• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 558
  • Last Modified:

Setup Outlook to work over HTTPS

Hi All,

A company has asked if I can set up their Outlook installs (Office 2010) to connect to their Small Business Server 2011 when they are at home.

Ideally I'd like to do this over HTTPS.  But I have no idea where to start.

Any suggestions?
0
detox1978
Asked:
2 Solutions
 
MrC63Commented:
I would assume you want to use the native Outlook client by enabling Outlook Anywhere, via RPC over HTTP?  

Would you like the proper way to do it, complete with SSL certificates / security, or would you like the shortcut / less secure method.  I would recommend doing it properly, and the first step is to obtain a UCC (multi-domain) SSL certificate from GoDaddy or some other certificate authority. The cost for the SSL is generally in the $75 range (per year) through GoDaddy.  Not sure what others charge.

After you get the SSL certificate, there are about 4 or 5 things you need to do to make Outlook Anywhere work properly for remote clients.  I'll follow up with further steps when I know which way you want to proceed.

MrC
0
 
detox1978Author Commented:
Yes RPC over HTTP.  I have registered an SSL certificate with Godaddy.  So fire away with the steps.
0
 
detox1978Author Commented:
I've installed it and assigned it to the default website.
0
 
MrC63Commented:
I want to be certain it's a UCC certificate?  It has to resolve properly / be accepted for at least 3 host names.  UCC certificates allow you to use up to 5 host names.
0
 
Pradeep DubeyConsultantCommented:
0
 
detox1978Author Commented:
I don't know about using multiple names, but I got the cheapest one they sell, which says "SAN UCC Support"?

http://uk.godaddy.com/compare/gdcompare3_ssl.aspx
0
 
MrC63Commented:
OK.  The first thing is to install the certificate.  Here's a guided, step by step demonstration:

http://www.netometer.com/video/tutorials/exchange-2010-how-to-install-GoDaddy-Multiple-Domain-SAN-UCC-Certificate/
0
 
detox1978Author Commented:
<pradeep08_81>
2) How to Configure Outlook for RPC-over-HTTP
http://www.youtube.com/watch?v=umSPbKBwfRw

error
I got the following error message.  I guess this is because I haven't set up anything on Exchange or didn't use the correct Exchange proxy address.
</pradeep08_81>

<MrC63>
Give me 10 mins to read it.
</MrC63>
0
 
MrC63Commented:
Detox, you should change your nickname to <xmlguy />  ;)
0
 
detox1978Author Commented:
MrC63, the videos need a subscription to netometer to watch them
0
 
MrC63Commented:
OK, I'll walk you through it.  I didn't think the Exchange 2010 required a subscription.
0
 
MrC63Commented:
Since you've purchased a GoDaddy UCC, the first step is to generate the CSR (signing request) to file with GoDaddy and generate the actual certificate.

The syntax is as follows, and it is run from the Exchange PowerShell (not from a command prompt!!).

New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

When you get into the "SubjectName" section, please be careful and replace all of the names you see there with the correct names for your client.    This is critical, and if you have questions about anything in that section, send a note through and I'll explain.  

I assume your server has Remote Web Workplace (RWW) installed, and if so then it should be using the public name of "remote.<publicdomain>.com".
0
 
detox1978Author Commented:
Yes, they already had remote.companyname.com set up.  I installed the certificate using IIS, assigned it to the default website (which remote.companyname.com is on), then exported it to a PFX file and imported it to the computer's personal certificates folder.

If I navigate to remote.companyname.com the valid certificate is displayed.

Do I still need to do the PowerShell bit?
0
 
MrC63Commented:
Absolutely.  The RWW website might be using the proper certificate, however Exchange also needs to use it.

The syntax I provided above is critical when you generate the SSL at GoDaddy.  Hopefully it won't be too much of a hassle to re-generate / re-key the SSL, but you absolutely have to have it in the format I sent to you in order for Outlook Anywhere to work properly.
0
 
detox1978Author Commented:
Ok thanks, will give it a go.

When you download the certificate from goDaddy, they have the option to download in Exchange 2010 format.

Here are the instructions that came with the certificate - link
0
 
MrC63Commented:
The instructions you reference are provided to install the SSL certificate for the web side of things only, so that (e.g.) mobile devices / smart phones can access OWA via HTTPS using Active-Sync.  If you were only worried about SSL for these devices, then this would be fine.

