
Exchange SAN Certification

I have two CAS servers that are configured to respond to external autodiscover requests (via two separate IP addresses).  One server URL is https://webmail1.domainname.com, the other https://webmail2.domainname.com.  Both servers reside on the same domain and site.  I have a mailbox that routes to a CAS server that does not have an autodiscover name in the SAN cert, and I have another mailbox that routes to a CAS that does have the name in a SAN cert.  The mailbox that is communicating with the CAS without autodiscover is referencing the CAS that has the autodiscover service.  Should both of the SAN certs reference autodiscover.domain.com?
Asked by jahhan

1 Solution
 
Exchange_Geek commented:
Let me be honest in commenting that I was fairly amused to see why you would have two CAS with different URLs on them. I'm sure you have strong reasoning for setting it up this way.

Now, to answer your question:

Mailboxes aren't routed because of the SAN cert name; instead they are guided by DNS entries for Autodiscover OR proxying of addresses.

So, there could be two issues here.

1) Your second server has AutoDiscoverInternalURI set up for, say, https://webmail.domain.com/autodiscover/autodiscover.xml AND you've got an SRV OR A record for autodiscover.domain.com pointing to webmail.domain.com internally and externally.
2) Your first server doesn't have any info set for the above attribute.

Regards,
Exchange_Geek
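The reply above names the two things Outlook actually depends on: the AutoDiscoverServiceInternalUri on each CAS and the hostname the Autodiscover DNS record resolves to. The script below, an added example that is not from this thread, reports for every CAS whether the certificate enabled for IIS on that server covers the URI host, the Autodiscover name, and the Outlook Anywhere external hostname (the "msstd:" principal name mentioned later in the thread). It assumes the Exchange Management Shell is loaded, that the placeholder autodiscover.domainname.com is the name your SRV or A record uses, and it uses the standard Get-ClientAccessServer, Get-ExchangeCertificate and Get-OutlookAnywhere cmdlets; the wildcard-matching helper is this example's own logic.

```powershell
# Added example (not from this thread). Run in the Exchange Management Shell.
# Assumption: $AutodiscoverName is the hostname your Autodiscover SRV/A record points at.
$AutodiscoverName = 'autodiscover.domainname.com'   # placeholder, adjust to your DNS record

# Does a list of certificate names (subject + SANs) cover a hostname?
# A single-label wildcard such as *.domainname.com covers one label only.
function Test-CertCoversName {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                    # ".domainname.com"
            if ($HostName.EndsWith($suffix) -and
                ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
        }
    }
    return $false
}

foreach ($cas in Get-ClientAccessServer) {
    $uri     = $cas.AutoDiscoverServiceInternalUri
    $uriHost = $null
    if ($uri) { $uriHost = ([Uri]$uri).Host }

    # Outlook Anywhere external hostname (the msstd: value clients are told to trust), if enabled
    $oa     = Get-OutlookAnywhere -Server $cas.Name -ErrorAction SilentlyContinue
    $oaHost = $null
    if ($oa -and $oa.ExternalHostname) { $oaHost = $oa.ExternalHostname.ToString() }

    # The certificate bound to IIS is the one Outlook validates for Autodiscover/EWS/OAB
    $iisCert = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $names = @()
    if ($iisCert) { $names = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() }) }

    $uriOk = $false
    if ($uriHost) { $uriOk = Test-CertCoversName $names $uriHost }
    $oaOk = $false
    if ($oaHost) { $oaOk = Test-CertCoversName $names $oaHost }
    $expires = $null
    if ($iisCert) { $expires = $iisCert.NotAfter }

    # New-Object rather than [PSCustomObject] so this also runs on the PowerShell 2.0 shell
    New-Object PSObject -Property @{
        Server              = $cas.Name
        AutoDiscoverUri     = $uri
        UriHostOnCert       = $uriOk
        AutodiscoverOnCert  = (Test-CertCoversName $names $AutodiscoverName)
        OutlookAnywhereHost = $oaHost
        OAHostOnCert        = $oaOk
        CertExpires         = $expires
    }
}
```

A server that shows AutodiscoverOnCert = False while the DNS record sends clients to it is the situation described in the question: clients reach it, then fail certificate validation for the Autodiscover name. A server whose AutoDiscoverUri is empty is case 2) in the reply.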
 
jahhan (Author) commented:
I ran get-clientaccessserver | fl, and my second server is pointing to the internal address of webmail (cas01.domainname.com)

Ex: https://cas01.domainname.com/Autodiscover/Autodiscover.xml 


The SRV or A record for autodiscover is pointing to webmail.
 
Exchange_Geek commented:
So, the OL users would point to webmail.domain.com/auto........

Now, internally - why don't you build a CAS Array - get yourself a LB and have the queries routed to each server turn by turn?

Because you cannot have the DNS pointing to multiple A records or SRV records - so let it point to your CAS Array URL, and the LB would in turn balance out the connections.

Regards,
Exchange_Geek

 
jahhan (Author) commented:
So basically the setup I have is not supported?  

Is the setup I have ideal for a multiple domain environment?
 
Exchange_Geek commented:
I never said it is not supported, let me explain it better - possibly I was not able to explain it to you earlier.

Let's say I own a MOTEL which is about 1 km away from the highway, and let's say you own a MOTEL that is 2 km away from the highway. A tourist who wants to rest for the night is looking for a MOTEL and finds your 20-foot advertisement on the highway; using the directions given on the AD, he reaches your MOTEL. You are all happy-happy and me sad-sad.

So, this is how OL works, you have only 1 autodiscover A or SRV Record that can point to 1 host entry.

Now, if that points to a CAS Array, that includes both the CAS Servers - this is as good as the AD having yours and mine address included, so let the tourist decide and come along to hire our MOTEL.

Using the CAS Array, OL would connect to a LB and LB would then distribute the connections equally (in Round Robin or Least connection manner)

What you are using is supported but a waste of CAS Server, since CAS1 won't get much of connections internally for OL - and CAS2 on the other hand would start complaining in some time, that it thinks you are being biased towards it.

Am I clear now?

Regards,
Exchange_Geek
 
jahhan (Author) commented:
That makes so much sense now.   So it is safe to say the system should only be using one SAN cert instead of two, and utilize one CAS Array or CAS load balancing to centralize traffic?  Is it possible to have two external URLs that we can have one set of mailbox owners use over the other?
 
Exchange_Geek commented:
You'll need to have a separate set of email addresses, because autodiscover would use only 1 record, as I mentioned, externally too.

So, what you could do is to have users sign in with domainA.com -> pointing to autodiscover.domainA.com -> pointing to CAS1 and another set of users using domainB.com -> pointing to autodiscover.domainB.com -> pointing to CAS2.

OR

The fix is to end the misery of Autodiscover; here is how to disable Autodiscover on an OL machine.

Open the registry on the local workstation and navigate to the below section:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover
Then delete the below registry entries. NOTE: it's always a good idea to back up the registry first before making changes!
"ExcludeHttpRedirect"
"ExcludeHttpsAutodiscoverDomain"
"ExcludeHttpsRootDomain"
"ExcludeScpLookup"
"ExcludeSrvLookup"
"ExcludeSrvRecord"
You may also find another as below; delete this as well:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover\RedirectServers
"autodiscover.domain.com"
Close the registry and then restart Outlook; it should now function correctly. To confirm this, rerun the 'Test Email Autoconfiguration' with Outlook as per the above instructions.

Regards,
Exchange_Geek
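The reply above tells you to back up the registry before deleting anything under the Outlook 2007 (12.0) AutoDiscover key. The script below is an added example, not part of the thread, that does exactly that preparatory step: it exports the key (RedirectServers included) to a .reg file that "reg import" can restore, and lists which Exclude* values and redirect hosts are currently present so you know what the deletion would change. It assumes it is run as the Outlook user on the workstation and that the backup folder under the user profile is acceptable; the key path is the one from the reply with its stray space removed.

```powershell
# Added example (not from this thread). Run as the Outlook user on the workstation.
# Assumptions: Outlook 2007 (key version 12.0, as in the reply) and an assumed backup folder.
$KeyPath   = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\AutoDiscover'   # PowerShell drive syntax
$RegKey    = 'HKCU\Software\Microsoft\Office\12.0\Outlook\AutoDiscover'    # same key, reg.exe syntax
$BackupDir = Join-Path $env:USERPROFILE 'AutoDiscoverBackup'

# Export the whole key to a timestamped .reg file; restore later with: reg import <file>
function Backup-AutoDiscoverKey {
    if (-not (Test-Path $KeyPath)) { Write-Warning "Key not present: $KeyPath"; return $null }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('AutoDiscover-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $RegKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $file
}

# List the Exclude* values (each one switches off a lookup step when set to 1)
# and the hosts recorded under RedirectServers, i.e. everything the reply says to delete.
function Get-AutoDiscoverOverrides {
    $result = @()
    if (Test-Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'Exclude*') {
                $result += New-Object PSObject -Property @{ Kind = 'Exclude'; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    $redir = Join-Path $KeyPath 'RedirectServers'
    if (Test-Path $redir) {
        $props = Get-ItemProperty -Path $redir
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds; value names are hostnames
            if ($p.Name -notlike 'PS*') {
                $result += New-Object PSObject -Property @{ Kind = 'RedirectServer'; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    return $result
}

$backup = Backup-AutoDiscoverKey
if ($backup) { Write-Output "Backup written to $backup" }
Get-AutoDiscoverOverrides | Format-Table Kind, Name, Value -AutoSize
```

Nothing here deletes a value; it only records the state before the manual steps in the reply, so the change can be reversed on a workstation where it turns out not to help.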
 
jahhan (Author) commented:
I am currently experiencing availability issues with calendar lookup service.  Mailbox owners on webmail1 are unable to get freebusy for webmail2 mailboxes, but webmail2 is able to lookup webmail1 freebusy.  Is my configuration setup a direct link to why freebusy is not working?  If I were to disable autodiscover through the registry would that resolve my freebusy problem?
 
Exchange_Geek commented:
Mailbox for webmail1 wouldn't work as the autodiscover is working for webmail2. You'll also see the following issues

Webmail1 folks won't be able to set up their OOO / they won't be able to see Free/busy / they'll have issues with OAB / they'll have issues setting up their OL profiles automatically.

BTW give the autodiscover registry a shot and see if it works, just for troubleshooting sake - I've got my doubts, but hey it won't cost you a penny to perform it :)

Regards,
Exchange_Geek
 
jahhan (Author) commented:
Does the registry change only apply to workstations in the office?  I have several people outside of the office using Outlook Anywhere.  If I have an Outlook Anywhere client try the registry change, will it stop them from retrieving email?  Also should I have webmail1 and webmail2 users try the reg change or just webmail2?
 
Exchange_Geek commented:
The registry change is for workstations precisely; there is no bias whether these machines are within the domain or at home.

Retrieving emails is a different concept; emails are accessed using msstd information. So, when your OL starts, autodiscover is used to access URL information such as OOO / UM / OAB / Free-busy, NOT EMAILS. Emails are gathered by the msstd location; whatever is mentioned there - if that location is accessible, your email flow will work. Period.

Regards,
Exchange_Geek
 
jahhan (Author) commented:
Your explanation helped me understand that the current configuration is not an ideal setup for a single domain.