Solved

Exchange 2007, Outlook 2007, SSL & Outlook Anywhere

Posted on 2012-04-10
423 Views
Last Modified: 2012-04-13
I have Exchange 2007 running on a Windows 2008 server.

I purchased an SSL certificate and used the following domains (using "mydomain" instead of my real domain):

exch.mydomain.net
mydomain.net
internalservername.mydomain.net

My Outlook Web Access works fine, no problems.

Here are my problems:

1. My internal machines, using Outlook 2007, say there is a certificate/security error, press yes to proceed and ignore the error.

2. Outlook 2007 OUTSIDE of the office will not connect at all.

======================
What I need to know is:

1. What should be included in the SSL certificate?

2. Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

3. How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

====================

Thank you for your help.
Question by:Adam D
2 Comments
 
Accepted Solution by tigermatt (LVL 58, earned 500 total points), ID: 37828187
>> What should be included in the SSL certificate?

With a good working knowledge of Exchange's HTTP services, split DNS and how to set the URLs Exchange uses, you can get away with owa.domain.com and autodiscover.domain.com.

Other people will generally tell you to include ServerName.domain.local and autodiscover.domain.local, because it will work with the out-of-box Exchange configuration and eliminate all your certificate errors.

Your certificate is missing autodiscover.domain.com, which is going to be required for Outlook to self-configure externally or from non-domain clients.

>> Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

Make sure the RPC-over-HTTP proxy feature is installed (Server Manager), along with the various IIS components it will ask for as prerequisites when you choose to install the feature. (If it's installed, you can assume the prerequisites are, too.)

In Exchange Management Console, locate the Client Access Server under Server Configuration, highlight it, and choose "Enable Outlook Anywhere" in the right-hand pane. Enter your external URL (owa.domain.com) and pick an authentication mode. Chances are you do not need SSL offloading - you would know if you did.

Monitor the Event log over the course of 15 minutes for the event to indicate Outlook Anywhere was properly installed.

That's all there is to it, really.

As I said before, if you want Outlook to auto-configure from outside the network during first-run or account setup, you're going to need autodiscover.domain.com listed. The only way around this is to redirect Autodiscover to a different URL (which is listed) using an SRV record in public DNS: http://support.microsoft.com/kb/940881. However, many public DNS hosts do not support SRV records, so I'd advise you just add the proper name to the certificate.

Note that the part which I suspect is failing is autodiscovery - if you went ahead and performed a manual configuration, you should find everything then works fine, but that does not give the full Outlook Anywhere experience.

>> How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

I cannot be 100% sure, but I suspect this is related to the Autodiscover Service Connection Point (SCP) which is used by Outlook installed on domain-joined machines to locate the Autodiscover service.

External clients will guess the autodiscover URL during configuration as either https://domain.com/Autodiscover/Autodiscover.xml or https://autodiscover.domain.com/Autodiscover/Autodiscover.xml. Apart from checking for an SRV record after trying those URLs, this is hard-coded into Outlook's behaviour, and is the reason you should add that additional name to your certificate.

However, internally, the administrator can configure where to send Outlook for its autodiscover information using the SCP, which is controlled by a few attributes in the Exchange Management Shell.

Run Get-ClientAccessServer | fl name,*autodiscover* and observe the output of AutodiscoverServiceInternalUri.

If the URL returned is still at its default value, then the certificate error may be the result of the FQDN in that result not being listed on the certificate, either as the Common Name or one of the SANs (Subject Alternate Names).

You can change this URL so that it does match what's listed on the certificate: Set-ClientAccessServer "CAS-name" -AutodiscoverServiceInternalUri https://internalexchname.domain.com/Autodiscover/Autodiscover.xml

Personally, I am an advocate of setting up split DNS to represent autodiscover.domain.com and owa.domain.com internally as well as externally, then using those two URLs in the appropriate places for everything. This way, you don't lock your configuration to internal server names and duplicate work/add complications when you don't have to.

-Matt
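As an added example (not code from the thread, and not Microsoft's own tooling), the Exchange Management Shell script below does the check the accepted answer walks through by hand: it gathers every HTTPS name this Client Access server publishes to Outlook (the Autodiscover SCP, the OWA/EWS/OAB virtual directory URLs and the Outlook Anywhere external host name), compares each host name against the CN/SANs of the certificate enabled for IIS, confirms that the split-DNS names resolve from the server, and can then re-point everything at one public name pair as the answer recommends. The server name CAS01, the names owa.mydomain.net and autodiscover.mydomain.net, the `$apply` switch and the `Test-NameCovered` helper are all assumptions for the example; cmdlet and parameter names are those of Exchange 2007 SP1.

```powershell
# Added example, not code from the thread: audit the names Exchange 2007 hands to
# Outlook against the certificate bound to IIS, then (optionally) point every
# URL at one split-DNS name pair, as the answer recommends.
# Run in the Exchange Management Shell on the Client Access server. Sticks to
# PowerShell 1.0 syntax (no try/catch, no -join), which EMS 2007 may be running.
# Assumed values, replace with your own:
$cas      = "CAS01"                      # Client Access server name
$owaName  = "owa.mydomain.net"           # must resolve inside AND outside (split DNS)
$autoName = "autodiscover.mydomain.net"  # what Outlook guesses; must be on the certificate
$apply    = $false                       # $true writes the changes; $false only reports

# --- 1. Collect every HTTPS URL this CAS publishes to clients ------------------
$urls = @()
$urls += (Get-ClientAccessServer -Identity $cas).AutodiscoverServiceInternalUri   # SCP, used by domain-joined Outlook
$owa = Get-OwaVirtualDirectory -Server $cas | Where-Object { $_.Name -like "owa*" }
$ews = Get-WebServicesVirtualDirectory -Server $cas
$oab = Get-OabVirtualDirectory -Server $cas
foreach ($vdir in @($owa, $ews, $oab)) {
    $urls += $vdir.InternalUrl
    $urls += $vdir.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $cas   # returns nothing while Outlook Anywhere is disabled
if ($oa) { $urls += "https://$($oa.ExternalHostname)/rpc/rpcproxy.dll" }

# --- 2. Names on the certificate that IIS is actually using --------------------
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for the IIS service on $cas" }
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered([string]$hostName) {
    # true for an exact CN/SAN match, or a wildcard SAN exactly one label above the host
    if ($certNames -contains $hostName) { return $true }
    foreach ($n in $certNames) {
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split(".").Length -eq $n.Split(".").Length)) { return $true }
    }
    return $false
}

# --- 3. Report which published host names the certificate does not cover -------
$missing = @()
foreach ($u in $urls) {
    if (-not $u) { continue }            # a vdir with no ExternalUrl set yet
    $h = ([System.Uri]$u.ToString()).Host.ToLower()
    if (Test-NameCovered $h) {
        Write-Host "OK       $u"
    } else {
        Write-Host "MISSING  $u   (host '$h' is not on the certificate)"
        if ($missing -notcontains $h) { $missing += $h }
    }
}
if ($missing.Count -gt 0) {
    Write-Host ("Either add these to the certificate or re-point the URLs: " + [string]::Join(", ", $missing))
}

# --- 4. Split-DNS sanity check: both public names must resolve from inside too --
$ErrorActionPreference = "SilentlyContinue"
foreach ($n in @($owaName, $autoName)) {
    $ip = $null
    $ip = [System.Net.Dns]::GetHostAddresses($n)
    if ($ip) { Write-Host "$n -> $($ip[0].IPAddressToString)" }
    else     { Write-Host "$n does not resolve from this server: add it to internal DNS" }
}
$ErrorActionPreference = "Continue"

# --- 5. Optional fix: one name pair everywhere, so nothing depends on the
#        internal server FQDN (Set-ClientAccessServer is the answer's own fix) ----
if ($apply) {
    Set-ClientAccessServer -Identity $cas -AutodiscoverServiceInternalUri "https://$autoName/Autodiscover/Autodiscover.xml"
    $owa | Set-OwaVirtualDirectory         -InternalUrl "https://$owaName/owa" -ExternalUrl "https://$owaName/owa"
    $ews | Set-WebServicesVirtualDirectory -InternalUrl "https://$owaName/EWS/Exchange.asmx" -ExternalUrl "https://$owaName/EWS/Exchange.asmx"
    $oab | Set-OabVirtualDirectory         -InternalUrl "https://$owaName/OAB" -ExternalUrl "https://$owaName/OAB"
    if ($oa) { $oa | Set-OutlookAnywhere -ExternalHostname $owaName }
    # Autodiscover hands the EWS/OAB URLs above to Outlook, so the internal
    # certificate prompt stops once all of them and $autoName are on the certificate.
}
```

Run it once with `$apply = $false` and read the MISSING lines: each one is a name that is either absent from the certificate or should stop being published. Only flip `$apply` after the split-DNS check in step 4 passes, because re-pointing the URLs at owa.mydomain.net before internal DNS resolves that name would break internal Outlook rather than fix it.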
 
Author Closing Comment by Adam D (LVL 1), ID: 37845456
Great detail, great answer.  Thanks.

