names and corresponding IP are the same. I don't think you need to change any configuration here; just treat this website from the TMG server as external.
0
 
ryan80 (Author) Commented:
I know that I can put the corresponding name in the internal DNS to point to the correct internal IP, but what I am saying is that currently that name points to TMG, which performs the HTTP and root domain redirects.

Currently users connect with standard RPC and not Outlook Anywhere, so I am not sure of the impact on the Outlook clients.
0
 
Prashant Shrivastava, Solutions Architect, Commented:
Hmm, in that case our hands are tied. Have you tried using the "external IP" instead?
0
 
ryan80 (Author) Commented:
I tried changing the setting on the server for the Autodiscover URI, and leaving it pointed at the TMG server broke Outlook.
0
 
Prashant Shrivastava, Solutions Architect, Commented:
This is normal behaviour. You need to think about how these looping issues can be isolated then. The gist is that if the certificate name matches the DNS name, it will work. Sorry, I may not be of any better help than this.
0
 
ryan80 (Author) Commented:
That is what I was thinking, that internal Outlook would not pass through the TMG server. I would need to use Outlook Anywhere if I were to want to pass it through. I guess that I just need to configure the redirects on the Exchange server and point the services internally.
0
 
Prashant Shrivastava, Solutions Architect, Commented:
You are correct.
0
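
The name-matching rule this thread keeps returning to, as an added example that is not part of the original posts: a PowerShell check that lists the internal service URLs handed to Outlook whose host name is not on the certificate. The host names, URLs and the function names `Test-NameOnCertificate` and `Get-UrlNameMismatch` are constructed for illustration.

```powershell
# Added example; all host names and URLs below are constructed placeholders.

function Test-NameOnCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertificateNames
    )
    foreach ($name in $CertificateNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not a.b.example.com and not example.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)          # ".example.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $suffix) { return $true }
        }
    }
    return $false
}

function Get-UrlNameMismatch {
    param(
        [Parameter(Mandatory=$true)][hashtable]$ServiceUrls,
        [Parameter(Mandatory=$true)][string[]]$CertificateNames
    )
    foreach ($entry in $ServiceUrls.GetEnumerator()) {
        $hostName = ([Uri]$entry.Value).Host
        $onCert = Test-NameOnCertificate -HostName $hostName -CertificateNames $CertificateNames
        if (-not $onCert) {
            # Outlook raises a certificate name warning for each of these
            New-Object PSObject -Property @{ Service = $entry.Key; Host = $hostName }
        }
    }
}

# Constructed sample data. On the Exchange 2010 server the real values come from
# Get-ExchangeCertificate (CertificateDomains), Get-ClientAccessServer
# (AutoDiscoverServiceInternalUri) and the InternalUrl property of
# Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory.
$certNames = @('mail.example.com', 'autodiscover.example.com')
$urls = @{
    Autodiscover = 'https://ex2010.corp.example.local/Autodiscover/Autodiscover.xml'
    EWS          = 'https://mail.example.com/EWS/Exchange.asmx'
    OAB          = 'https://ex2010.corp.example.local/OAB'
}

Get-UrlNameMismatch -ServiceUrls $urls -CertificateNames $certNames
```

Any service it lists is one whose internal URL still uses the server name rather than the certificate name, which is the condition the KB 940726 commands are meant to correct.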
