Solved

Setup Outlook to work over HTTPS

Posted on 2013-06-07
51
532 Views
Last Modified: 2013-07-04
Hi All,

A company has asked if I can set up their Outlook installs (Office 2010) to connect to their Small Business Server 2011 when they are at home.

Ideally I'd like to do this over HTTPS.  But have no idea where to start.

Any suggestions?
0
Comment
Question by:detox1978
51 Comments
 
LVL 4

Expert Comment

by:MrC63
ID: 39230062
I would assume you want to use the native Outlook client by enabling Outlook Anywhere, via RPC over HTTP?  

Would you like the proper way to do it, complete with SSL certificates / security, or would you like the shortcut / less secure method.  I would recommend doing it properly, and the first step is to obtain a UCC (multi-domain) SSL certificate from GoDaddy or some other certificate authority. The cost for the SSL is generally in the $75 range (per year) through GoDaddy.  Not sure what others charge.

After you get the SSL certificate, there are about 4 or 5 things you need to do to make Outlook Anywhere work properly for remote clients.  I'll follow up with further steps when I know which way you want to proceed.

MrC
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230075
Yes RPC over HTTP.  I have registered an SSL certificate with Godaddy.  So fire away with the steps.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230076
I've installed it and assigned it to the default website.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230079
I want to be certain it's a UCC certificate?  It has to resolve properly / be accepted for at least 3 host names.  UCC certificates allow you to use up to 5 host names.
0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39230086
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230098
I don't know about using multiple names, but I got the cheapest one they sell, which says "SAN UCC Support"?

http://uk.godaddy.com/compare/gdcompare3_ssl.aspx
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230115
OK.  The first thing is to install the certificate.  Here's a guided, step by step demonstration:

http://www.netometer.com/video/tutorials/exchange-2010-how-to-install-GoDaddy-Multiple-Domain-SAN-UCC-Certificate/
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230128
<pradeep08_81>
2) How to Configure Outlook for RPC-over-HTTP
http://www.youtube.com/watch?v=umSPbKBwfRw

error
I got the following error message.  I guess this is because I haven't set up anything on Exchange or did use the correct Exchange proxy address
</pradeep08_81>

<MrC63>
Give me 10 mins to read it.
</MrC63>
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230136
Detox, you should change your nickname to <xmlguy />  ;)
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230138
MrC63, the videos need a subscription to netometer to watch them
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230152
OK, I'll walk you through it.  I didn't think the Exchange 2010 required a subscription.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230190
Since you've purchased a GoDaddy UCC, the first step is to generate the CSR (signing request) to file with GoDaddy and generate the actual certificate.

The syntax is as follows, and it is run from the Exchange PowerShell (not from a command prompt!!).

New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

When you get into the "SubjectName" section, please be careful and replace all of the names you see there with the correct names for your client.    This is critical, and if you have questions about anything in that section, send a note through and I'll explain.  

I assume your server has Remote Web Workplace (RWW) installed, and if so then it should be using the public name of "remote.<publicdomain>.com".
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230231
Yes, they already had remote.companyname.com set up.  I installed the certificate using IIS, assigned it to the default website (which remote.companyname.com is on), then exported it to a PFX file and imported it to the computer's personal certificates folder.

If I navigate to remote.companyname.com the valid certificate is displayed.

Do I still need to do the PowerShell bit?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230241
Absolutely.  The RWW website might be using the proper certificate, however Exchange also needs to use it.

The syntax I provided above is critical when you generate the SSL at GoDaddy.  Hopefully it won't be too much of a hassle to re-generate / re-key the SSL, but you absolutely have to have it in the format I sent to you in order for Outlook Anywhere to work properly.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230262
Ok thanks, will give it a go.

When you download the certificate from goDaddy, they have the option to download in Exchange 2010 format.

Here are the instructions that came with the certificate - link
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230271
The instructions you reference are provided to install the SSL certificate for the web side of things only, so that (e.g.) mobile devices / smart phones can access OWA via HTTPS using Active-Sync.  If you were only worried about SSL for these devices, then this would be fine.

There is a lot more involved to configure Exchange itself for Outlook Anywhere so that a true Outlook client can connect using RPC over HTTP.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230333
New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

Should there be a comma after o=MyBusiness?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230363
Yes, my apologies.  I made a mistake when editing the text to remove the client's name that we previously used this for.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230379
A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230403
I found this, if it's any help;

New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Diversión de Bicicleta, cn=mail1. DiversiondeBicicleta.com" -DomainName woodgrove.com, example.com -PrivateKeyExportable $true
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230419
That should be the same as what I sent you other than my previous error.  The critical part is the "DomainName" part.  In the example you sent, they list two domain names.  In your case, you need to be certain this list of names includes (in order):

- the local, actual, fully qualified server name (with local domain, e.g. myserver.xyz.local)
- the local, unqualified server name (e.g. myserver)
- the public "remote" name (e.g. remote.xyz.com)
- the public autodiscover name (e.g. autodiscover.xyz.com)

Using the above as examples, it should read

-DomainName myserver.xyz.local, myserver, remote.xyz.com, autodiscover.xyz.com
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230525
What extra domain names should I put on the certificate?

Is there a way to get a list of the current domains?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230579
I get the following error

A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39230582
Can you show the exact syntax of the command you're trying to run?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230601
0
 
LVL 2

Author Comment

by:detox1978
ID: 39230664
I found this article.

Can you check your original syntax?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39231244
Any thoughts?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39231537
Offline support isn't allowed under the terms of this site.
Second, as this is SBS, things have to be done differently to regular Exchange installations.
Basically you create the certificate request in Exchange 2010 using the wizard, you complete the request using the same SSL wizards, but you install it (and enable it) using the SBS SSL wizard in the SBS management tool.

If you get all of the DNS entries configured correctly then Outlook 2010 will set up automatically.

I have instructions on the process on my web site here: http://semb.ee/ssl
And that includes a link to the SBS variation.

Simon.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39232832
Thank you Modulus.  I certainly respect your input, and entirely acknowledge the potential risks involved.  My interest is purely to resolve the issue, and in this case it would be very difficult to achieve through repeated messages.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39236041
Thanks for the information.

I've already created the certificate.  So need to add the second domain name to it.


Any suggestions on how to do this?
0
 
LVL 2

Author Comment

by:detox1978
ID: 39236176
Is there a way to do this using the remote address instead of the autodiscover?

If it helps the domain name is registered with Godaddy, who support SRV records.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39237502
Detox...things are much different regarding Certificates on SBS vs the standard server editions.
First of all, you do NOT need a UCC cert.

A single name cert from Godaddy is fine.

The first rule of SBS is USE THE WIZARDS...not shouting...just emphasizing.
If you look at the SBS Console, you'll see a "wizard" for Installing a Trusted SSL Cert.

I would talk to GoDaddy, see if they will revoke the Cert..then get a single name cert using the wizard on the SBS console.   Godaddy Certs actually involve an intermediate cert as well as the regular cert.   Sean Daniels of the SBS Product Team wrote an excellent blog on how to install Godaddy certs on SBS.   His blog is about SBS 2008 but still applies to SBS 2011.   http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx

That's all you need, assuming you used all the other wizards to "Connect to the Internet" and "Setup Your Internet Address".   If you did not use those, we should probably go back a bit.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39237590
Outlook Anywhere is significantly different than OWA.  If OWA was the objective, a single-named certificate would be sufficient.  However, Outlook Anywhere must securely resolve to several names, both internal and external.  As a result, a UCC / SAN certificate is required.

Detox, here is an excellent link to help you create and configure your SAN certificate.  It will be much easier than the command line / PowerShell commands.

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

MrC
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39237976
@MrC63, I'm not sure what your experience level is with Microsoft's Small Business Server, but it appears at first glance that most of your experience is with standard or enterprise level products.  And in those cases your statements above may be true, but SBS is different on many levels.   Under normal circumstances Exchange would never be installed on a domain controller, but with Small Business Server it is.   SBS also contains many wizards to ensure that things run properly given the unique setup.

I'm running Outlook Anywhere on this laptop connected to SBS 2011; all my customers use Outlook Anywhere connecting to their SBS 2008 and SBS 2011 servers with a single name cert.  It's all that's required.   You may not even be aware that SBS has the ability to generate its own Self Signed SSL cert if you don't care to purchase one and it's a single named cert created when you run the "Setup My Internet Address" wizard.

I've been designated by Microsoft as an MVP on the Small Business Server since 1997 and I'm co-author of a textbook on SBS 2008.  I have achieved the Genius level badge for Small Business Server on Experts Exchange and I am ranked #6 on the SBS forum.   I also moderate the SBS forums on TechNet.   So again let me re-iterate to the author, a SAN cert is not required.   Get a single named cert from GoDaddy, install it on the SBS server using the wizard, then I can help you with configuring the client, if you need help with that.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39238507
@Cris, I can certainly appreciate your credentials, and yes, I'm completely familiar with self-signed certificates.  When used, these will produce a warning to anyone outside the network -- I'm sure you already know that.

As an aside, we've done 5 SBS installations in the past year and have been installing this product for clients for more than 10 years.  There are ways of making it work, and there are ways of making it work properly.  It's possible to configure OWA, and even Outlook Anywhere, without any SSL, as long as you don't mind the lack of security / encryption between external client and server.

Now let's get back to the topic at hand and help this client.  He already has a SAN certificate. GoDaddy is always loathe to refund a certificate that has been issued and keyed so why bother making him jump through those hoops.  Let's help him create it properly and get it installed.  That should be our focus.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39238555
At this point the author can choose which path he wants to go down, I'll await his response.
I've had numerous clients get GoDaddy to do exactly what I suggested.

I wasn't suggesting using the self signed cert, I'm simply suggesting using a single domain cert from a trusted provider such as GoDaddy as that's all that's required, the 2 minutes worth of work to install the cert and the intermediate cert using the wizard and everything works as expected.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39242872
Sorry for the delay in replying and thanks for the info.

I installed the single URL certificate using the wizard and added the domain name to an RPC regkey (highlighted by a link on www.testexchangeconnectivity.com's results).

This has everything working well and users can send and receive; however, the users do get the SSL warning message.  When you click view it says the URL is autodiscover.mydomain.com.  I've set everywhere to use remote.mydomain.com, so I can only guess Outlook ignores the proxy URL and uses autodiscover.mydomain.com to make the actual connection.

So I guess I just need to work out how to request a certificate with the extra URLs.  Is the link you shared relevant for SBS 2011 and do I need to put the certificates in a specific order?

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/



Thanks again
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39243049
That's exactly what I expected you would get if you did not use a SAN certificate.  Although it works, it also produces SSL warnings.  Obviously this is not a desirable result.

Follow the links in my earlier message to generate the SAN certificate request.  Make sure the local server name, the public server name, and both the local and public autodiscover names are included in the SAN request.

That will resolve your SSL warnings.
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 300 total points
ID: 39243070
Susan Bradley, commonly known as the SBS Diva and another of the SBS MVPs, wrote a great blog piece on AutoDiscover and DNS and SBS 2011 that I would highly encourage you to read before going much further:  http://msmvps.com/blogs/bradley/archive/2008/12/18/autodiscover-and-dns.aspx

I would also encourage you to then re-run the "Setup My internet address" wizard so that we can ensure that remote.domainname.com is what IIS and Exchange are expecting.   Then this will regenerate the Self Signed SSL Cert.   If you want to test things with that cert you can install that cert on one of the remote machines doing Outlook Anywhere using these instructions:  http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx (they are the same for SBS 2011)

If you still have issues after that, you should run the "Fix My Network" Wizard in the SBS Console.  

Then you can install the Trusted Third Party SSL cert using the Wizard in the SBS Console
0
 
LVL 2

Author Comment

by:detox1978
ID: 39251656
Is there a way to have Outlook use remote.mydomain.com instead of autodiscover.mydomain.com, as that's why the SSL is displaying the error?

My DNS is with GoDaddy who allow SRV records.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39251663
Only if it's a SAN certificate, or only if you key the certificate using "remote.xyz.com".
0
 
LVL 2

Author Comment

by:detox1978
ID: 39251717
When you say key the certificate, I'm not sure I follow.  Somewhere Outlook must be deciding to use autodiscover.mydomain.com.  Is there a way to force it to use remote.mydomain.com?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39251720
Outlook / Exchange will use all those names, and the certificate must match each of the names in order to avoid SSL warnings.  That's where the SAN certificate comes in.
0
 
LVL 2

Author Comment

by:detox1978
ID: 39251728
Could I create a SRV record for _autodiscover and point it at remote.mydomain.com?

See the solution part of this link?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39251734
As the instructions point out in the Blog from Susan Bradley...you don't need a SAN cert and you don't need an A record for autodiscover

Create the SRV record @ Godaddy DNS using the example that she has in her blog
0
 
LVL 4

Assisted Solution

by:MrC63
MrC63 earned 200 total points
ID: 39252302
@Detox, I respect Cris's credentials, and I don't want to publicly disagree with him.  All I can say is, if you get a SAN, these problems will disappear.  Or you can read more theory and blog posts.  I'm fine with either, and if you choose to get a SAN, then I will be here to ensure your SBS server / O/A works as expected.

MrC
0
 
LVL 2

Author Comment

by:detox1978
ID: 39252383
MrC, no one is saying you are wrong, we agree using a san address would resolve the issue.  It's just the certificate is already generated.

I'll give it a test later this week and report back.

D
0
 
LVL 2

Author Comment

by:detox1978
ID: 39299377
Managed to get it working by setting up the DNS SRV record for _autodiscover, which pointed at remote.mydomain.com, so it doesn't need a SAN certificate.

Many thanks for sticking with me on this one.


D
0
 
LVL 2

Author Closing Comment

by:detox1978
ID: 39299384
Setting up the DNS SRV was the solution I went with, as it meant I didn't need to get a SAN certificate to fix the issue, but I acknowledge your solution would also have worked, MrC63.
0
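The certificate warning discussed in this thread comes down to whether every host name Outlook connects to is covered by the certificate the server presents. The following is an added example, not code from the thread or from any participant: it checks constructed single-name and SAN certificates against the `xyz.com` placeholder names used above, under the simplifying assumption that Outlook reaches `autodiscover.xyz.com` only while that host resolves and reaches only the remote name once the `_autodiscover` SRV record is in place.

```python
"""Added example: which host names does a certificate cover?"""
import socket
import ssl

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# Host names are the xyz.com placeholders from the thread, not real systems.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "remote.xyz.com"),),),
    "subjectAltName": (("DNS", "remote.xyz.com"),),
}
SAN_CERT = {
    "subject": ((("commonName", "remote.xyz.com"),),),
    "subjectAltName": tuple(("DNS", n) for n in (
        "myserver.xyz.local", "myserver", "remote.xyz.com", "autodiscover.xyz.com")),
}
# Assumed model of the hosts Outlook reached in the thread: with the
# autodiscover host resolving, and after the SRV record replaced it.
HOSTS_WITH_AUTODISCOVER_HOST = ["remote.xyz.com", "autodiscover.xyz.com"]
HOSTS_WITH_SRV_RECORD = ["remote.xyz.com"]


def cert_dns_names(cert):
    """DNS names the cert is valid for; the subject CN is used only when no DNS SAN exists."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """A wildcard must be the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert, hosts):
    """Hosts a client would connect to that the certificate does not cover."""
    names = cert_dns_names(cert)
    return sorted(h for h in hosts if not any(name_matches(n, h) for n in names))


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate for the same check.

    Chain validation stays on; only host-name checking is off, so a
    certificate issued for a different name can still be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT), ("SAN/UCC", SAN_CERT)):
        for hosts in (HOSTS_WITH_AUTODISCOVER_HOST, HOSTS_WITH_SRV_RECORD):
            print(label, hosts, "-> uncovered:", uncovered(cert, hosts))
```

To run the same check against a real server, pass the result of `fetch_cert("<your remote host name>")` to `uncovered()` together with the host names your clients use.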