There is a lot more involved to configure Exchange itself for Outlook Anywhere so that a true Outlook client can connect using RPC over HTTP.
0
 
detox1978Author Commented:
New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

Should there be a comma after o=MyBusiness
0
 
MrC63Commented:
Yes, my apologies.  I made a mistake when editing the text to remove the name of the client we previously used this for.
0
 
detox1978Author Commented:
A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
 
detox1978Author Commented:
I found this, if it's any help;

New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Diversión de Bicicleta, cn=mail1.DiversiondeBicicleta.com" -DomainName woodgrove.com, example.com -PrivateKeyExportable $true
0
 
MrC63Commented:
That should be the same as what I sent you other than my previous error.  The critical part is the "DomainName" part.  In the example you sent, they list two domain names.  In your case, you need to be certain this list of names includes (in order):

- the local, actual, fully qualified server name (with local domain, e.g. myserver.xyz.local)
- the local, unqualified server name (e.g. myserver)
- the public "remote" name (e.g. remote.xyz.com)
- the public autodiscover name (e.g. autodiscover.xyz.com)

Using the above as examples, it should read

-DomainName myserver.xyz.local, myserver, remote.xyz.com, autodiscover.xyz.com
0
 
detox1978Author Commented:
What extra domain names should I put on the certificate?

Is there a way to get a list of the current domains?
0
 
detox1978Author Commented:
I get the following error

A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
 
MrC63Commented:
Can you show the exact syntax of the command you're trying to run?
0
 
detox1978Author Commented:
0
 
detox1978Author Commented:
I found this article.

can you check your original syntax?
0
 
detox1978Author Commented:
any thoughts?
0
 
Simon Butler (Sembee)ConsultantCommented:
Offline support isn't allowed under the terms of this site.
Second, as this is SBS, things have to be done differently to regular Exchange installations.
Basically you create the certificate request in Exchange 2010 using the wizard, you complete the request using the same SSL wizards, but you install it (And enable it) using the SBS SSL wizard in the SBS management tool.

If you get all of the DNS entries configured correctly then Outlook 2010 will setup automatically.

I have instructions on the process on my web site here: http://semb.ee/ssl
And that includes a link to the SBS variation.

Simon.
0
 
MrC63Commented:
Thank you, Modulus.  I certainly respect your input, and entirely acknowledge the potential risks involved.  My interest is purely to resolve the issue, which in this case would be very difficult to achieve through repeated messages.
0
 
detox1978Author Commented:
Thanks for the information.

I've already created the certificate.  So need to add the second domain name to it.


Any suggestions on how to do this?
0
 
detox1978Author Commented:
Is there a way to do this using the remote address instead of the autodiscover one?

If it helps the domain name is registered with Godaddy, who support SRV records.
0
 
Cris HannaCommented:
Detox...things are much different regarding Certificates on SBS vs the standard server editions.
First of all, you do NOT need a UCC cert.

A single name cert from Godaddy is fine.

The first rule of SBS is USE THE WIZARDS...not shouting...just emphasizing.
If you look at the SBS Console, you'll see a "wizard" for Installing a Trusted SSL Cert.

I would talk to GoDaddy, see if they will revoke the Cert..then get a single name cert using the wizard on the SBS console.   Godaddy Certs actually involve an intermediate cert as well as the regular cert.   Sean Daniels of the SBS Product Team wrote an excellent blog on how to install Godaddy certs on SBS.   His blog is about SBS 2008 but still applies to SBS 2011.   http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx

That's all you need, assuming you used all the other wizards to "Connect to the Internet" and "Setup Your Internet Address".   If you did not use those, we should probably go back a bit.
0
 
MrC63Commented:
Outlook Anywhere is significantly different than OWA.  If OWA was the objective, a single-named certificate would be sufficient.  However, Outlook Anywhere must securely resolve to several names, both internal and external.  As a result, a UCC / SAN certificate is required.

Detox, here is an excellent link to help you create and configure your SAN certificate.  It will be much easier than the command line / powershell commands.

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

MrC
0
 
Cris HannaCommented:
@MrC63, I'm not sure what your experience level is with Microsoft's Small Business Server, but it appears at first glance that most of your experience is with standard or enterprise level products.  And in those cases your statements above may be true, but SBS is different on many levels.   Under normal circumstances Exchange would never be installed on a domain controller, but with Small Business Server it is.   SBS also contains many wizards to ensure that things run properly given the unique setup.  I'm running Outlook Anywhere on this laptop connected to SBS 2011, and all my customers use Outlook Anywhere connecting to their SBS 2008 and SBS 2011 servers with a single name cert.  It's all that's required.   You may not even be aware that SBS has the ability to generate its own self-signed SSL cert if you don't care to purchase one; it's a single named cert created when you run the "Setup My Internet Address" wizard.   I've been designated by Microsoft as an MVP on the Small Business Server since 1997 and I'm co-author of a textbook on SBS 2008.  I have achieved the Genius level badge for Small Business Server on Experts Exchange and I am ranked #6 on the SBS forum.   I also moderate the SBS forums on TechNet.   So again let me reiterate to the author: a SAN cert is not required.   Get a single named cert from GoDaddy, install it on the SBS server using the wizard, then I can help you with configuring the client, if you need help with that.
0
 
MrC63Commented:
@Cris, I can certainly appreciate your credentials, and yes, I'm completely familiar with self-signed certificates.  When used, these will produce a warning to anyone outside the network -- I'm sure you already know that.

