Autodiscover issue Exchange server

Exchange server is installed with SSL certificated for OWA so that mobile device and browser can connect without warning.
But seems due to autodiscover issue outlook 2010 is constantly popping up alert, I was reading about UC/SAN certificate for solution - is there anyway to resolve this issue or have to get UC/SAN certificate if server is installed with SSL certificate.

Thanks
joyjohnAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
FocISConnect With a Mentor Commented:
Outlook may be attempting to address your server by multiple different names - each will have to be specified on the UC Certificate.  To complicate things, certificates are no longer able to have "internal" names (mail.domain.local) listed on them - and if outlook is trying to use an internal-only name, that may be a bigger problem for SSL.

As a work around, I've been known to "zero out" the resolution for affected workstations by simply adding lines to the hosts file (c:\windows\system32\drivers\etc\hosts) such that names don't resolve for that workstation.  example:
0.0.0.0   mail.domain.local
0.0.0.0   autodiscover.domain.com

The only way i can think of to avoid a UC cert is to make sure your server is identified only as one name, on the lan and wan (mail.domain.com, for example)
0
 
Gareth GudgerConnect With a Mentor Commented:
You really need to do a SAN cert. It is much easier in the long run. If you use Exchange Management Console it handles all the preparation for you.

1. Open EMC
2. Expand Microsoft Exchange On-Premises
3. Select Server Configuration
4. In the Actions Pane on the far right click New Exchange Certificate.

As you walk through this wizard and fill out what services you plan to use, and what their FQDNs will be, Exchange will typically recommend a SAN certificate and generate a CSR for you.

I use GoDaddy.com for SAN certs because they are normally the cheapest.

Then when you get you certificate, go back through the steps above and click Import Exchange Certificate from the Action Pane instead of New (be aware some certificate providers may want you to load intermediate certs and they should post instructions on how to install these through the Certificates MMC snap-in).

Then you can assign services, such as IIS, to the newly added certificate in the Exchange Certificates window, under Server Configuration.

Also, as a side note, internal URLs can no longer be used on a SAN certificate for certs that expire after 2015. The easiest way to combat this is to make all your InternalURLs match the ExternalURLs. And then use split-brain DNS, where you have your external DNS namespace on your internal DNS servers with A records that point to the internal IPs.
0
 
Cliff GaliherConnect With a Mentor Commented:
A UCC/SAN certificate is not required. You do need to configure your autodiscover, EWS, and OAB URL's to match the name on the certificate. That can ne done via PowerShell. you may also need to configure a split-brain DNS zone on your internal DNS servers if your router doesn't support loopback traffic or if you prefer to avoid it.
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
Alan HardistyConnect With a Mentor Co-OwnerCommented:
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

Set-AutodiscoverVirtualDirectory -Identity * –internalurl “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-ClientAccessServer –Identity * –AutodiscoverServiceInternalUri “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-webservicesvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/EWS/Exchange.asmx”

Set-oabvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/oab”

Set-owavirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/owa”

Set-ecpvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/ecp”

Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

Just change the mail.yourdomain.com part to match the name in your SSL certificate and the problem should go away.

Alan
0
 
joyjohnAuthor Commented:
sorry for late reply.

for this server there's only 1 purchased certificate "mail.abcxyz.com" installed and it is working.
so just changing "mail.abcxyz.com" on all above commands should be fine? hope it is not going to create any problem on current settings, thanks
0
 
Gareth GudgerCommented:
Yes. It will work fine.

However, you may need to create a non-authoritative DNS zone on your internal servers, which point all these records to the internal IPs of the server instead.
0
 
Alan HardistyCo-OwnerCommented:
It will be just fine - run the command and it will update the relevant settings and solve your problem.

Alan
0
All Courses

From novice to tech pro — start learning today.