Semperfi4000
asked on
Web Service
I could use some help and understanding when moving Web Services and Autodiscover.
I am moving all Web Services (AS, OA, OWA) and Autodiscover from CAS1 (2007) to CAS2 (2010).
Both are in different AD sites.
CAS1 goes out Gateway1, but will be shut down.
CAS2 goes out a new Gateway2.
The cert will change from owa.Orange.com (CAS1) to owa.Apple.com (CAS2), a wildcard cert.
I've done a test by moving all Web Services to CAS2.
OWA worked, but ActiveSync failed.
Test-OutlookWebServices -Identity User1
1) A valid Autodiscover Service Connection Point was found.
2) When contacting https://owa.Apple.com/Autodiscover/autodiscover.xml received the error: The remote server returned an error: (401) Unauthorized
Since I am using a wildcard cert, do I need to do the following? Set-OutlookProvider EXPR -CertPrincipalName msstd:*.Apple.com. And will I have to create a new Autodiscover on Apple, since I am using a new cert?
Any other suggestions on moving Web Services and Autodiscover to a different CAS server would be greatly appreciated.
Below is my current config for CAS1 and CAS2.
CAS1 (2007)
Autodiscover InternalUrl = https://owa.Orange.com/autodiscover/autodiscover.xml
EWS InternalUrl = https://owa.Orange.com/EWS/Exchange.asmx
EWS ExternalUrl = https://owa.Orange.com/EWS/Exchange.asmx
ActiveSync InternalUrl = https://CAS1.Network.local/Microsoft-Server-ActiveSync
ActiveSync ExternalUrl = https://owa.Orange.com/Microsoft-Server-ActiveSync
CAS2 (2010) will have a new wildcard cert.
Autodiscover InternalUrl = https://CAS2.Network.local/autodiscover/autodiscover.xml
EWS InternalUrl = https://CAS2.Network.local/EWS/Exchange.asmx
ActiveSync InternalUrl = https://CAS2.Network.local/Microsoft-Server-ActiveSync
There is a command in Exchange 2007 for this:
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://CAS2.Network.local/autodiscover/autodiscover.xml
It should be available. Also try to test your Exchange using:
www.testexchangeconnectivity.com
Test RPC over HTTP (Outlook Anywhere) and post the result here; it will simplify everything.
I see that you have already configured split DNS for your CAS 2007:
-> owa.Orange.com is pointing to the internal IP of your CAS 2007.
First do the same for owa.Apple.com:
-> owa.Apple.com should point to the internal IP of your CAS 2010.
If you are not sure how to create split DNS:
- Create an internal DNS zone with the same name as the one showing in your existing certificate (Apple.com), then create an A record for owa, so you have owa.Apple.com pointing to the local IP address of CAS 2010.
You get 401 because you already set:
[PS] C:\>Get-ClientAccessServer -Identity "ExCaS2010" | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://owa.Apple.com/autodiscover/autodiscover.xml"
BUT either you did not configure your split DNS correctly or you have a wrong setting on your Autodiscover virtual directory under IIS.
Also do not forget to change the internal URLs of the following vdirs:
[PS] C:\>Get-WebServicesVirtualDirectory -Server "ExCaS2010" | Set-WebServicesVirtualDirectory -InternalUrl "https://owa.Apple.com/ews/exchange.asmx"
[PS] C:\>Get-OabVirtualDirectory -Server "ExCaS2010" | Set-OabVirtualDirectory -InternalUrl "http://owa.Apple.com/oab"
[PS] C:\>Get-ActiveSyncVirtualDirectory -Server "ExCaS2010" | Set-ActiveSyncVirtualDirectory -InternalUrl "https://owa.Apple.com/Microsoft-Server-ActiveSync"
Run the same cmdlets above again, but change InternalUrl to ExternalUrl, to fix your external URLs.
[PS] C:\>iisreset
Finally: YES, for OA you will need to run this:
Set-OutlookProvider EXPR -CertPrincipalName msstd:*.Apple.com
http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx
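The whole set of changes the answer above walks through, collected into one Exchange Management Shell script. This is an added example, not Sirakov's code or anything posted in the thread. It assumes the server name CAS2, the namespace owa.Apple.com and a test mailbox User1@Apple.com (the first two are from the question, the mailbox address is extrapolated), and it deliberately sets ExternalUrl to the same name as InternalUrl so that one wildcard certificate covers both paths, which is why split DNS for owa.Apple.com is a precondition. It ends by reading back what a failing client is judged against: the SCP URI, the authentication methods on the Autodiscover vdir, and the certificate actually bound to IIS.

```powershell
# Added example (not from the thread): re-point the client-facing virtual
# directories of the 2010 CAS at the new namespace, set the Outlook Anywhere
# certificate principal name for a wildcard cert, and read everything back.
# Assumptions: server "CAS2" and namespace owa.Apple.com are from the question;
# the mailbox User1@Apple.com is a guess. Run in the EMS on CAS2 as an org admin.
$Server    = 'CAS2'
$Namespace = 'owa.Apple.com'
$Base      = "https://$Namespace"

# 1. Autodiscover SCP published in AD: the first thing domain-joined Outlook
#    finds, so it must carry the name on the new certificate.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 2. One name inside and out for every vdir. Internal clients therefore need
#    split DNS resolving owa.Apple.com to the internal IP of CAS2.
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
                                    -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
# ECP is new in 2010 and is what OWA's Options page redirects to.
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"

# 3. Outlook Anywhere: external hostname, then the wildcard principal name on
#    the EXPR provider, which is the Autodiscover section Outlook Anywhere reads.
if (Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue) {
    Get-OutlookAnywhere -Server $Server |
        Set-OutlookAnywhere -ExternalHostname $Namespace
} else {
    Enable-OutlookAnywhere -Server $Server -ExternalHostname $Namespace `
        -DefaultAuthenticationMethod Basic -SSLOffloading $false
}
Set-OutlookProvider EXPR -CertPrincipalName 'msstd:*.Apple.com'

iisreset

# 4. Read back. An anonymous GET of autodiscover.xml is answered 401 because
#    the vdir challenges for Basic/Windows auth; the authenticated test at the
#    end is the one that tells you whether a real client will succeed.
Get-ClientAccessServer -Identity $Server |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-AutodiscoverVirtualDirectory -Server $Server |
    Format-List Identity, BasicAuthentication, WindowsAuthentication
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, NotAfter
Test-OutlookWebServices -Identity 'User1@Apple.com' |
    Format-Table Id, Type, Message -AutoSize
```

The read-back at the end is the part to keep around: if the IIS-bound certificate's CertificateDomains does not contain *.Apple.com, or the SCP URI still names CAS2.Network.local, no amount of TMG rule tuning will make the client trust the endpoint.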
As stated you can't use a wildcard certificate to secure autodiscover, it's well documented.
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html
@Radweld, this is only your statement, and it is not correct!
Maybe you read that Outlook Anywhere won't work with a self-signed certificate > true.
BUT wildcard certificates are OK, except for some legacy mobile devices and those with Windows Mobile 5.0.
http://technet.microsoft.com/en-us/library/dd351044.aspx
Please check your facts before making such statements.
ASKER
Sirakov, thank you for your reply. I'm still getting an error. It appears to be an Autodiscover issue. When performing a test, it says that it can't find:
Attempting to test potential Autodiscover URL https://apple.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Testing TCP port 443 on host merge.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Attempting to test potential Autodiscover URL https://autodiscover.apple.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
I know port 443 is open on our TMG.
Question: If the CAS1 cert owa.orange.com, for domain orange.com, also has domain apple.com as an authorized domain and aliases, will this be an issue for CAS2 using a wildcard cert for owa.apple.com?
I only have an internal URL for Autodiscover. Is an external URL for Autodiscover required? I don't currently have an external URL for Orange.com, and it works.
Thank you
Can you telnet locally to the server IP on port 443?
ExternalUrl is required if you are using Outlook from outside the company.
If the problem is with TMG:
Please read this article; it may help you check your TMG.
http://www.isaserver.org/tutorials/publishing-outlook-web-access-microsoft-forefront-tmg.html
You should use a UC cert; however, you can configure things to work with wildcards.
http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
Does OWA work OK?
ASKER
Yeah, OWA works fine.
SOLUTION
Do you have an SRV record in your domain DNS?
If there is not, you need to add it in domain management at your domain provider:
Add an SRV record, type _tcp, name autodiscover.yourdomain.com.
Otherwise it will never work. The SRV record is more important than the A record. After adding it, wait 15 minutes, then go to www.testexchangeconnectivity.com.
It must work; otherwise post the result here.
ASKER
Ah ha, I think both Sirakov and Jordannet make sense... It will be a few days before I can test again. I have to work with our Network Engineer on the TMG side. On orange.com we did use an A record, but it didn't go through a TMG, whereas apple.com will.
So update us, to help you.
ASKER CERTIFIED SOLUTION
An HTTP 403 error was received because ISA Server denied the specified URL
Like I said, check your TMG publishing rules... it has nothing to do with SRV records.
The SRV record is queried only if autodiscover.domain.com fails. In your case that works OK, and the certificate also validates OK.
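The lookup order the two posts above disagree about, run from the client side as a script. This is an added example, written for this page and not taken from the thread or from the Remote Connectivity Analyzer. It assumes PowerShell 3.0 or later for Resolve-DnsName, uses the thread's domain Apple.com as the default, and is meant to be run from outside the network (or inside, to check split DNS). It tries the two HTTPS candidates Outlook tries after the SCP, fetches the certificate each host presents on 443 without trusting it, checks the name against the certificate with the single-label wildcard rule, and only then looks at the SRV record, which is the last resort rather than the first.

```powershell
# Added example (not from the thread): walk the client-side Autodiscover lookup
# for an SMTP domain in the order Outlook tries it after the AD SCP, and report
# what each step would find. Apple.com is the thread's domain; the DNS servers
# and network path are whatever the machine running this has.
param([string]$SmtpDomain = 'Apple.com')

# True if $HostName is covered by a certificate name: exact match, or a
# wildcard that matches exactly one label (*.Apple.com covers owa.Apple.com
# but not Apple.com or a.b.Apple.com). PowerShell -eq is case-insensitive.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }
    if (-not $CertName.StartsWith('*.')) { return $false }
    $suffix = $CertName.Substring(1)                      # ".Apple.com"
    return ($HostName.Split('.').Count -eq $suffix.Split('.').Count) -and
           $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
}

# Fetch the certificate a host presents on 443 without validating it, so a
# wrong cert on a TMG listener shows up as a name mismatch rather than as a
# bare "port blocked or not producing the expected response".
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($HostName, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        throw "TCP $Port on $HostName not reachable within ${TimeoutMs}ms"
    }
    $client.EndConnect($async)
    $ssl = New-Object System.Net.Security.SslStream(
        $client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

# Steps 2 and 3 of the client order (step 1, the SCP, needs a domain-joined
# client and is not reproduced here). Step 4, the HTTP redirect on
# http://autodiscover.<domain>/, is skipped for brevity.
$candidates = @(
    "https://$SmtpDomain/Autodiscover/Autodiscover.xml",
    "https://autodiscover.$SmtpDomain/Autodiscover/Autodiscover.xml"
)
foreach ($url in $candidates) {
    $name = ([uri]$url).Host
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { "$url : no A record"; continue }
    "$url : A -> $($a.IPAddress -join ', ')"
    try {
        $cert = Get-RemoteCertificate -HostName $name
        # Subject CN plus every DNS SAN (OID 2.5.29.17), parsed from the
        # formatted extension text "DNS Name=a, DNS Name=b".
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { [regex]::Matches($_.Format($false), 'DNS Name=([^,\s]+)') } |
               ForEach-Object { $_.Groups[1].Value }
        $names = @($cert.GetNameInfo('DnsName', $false)) + @($san) | Select-Object -Unique
        $ok = $names | Where-Object { Test-CertNameMatch -CertName $_ -HostName $name }
        "   cert names: $($names -join ', ') -> $(if ($ok) { 'name matches' } else { 'NAME MISMATCH' })"
    } catch { "   $($_.Exception.Message)" }
}

# Step 5: SRV, consulted only when every URL above fails. The target it names
# must itself resolve and present a certificate for its own name.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv) { "SRV _autodiscover._tcp.$SmtpDomain -> $($srv.NameTarget):$($srv.Port)" }
else      { "SRV _autodiscover._tcp.$SmtpDomain : none (fine if a URL above works)" }
```

Two things this makes visible that the analyzer's "port blocked" line hides: whether the name resolves at all from where you are standing (split DNS inside, the public record outside), and whether the thing answering on 443 (a TMG listener, in the thread's case) is presenting the wildcard certificate or some other one.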
ASKER
Hello Sirakov, I was just working with our Network Engineer, and as you suggested, he didn't have "All Networks (and Local Host)" configured. Then we tested the rules, and they were successful. I am planning another test later this week...
Thank you
ASKER
Unfortunately, I am in a position where I have to cancel all Testing. I don’t have a Test environment, and testing in our Production Environment is becoming disruptive to our users.
On the 17th, I will be moving Orange.com to Apple.com. So now it's an all-or-nothing type deal. I've attached a diagram of the current config (Orange) and the new config (Apple). I can only hope I have everything covered when I perform the move of the Web Services.
Thank you
Orange.vsd
Apple.vsd
ASKER
Follow-up: this turned out to be a disaster.
Nothing worked.
We moved Web Services from a CAS server (Cherry), AD site 2, owa.Orange.com (Exchange 2007)
to
CAS server (Plum), AD site 1, owa.Apple.com (Exchange 2010), through a TMG.
Going through a TMG created authentication problems; nothing would work. Authentication worked (OWA) if you accessed https://localhost:443.
So the end result (for now) was to use the Exchange 2007 CAS (Cherry), owa.Orange.com, that doesn't have a TMG, and use owa.apple.com instead.
My original question was, can I use a wildcard cert, and you can, and it works. So I am awarding points to Sirakov.
ASKER
It answered my original issue.
Did you migrate from Exchange 2007 to 2010? One thing you may not be aware of is that a mailbox server must have a CAS and HTS in the same site, and you cannot render mailboxes hosted on Exchange 2010 on a 2007 CAS, and vice versa. You should be aware of this restriction.
An overview of the certificate generation process.
http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx
Transitioning Exchange 2007 client access to 2010
http://technet.microsoft.com/en-us/library/dd351133.aspx