Exchange 2010 Outlook Anywhere & External Autodiscovery

Hi,

Looking for some help in troubleshooting an issue I have with Outlook Anywhere and External Autodiscovery on our Exchange 2010 setup. We have 2 AD sites (same domain) with both sites having 2 combined CAS/HT servers and seperate mailbox servers. For the sake of this question, lets split them into site A and site B.  Although we are due to implement HLB at both sites soon, it's not currently setup yet. However, the DNS address that will be used by clients to point to the CAS array is setup, but just pointing at a single CAS/HT server for now.

Services that are working fine are: OWA+ECP (Internally and Externally), OAB (Internally and Externally), Internal Autodiscovery but not external autodiscovery, Outlook Anywhere for clients with mailboxes at site A work fine, but not for users with mailboxes at site B.

I'm unsure whether the issue with External Autodiscovery is linked to OA not working?

Outlook Anywhere
For users who's mailbox is at site B, when you open Outlook (2010), it sometimes looks like it connects, but then it quickly goes back to a disconnected state. Microsoft RCA reports the following:
Testing RPC/HTTP connectivity.
 
The RPC/HTTP test failed.
 
Test Steps
 
Attempting to resolve the host name webmail.company.com in DNS.
 
The host name resolved successfully.
 
Additional Details
 
IP addresses returned: 1.2.3.4
Testing TCP port 443 on host webmail.company.com to ensure it's listening and open.
 
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 
The certificate passed all validation requirements.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.company.com on port 443.
 
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
Additional Details
 
Remote Certificate Subject: CN=webmail.company.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=888888, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
 
The certificate name was validated successfully.
 
Additional Details
 
Host name webmail.company.com was found in the Certificate Subject Common name.
Certificate trust is being validated.
 
The certificate is trusted and all certificates are present in the chain.
 
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.company.com, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
 
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
 
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Testing the certificate date to confirm the certificate is valid.
 
Date validation passed. The certificate hasn't expired.

Additional Details
The certificate is valid. NotBefore = 4/18/2013 8:30:36 AM, NotAfter = 4/12/2016 4:21:45 PM
Checking the IIS configuration for client certificate authentication.
 
Client certificate authentication wasn't detected.
 
Additional Details
Accept/Require Client Certificates isn't configured.
Testing HTTP Authentication Methods for URL https://webmail.company.com/rpc/rpcproxy.dll?ExSvrNLB.ad.local:6002.
 
The HTTP authentication methods are correct.
 
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Negotiate, NTLM
Testing SSL mutual authentication with the RPC proxy server.
 
Mutual authentication was verified successfully.
 
Additional Details
Certificate common name webmail.company.com matches msstd:webmail.company.com.
Attempting to ping RPC proxy webmail.company.com.
 
RPC Proxy can't be pinged.
 
Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Headers received:
Connection: Keep-Alive
Content-Length: 58
Content-Type: text/html
Date: Wed, 25 Sep 2013 14:28:41 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET

-----------------------------------------------------------------------------------------------------------

External Autodiscovery
Results of MS RCA:

-----------------------------------------------------------------------------------------------------------

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for joe.bloggs@company.com.
 
Testing Autodiscover failed.
 
Test Steps
 
Attempting each method of contacting the Autodiscover service.
 
The Autodiscover service couldn't be contacted successfully by any method.
 
Test Steps
 
Attempting to test potential Autodiscover URL https://company.com/AutoDiscover/AutoDiscover.xml
 
Testing of this potential Autodiscover URL failed.
 
Test Steps
Attempting to resolve the host name company.com in DNS.

The host name resolved successfully.
 
Additional Details
 
IP addresses returned: 4.5.6.7
Testing TCP port 443 on host company.com to ensure it's listening and open.
 
The specified port is either blocked, not listening, or not producing the expected response.
 
 Tell me more about this issue and how to resolve it
 
Additional Details
 
A network error occurred while communicating with the remote host.
Attempting to test potential Autodiscover URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml
 
Testing of this potential Autodiscover URL failed.
 
