jdevroy
asked on
Microsoft Exchange 2013 disjointed DNS - Multiple Client Access Servers
All,
Presently I am in the middle of upgrading to Exchange 2013 and I am having a few problems. The most annoying one is with internal and external DNS. We use an internal TLD, company.local; this was set up before I got here and generally is not worth the trouble to try and fix, as we have quite a large number of systems.
Anyway because of changes in using internal names on public certificates, see link below, I cannot request a certificate from a public CA with company.local as a SAN.
GoDaddy
In light of this I decided to set up two Client Access servers, one public and one private. The private server would use an internal certificate from my internal CA. The public server would use a UCC certificate from GoDaddy with my public addresses for mail, owa, and autodiscover.
MX1.company.local = Client Access (Private)/Mailbox
MX2.company.local = Client Access (Public)
Now my Exchange 2013 test users (including myself) are getting errors saying the certificate for MX2.company.local is not valid. This is true, because they are connecting to the internal domain name. Also, we are constantly being prompted for our username and password. Frequently we type the correct combination and it comes up again.
I have attempted to remove all references to MX2.company.local from internal server virtual directories for mx2.company.local and point Outlook anywhere on MX2 to MX1. So at present the internal virtual directories on MX2 are blank, only public directories are filled out, and MX1 only has internal directories. This still has not worked.
Please help, this is extremely painful.
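The symptom described above (clients warned that the certificate for MX2.company.local is not valid) comes from a mismatch between the hostnames Autodiscover hands out for a Client Access server and the subject alternative names on the certificate bound to IIS on that server. The following script is an added diagnostic example; it is not from the original post or from Microsoft. It assumes the Exchange 2013 Management Shell, uses only the standard virtual-directory, Outlook Anywhere, Client Access server and certificate cmdlets, and the server names MX1 and MX2 are placeholders mirroring the question.

```powershell
# Added diagnostic example, not code from the original post or from Microsoft.
# Assumes the Exchange Management Shell on Exchange 2013; MX1/MX2 are placeholder
# server names taken from the question.
$servers = 'MX1', 'MX2'

# Match one hostname against one SAN entry; a wildcard SAN covers exactly one label.
function Test-SanMatch([string]$HostName, [string]$San) {
    if ($San.StartsWith('*.')) {
        return ($HostName -replace '^[^.]+', '*') -eq $San
    }
    return $HostName -eq $San
}

$report = foreach ($srv in $servers) {
    # Every internal/external URL Autodiscover can hand to clients for this server
    $urls = @()
    foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                     'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                     'Get-OabVirtualDirectory') {
        foreach ($vd in (& $cmd -Server $srv)) {
            $urls += $vd.InternalUrl, $vd.ExternalUrl
        }
    }
    $urls += (Get-ClientAccessServer $srv).AutoDiscoverServiceInternalUri
    $hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

    # Outlook Anywhere publishes bare hostnames rather than URLs
    $oa = Get-OutlookAnywhere -Server $srv
    $hosts += @($oa.InternalHostname, $oa.ExternalHostname |
                Where-Object { $_ } | ForEach-Object { $_.ToString().ToLower() })
    $hosts = $hosts | Sort-Object -Unique

    # SAN entries on the certificate bound to IIS, the one Outlook/OWA/EAS clients are shown
    $sans = @(Get-ExchangeCertificate -Server $srv |
              Where-Object { $_.Services -match 'IIS' } |
              ForEach-Object { $_.CertificateDomains } |
              ForEach-Object { $_.ToString().ToLower() })

    foreach ($h in $hosts) {
        $covered = [bool]($sans | Where-Object { Test-SanMatch $h $_ })
        [PSCustomObject]@{
            Server    = $srv
            HostName  = $h
            OnIisCert = $covered
        }
    }
}

# Rows with OnIisCert = False are the names that will produce certificate warnings
$report | Sort-Object OnIisCert, Server | Format-Table -AutoSize
```

Run it once before and once after changing virtual-directory or Outlook Anywhere settings: any row that remains at False is a name clients can still be handed that the server's IIS certificate does not cover, which is exactly the condition behind the MX2.company.local warning above. The fix is to make every name in the report appear on the certificate of the server that answers for it, whether by adjusting the URLs and hostnames or, as the later posts in this thread discuss, by reworking the DNS namespace or fronting the public server with a reverse proxy.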
From which version?
ASKER
What do you mean which version?
From which Exchange version you are upgrading?
ASKER
I see. From Exchange 2010.
ASKER
That doesn't help much, in my situation all of my computers are joined to the domain company.local, and the DNS server is for company.local. I also have a company.com DNS server for public queries. So public connections for ActiveSync go to mail.company.com.
I have the proper dns suffix searches configured for my domain, so I am not sure how anything there would help either.
ASKER
The above being the case I think my phrasing of Disjointed namespace may be incorrect, the primary DNS suffix is the same as the DNS Domain Name. I apologize for my misuse of the phrase disjointed.
ASKER
I just found this article. Indicating that my configuration is not appropriate.
Apparently I either need to configure Forefront TMG or reconfigure my domain name system.
In this case ForeFront TMG acts as a reverse proxy, besides using IIS as a reverse proxy are there any other options?
Thanks.
ASKER CERTIFIED SOLUTION