Solved

Setup Outlook to work over HTTPS

Posted on 2013-06-07
51
518 Views
Last Modified: 2013-07-04
Hi All,

A company has asked if I can set up their Outlook installs (Office 2010) to connect to their Small Business Server 2011 when they are at home.

Ideally I'd like to do this over HTTPS, but I have no idea where to start.

Any suggestions?
0
Question by:detox1978
51 Comments
 
LVL 4

Expert Comment

by:MrC63
I would assume you want to use the native Outlook client by enabling Outlook Anywhere, via RPC over HTTP?  

Would you like the proper way to do it, complete with SSL certificates / security, or would you like the shortcut / less secure method?  I would recommend doing it properly, and the first step is to obtain a UCC (multi-domain) SSL certificate from GoDaddy or some other certificate authority. The cost for the SSL is generally in the $75 range (per year) through GoDaddy.  Not sure what others charge.

After you get the SSL certificate, there are about 4 or 5 things you need to do to make Outlook Anywhere work properly for remote clients.  I'll follow up with further steps when I know which way you want to proceed.

MrC
0
 
LVL 2

Author Comment

by:detox1978
Yes, RPC over HTTP.  I have registered an SSL certificate with GoDaddy.  So fire away with the steps.
0
 
LVL 2

Author Comment

by:detox1978
I've installed it and assigned it to the default website.
0
 
LVL 4

Expert Comment

by:MrC63
I want to be certain it's a UCC certificate.  It has to resolve properly / be accepted for at least 3 host names.  UCC certificates allow you to use up to 5 host names.
0
 
LVL 11

Expert Comment

by:Pradeep Dubey
0
 
LVL 2

Author Comment

by:detox1978
I don't know about using multiple names, but I got the cheapest one they sell, which says "SAN UCC Support"?

http://uk.godaddy.com/compare/gdcompare3_ssl.aspx
0
 
LVL 4

Expert Comment

by:MrC63
OK.  The first thing is to install the certificate.  Here's a guided, step-by-step demonstration:

http://www.netometer.com/video/tutorials/exchange-2010-how-to-install-GoDaddy-Multiple-Domain-SAN-UCC-Certificate/
0
 
LVL 2

Author Comment

by:detox1978
<pradeep08_81>
2) How to Configure Outlook for RPC-over-HTTP
http://www.youtube.com/watch?v=umSPbKBwfRw

error
I got the following error message.  I guess this is because I haven't set up anything on Exchange or didn't use the correct Exchange proxy address.
</pradeep08_81>

<MrC63>
Give me 10 mins to read it.
</MrC63>
0
 
LVL 4

Expert Comment

by:MrC63
Detox, you should change your nickname to <xmlguy />  ;)
0
 
LVL 2

Author Comment

by:detox1978
MrC63, the videos need a subscription to netometer to watch them.
0
 
LVL 4

Expert Comment

by:MrC63
OK, I'll walk you through it.  I didn't think the Exchange 2010 video required a subscription.
0
 
LVL 4

Expert Comment

by:MrC63
Since you've purchased a GoDaddy UCC, the first step is to generate the CSR (signing request) to file with GoDaddy and generate the actual certificate.

The syntax is as follows, and it is run from the Exchange PowerShell (not from a command prompt!!).

New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

When you get into the "SubjectName" section, please be careful and replace all of the names you see there with the correct names for your client.    This is critical, and if you have questions about anything in that section, send a note through and I'll explain.  

I assume your server has Remote Web Workplace (RWW) installed, and if so then it should be using the public name of "remote.<publicdomain>.com".
0
 
LVL 2

Author Comment

by:detox1978
Yes, they already had remote.companyname.com set up.  I installed the certificate using IIS, assigned it to the default website (which remote.companyname.com is on), then exported it to a PFX file and imported it into the computer's personal certificates folder.

If I navigate to remote.companyname.com the valid certificate is displayed.

Do I still need to do the PowerShell bit?
0
 
LVL 4

Expert Comment

by:MrC63
Absolutely.  The RWW website might be using the proper certificate, however Exchange also needs to use it.

The syntax I provided above is critical when you generate the SSL at GoDaddy.  Hopefully it won't be too much of a hassle to re-generate / re-key the SSL, but you absolutely have to have it in the format I sent to you in order for Outlook Anywhere to work properly.
0
 
LVL 2

Author Comment

by:detox1978
OK thanks, will give it a go.

When you download the certificate from GoDaddy, they have the option to download in Exchange 2010 format.

Here are the instructions that came with the certificate - link
0
 
LVL 4

Expert Comment

by:MrC63
The instructions you reference are provided to install the SSL certificate for the web side of things only, so that (e.g.) mobile devices / smart phones can access OWA via HTTPS using Active-Sync.  If you were only worried about SSL for these devices, then this would be fine.

There is a lot more involved to configure Exchange itself for Outlook Anywhere so that a true Outlook client can connect using RPC over HTTP.
0
 
LVL 2

Author Comment

by:detox1978
New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness ou=Administration" -DomainName server.domain.local, server, autodiscover.mybusiness.com, mybusiness.com -PrivateKeyExportable $True

Should there be a comma after o=MyBusiness?
0
 
LVL 4

Expert Comment

by:MrC63
Yes, my apologies.  I made a mistake when editing the text to remove the client's name that we previously used this for.
0
 
LVL 2

Author Comment

by:detox1978
A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
 
LVL 2

Author Comment

by:detox1978
I found this, if it's any help:

New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Diversión de Bicicleta, cn=mail1.DiversiondeBicicleta.com" -DomainName woodgrove.com, example.com -PrivateKeyExportable $true
0
 
LVL 4

Expert Comment

by:MrC63
That should be the same as what I sent you other than my previous error.  The critical part is the "DomainName" part.  In the example you sent, they list two domain names.  In your case, you need to be certain this list of names includes (in order):

- the local, actual, fully qualified server name (with local domain, e.g. myserver.xyz.local)
- the local, unqualified server name (e.g. myserver)
- the public "remote" name (e.g. remote.xyz.com)
- the public autodiscover name (e.g. autodiscover.xyz.com)

Using the above as examples, it should read

-DomainName myserver.xyz.local, myserver, remote.xyz.com, autodiscover.xyz.com
0
 
LVL 2

Author Comment

by:detox1978
What extra domain names should I put on the certificate?

Is there a way to get a list of the current domains?
0
 
LVL 2

Author Comment

by:detox1978
I get the following error

A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate
0
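The "-Path" error above is what Exchange 2010 returns when it is given the Exchange 2007 form of the command: on Exchange 2010, New-ExchangeCertificate -GenerateRequest no longer accepts -Path and instead returns the request text, which you write to a file yourself. The following is an added example (not MrC63's command and not from the thread) of the Exchange 2010 form, run from the Exchange Management Shell. Every host name and subject field in it is a placeholder that must be replaced with the client's own names; the Get-ExchangeCertificate line at the end is the check that the certificate Exchange is actually using carries all four names once it has been installed.

```powershell
# Added example, not from the thread: Exchange 2010 syntax for a SAN certificate
# request. Exchange 2010 dropped the -Path parameter that Exchange 2007 accepted;
# -GenerateRequest now returns the PEM-encoded request as a string.
# All names below are placeholders; replace them with the client's real names.

$subject = "cn=remote.mybusiness.com, c=US, s=AZ, l=MyCity, o=MyBusiness, ou=Administration"
$names   = @(
    "server.domain.local",          # internal fully qualified name of the SBS server
    "server",                       # internal unqualified name
    "remote.mybusiness.com",        # public name used by RWW and Outlook Anywhere
    "autodiscover.mybusiness.com"   # public Autodiscover name
)

# Exchange 2010 returns the request text; capture it and write it out yourself.
$request = New-ExchangeCertificate -GenerateRequest `
    -KeySize 2048 `
    -SubjectName $subject `
    -DomainName $names `
    -PrivateKeyExportable $true

# Write as plain ASCII so the CA's web form accepts the text unchanged.
Set-Content -Path C:\certrequest.txt -Value $request -Encoding Ascii

# Check to run after the issued certificate has been installed and enabled:
# every name Outlook will connect to must appear under CertificateDomains, and
# IIS must be listed under Services, otherwise clients get the SSL warning.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, NotAfter
```

On SBS 2011 the thread's SBS experts have you complete and enable the issued certificate through the SBS Console's trusted certificate wizard rather than with Import-ExchangeCertificate / Enable-ExchangeCertificate, so only the request step and the final check above apply as-is there.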
 
LVL 4

Expert Comment

by:MrC63
Can you show the exact syntax of the command you're trying to run?
0

 
LVL 2

Author Comment

by:detox1978
0
 
LVL 2

Author Comment

by:detox1978
I found this article.

Can you check your original syntax?
0
 
LVL 2

Author Comment

by:detox1978
Any thoughts?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Offline support isn't allowed under the terms of this site.
Second, as this is SBS, things have to be done differently to regular Exchange installations.
Basically you create the certificate request in Exchange 2010 using the wizard, you complete the request using the same SSL wizards, but you install it (And enable it) using the SBS SSL wizard in the SBS management tool.

If you get all of the DNS entries configured correctly then Outlook 2010 will setup automatically.

I have instructions on the process on my web site here: http://semb.ee/ssl
And that includes a link to the SBS variation.

Simon.
0
 
LVL 4

Expert Comment

by:MrC63
Thank you Modulus.  I certainly respect your input, and entirely acknowledge the potential risks involved.  My interest is purely to resolve the issue, and in this case would be very difficult to achieve through repeated messages.
0
 
LVL 2

Author Comment

by:detox1978
Thanks for the information.

I've already created the certificate.  So I need to add the second domain name to it.


Any suggestions on how to do this?
0
 
LVL 2

Author Comment

by:detox1978
Is there a way to do this using the remote address instead of the autodiscover one?

If it helps, the domain name is registered with GoDaddy, who support SRV records.
0
 
LVL 35

Expert Comment

by:Cris Hanna
Detox...things are much different regarding Certificates on SBS vs the standard server editions.
First of all, you do NOT need a UCC cert.

A single name cert from Godaddy is fine.

The first rule of SBS is USE THE WIZARDS...not shouting...just emphasizing.
If you look at the SBS Console, you'll see a "wizard" for Installing a Trusted SSL Cert.

I would talk to GoDaddy, see if they will revoke the cert, then get a single name cert using the wizard on the SBS console.   GoDaddy certs actually involve an intermediate cert as well as the regular cert.   Sean Daniels of the SBS Product Team wrote an excellent blog on how to install GoDaddy certs on SBS.   His blog is about SBS 2008 but still applies to SBS 2011.   http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx

That's all you need, assuming you used all the other wizards to "Connect to the Internet" and "Setup Your Internet Address".   If you did not use those, we should probably go back a bit.
0
 
LVL 4

Expert Comment

by:MrC63
Outlook Anywhere is significantly different than OWA.  If OWA was the objective, a single-named certificate would be sufficient.  However, Outlook Anywhere must securely resolve to several names, both internal and external.  As a result, a UCC / SAN certificate is required.

Detox, here is an excellent link to help you create and configure your SAN certificate.  It will be much easier than the command line / powershell commands.

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

MrC
0
 
LVL 35

Expert Comment

by:Cris Hanna
@MrC63, I'm not sure what your experience level is with Microsoft's Small Business Server, but it appears at first glance that most of your experience is with standard or enterprise level products.  And in those cases your statements above may be true, but SBS is different on many levels.   Under normal circumstances Exchange would never be installed on a domain controller, but with Small Business Server it is.   SBS also contains many wizards to ensure that things run properly given the unique setup.  I'm running Outlook Anywhere on this laptop connected to SBS 2011; all my customers use Outlook Anywhere connecting to their SBS 2008 and SBS 2011 servers with a single name cert.  It's all that's required.   You may not even be aware that SBS has the ability to generate its own self-signed SSL cert if you don't care to purchase one, and it's a single named cert created when you run the "Setup My Internet Address" wizard.   I've been designated by Microsoft as an MVP on Small Business Server since 1997 and I'm co-author of a textbook on SBS 2008.  I have achieved the Genius level badge for Small Business Server on Experts Exchange and I am ranked #6 on the SBS forum.   I also moderate the SBS forums on TechNet.   So again let me reiterate to the author, a SAN cert is not required.   Get a single named cert from GoDaddy, install it on the SBS server using the wizard, then I can help you with configuring the client, if you need help with that.
0
 
LVL 4

Expert Comment

by:MrC63
@Cris, I can certainly appreciate your credentials, and yes, I'm completely familiar with self-signed certificates.  When used, these will produce a warning to anyone outside the network -- I'm sure you already know that.

As an aside, we've done 5 SBS installations in the past year and have been installing this product for clients for more than 10 years.  There are ways of making it work, and there are ways of making it work properly.  It's possible to configure OWA, and even Outlook Anywhere, without any SSL, as long as you don't mind the lack of security / encryption between external client and server.

Now let's get back to the topic at hand and help this client.  He already has a SAN certificate. GoDaddy is always loath to refund a certificate that has been issued and keyed, so why bother making him jump through those hoops.  Let's help him create it properly and get it installed.  That should be our focus.
0
 
LVL 35

Expert Comment

by:Cris Hanna
At this point the author can choose which path he wants to go down, I'll await his response.
I've had numerous clients get GoDaddy to do exactly what I suggested.

I wasn't suggesting using the self-signed cert; I'm simply suggesting using a single domain cert from a trusted provider such as GoDaddy, as that's all that's required. With the 2 minutes' worth of work to install the cert and the intermediate cert using the wizard, everything works as expected.
0
 
LVL 2

Author Comment

by:detox1978
Sorry for the delay in replying, and thanks for the info.

I installed the single URL certificate using the wizard and added the domain name to an RPC regkey (highlighted by a link on www.testexchangeconnectivity.com's results).

This has everything working well and users can send and receive, however the users do get the SSL warning message.  When you click view it says the URL is autodiscover.mydomain.com.  I've set everywhere to use remote.mydomain.com, so I can only guess Outlook ignores the proxy URL and uses autodiscover.mydomain.com to make the actual connection.

So I guess I just need to work out how to request a certificate with the extra URLs.  Is the link you shared relevant for SBS 2011 and do I need to put the certificates in a specific order?

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/



Thanks again
0
 
LVL 4

Expert Comment

by:MrC63
That's exactly what I expected you would get if you did not use a SAN certificate.  Although it works, it also produces SSL warnings.  Obviously this is not a desirable result.

Follow the links in my earlier message to generate the SAN certificate request.  Make sure the local server name, the public server name, and both the local and public autodiscover names are included in the SAN request.

That will resolve your SSL warnings.
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 300 total points
Susan Bradley, commonly known as the SBS Diva and another of the SBS MVPs, wrote a great blog piece on AutoDiscover and DNS and SBS 2011 that I would highly encourage you to read before going much further:  http://msmvps.com/blogs/bradley/archive/2008/12/18/autodiscover-and-dns.aspx

I would also encourage you to then re-run the "Setup My Internet Address" wizard so that we can ensure that remote.domainname.com is what IIS and Exchange are expecting.   This will then regenerate the self-signed SSL cert.   If you want to test things with that cert you can install it on one of the remote machines doing Outlook Anywhere using these instructions:  http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx (they are the same for SBS 2011)

If you still have issues after that, you should run the "Fix My Network" Wizard in the SBS Console.  

Then you can install the Trusted Third Party SSL cert using the Wizard in the SBS Console
0
 
LVL 2

Author Comment

by:detox1978
Is there a way to have Outlook use remote.mydomain.com instead of autodiscover.mydomain.com, as that's why the SSL is displaying the error?

My DNS is with GoDaddy who allow SRV records.
0
 
LVL 4

Expert Comment

by:MrC63
Only if it's a SAN certificate, or only if you key the certificate using "remote.xyz.com".
0
 
LVL 2

Author Comment

by:detox1978
When you say key the certificate, I'm not sure I follow.  Somewhere Outlook must be deciding to use autodiscover.mydomain.com.  Is there a way to force it to use remote.mydomain.com?
0
 
LVL 4

Expert Comment

by:MrC63
Outlook / Exchange will use all those names, and the certificate must match each of the names in order to avoid SSL warnings.  That's where the SAN certificate comes in.
0
 
LVL 2

Author Comment

by:detox1978
Could I create a SRV record for _autodiscover and point it at remote.mydomain.com?

See the solution part of this link?
0
 
LVL 35

Expert Comment

by:Cris Hanna
As the instructions point out in the blog from Susan Bradley, you don't need a SAN cert and you don't need an A record for autodiscover.

Create the SRV record at GoDaddy DNS using the example that she has in her blog.
0
 
LVL 4

Assisted Solution

by:MrC63
MrC63 earned 200 total points
@Detox, I respect Cris's credentials, and I don't want to publicly disagree with him.  All I can say is, if you get a SAN, these problems will disappear.  Or you can read more theory and blog posts.  I'm fine with either, and if you choose to get a SAN, then I will be here to ensure your SBS server / O/A works as expected.

MrC
0
 
LVL 2

Author Comment

by:detox1978
MrC, no one is saying you are wrong; we agree using a SAN address would resolve the issue.  It's just that the certificate is already generated.

I'll give it a test later this week and report back.

D
0
 
LVL 2

Author Comment

by:detox1978
Managed to get it working by setting up the DNS SRV record for _autodiscover, which pointed at remote.mydomain.com, so it doesn't need a SAN certificate.

Many thanks for sticking with me on this one.


D
0
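An added illustration (not from the thread, and not Outlook's own code) of why the single-name certificate warned while an A record for autodiscover.mydomain.com existed but not once the SRV record pointed Autodiscover at remote.mydomain.com: it models which Autodiscover host Outlook ends up connecting to for a given DNS setup and then performs the same name check a client does against the names on the installed certificate. The DNS tables and addresses are constructed, mydomain.com is a placeholder, and the initial attempt Outlook makes against the bare SMTP domain is left out of the model.

```powershell
# Added example, not from the thread: which Autodiscover host Outlook reaches
# for a given DNS setup, and whether that host name is on the certificate.
# DNS data and addresses are constructed; mydomain.com is a placeholder.

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        # A wildcard entry matches exactly one label: *.mydomain.com covers
        # remote.mydomain.com but not a.b.mydomain.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Get-AutodiscoverHost {
    # Outlook tries autodiscover.<smtp domain> via an A record first and only
    # falls back to the SRV record _autodiscover._tcp.<domain> (Outlook 2007
    # SP1 and later) when that name does not resolve.
    param([string]$Domain, [hashtable]$ARecords, [hashtable]$SrvRecords)
    $aName = "autodiscover.$Domain"
    if ($ARecords.ContainsKey($aName)) { return $aName }
    $srvName = "_autodiscover._tcp.$Domain"
    if ($SrvRecords.ContainsKey($srvName)) { return $SrvRecords[$srvName].Target }
    return $null
}

function Test-AutodiscoverCert {
    param([string]$Domain, [hashtable]$ARecords, [hashtable]$SrvRecords, [string[]]$CertNames)
    $target = Get-AutodiscoverHost -Domain $Domain -ARecords $ARecords -SrvRecords $SrvRecords
    if (-not $target) { return "no Autodiscover endpoint found for $Domain" }
    $ok = Test-CertNameMatch -HostName $target -CertNames $CertNames
    return "https://$target/autodiscover/autodiscover.xml -> certificate name match: $ok"
}

# Single-name certificate installed with the SBS wizard.
$certNames = @('remote.mydomain.com')

# Setup 1 (constructed): an A record for autodiscover.mydomain.com exists,
# so Outlook connects there and the certificate name does not match.
$withA = @{ 'remote.mydomain.com' = '203.0.113.10'; 'autodiscover.mydomain.com' = '203.0.113.10' }
Test-AutodiscoverCert -Domain 'mydomain.com' -ARecords $withA -SrvRecords @{} -CertNames $certNames

# Setup 2 (constructed): no autodiscover A record; the SRV record as it would be
# published at the registrar:
#   _autodiscover._tcp.mydomain.com.  IN SRV 0 0 443 remote.mydomain.com.
$noA = @{ 'remote.mydomain.com' = '203.0.113.10' }
$srv = @{ '_autodiscover._tcp.mydomain.com' = @{ Priority = 0; Weight = 0; Port = 443; Target = 'remote.mydomain.com' } }
Test-AutodiscoverCert -Domain 'mydomain.com' -ARecords $noA -SrvRecords $srv -CertNames $certNames
```

The SRV route does not relax the certificate check; it changes which name the client validates, so the single-name certificate still has to be issued by a CA the client trusts and match remote.mydomain.com exactly. From a client machine, nslookup -type=SRV _autodiscover._tcp.mydomain.com shows what the registrar has actually published, which is the first thing to verify if the warning comes back.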
 
LVL 2

Author Closing Comment

by:detox1978
Setting up the DNS SRV record was the solution I went with, as it meant I didn't need to get a SAN certificate to fix the issue, but I acknowledge your solution would also have worked, MrC63.
0
