Webcc asked on

Outlook Anywhere for internal users

It appears that Outlook Anywhere is an all or nothing proposition. Internal clients are connecting automatically to OA and it cannot be turned off just internally. Want them to have access externally. Internally we are getting cert errors because we only have a cert for mail.domain.com. Is the best solution to purchase another cert for "servername.domain.local" and add autodiscover to it as well? Let me know if there are any other workarounds.

Tks.
Exchange, Outlook, DNS

Last Comment
albert_miquel

8/22/2022 - Mon
albert_miquel

You have two ways.

First, purchase a certificate that has two names, the original and .local.

The other way is to change the internal server access with

Get-MailboxDatabase | Set-MailboxDatabase -RPCClientAccessServer "fqdn.Publicname.com"
That means that the server internally will try to access Outlook internally with the fqdn.publicname.com

Then you add a DNS entry on the DNS domain controllers that points to the internal IP.

The result is that Outlook tries to access the FQDN and resolves the internal IP, then connects, and the certificate matches the name it is using, so no more warnings appear.
xObIA

Can you not just disable RPC over HTTP? This will stop the cert windows displaying, and still give external access to OWA.

Tools>Account Settings>Change>More Settings>Connection>Untick Outlook anywhere

Or enter the exchange proxy settings!

Luke
ASKER
Webcc

Albert, so after running the powershell cmd the entry in DNS would be:
mail.domain.com   A       10.0.0.240
mail              CNAME   cfc01.domain.local  (our exchange server)


Luke, don't want to disable OA because some users in the field want to use it.

What do you mean enter the exchange proxy settings?
Malli Boppe

You can't purchase servername.domain.local.
You need to buy a SAN certificate with webmail.domain.com and autodiscover.domain.com.
Also you need to set up split DNS.
ASKER
Webcc

How do I set up split DNS?
Malli Boppe

The link below will guide you through how to set up split DNS. Also, in the Exchange web app configuration you need to point both the internal and external URLs to webmail.domain.com

http://exchange.sembee.info/network/split-dns.asp
albert_miquel

No, create a zone mail.domain.com instead of domain.com.
Then create a host A record without a name:

IN A 10.0.0.240
If you do that, the rest of domain.com (www.domain.com etc.) will not have to be recreated.
albert_miquel

You have to put the public name. The case is that you use the same name for the internal connection and the external connection, so the certificate is the same, and you use a special internal DNS to force all internal users to access the internal IP. My external server is remote.mydomain.com; here is the example of how I do it.
[Attachment: Dibujo.jpg]
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

ASKER
Webcc

Exchange 2010.
 
If I deselect RPC over HTTPS in Outlook it just enables it again.  Shouldn't internal users be just connecting through unencapsulated RPC?

Set up split DNS and changed all internal web services to the external address per the "http://semb.ee/hostnames" document.

Have an SSL Cert for "mail.domain.com", do I need another at least for "autodiscover.domain.com"?

Thks
Simon Butler (Sembee)

Outlook Anywhere enabled in Outlook doesn't mean they are using it. If you have Outlook Anywhere enabled then all clients will have that configuration pushed out to them.

Hold down CTRL while you right click on the Outlook icon in the system tray. Choose Connection Status. If it says HTTP, then Outlook Anywhere is being used.

Also you cannot have two SSL certificates on the same web site. If you don't have a UCC type certificate then you either need to change the certificate or implement SRV records for Autodiscover.

Simon.
ASKER
Webcc

Yes that's what I found out about Outlook Anywhere.

So, I cannot add another certificate just for Autodiscover? How do you implement SRV records for Autodiscover?
Simon Butler (Sembee)

SRV records for Autodiscover: http://semb.ee/srv

Although if your external DNS provider doesn't support them you will have to change the SSL certificate.

Simon.
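
Added example, not part of the original thread and not code from any of its participants: a small PowerShell check of which host names from this discussion are covered by a certificate issued only for mail.domain.com, before and after the split DNS and SRV changes suggested above. The function name, the scenario-to-host mapping and the wildcard handling are assumptions made for illustration; the host names are the placeholders used in the thread.

```powershell
# Added example. Host names are the placeholders used in the thread; nothing here
# queries a real server or certificate.
function Test-NameCoveredByCert {
    param(
        [Parameter(Mandatory = $true)][string]   $HostName,
        [Parameter(Mandatory = $true)][string[]] $CertNames
    )
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertNames) {
        $c = $name.Trim().ToLowerInvariant()
        if ($c -eq $h) { return $true }
        # A wildcard stands for exactly one left-most label:
        # *.domain.com covers mail.domain.com, not domain.com or a.b.domain.com.
        if ($c.StartsWith('*.')) {
            $dot = $h.IndexOf('.')
            if ($dot -gt 0 -and $h.Substring($dot) -eq $c.Substring(1)) { return $true }
        }
    }
    return $false
}

# The single-name certificate described in the question.
$certNames = @('mail.domain.com')

# Names a client ends up connecting to in each situation discussed (assumed mapping).
$scenarios = @(
    @{ Name  = '1. Internal URLs on server name, Autodiscover by host name'
       Hosts = @('cfc01.domain.local', 'autodiscover.domain.com') },
    @{ Name  = '2. Split DNS, all URLs on public name'
       Hosts = @('mail.domain.com', 'autodiscover.domain.com') },
    @{ Name  = '3. Split DNS plus Autodiscover SRV record targeting mail.domain.com'
       Hosts = @('mail.domain.com') }
)

# One row per scenario and host name, flagged by whether the certificate covers it.
$report = foreach ($s in $scenarios) {
    foreach ($h in $s.Hosts) {
        New-Object PSObject -Property @{
            Scenario = $s.Name
            HostName = $h
            Covered  = Test-NameCoveredByCert -HostName $h -CertNames $certNames
        }
    }
}
$report | Format-Table Scenario, HostName, Covered -AutoSize
```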