As an aside, we've done 5 SBS installations in the past year and have been installing this product for clients for more than 10 years.  There are ways of making it work, and there are ways of making it work properly.  It's possible to configure OWA, and even Outlook Anywhere, without any SSL, as long as you don't mind the lack of security / encryption between external client and server.

Now let's get back to the topic at hand and help this client.  He already has a SAN certificate. GoDaddy is always loath to refund a certificate that has been issued and keyed, so why bother making him jump through those hoops.  Let's help him create it properly and get it installed.  That should be our focus.
0
 
Cris HannaCommented:
At this point the author can choose which path he wants to go down, I'll await his response.
I've had numerous clients get GoDaddy to do exactly what I suggested.

I wasn't suggesting using the self signed cert, I'm simply suggesting using a single domain cert from a trusted provider such as GoDaddy as that's all that's required, the 2 minutes worth of work to install the cert and the intermediate cert using the wizard and everything works as expected.
0
 
detox1978Author Commented:
Sorry for the delay in replying, and thanks for the info.

I installed the single URL certificate using the wizard and added the domain name to an RPC regkey (highlighted by a link on www.testexchangeconnectivity.com's results).

This has everything working well and users can send and receive; however, the users do get the SSL warning message.  When you click view it says the URL is autodiscover.mydomain.com.  I've set everywhere to use remote.mydomain.com, so I can only guess Outlook ignores the proxy URL and uses autodiscover.mydomain.com to make the actual connection.

So I guess I just need to work out how to request a certificate with the extra URLs.  Is the link you shared relevant for SBS 2011 and do I need to put the certificates in a specific order?

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/



Thanks again
0
 
MrC63Commented:
That's exactly what I expected you would get if you did not use a SAN certificate.  Although it works, it also produces SSL warnings.  Obviously this is not a desirable result.

Follow the links in my earlier message to generate the SAN certificate request.  Make sure the local server name, the public server name, and both the local and public autodiscover names are included in the SAN request.

That will resolve your SSL warnings.
0
 
Cris HannaCommented:
Susan Bradley, commonly known as the SBS Diva and another of the SBS MVPs, wrote a great blog piece on AutoDiscover and DNS and SBS 2011 that I would highly encourage you to read before going much further:  http://msmvps.com/blogs/bradley/archive/2008/12/18/autodiscover-and-dns.aspx

I would also encourage you to then re-run the "Setup My Internet Address" wizard so that we can ensure that remote.domainname.com is what IIS and Exchange are expecting.   This will then regenerate the self-signed SSL cert.   If you want to test things with that cert you can install it on one of the remote machines doing Outlook Anywhere using these instructions:  http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx (they are the same for SBS 2011)

If you still have issues after that, you should run the "Fix My Network" Wizard in the SBS Console.  

Then you can install the Trusted Third Party SSL cert using the Wizard in the SBS Console
0
 
detox1978Author Commented:
Is there a way to have outlook use remote.mydomain.com instead of autodiscover.mydomain.com, as that's why the SSL is displaying the error.

My DNS is with GoDaddy who allow SRV records.
0
 
MrC63Commented:
Only if it's a SAN certificate, or only if you key the certificate using "remote.xyz.com".
0
 
detox1978Author Commented:
When you say "key the certificate", I'm not sure I follow.  Somewhere Outlook must be deciding to use autodiscover.mydomain.com.  Is there a way to force it to use remote.mydomain.com?
0
 
MrC63Commented:
Outlook / Exchange will use all those names, and the certificate must match each of the names in order to avoid SSL warnings.  That's where the SAN certificate comes in.
0
 
detox1978Author Commented:
Could I create a SRV record for _autodiscover and point it at remote.mydomain.com?

See the solution part of this link?
0
 
Cris HannaCommented:
As the instructions point out in the Blog from Susan Bradley...you don't need a SAN cert and you don't need an A record for autodiscover

Create the SRV record @ Godaddy DNS using the example that she has in her blog
0
 
MrC63Commented:
@Detox, I respect Cris's credentials, and I don't want to publicly disagree with him.  All I can say is, if you get a SAN, these problems will disappear.  Or you can read more theory and blog posts.  I'm fine with either, and if you choose to get a SAN, then I will be here to ensure your SBS server / O/A works as expected.

MrC
0
 
detox1978Author Commented:
MrC, no one is saying you are wrong; we agree using a SAN address would resolve the issue.  It's just that the certificate is already generated.

I'll give it a test later this week and report back.

D
0
 
detox1978Author Commented:
Managed to get it working by setting up the DNS SRV record for _autodiscover, which pointed at remote.mydomain.com, so it doesn't need a SAN certificate.

Many thanks for sticking with me on this one.


D
0
 
detox1978Author Commented:
Setting up the DNS SRV record was the solution I went with, as it meant I didn't need to get a SAN certificate to fix the issue, but I acknowledge your solution would also have worked, MrC63.
0