Test Steps
 
Attempting to resolve the host name autodiscover.company.com in DNS.
 
The host name resolved successfully.
 
Additional Details
 
IP addresses returned: 1.2.3.4
Testing TCP port 443 on host autodiscover.company.com to ensure it's listening and open.
 
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 
The certificate passed all validation requirements.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.company.com on port 443.
 
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
Additional Details
 
Remote Certificate Subject: CN=webmail.company.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=88888888, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
 
The certificate name was validated successfully.
 
Additional Details
 
Host name autodiscover.company.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
 
Date validation passed. The certificate hasn't expired.
 
Additional Details
 
The certificate is valid. NotBefore = 4/18/2013 8:30:36 AM, NotAfter = 4/12/2016 4:21:45 PM
Checking the IIS configuration for client certificate authentication.
 
Client certificate authentication wasn't detected.
 
Additional Details
 
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user joe.bloggs@company.com.
 
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
 
Additional Details
 
An HTTP 500 response was returned from Unknown.
Headers received:
Connection: Keep-Alive
Content-Length: 0
Cache-Control: private
Date: Wed, 25 Sep 2013 14:34:13 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Attempting to contact the Autodiscover service using the HTTP redirect method.
 
The attempt to contact Autodiscover using the HTTP Redirect method failed.
 
Test Steps
 
Attempting to resolve the host name autodiscover.company.com in DNS.
 
The host name resolved successfully.
 
Additional Details
 
IP addresses returned: 1.2.3.4
Testing TCP port 80 on host autodiscover.company.com to ensure it's listening and open.
 
The port was opened successfully.
The Microsoft Connectivity Analyzer is checking the host autodiscover.company.com for an HTTP redirect to the Autodiscover service.
 
The redirect (HTTP 301/302) response was received successfully.
 
Additional Details
 
Redirect URL: https://autodiscover.company.com/Autodiscover/Autodiscover.xml
Attempting to test potential Autodiscover URL https://autodiscover.company.com/Autodiscover/Autodiscover.xml
 
Testing of this potential Autodiscover URL failed.
 
Test Steps
 
Attempting to resolve the host name autodiscover.company.com in DNS.
 
The host name resolved successfully.
 
Additional Details
 
IP addresses returned: 1.2.3.4
Testing TCP port 443 on host autodiscover.company.com to ensure it's listening and open.
 
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 
The certificate passed all validation requirements.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.company.com on port 443.
 
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
Additional Details
 
Remote Certificate Subject: CN=webmail.company.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=8888888, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
 
The certificate name was validated successfully.
 
Additional Details
 
Host name autodiscover.company.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
 
Date validation passed. The certificate hasn't expired.
 
Additional Details
 
The certificate is valid. NotBefore = 4/18/2013 8:30:36 AM, NotAfter = 4/12/2016 4:21:45 PM
Checking the IIS configuration for client certificate authentication.
 
Client certificate authentication wasn't detected.
 
Additional Details
 
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/Autodiscover/Autodiscover.xml for user joe.bloggs@company.com.
 
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
 
Additional Details
 
An HTTP 500 response was returned from Unknown.
Headers received:
Connection: Keep-Alive
Content-Length: 0
Cache-Control: private
Date: Wed, 25 Sep 2013 14:34:14 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
 
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
 
Test Steps
 
Attempting to locate SRV record _autodiscover._tcp.company.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it

-----------------------------------------------------------------------------------------------------------

Any ideas welcome!

Thanks
Tony
HoricePlantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

suriyaehnopCommented:
Kindly look for this url http://support.microsoft.com/kb/940881
0
Simon Butler (Sembee)ConsultantCommented:
Autodiscover.example.com can only point at one location.
Does the second site have its own URL? If not then you are going to need to use proxying. That means no external URL configured in the second site.

Are you trying to use the same URLs across both sites?

