Solved

Exchange 2007, Outlook 2007, SSL & Outlook Anywhere

Posted on 2012-04-10 | Last Modified: 2012-04-13
I have Exchange 2007 running on a Windows 2008 server.

I purchased an SSL certificate and used the following domains (using "mydomain" instead of my real domain):

exch.mydomain.net
mydomain.net
internalservername.mydomain.net

My Outlook Web Access works fine, no problems.

Here are my problems:

1. My internal machines, using Outlook 2007, say there is a certificate/security error, press yes to proceed and ignore the error.

2. Outlook 2007 OUTSIDE of the office will not connect at all.

======================
What I need to know is:

1. What should be included in the SSL certificate?

2. Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

3. How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

====================

Thank you for your help.
Question by: adrobnis

Accepted Solution by: tigermatt (LVL 58, earned 500 total points)
ID: 37828187
>> What should be included in the SSL certificate?

With a good working knowledge of Exchange's HTTP services, split DNS and how to set the URLs Exchange uses, you can get away with owa.domain.com and autodiscover.domain.com.

Other people will generally tell you to include ServerName.domain.local and autodiscover.domain.local, because it will work with the out-of-box Exchange configuration and eliminate all your certificate errors.

Your certificate is missing autodiscover.domain.com, which is going to be required for Outlook to self-configure externally or from non-domain clients.

>> Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

Make sure the RPC-over-HTTP proxy feature is installed (Server Manager), along with the various IIS components it will ask for as prerequisites when you choose to install the feature. (If it's installed, you can assume the prerequisites are, too.)

In Exchange Management Console, locate the Client Access Server under Server Configuration, highlight it, and choose "Enable Outlook Anywhere" in the right-hand pane. Enter your external URL (owa.domain.com) and pick an authentication mode. Chances are you do not need SSL offloading - you would know if you did.

Monitor the Event log over the course of 15 minutes for the event to indicate Outlook Anywhere was properly installed.

That's all there is to it, really.

As I said before, if you want Outlook to auto-configure from outside the network during first-run or account setup, you're going to need autodiscover.domain.com listed. The only way around this is to redirect Autodiscover to a different URL (which is listed) using an SRV record in public DNS: http://support.microsoft.com/kb/940881. However, many public DNS hosts do not support SRV records, so I'd advise you just add the proper name to the certificate.

Note that the part which I suspect is failing is autodiscovery - if you went ahead and performed a manual configuration, you should find everything then works fine, but that does not give the full Outlook Anywhere experience.

>> How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

I cannot be 100% sure, but I suspect this is related to the Autodiscover Service Connection Point (SCP) which is used by Outlook installed on domain-joined machines to locate the Autodiscover service.

External clients will guess the autodiscover URL during configuration as either https://domain.com/Autodiscover/Autodiscover.xml or https://autodiscover.domain.com/Autodiscover/Autodiscover.xml. Apart from checking for an SRV record after trying those URLs, this is hard-coded into Outlook's behaviour, and is the reason you should add that additional name to your certificate.

However, internally, the administrator can configure where to send Outlook for its autodiscover information using the SCP, which is controlled by a few attributes at the Exchange Management Shell.

Run Get-ClientAccessServer | fl name,*autodiscover* and observe the output of AutodiscoverServiceInternalUri.

If the URL returned is still at its default value, then the certificate error may be the result of the FQDN in that result not being listed on the certificate, either as the Common Name or one of the SANs (Subject Alternate Names).

You can change this URL so that it does match what's listed on the certificate: Set-ClientAccessServer "CAS-name" -AutodiscoverServiceInternalUri https://internalexchname.domain.com/Autodiscover/Autodiscover.xml

Personally, I am an advocate of setting up split DNS to represent autodiscover.domain.com and owa.domain.com internally as well as externally, then using those two URLs in the appropriate places for everything. This way, you don't lock your configuration to internal server names and duplicate work/add complications when you don't have to.

-Matt
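The check the answer walks through by hand (compare the names on the certificate with the hostnames Exchange actually hands to Outlook, including the AutoDiscoverServiceInternalUri from Get-ClientAccessServer and the autodiscover.<domain> name external clients guess) can be scripted in the Exchange Management Shell. The script below is an added example, not part of the original answer or anything tigermatt posted; it assumes it runs in the Exchange Management Shell on the Exchange 2007 Client Access server, and the thumbprint value is a placeholder you replace with the one Get-ExchangeCertificate reports for your certificate.

```powershell
# Added example, not from the original answer. Run in the Exchange Management
# Shell on the Exchange 2007 CAS. Lists every hostname Exchange advertises to
# Outlook and flags the ones that are not on the chosen certificate.

$thumbprint = "<THUMBPRINT-OF-YOUR-CERT>"   # placeholder: copy it from Get-ExchangeCertificate

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
# CertificateDomains holds the Common Name plus all Subject Alternative Names.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every URL Exchange currently publishes to clients.
$urls = @()
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

# Outlook Anywhere external hostname (empty until Outlook Anywhere is enabled).
$hosts += (Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } |
           ForEach-Object { $_.ExternalHostname.ToString().ToLower() })

# Names non-domain / external Outlook clients will try on their own, as the
# answer describes: autodiscover.<each accepted SMTP domain>.
$hosts += (Get-AcceptedDomain | ForEach-Object { "autodiscover." + $_.DomainName.ToString().ToLower() })

function Test-NameOnCert([string]$name, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $name) { return $true }
        # A wildcard entry covers exactly one label: *.mydomain.net matches
        # exch.mydomain.net but not a.b.mydomain.net.
        if ($n.StartsWith("*.") -and ($name -like $n) -and
            ($name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$hosts | Sort-Object -Unique | ForEach-Object {
    $status = if (Test-NameOnCert $_ $certNames) { "OK     " } else { "MISSING" }
    "{0} {1}" -f $status, $_
}

# Once you know which name is wrong, point the SCP at a name the certificate
# does carry, as the answer shows; -WhatIf previews the change without applying it.
# Set-ClientAccessServer "CAS-name" `
#     -AutoDiscoverServiceInternalUri https://exch.mydomain.net/Autodiscover/Autodiscover.xml -WhatIf
```

Any line reported as MISSING is a hostname Outlook will be told to use that the certificate does not vouch for, which is exactly the condition that produces the internal certificate warning. The usual fix is the one the answer gives: either add the name to the certificate or change the URL (split DNS plus Set-ClientAccessServer and the matching Set-*VirtualDirectory cmdlets) so that every advertised hostname is one the certificate lists.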
Author Closing Comment by: adrobnis (LVL 1)
ID: 37845456
Great detail, great answer.  Thanks.
