Solved

Exchange 2007, Outlook 2007, SSL & Outlook Anywhere

Posted on 2012-04-10
Last Modified: 2012-04-13
I have Exchange 2007 running on a Windows 2008 server.

I purchased an SSL certificate and used the following domains (using "mydomain" instead of my real domain):

exch.mydomain.net
mydomain.net
internalservername.mydomain.net

My Outlook Web Access works fine, no problems.

Here are my problems:

1. My internal machines, using Outlook 2007, say there is a certificate/security error, press yes to proceed and ignore the error.

2. Outlook 2007 OUTSIDE of the office will not connect at all.

======================
What I need to know is:

1. What should be included in the SSL certificate?

2. Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

3. How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

====================

Thank you for your help.
Question by:Adam D
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 37828187
>> What should be included in the SSL certificate?

With a good working knowledge of Exchange's HTTP services, split DNS and how to set the URLs Exchange uses, you can get away with owa.domain.com and autodiscover.domain.com.

Other people will generally tell you to include ServerName.domain.local and autodiscover.domain.local, because it will work with the out-of-box Exchange configuration and eliminate all your certificate errors.

Your certificate is missing autodiscover.domain.com, which is going to be required for Outlook to self-configure externally or from non-domain clients.

>> Step-by-step instructions on how to enable Outlook Anywhere on the server (in case I missed something) and how to connect to the server through Outlook when OUTSIDE the office.

Make sure the RPC-over-HTTP proxy feature is installed (Server Manager), along with the various IIS components it will ask for as pre-requisites when you choose to install the feature. (If it's installed, you can assume the pre-reqs are, too).

In Exchange Management Console, locate the Client Access Server under Server Configuration, highlight it, and choose "Enable Outlook Anywhere" in the right-hand pane. Enter your external URL (owa.domain.com) and pick an authentication mode. Chances are you do not need SSL offloading - you would know if you did.

Monitor the Event log over the course of 15 minutes for the event to indicate Outlook Anywhere was properly installed.

That's all there is to it, really.

As I said before, if you want Outlook to auto-configure from outside the network during first-run or account setup, you're going to need autodiscover.domain.com listed. The only way around this is to redirect Autodiscover to a different URL (which is listed) using a SRV record in public DNS: http://support.microsoft.com/kb/940881. However, many public DNS hosts do not support SRV records, so I'd advise you just add the proper name to the certificate.

Note that the part which I suspect is failing is autodiscovery - if you went ahead and performed a manual configuration, you should find everything then works fine, but that does not give the full Outlook Anywhere experience.

>> How to fix the Outlook problem INSIDE the network.  Why would Outlook INSIDE the network have a security error?

I cannot be 100% sure, but I suspect this is related to the Autodiscover Service Connection Point (SCP) which is used by Outlook installed on domain-joined machines to locate the Autodiscover service.

External clients will guess the autodiscover URL during configuration as either https://domain.com/Autodiscover/Autodiscover.xml or https://autodiscover.domain.com/Autodiscover/Autodiscover.xml. Except checking for a SRV record after checking those URLs, this is hard-coded into Outlook's behaviour, and the reason you should add that additional name to your certificate.

However, internally, the administrator can configure where to send Outlook for its autodiscover information using the SCP, which is controlled by a few attributes at the Exchange Management Shell.

Run Get-ClientAccessServer | fl name,*autodiscover* and observe the output of AutodiscoverServiceInternalUri.

If the URL returned is still at its default value, then the certificate error may be the result of the FQDN in that result not being listed on the certificate, either as the Common Name or one of the SANs (Subject Alternate Names).

You can change this URL so that it does match what's listed on the certificate:

Set-ClientAccessServer "CAS-name" -AutodiscoverServiceInternalUri https://internalexchname.domain.com/Autodiscover/Autodiscover.xml

Personally, I am an advocate of setting up split DNS to represent autodiscover.domain.com and owa.domain.com internally as well as externally, then using those two URLs in the appropriate places for everything. This way, you don't lock your configuration to internal server names and duplicate work/add complications when you don't have to.

-Matt
0
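The name check described in the answer above, as an added example that is not part of the original post: it lists the host names Outlook connects to (the two external Autodiscover guesses, the Outlook Anywhere host and the host in AutodiscoverServiceInternalUri) and reports which ones the certificate does not cover. The certificate names are the placeholders from the question; the Outlook Anywhere host and the SCP URL are constructed values, and `Test-NameCovered` is a hypothetical helper, not an Exchange cmdlet.

```powershell
# Added example: constructed values based on the placeholder names in the thread.

# True when $HostName matches a certificate name exactly, or matches a
# wildcard entry (*.suffix) with exactly one extra left-most label.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($entry in $CertNames) {
        $n = $entry.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # e.g. ".mydomain.net"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -ne '' -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Names on the certificate, as listed in the question.
# Live values: Get-ExchangeCertificate | fl Thumbprint,Services,CertificateDomains
$certNames = @('exch.mydomain.net', 'mydomain.net', 'internalservername.mydomain.net')

$smtpDomain = 'mydomain.net'          # domain part of the users' e-mail addresses
$oaHost     = 'exch.mydomain.net'     # assumed Outlook Anywhere external host name

# Constructed SCP value for illustration (a name that is not on the certificate).
# Live value: Get-ClientAccessServer | fl name,*autodiscover*
$scpUri = [Uri]'https://internalservername.mydomain.local/Autodiscover/Autodiscover.xml'

# Host names Outlook opens an HTTPS connection to, per the answer above.
$targets = @(
    @('External Autodiscover (domain root)',           $smtpDomain),
    @('External Autodiscover (autodiscover. name)',    "autodiscover.$smtpDomain"),
    @('Outlook Anywhere external host',                $oaHost),
    @('Internal SCP (AutodiscoverServiceInternalUri)', $scpUri.Host)
)

foreach ($t in $targets) {
    $status = 'MISSING from certificate'
    if (Test-NameCovered -HostName $t[1] -CertNames $certNames) { $status = 'covered' }
    '{0,-48} {1,-36} {2}' -f $t[0], $t[1], $status
}
```

Any row reported as missing is a name that either has to be added to the certificate or has to stop being used, for example by pointing AutodiscoverServiceInternalUri at a name that is listed.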
 
LVL 1

Author Closing Comment

by:Adam D
ID: 37845456
Great detail, great answer.  Thanks.