teomcam
asked on
DNS entries for Exchange 2010 in CPANEL
We have 2 public IPs (Note to moderation: the IPs and addresses below have been edited) to the outside of the organization. We also have Exchange 2010 running recently, but we are not sure if our Exchange-related entries are correct in our website hosting company's CPANEL. If you can have a look at the screenshots from cpanel and give me some advice to fix them, that would be much appreciated.
Note: We are sending and receiving emails from 2 IPs (2x ADSL1 connection)
Could you check the entries below and tell me please if anything needs to be fixed according to the issues below.
- Mobile devices such as iPhone cannot be configured for email at the moment.
- Users cannot configure their Outlook from outside (home)
- The rest of everything is OK, incoming outgoing email etc..
ASKER
For the mail server sections remove the https:// and the /owa. It should just read as
mail.iqld.edu.au
Also no need for the domain\username if you have entered the domain in the box above
Just read pwindell's post and realised I have just told you what he mentioned in the last section of it...
In terms of your cPanel I would consider replacing your autodiscover A records with SRV records, otherwise the setup looks fine
ASKER
You would need to get your ISP to change the PTR record to match your SMTP banner for both IPs
Can you run this to test the Activesync (choose the Activesync option)
https://www.testexchangeconnectivity.com/
ASKER
Please find the ActiveSync test results as a Word document. BTW we are using TMG 2010.
ActiveSyncTest-Details.doc
If you entered an SRV record on your Cpanel that would straighten up the autodiscover errors, I can't see from here whether or not your Cpanel supports them.
The cert errors may be down to the fact you don't have a SAN cert but that won't bother the iPhone
Have you published a rule in the TMG for the activesync and OWA?
ASKER
I will contact the hosting company and ask them about SRV records for autodiscover, as I am not able to access Advanced DNS Records.
OWA has been published by the installer of TMG, but I just heard from you that there must be a separate ActiveSync publish rule!
This screenshot is from TMG's firewall. I think we do not have an ActiveSync rule, do we?
Sorry that should be Activesync/owa, the rule is there so providing that it is pointing to your CAS server that should be fine.
Does your OWA work?
Are you using a SAN certificate on your Exchange?
Do you have any Activesync policies set on your Exchange server?
ASKER
Hi,
I am using UC certificate from Globalsign. OWA works with no problem. I also can access owa via typing https://autodiscover.iqld.edu.au with no problem.
Activesync policy is default and I do not have any other policy.
Hi
Apologies for the delay, been working
What names do you have listed for the UC cert?
Have you recently migrated from an older mail system?
Also what response do you get when you perform the following test from a web browser
https://mail.iqld.edu.au/oma
Any joy with having the SRV record setup on your DNS?
ASKER
Hi,
https://mail.iqld.edu.au/oma works fine with the browser.
In UC Certificate
mail.iqld.edu.au
autodiscover.iqld.edu.au
server internal IP
server name
The browser shows the following link when I see the login screen of OWA
https://mail.iqld.edu.au/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.iqld.edu.au%2fowa%2foma
Can you just review my last post as there were a few other questions in there.
In short everything looks ok and there is nothing obvious as to why this isn't working for you, it could be an inheritable permissions issue but this normally only occurs post migration (which you haven't confirmed yet) - can you check your application event log for any active-sync related permission errors. I can't recall the event id but I will look it up when I am back in my office.
This would explain the iPhone issue
The Outlook anywhere issue is down to your DNS needing an SRV record creating and your certificate not being authorised (it is likely that the latter is the root of the issue) so you need to confirm the names on your UC cert here and get your SRV setup and then test using the https://www.testexchangeconnectivity.com/
Thanks
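As an added example (not part of the original thread), the sketch below checks the certificate names the asker lists against the hosts a client contacts during Autodiscover: the root domain, then `autodiscover.<domain>`, then the target of the SRV record, conventionally written `_autodiscover._tcp.iqld.edu.au. IN SRV 0 0 443 mail.iqld.edu.au.`. The function names and the choice of `mail.iqld.edu.au` as SRV target are assumptions made for illustration.

```python
# SAN entries as the asker copied them from the certificate in this thread.
THREAD_SANS = ["mail.iqld.edu.au", "192.168.25.90", "iqldes2010.iqld.local",
               "mail.iqld.local", "autodiscover.iqld.edu.au"]

def autodiscover_steps(email_domain, srv_target=None):
    """Hosts a client contacts over HTTPS, in the usual lookup order."""
    steps = [("root domain", email_domain),
             ("autodiscover host", "autodiscover." + email_domain)]
    if srv_target:  # target of the _autodiscover._tcp.<domain> SRV record
        steps.append(("SRV target", srv_target.rstrip(".")))
    return steps

def san_matches(san, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == san[2:]
    return False

def coverage(email_domain, sans, srv_target=None):
    """Return (step, host, covered_by_certificate) for every HTTPS step."""
    return [(step, host, any(san_matches(s, host) for s in sans))
            for step, host in autodiscover_steps(email_domain, srv_target)]

if __name__ == "__main__":
    # Assumed SRV target: the published OWA name from the thread.
    for step, host, ok in coverage("iqld.edu.au", THREAD_SANS,
                                   "mail.iqld.edu.au"):
        print(f"{step:18} {host:28} {'covered' if ok else 'NOT in certificate'}")
```

With the names from the thread, only the bare `iqld.edu.au` step is not covered by the certificate; the `autodiscover` host and the assumed SRV target both are.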
ASKER
We made the transition 2 years back. iPhone never worked (actually newly needed) and we have decided to solve that issue now. All logs are clean, except a Get Engine Files warning which is related to Forefront Protection for Exchange.
Should I create SRV record on my Active Directory DNS server? If yes how? or should I ask ISP to create this?
UC Certificate contains (Copied from certificate) from Globalsign
DNS Name=mail.iqld.edu.au
IP Address=192.168.25.90
DNS Name=192.168.25.90
DNS Name=iqldes2010.iqld.local
DNS Name=mail.iqld.local
DNS Name=autodiscover.iqld.edu.au
Note: I have just run the ExRCA test
Under Autodiscovery only 1 error came up and it says the following;
An HTTP 403 error was received because ISA Server denied the specified URL.
I have checked path in TMG server and path is /*
What would cause this issue?
ASKER
I just tried using the internal wireless and, using the server name in the screenshot as the server name, successfully logged in with the iPhone. I also found this under the OWA publishing rule. Should I replace this with https://mail.iqld.edu.au ?
Try the link within this post on Technet, this seems to explain your scenario pretty well - I'm no expert in TMG but I think the redirection is causing you the Activesync issues
http://social.technet.microsoft.com/Forums/sv-SE/Forefrontedgegeneral/thread/25a1e54d-20fd-42f4-8233-f60378c0cd8d
ASKER
No worries, thanks very much for your time. I will check both links. Hopefully I can find a solution. Now I am going to close this topic as I already took a lot of time from you.
Kind regards
ASKER
Thanks
No need to worry about the time taken up...
Post a new question if you need to and we can get this sorted
However,...outgoing mail is only going to use one of the IP#s. Incoming and outgoing are entirely separate and independent of each other. Make sure that whoever hosts your Public DNS Records properly sets up the Pointer Record so that the IP# of the outgoing mail resolves back to the same FQDN used on the right side of the "@" in the User's "return" Email Address. If this isn't done correctly everyone's SPAM Filtering Systems will reject your attempts to send mail to them. I believe you can use http://www.mxtoolbox.com to test these settings and it will report what it finds wrong, if anything.
For the mobile devices you just have to get OWA to work properly from the outside. ActiveSync runs off of OWA,..so if OWA works, it should work. So if you can use OWA manually "as a human" from outside your network using a web browser,...then the ActiveSync should also work with the mobile devices. OWA is just a glorified SSL (HTTPS) web site,...so it is more-or-less the same as setting up any HTTPS Site to work Publicly.
When you configure the Mobile Devices you will use the OWA's FQDN as the ServerName. Do not give it the entire URL,...just the FQDN. So if the OWA URL is https://owa.mycompany.org/exchange then the FQDN would just be owa.mycompany.org
When giving the user credentials you need to include the Netbios version of the Domain Name,...if you are given a specific Box for that then fine,..if not, then include it in front of the UserName (domainname\username).
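As an added example (not part of the original thread), the check below covers the pointer-record advice given in two places above: for each sending IP it confirms that a PTR record exists, that the PTR name resolves back to the same IP, and that it equals the host name in the SMTP banner. The documentation-range IPs, the ISP host name and the banner text are constructed sample data, since the thread's real addresses were edited out.

```python
import socket

def live_ptr(ip):
    """Reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name):
    """Forward lookup; list of IPv4 addresses (empty on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def banner_host(banner):
    """Host name from a '220 host ...' or '220-host ...' SMTP greeting."""
    fields = banner[4:].split() if banner.startswith("220") else []
    return fields[0].lower().rstrip(".") if fields else None

def check_outbound_ip(ip, banner, ptr_lookup=live_ptr, a_lookup=live_a):
    """Return the problems found for one sending IP (empty = consistent)."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return ["no PTR record"]
    ptr = ptr.lower().rstrip(".")
    problems = []
    if ip not in a_lookup(ptr):
        problems.append(f"PTR {ptr} does not resolve back to {ip}")
    if banner_host(banner) != ptr:
        problems.append(f"banner host {banner_host(banner)} differs from PTR {ptr}")
    return problems

# Constructed sample data: two sending lines, the second still carrying
# a generic ISP pointer record.
SAMPLE_PTR = {"203.0.113.10": "mail.iqld.edu.au",
              "203.0.113.20": "adsl-203-0-113-20.isp.example"}
SAMPLE_A = {"mail.iqld.edu.au": ["203.0.113.10"],
            "adsl-203-0-113-20.isp.example": ["203.0.113.20"]}
SAMPLE_BANNER = "220 mail.iqld.edu.au Microsoft ESMTP MAIL Service ready"

def check_sample(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return check_outbound_ip(ip, SAMPLE_BANNER, SAMPLE_PTR.get,
                             lambda name: SAMPLE_A.get(name, []))

if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, check_sample(ip) or "consistent")
```

Calling `check_outbound_ip(ip, banner)` without the two lookup arguments runs the same checks against live DNS.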