Simon.
0
HoricePlantAuthor Commented:
Hi Simon - Sorry, forgot one (major) thing.... we have a TMG 2010 server in a DMZ which handles all web services (OWA, ECP, EWS, Autodiscovery etc). So the External URL on all CAS servers is null (blank), as per Microsoft recommendations. Effectively, non of the CAS servers are internet facing.
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

HoricePlantAuthor Commented:
Also - we have this in the TMG log for the client that tries to connect to OA...

Allowed Connection TMG-SERVER 25/09/2013 17:01:48
Log type: Web Proxy (Reverse)
Status: 401 Unauthorized
Rule: Outlook Anywhere
Source: External (1.1.1.1:49704)
Destination: Local Host (<internal-IP-of-CAS-server:443)
Request: RPC_OUT_DATA http://webmail.company.com/rpc/rpcproxy.dll?CAS-Array-name.domain.Local:6001 
Filter information: Req ID: 0c8eb2ce; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

.....and.....


Allowed Connection TMG-SERVER 25/09/2013 17:03:08
Log type: Web Proxy (Reverse)
Status: 500 Internal Server Error
Rule: Outlook Anywhere
Source: External (1.1.1.1:49644)
Destination: Local Host (<internal-IP-of-CAS-server:443)
Request: POST http://autodiscover.company.com/autodiscover/autodiscover.xml 
Filter information: Req ID: 0c8eb2e5; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
0
Simon Butler (Sembee)ConsultantCommented:
Are you trying to use the same TMG server for both sites?

Simon.
0
HoricePlantAuthor Commented:
Yes, there is only one TMG server. The Outlook Anywhere publishing rule has a server farm with all CAS servers in it (4 in total, 2 from site A and 2 from site B).
0
Simon Butler (Sembee)ConsultantCommented:
Pity you didn't mention TMG in the original question, as I wouldn't have touched it (never used TMG). It looks like the TMG is struggling to connect to the second server. Have you tested Outlook Anywhere internally to confirm it works for that second server?

Simon.
0
HoricePlantAuthor Commented:
Hi Simon,

Would you not recommend using TMG to publish Exchange web services, or is it only because you’ve never used TMG? How would you test Outlook Anywhere internally… if I open Outlook then it connects directly to the CAS server (but not using RPC over HTTP). Can I force a client on the internal network to use RPC over HTTP to a particular CAS server?
0
Simon Butler (Sembee)ConsultantCommented:
I haven't used it, so I cannot answer questions on it.
Recommending it is another matter - depends if you need the additional security it provides or not. Depends whether you are a target. If you are just selling widgets then probably not, if you are a bank or other financial group or someone with data that could be valuable, then maybe you do.

Exchange has a lot of testing tools built in - these all start in EMS with the test- command - so if you type test- and then press tab you will see them listed one at a time. You can get the full pramaters from Technet.

test-outlookwebservices, test-outlookconnectivity etc.

Simon.
0
HoricePlantAuthor Commented:
Okay - thanks for your feedback Simon. One last question for you... since Microsoft don't support the use of CAS in a DMZ, what would you normally deploy for a reverse proxy for Exchange web services?
0
Simon Butler (Sembee)ConsultantCommented:
I haven't used a reverse proxy of any description for some time. Port 443 only straight thought to the CAS role.

Simon.
0
HoricePlantAuthor Commented:
The use of TMG 2010 is a requirement for our company. Any further feedback on how to implement TMG 2010 as a reverse proxy server for Exchange 2010 would be very much welcomed...

Simon - many thanks for your input. Should anyone else be able to help, I will distribute the points accordingly when the question is answered.
0
Simon Butler (Sembee)ConsultantCommented:
You will need to ask a new question on how to implement TMG 2010. Due to the nature of this site is unlikely anyone else will look at the question now - questions that are more than 24 hours old rarely get new people posting.

Simon.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HoricePlantAuthor Commented:
Yep - I think you're right Simon.

I'll restructure the question and post as a Forefront-ISA topic.

Thanks again,
Tony
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.