Solved

Exchange 2007, Outlook 2007, SSL & Outlook Anywhere

Posted on 2012-04-10
Last Modified: 2012-04-13
I have Exchange 2007 running on a Windows 2008 server.

I purchased an SSL certificate and used the following domains (using "mydomain" instead of my real domain):

exch.mydomain.net
mydomain.net
internalservername.mydomain.net

My Outlook Web Access works fine, no problems.

Here are my problems:

1. My internal machines, using Outlook 2007, say there is a certificate/security error, press yes to proceed and ignore the error.

2. Outlook 2007 OUTSIDE of the office will not connect at all.

======================
What I need to know is:

1. What should be included in the SSL certificate?

2. Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

3. How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

====================

Thank you for your help.
Question by:adrobnis

Accepted Solution

by: tigermatt earned 500 total points
ID: 37828187
>> What should be included in the SSL certificate?

With a good working knowledge of Exchange's HTTP services, split DNS and how to set the URLs Exchange uses, you can get away with owa.domain.com and autodiscover.domain.com.

Other people will generally tell you to include ServerName.domain.local and autodiscover.domain.local, because it will work with the out-of-box Exchange configuration and eliminate all your certificate errors.

Your certificate is missing autodiscover.domain.com, which is going to be required for Outlook to self-configure externally or from non-domain clients.

>> Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

Make sure the RPC-over-HTTP proxy feature is installed (Server Manager), along with the various IIS components it will ask for as pre-requisites when you choose to install the feature. (If it's installed, you can assume the pre-reqs are, too).

In Exchange Management Console, locate the Client Access Server under Server Configuration, highlight it, and choose "Enable Outlook Anywhere" in the right-hand pane. Enter your external URL (owa.domain.com) and pick an authentication mode. Chances are you do not need SSL offloading - you would know if you did.

Monitor the Event log over the course of 15 minutes for the event to indicate Outlook Anywhere was properly installed.

That's all there is to it, really.

As I said before, if you want Outlook to auto-configure from outside the network during first-run or account setup, you're going to need autodiscover.domain.com listed. The only way around this is to redirect Autodiscover to a different URL (which is listed) using a SRV record in public DNS: http://support.microsoft.com/kb/940881. However, many public DNS hosts do not support SRV records, so I'd advise you just add the proper name to the certificate.

Note that the part which I suspect is failing is autodiscovery - if you went ahead and performed a manual configuration, you should find everything then works fine, but that does not give the full Outlook Anywhere experience.

>> How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

I cannot be 100% sure, but I suspect this is related to the Autodiscover Service Connection Point (SCP) which is used by Outlook installed on domain-joined machines to locate the Autodiscover service.

External clients will guess the autodiscover URL during configuration as either https://domain.com/Autodiscover/Autodiscover.xml or https://autodiscover.domain.com/Autodiscover/Autodiscover.xml. Except checking for a SRV record after checking those URLs, this is hard-coded into Outlook's behaviour, and the reason you should add that additional name to your certificate.

However, internally, the administrator can configure where to send Outlook for its autodiscover information using the SCP, which is controlled by a few attributes at the Exchange Management Shell.

Run Get-ClientAccessServer | fl name,*autodiscover* and observe the output of AutodiscoverServiceInternalUri.

If the URL returned is still at its default value, then the certificate error may be the result of the FQDN in that result not being listed on the certificate, either as the Common Name or one of the SANs (Subject Alternate Names).

You can change this URL so that it does match what's listed on the certificate: Set-ClientAccessServer "CAS-name" -AutodiscoverServiceInternalUri https://internalexchname.domain.com/Autodiscover/Autodiscover.xml

Personally, I am an advocate of setting up split DNS to represent autodiscover.domain.com and owa.domain.com internally as well as externally, then using those two URLs in the appropriate places for everything. This way, you don't lock your configuration to internal server names and duplicate work/add complications when you don't have to.

-Matt
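
Added example (not part of the original answer and not Microsoft's code): a PowerShell check that lists the hostnames Outlook will contact, as described in the answer above, and reports which of them the certificate's names cover. The function names Test-CertificateName and Get-OutlookEndpointCoverage are hypothetical, and the SCP URI and Outlook Anywhere host in the sample call are constructed from the placeholder names in this thread.

```powershell
# Returns $true when $HostName matches a certificate name, either exactly
# or through a single-label wildcard such as *.mydomain.net.
function Test-CertificateName {
    param([string]$HostName, [string[]]$CertificateNames)
    foreach ($name in $CertificateNames) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case for strings
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)               # ".mydomain.net"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                # A wildcard covers exactly one label: "a.b" to the left does not match.
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Builds the list of hosts Outlook contacts and checks each against the certificate.
function Get-OutlookEndpointCoverage {
    param(
        [string]$SmtpDomain,                 # part after @ in the e-mail address
        [string]$InternalAutodiscoverUri,    # value of AutodiscoverServiceInternalUri (SCP)
        [string]$OutlookAnywhereHost,        # external host name entered for Outlook Anywhere
        [string[]]$CertificateNames          # Common Name plus SANs on the certificate
    )
    $targets = @(
        @{ Source = 'External guess: https://domain/Autodiscover';     Name = $SmtpDomain },
        @{ Source = 'External guess: https://autodiscover.domain/...'; Name = "autodiscover.$SmtpDomain" },
        @{ Source = 'Internal SCP (AutodiscoverServiceInternalUri)';   Name = ([Uri]$InternalAutodiscoverUri).Host },
        @{ Source = 'Outlook Anywhere external host';                  Name = $OutlookAnywhereHost }
    )
    foreach ($t in $targets) {
        New-Object PSObject -Property @{
            Source  = $t.Source
            Name    = $t.Name
            Covered = (Test-CertificateName -HostName $t.Name -CertificateNames $CertificateNames)
        } | Select-Object Source, Name, Covered
    }
}

# Constructed sample input: the three names from the question's certificate, an
# assumed default SCP URI on a .local AD domain, and an assumed Outlook Anywhere host.
$certNames = 'exch.mydomain.net', 'mydomain.net', 'internalservername.mydomain.net'
Get-OutlookEndpointCoverage -SmtpDomain 'mydomain.net' `
    -InternalAutodiscoverUri 'https://internalservername.mydomain.local/Autodiscover/Autodiscover.xml' `
    -OutlookAnywhereHost 'exch.mydomain.net' -CertificateNames $certNames | Format-Table -AutoSize
```

On a real server, replace the sample SCP value with the AutodiscoverServiceInternalUri returned by the Get-ClientAccessServer command given in the answer.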

Author Closing Comment

by:adrobnis
ID: 37845456
Great detail, great answer.  Thanks.