Solved
After outlook is connected Getting security alert for self signed cert but referencing a branch exchange server

Posted on 2014-01-08
Last Modified: 2014-01-13
Hi All

We have an Exchange 2010 setup consisting of 3 mailbox servers in a DAG and a 2-node HT/CAS NLB that is all based at our London HQ (which is where I am based).

We also have a branch server in our Hong Kong office that is a single server running the HT/CAS/Mailbox roles, although currently it has no mailboxes as they are all still on databases in our DAG.

When I open Outlook on some machines I have noticed that about 30 seconds to a minute after the profile has connected I get a security alert telling me the security certificate was issued by a company you have not chosen to trust, and it's referencing the standalone Exchange server we have in our HK office.

Security Alert after Outlook connects
I can't work out why it would be trying to connect me to that remote server as there is nothing on it. I did an rpcdiag and verified that for mail I am connecting to our NLB FQDN in London and for public folders I am also connecting to a mailbox server in London.
I have checked the OAB and that is on the 3 Mailbox servers in London.

If I click yes to proceed everything works fine and I don't have any issues or get prompted for anything else until I have to restart Outlook. I would just like to understand why.

Anybody have any suggestions?

Thanks
Question by:ncomper
6 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39766742
It will be connected to Autodiscover most likely.
Do you have the two sites in different AD sites?

Doing an Outlook Autodiscover test (hold down ctrl while right clicking on the icon in the system tray) could give you an indication of what is happening.

Simon.
0
 
LVL 5

Author Comment

by:ncomper
ID: 39767430
Hi Simon

Thanks for the help, you are correct. I see in the log tab the below 3 lines. We have one other branch office in the US with a single server with HT/CAS/Mailbox roles installed, again not actually used; in the autodiscover log I also see autodiscover entries for this server although I don't get any alerts for it.

entry in autodiscover log
Why would autodiscover be connecting to remote branch servers?

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39767611
That goes to my first post - AD Sites configuration.
Autodiscover is AD site aware. Therefore if you have your entire environment in a single AD site, then each server with the CAS role will be publishing its own autodiscover information to the domain - in effect you have an "Autodiscover war".

You can see the values being published thus:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Autodiscover is published to the domain at regular intervals by the server, therefore depending on which one last published will depend on the server the client queries.

The fix is multiple part.

1. Get your AD sites and services configured correctly - correct subnets etc.
2. Sort out SSL certificates for those CAS role holders. They should be trusted and have a unique URL internally and externally. You may have to use a split DNS system for that.
3. Correct the URL on the value I have written above so that the correct host name (matching the SSL certificate) is set.

There are various strategies to the above - you could have a host name per server, or you could go per site, or even a single host name per the entire Forest. I have seen all three done. It very much depends on bandwidth, how many users and personal preference.

Simon.
0
 
LVL 5

Author Comment

by:ncomper
ID: 39768764
Thanks Simon

I have checked our AD sites and the subnet that the HK Exchange server is on is configured on the HK AD site.

We have 2 sites in London, each has its own AD site, and the subnets are correctly associated with the relevant site.

The site that I am seeing this message come up on does not have any Exchange servers, just a DC; the other London site has all our kit.

Could it be that because there is no onsite Exchange server it is just connecting to any Exchange server out there rather than the main London site?

The way the AD links are set up is that there is a site link between each remote site and our main London HQ site, in a hub and spoke model, so based upon that I would have expected any connections to have been directed to the Exchange servers there rather than in Hong Kong.

Thanks again

Nick
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 2000 total points
ID: 39770833
If there is no Exchange server in the AD site then the client is going to query the first one that responds.
Therefore you need to ensure that all servers with the CAS role are configured correctly - so trusted SSL certificate and valid host name - even if this means they are using the same host name as another site.

Simon.
0
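An added example (not from the thread or from Simon's posts) that turns the advice in the two answers above into an audit: for every CAS role holder, read the Autodiscover SCP URI it publishes plus the AD site scope it claims, then check whether a certificate bound to IIS on that server actually covers the SCP host name and whether it is self-signed. It assumes an Exchange 2010 Management Shell session with view-only permissions; the autodiscover.contoso.com name in the corrective command is a placeholder.

```powershell
# Added example, not the thread's own code. Audits the Autodiscover SCP
# records each CAS publishes against the certificate Outlook will be shown.
function Test-AutodiscoverScpCertificate {
    foreach ($cas in Get-ClientAccessServer) {
        $uri     = $cas.AutoDiscoverServiceInternalUri
        $scpHost = if ($uri) { $uri.Host } else { $null }

        # Only certificates enabled for IIS are presented on the Autodiscover
        # endpoint, so those are the ones that must match the SCP host name.
        $iisCerts = Get-ExchangeCertificate -Server $cas.Name |
            Where-Object { "$($_.Services)" -match 'IIS' }

        # A certificate covers the host if any SAN/CN entry equals it, or a
        # wildcard entry (*.example.com) matches exactly one label.
        $covered = $false
        foreach ($cert in $iisCerts) {
            foreach ($domain in $cert.CertificateDomains) {
                $pattern = '^' + [regex]::Escape("$domain").Replace('\*', '[^.]+') + '$'
                if ($scpHost -and $scpHost -match $pattern) { $covered = $true }
            }
        }

        [pscustomobject]@{
            Server       = $cas.Name
            ADSite       = (Get-ExchangeServer $cas.Name).Site
            SiteScope    = ($cas.AutoDiscoverSiteScope -join ';')
            ScpHost      = $scpHost
            IisCertCN    = (($iisCerts | ForEach-Object { $_.Subject }) -join '; ')
            SelfSigned   = (@($iisCerts | Where-Object { $_.IsSelfSigned }).Count -gt 0)
            HostCovered  = $covered
        }
    }
}

# Any row with SelfSigned = True or HostCovered = False is a server that will
# trigger the prompt described in the question whenever a client lands on it.
Test-AutodiscoverScpCertificate | Format-Table -AutoSize

# Corrective step from the answer (step 3): point each offending SCP at the
# host name that is on the trusted certificate. Placeholder name; run without
# -WhatIf only after the certificate and DNS work from steps 1 and 2 are done.
Test-AutodiscoverScpCertificate |
    Where-Object { -not $_.HostCovered } |
    ForEach-Object {
        Set-ClientAccessServer -Identity $_.Server `
            -AutoDiscoverServiceInternalUri 'https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml' `
            -WhatIf
    }
```

The SiteScope column makes the "Autodiscover war" visible: a branch CAS whose scope is empty or lists the wrong sites is a candidate for answering clients in a site with no Exchange server of its own.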
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39775984
Excellent as always, Thanks Simon
0
