Frosty555 (Canada) asked:
Exchange 2013 - certificate warning for local outlook clients

I've just finished setting up a Microsoft Exchange 2013 environment. We have two servers in two different sites, each site has a domain controller and an exchange server.

We're doing the "internal URL set to the same as the external URL" style of making our SSL certificate work.

The exchange servers are internally known as:

exchangeA.mycompany.local
exchangeB.mycompany.local

And externally, they are known as:

siteA.mycompany.com
siteB.mycompany.com

So on my Internal DNS, I created a zone for "mycompany.com", and set up the records accordingly

siteA.mycompany.com   -->   [[local IP of exchangeA.mycompany.local]]
siteB.mycompany.com   -->   [[local IP of exchangeA.mycompany.local]]

And on my external DNS server (e.g. my web hosting provider), I set up the records:

siteA.mycompany.com   -->   [[WAN IP address of site A's router]]
siteB.mycompany.com   -->   [[WAN IP address of site B's router]]

I also updated the InternalURL / ExternalURL for all virtual directories in the Exchange Administration Center / EAC.

Everything is ALMOST working. Smartphones, Outlook from OUTSIDE the office, and Web access all work fine.

What's not working is regular Outlook clients on the local network:

When I am INSIDE the company on the local network, and I attempt to connect a Microsoft Outlook client to Exchange, I get a certificate warning. It appears Outlook is auto-discovering the "exchangeA.mycompany.local" internal name, instead of the "SiteA.mycompany.com" external name.

The outlook client still works if I push past that warning... but it pops up every time you open Outlook and is incredibly annoying.

[Screenshot attached by the asker of the Outlook certificate warning; image not available]
Did I miss something?
SOLUTION
Marc Dekeyser (United States of America)

This solution is only available to members of Experts Exchange.
Chris
I would also change how you have the DNS zones set up.

Create full pinpoint zones for them, so you would have a zone called sitea.mycompany.com with a single A record in there.
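What a "pinpoint zone" looks like in practice, as an added example that is not part of Chris's comment or the thread. It assumes the DnsServer PowerShell module on a Windows Server 2012 or later domain controller, the hostnames from the question, and constructed placeholder IP addresses. The point of the approach: an internal copy of the whole "mycompany.com" zone shadows every public record in that domain (web, MX, anything hosted elsewhere), so each of those must be duplicated and kept in sync by hand; a pinpoint zone named after a single host overrides only that one name and lets everything else resolve normally through the public zone.

```powershell
# Added example, not from the thread. Assumes the DnsServer module on a DC.
# Hostnames are from the question; IP addresses are constructed placeholders.
Import-Module DnsServer

$Pinpoint = @{
    'sitea.mycompany.com'        = '10.1.0.10'   # constructed: LAN IP of exchangeA
    'siteb.mycompany.com'        = '10.2.0.10'   # constructed: LAN IP of exchangeB
    'mail.mycompany.com'         = '10.1.0.10'   # constructed: same host as sitea
    'autodiscover.mycompany.com' = '10.1.0.10'   # constructed: same host as sitea
}

foreach ($name in $Pinpoint.Keys) {
    # One AD-integrated zone per hostname, replicated to every DC in the domain.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain
    }

    # The single A record lives at the zone apex ('@'), so the zone answers
    # for exactly this hostname and nothing underneath it.
    $apex = Get-DnsServerResourceRecord -ZoneName $name -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq '@' }
    if (-not $apex) {
        Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $Pinpoint[$name]
    }
}

# Verification: each pinpoint name resolves to the LAN address, while an
# unrelated public name in mycompany.com (here www, assumed to exist) still
# resolves through the external zone instead of failing with NXDOMAIN.
foreach ($name in $Pinpoint.Keys + 'www.mycompany.com') {
    Resolve-DnsName -Name $name -Type A -ErrorAction Continue |
        Select-Object Name, IPAddress
}
```

If you already created a full internal "mycompany.com" zone as described in the question, remove it before adding the pinpoint zones; otherwise the broader zone keeps answering for every name in the domain and the pinpoint zones are never consulted.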
Frosty555 (ASKER)
Geminon - you lost me... I do have two Exchange servers both of them are holding the Client Access role. AFAIK CAS Arrays do not exist in Exchange 2013 anymore (see: http://www.vmhosts.co.uk/load-balancing-cas-servers-in-exchange-2013/)

Round-robin DNS is a new concept to me... and where are these SCP records? I didn't see them anywhere in DNSMGMT.MSC on my domain controller

How exactly do you think my DNS records should be configured?

One other thing I should mention is that I do have a third hostname, "mail.mycompany.com", which is currently pointing to the same IP address as "sitea.mycompany.com" both internally and externally, but I didn't think it was really relevant. "mail.mycompany.com" is where the employees go when they want to access the webmail remotely. It is also named on the SSL certificate.

The SSL cert names these hostnames:

sitea.mycompany.com
siteb.mycompany.com
mail.mycompany.com
autodiscover.mycompany.com
mycompany.com
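The symptom in the original question (a certificate warning only for domain-joined Outlook) and the follow-up question about where the "SCP records" live both come down to the same thing: a domain-joined Outlook client does not start with DNS at all. It queries Active Directory for the Autodiscover Service Connection Point, which Exchange setup populates with the server's internal FQDN (exchangeA.mycompany.local), and then follows whatever internal URLs Autodiscover hands back. Any of those URLs whose hostname is not on the certificate produces the warning. The script below is an added example, not from the thread or from Microsoft, written for the Exchange Management Shell on an Exchange 2013 server with the hostnames from the question; the mapping of server to public name, the default web site identities, and the `$Check` switch are assumptions. It audits every URL handed to internal clients against the names on the IIS-bound certificate, and only rewrites them when `$Check` is set to `$false`.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumption: each server should advertise the public name already on the cert.
$PublicName = @{
    'exchangeA' = 'sitea.mycompany.com'
    'exchangeB' = 'siteb.mycompany.com'
}
$Check = $true    # $true = report only; set to $false to apply the changes

# 1. Where domain-joined Outlook actually looks: the Autodiscover SCP objects in
#    the AD configuration partition (not DNS). The GUID is the well-known keyword
#    that marks Autodiscover SCPs.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))' `
    -SearchBase (Get-ADRootDSE).configurationNamingContext `
    -Properties serviceBindingInformation |
    Format-Table Name, serviceBindingInformation -AutoSize

# 2. Names the certificate bound to IIS on this server actually covers.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# 3. Every URL or hostname internal clients are sent to, from the SCP and each
#    virtual directory, flagged when it is not on the certificate.
$targets = @(
    Get-ClientAccessServer          | Select-Object @{n='What';e={'SCP'}}, @{n='Url';e={$_.AutoDiscoverServiceInternalUri}}
    Get-OutlookAnywhere             | Select-Object @{n='What';e={'OutlookAnywhere'}}, @{n='Url';e={'https://' + $_.InternalHostname}}
    Get-WebServicesVirtualDirectory | Select-Object @{n='What';e={'EWS'}}, @{n='Url';e={$_.InternalUrl}}
    Get-OabVirtualDirectory         | Select-Object @{n='What';e={'OAB'}}, @{n='Url';e={$_.InternalUrl}}
    Get-ActiveSyncVirtualDirectory  | Select-Object @{n='What';e={'EAS'}}, @{n='Url';e={$_.InternalUrl}}
    Get-OwaVirtualDirectory         | Select-Object @{n='What';e={'OWA'}}, @{n='Url';e={$_.InternalUrl}}
    Get-EcpVirtualDirectory         | Select-Object @{n='What';e={'ECP'}}, @{n='Url';e={$_.InternalUrl}}
)
$targets | Where-Object { $_.Url } | ForEach-Object {
    $h  = ([uri]$_.Url).Host.ToLower()
    # Exact SAN match, or a wildcard SAN (*.mycompany.com) covering this host.
    $ok = ($covered -contains $h) -or
          ($covered | Where-Object { $_.StartsWith('*.') -and $h.EndsWith($_.Substring(1)) })
    if (-not $ok) { Write-Warning "$($_.What): $($_.Url) is not on the certificate (expect an Outlook warning)" }
}

# 4. Apply: point the SCP and the internal URLs at the public name per server.
if (-not $Check) {
    foreach ($srv in $PublicName.Keys) {
        $h = $PublicName[$srv]
        Set-ClientAccessServer -Identity $srv -AutoDiscoverServiceInternalUri "https://$h/Autodiscover/Autodiscover.xml"
        Set-OutlookAnywhere -Identity "$srv\Rpc (Default Web Site)" -InternalHostname $h -InternalClientsRequireSsl $true
        Set-WebServicesVirtualDirectory -Identity "$srv\EWS (Default Web Site)" -InternalUrl "https://$h/EWS/Exchange.asmx"
        Set-OabVirtualDirectory -Identity "$srv\OAB (Default Web Site)" -InternalUrl "https://$h/OAB"
        Set-ActiveSyncVirtualDirectory -Identity "$srv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$h/Microsoft-Server-ActiveSync"
        Set-OwaVirtualDirectory -Identity "$srv\owa (Default Web Site)" -InternalUrl "https://$h/owa"
        Set-EcpVirtualDirectory -Identity "$srv\ecp (Default Web Site)" -InternalUrl "https://$h/ecp"
    }
}
```

Run it with `$Check = $true` first: the warnings it prints are exactly the URLs that will keep producing the certificate prompt, and the SCP line is the answer to where the "SCP record" lives. After applying the change, allow AD replication to finish and restart Outlook; the client-side counterpart is Outlook's "Test E-mail AutoConfiguration" dialog (Ctrl + right-click on the Outlook tray icon), which shows the SCP lookup and every URL Autodiscover returned so you can confirm none of them still names a .local host.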
ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.
Pointed me in the right direction