• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 817

Outlook Anywhere, Autodiscover, Certificates

Trying to get Outlook Anywhere and Autodiscover to work.

Output from https://www.testexchangeconnectivity.com/ is attached.

During the discover process the certificate that is located on our firewall (GTA) is found, and not the certificate that we purchased and installed on the new (and the old) exchange server.

Errors out on name not in the cert

Internet->gta firewall->barracuda 300 spam firewall->Exchange Server 2010 running in co-exist mode with exchange 2003

Anyone with experience in setting up something similar?

Where to start the process of getting this to work?

Vince Glisson
1 Solution
Did you buy a UCC certificate or a single-name certificate? For Exchange to work properly you will need the UCC certificate with all the SAN names in your organization, such as autodiscover.domain.com, legacy.domain.com, mail.domain.com, etc.
Vince Glisson (Author) Commented:
UCC with legacy and autodiscover
Follow this article step by step


So is GTA or Barracuda publishing the namespace externally? You have to have a valid certificate for those names on anything a client is going to actually hit. If you are having clients hit GTA or something before Client Access, then you, in a sense, have an insecure chain. Autodiscover, for instance, looks up your external DNS record and, wherever that points, attempts to establish a secure connection to that namespace, 'autodiscover.domain.com'. If there isn't a secure answer (the server has a cert with that namespace as the subject or a SAN), then it won't be a secure connection and you'll get cert errors.

As an example, if you have ISA/TMG:
Autodiscover does a DNS lookup for mail.domain.com
DNS points to TMG/ISA
TMG/ISA has a web publishing rule that is attached to a web listener
web listener has a valid SSL certificate with mail.domain.com in it
request is forwarded to CAS
CAS has a valid SSL certificate with mail.domain.com

if TMG/ISA did not have that certificate it would be broken.

You can either fix your certs on GTA/Barracuda or NAT those connections directly to the Client Access server (obviously not super secure).
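The hop-by-hop check described in this answer, as an added example (it is not code from the thread or from any participant): every device that terminates TLS for a name such as autodiscover.domain.com must present a certificate whose DNS SANs (or, for a legacy single-name cert, its CN) cover that name, and the first hop that does not is the one producing the Outlook name-mismatch error. The placeholder names mail.domain.com, autodiscover.domain.com and legacy.domain.com follow the thread; the device labels and the sample certificate contents are constructed. The `live_cert_names` function needs network access and Python 3.7+; everything else runs offline.

```python
"""Check that every hop a client reaches for an Exchange namespace presents a
certificate carrying that name. Added example; not from the thread above.
Placeholder names follow the thread: mail/autodiscover/legacy.domain.com."""
import socket
import ssl
from typing import Dict, List, Sequence, Tuple


def dns_names(cert: dict) -> List[str]:
    """Names a client will accept from a cert in ssl.getpeercert() form.
    RFC 6125: when subjectAltName carries DNS entries the CN is ignored; the
    CN is only a fallback for legacy single-name certs with no DNS SAN."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn if attr == "commonName"]


def name_matches(presented: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a wildcard in the left-most label only.
    The wildcard covers exactly one label and never stands in for a TLD."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if presented == hostname:
        return True
    if presented.startswith("*.") and "*" not in presented[2:]:
        suffix = presented[2:]
        labels = hostname.split(".")
        return len(suffix.split(".")) >= 2 and ".".join(labels[1:]) == suffix
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in dns_names(cert))


def check_hops(hostname: str, hops: Sequence[Tuple[str, dict]]) -> List[Dict[str, object]]:
    """Walk the path a request takes (firewall, spam filter, proxy, CAS) and
    report, per hop, which names it presents and whether they cover hostname."""
    return [{"hop": label, "names": dns_names(cert), "covers": cert_covers(cert, hostname)}
            for label, cert in hops]


def first_broken_hop(hostname: str, hops: Sequence[Tuple[str, dict]]):
    """The hop whose certificate would trigger the name-mismatch error, or None."""
    for entry in check_hops(hostname, hops):
        if not entry["covers"]:
            return entry["hop"]
    return None


def live_cert_names(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect to whatever DNS resolves for hostname and report the names on the
    certificate actually presented. Chain verification stays on (a self-signed
    perimeter cert shows up as chain_trusted=False); the hostname check is done
    by cert_covers so a mismatch is reported rather than raised. Needs network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"hostname": hostname, "chain_trusted": False, "names": [], "covers": False, "error": str(exc)}
    return {"hostname": hostname, "chain_trusted": True, "names": dns_names(cert),
            "covers": cert_covers(cert, hostname)}


# Constructed sample certs in ssl.getpeercert() form (not real certificate data).
FIREWALL_CERT = {  # internal cert on the perimeter device: CN only, no SAN
    "subject": ((("commonName", "firewall.corp.local"),),),
}
UCC_CERT = {  # purchased UCC/SAN cert as installed on the Exchange CAS
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "autodiscover.domain.com"),
                       ("DNS", "legacy.domain.com")),
}
# Constructed path mirroring the thread: firewall -> spam filter -> CAS.
PATH = [("gta firewall", FIREWALL_CERT), ("barracuda", FIREWALL_CERT), ("exchange 2010 CAS", UCC_CERT)]

if __name__ == "__main__":
    for entry in check_hops("autodiscover.domain.com", PATH):
        print(entry)
    print("first broken hop:", first_broken_hop("autodiscover.domain.com", PATH))
```

Run against the constructed path, the first hop that breaks is the firewall, which is exactly the symptom in the question: the cert Outlook sees is the one on the device that answers for the name, not the one on the Exchange server behind it. `live_cert_names("autodiscover.domain.com")` does the same from outside once DNS and the perimeter are in place.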
Vince Glisson (Author) Commented:
On the Barracuda I attempted to upload the certificate from the Advanced tab --> Secure Administration page, choosing Trusted CA; it then asks for the certificate and the private key (2 separate files to upload).

The only two files I received from GoDaddy have extensions of .p7b and .crt.

I have not been able to upload either of these to the Barracuda 300.

Is there a file that contains the private key that I am missing?
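An added example, not part of the thread and not an answer from any participant: a small inspector that reports what a certificate file actually carries, so a .crt, .p7b or .key file can be checked for a private key before trying to upload it. It reads PEM labels ("-----BEGIN CERTIFICATE-----", "-----BEGIN PKCS7-----", "-----BEGIN PRIVATE KEY-----" and so on) and, for files with no PEM header, sniffs the outer ASN.1 structure of raw DER. The sample file contents below are constructed stand-ins with dummy base64 bodies; only their labels and leading bytes matter to the check.

```python
"""Report whether a certificate file carries a private key. Added example; not
from the thread. Handles PEM labels and a header sniff on raw DER (.p7b/.cer)."""
import re
from typing import Dict

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
BUNDLE_LABELS = {"PKCS7"}  # a .p7b: PKCS#7 SignedData used as a certificate container
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2 (signedData)


def _der_payload_offset(data: bytes) -> int:
    """Offset of the first element inside an outer DER SEQUENCE, or -1 if data is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    length_byte = data[1]
    if length_byte < 0x80:            # short-form length
        return 2
    extra = length_byte & 0x7F        # long form: this many length bytes follow
    return 2 + extra if len(data) >= 2 + extra else -1


def classify_der(data: bytes) -> str:
    """Sniff the outer ASN.1 shape. Not a full parser; it tells apart the common
    objects: PKCS#7 ContentInfo, X.509 Certificate, PKCS#1/PKCS#8 private keys."""
    off = _der_payload_offset(data)
    if off < 0:
        return "other"
    body = data[off:]
    if body.startswith(SIGNED_DATA_OID):
        return "pkcs7_bundle"          # ContentInfo { contentType = signedData, ... }
    if body[:2] == b"\x02\x01" and body[2:3] in (b"\x00", b"\x01"):
        return "private_key"           # RSAPrivateKey / PrivateKeyInfo (version 0), ECPrivateKey (version 1)
    if body[:1] == b"\x30":
        inner = _der_payload_offset(body)
        first = body[inner:inner + 1] if inner > 0 else b""
        if first in (b"\xa0", b"\x02"):
            return "certificate"       # tbsCertificate starts with [0] version or the serialNumber INTEGER
        if first == b"\x06":
            return "private_key"       # EncryptedPrivateKeyInfo starts with an AlgorithmIdentifier (OID)
    return "other"


def inspect(data: bytes) -> Dict[str, int]:
    """Count what a file carries. A PEM file may hold several blocks (a chain);
    a DER file holds exactly one object."""
    counts = {"certificate": 0, "pkcs7_bundle": 0, "private_key": 0, "other": 0}
    labels = [m.decode() for m in PEM_HEADER.findall(data)]
    if not labels:
        counts[classify_der(data)] += 1
        return counts
    for label in labels:
        if label in KEY_LABELS:
            counts["private_key"] += 1
        elif label in CERT_LABELS:
            counts["certificate"] += 1
        elif label in BUNDLE_LABELS:
            counts["pkcs7_bundle"] += 1
        else:
            counts["other"] += 1
    return counts


def has_private_key(data: bytes) -> bool:
    return inspect(data)["private_key"] > 0


# Constructed stand-ins for the two files named in the thread plus a key export;
# the base64 bodies are dummies, only the PEM labels matter to this check.
GODADDY_CRT = b"-----BEGIN CERTIFICATE-----\nMIIDdummy\n-----END CERTIFICATE-----\n"
GODADDY_P7B = b"-----BEGIN PKCS7-----\nMIIFdummy\n-----END PKCS7-----\n"
PKCS8_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEdummy\n-----END PRIVATE KEY-----\n"
# Constructed DER prefixes; only the leading bytes the sniff examines are meaningful.
DER_P7B = bytes.fromhex("30820400") + SIGNED_DATA_OID
DER_CERT = bytes.fromhex("30820300308202e8a003020102")
DER_RSA_KEY = bytes.fromhex("308204a4020100")

if __name__ == "__main__":
    for name, blob in [("godaddy.crt", GODADDY_CRT), ("godaddy.p7b", GODADDY_P7B), ("export.key", PKCS8_KEY)]:
        print(name, inspect(blob), "private key present:", has_private_key(blob))
```

On real files, replace the constructed blobs with `open(path, "rb").read()`. A CA's .crt and .p7b contain certificates only; the private key is never sent by the CA and stays with whatever system generated the certificate request, which is where a key export (or a PKCS#12 .pfx containing both) has to come from.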

Vince Glisson (Author) Commented:

The GTA has an internal cert that the Autodiscover process is hitting; the name on the GTA cert is not in the UCC cert we purchased, nor do I want it in there, as we will be switching from GTA to another firewall vendor next year. I believe I need to allow the request to go through the firewall (on 443) so it hits the server that has the name that matches the Autodiscover process.


