Outlook Anywhere for internal users

It appears that Outlook Anywhere is an all or nothing proposition.  Internal clients are connecting automatically to OA and it cannot be turned off just internally.  Want them to have access externally.  Internally we are getting cert errors because we only have a cert for mail.domain.com.  Is the best solution to purchase another cert for "servername.domain.local" and add autodiscover to it as well?  Let me know if there are any other workarounds.

Tks.
WebccAsked:

albert_miquelit managerCommented:
You have two ways.

First, purchase a certificate that has two names: the original and .local.

The other way is to change internal server access with

Get-MailboxDatabase | Set-MailboxDatabase -RPCClientAccessServer "fqdn.Publicname.com"
That means that the server internally will try to access Outlook internally with the fqdn.publicname.com

Then you add a DNS entry on the DNS domain controllers that points to the internal IP.

The result is that Outlook tries to access the FQDN and resolves the internal IP, then connects, and the certificate matches the name it is using, so no more warnings appear.
0
xObIACommented:
Can you not just disable RPC over HTTP? This will stop the cert windows displaying, and still give external access to OWA.

Tools>Account Settings>Change>More Settings>Connection>Untick Outlook anywhere

Or enter the exchange proxy settings!

Luke
0
WebccAuthor Commented:
Albert, so after running the powershell cmd the entry in DNS would be:
mail.domain.com   A       10.0.0.240
mail              CNAME   cfc01.domain.local  (our exchange server)


Luke, don't want to disable OA because some users in the field want to use it.

What do you mean enter the exchange proxy settings?
0

Malli BoppeCommented:
You can't purchase servername.domain.local.
You need to buy a SAN certificate with webmail.domain.com and autodiscover.domain.com.
Also you need to set up split DNS.
0
WebccAuthor Commented:
How do I setup split DNS?
0
Malli BoppeCommented:
The link below will guide you on how to set up the split DNS. Also, in the Exchange web app configuration you need to point both the internal and external URLs to webmail.domain.com

http://exchange.sembee.info/network/split-dns.asp
0
albert_miquelit managerCommented:
Not create a zone mail.domain.com instead of domain.com
Then create a host A without name.

In a 10.0.0.240
If you do that, the rest of domain.com will not have to be recreated (www.domain.com, etc.)
0
albert_miquelit managerCommented:
You have to put the public name. The case is that you say with the same name the internal connection and the external connection, so the certificate is the same, and you use a special internal DNS to force all internal users to access the internal IP. My external server is remote.mydomain.com; here is the example of how I do it.
Dibujo.jpg
0
Simon Butler (Sembee)ConsultantCommented:
Which version of Exchange is this?
Outlook Anywhere is only required for internal users for Exchange 2013. If you are using an older version then the clients shouldn't be using it. If they are, then something else is wrong.

Many people think that the certificate prompts are coming from Outlook Anywhere when in fact they could be coming from elsewhere.

Do you have a trusted SSL certificate in place now? If so, just reconfigure Exchange to use the external name internally.

http://semb.ee/hostnames

Simon.
0

WebccAuthor Commented:
Exchange 2010.
 
If I deselect RPC over HTTPS in Outlook it just enables it again.  Shouldn't internal users be just connecting through unencapsulated RPC?

Setup Split DNS and changed all internal WEB services to external address per "http://semb.ee/hostnames" document.  

Have an SSL Cert for "mail.domain.com", do I need another at least for "autodiscover.domain.com"?

Thks
0
Simon Butler (Sembee)ConsultantCommented:
Outlook Anywhere enabled in Outlook doesn't mean they are using it. If you have Outlook Anywhere enabled then all clients will have that configuration pushed out to them.

Hold down CTRL while you right click on the Outlook icon in the system tray. Choose Connection Status. If it says HTTP, then Outlook Anywhere is being used.

Also you cannot have two SSL certificates on the same web site. If you don't have a UCC type certificate then you either need to change the certificate or implement SRV records for Autodiscover.

Simon.
0
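An added example, not code from the thread: a PowerShell check of which hostnames Outlook will connect to are covered by the names on the installed certificate, which is the comparison behind the warnings discussed above. The URL list and certificate name are constructed sample values built from the thread's mail.domain.com and cfc01.domain.local, and the function names are hypothetical.

```powershell
# Constructed sample values (not output from a real server), using the
# thread's names. On a live Exchange 2010 server the certificate names come
# from Get-ExchangeCertificate (CertificateDomains) and the URLs from
# Get-ClientAccessServer and the Get-*VirtualDirectory cmdlets.
$certNames = @('mail.domain.com')   # single-name certificate

$clientUrls = @(
    @{ Service = 'OWA internal URL';          Url = 'https://mail.domain.com/owa' },
    @{ Service = 'EWS internal URL';          Url = 'https://mail.domain.com/EWS/Exchange.asmx' },
    @{ Service = 'Autodiscover internal URI'; Url = 'https://cfc01.domain.local/Autodiscover/Autodiscover.xml' },
    @{ Service = 'Autodiscover by DNS name';  Url = 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml' }
)

# Hypothetical helper: does any certificate name cover this hostname?
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.domain.com matches
        # mail.domain.com but not domain.com or a.b.domain.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)          # ".domain.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Hypothetical helper: one result row per URL a client may be handed.
function Get-CertCoverage {
    param($Urls, [string[]]$CertNames)
    foreach ($u in $Urls) {
        $hostName = ([uri]$u.Url).Host
        New-Object PSObject -Property @{
            Service = $u.Service
            Host    = $hostName
            Covered = Test-CertNameMatch -HostName $hostName -CertNames $CertNames
        } | Select-Object Service, Host, Covered
    }
}

# Rows with Covered = False are the names that produce a certificate prompt.
Get-CertCoverage -Urls $clientUrls -CertNames $certNames | Format-Table -AutoSize
```

Each uncovered row has to be resolved by one of the options given in this thread: point that URL at a covered name, change the certificate so it includes the name, or use an SRV record for Autodiscover.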
WebccAuthor Commented:
Yes that's what I found out about Outlook Anywhere.

So, I cannot add another certificate just for Autodiscover?  How do you implement SRV records for Autodiscover?
0
Simon Butler (Sembee)ConsultantCommented:
SRV records for Autodiscover: http://semb.ee/srv

Although if your external DNS provider doesn't support them you will have to change the SSL certificate.

Simon.
0
albert_miquelit managerCommented:
Create an SRV record on your DNS zone
Type: SRV
Service: _autodiscover
Protocol: _tcp
Port: 443
Host: mail.contoso.com

If you do this, Outlook Autodiscover will work with only one certificate.
0