Setting up Outlook Anywhere where internal and external DNS names are different?

I'm trying to get Outlook anywhere to work for external users.  I believe the culprit is our internal DNS namespace being different from our External DNS namespace.  And to make things even more fun, our internal NetBIOS namespace differs from our Internal Namespace; so, we have three DNS namespaces at play:

Internal FQDN:
internalzoo.com

Internal NetBIOS name:
pigpen

External FQDN:
externalzoo.com

I'm also a little confused about the SSL Certificate(s) involved as well.  As far as I know, we only have one valid cert installed for our webmail site, which is webmail.externalzoo.com...

On a test laptop (connected to the Internet via my cell phone's hotspot), I'm attempting to set up an Outlook Anywhere connection using Outlook 2013.  I start the setup wizard, enter the name, email address, and password.  The email address I'm using is 'user@externalzoo.com'.  I get a security alert popup for 'autodiscover.externalzoo.com' that has an error in the section "The name on the security certificate is invalid or does not match the name on the site.  Do you want to proceed?"  I clicked on 'View Certificate' and the 'Issued to' field is 'Webmail.externalzoo.com'.  I cancelled that, and got back to the 'Do you want to proceed?' section.  I clicked YES, and am prompted for login credentials.  The username that auto-populates is 'user@externalzoo.com'; I enter the domain password for this user account, and the login attempt fails.

Thinking that 'user@externalzoo.com' isn't REALLY a domain account, but rather just an email address, I'm wondering how it would successfully authenticate in the first place?  So, as a test, I tried 'Use another account', thinking that the internal user account name is what's needed.  So, I enter 'user@internalzoo.com', enter the domain password for that account, and get an error that reads, "There is a problem with the proxy server's security certificate.  The name on the security certificate is invalid or does not match the name of the target site mail.externalzoo.com.  Outlook is unable to connect to the proxy server.  (Error Code 10)"

('mail.externalzoo.com' is the name I set in the Outlook Anywhere properties in the Exchange Management Console, and is also where the DNS record 'autodiscover.externalzoo.com' points to).

I click OK to that above error, and get another error, "The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."  I click OK, and a 'Microsoft Exchange' box pops up.  The 'Microsoft Exchange Server' field reads 'exchangeserver.internalzoo.com' and 'Mailbox' reads '=SMTP:user@externalzoo.com'.  If I click on Check Name, I get an error, "The name cannot be resolved.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."  Thinking that 'exchangeserver.internalzoo.com' is an INTERNAL server unknown to the outside (and would not be able to be resolved by the laptop), I changed the server name to 'mail.externalzoo.com' and hit Check Name.  I get the same error.

I then tried the steps again (the 'use another account' method) using the username 'pigpen\user' and get all of the same errors and behavior as above.


So, I'm not really sure where to go from here.  I don't even really know where this 'Autodiscover' information is coming from, and am not sure it's handing out the correct info?  And I'm not sure how to handle the different domain names in relation to the SSL Certs.

Some additional info/checklists:
The DNS record for 'autodiscover.externalzoo.com' is a CNAME record that points to 'mail.externalzoo.com'

Port 443 is open and tested to 'mail.externalzoo.com'

Outlook Anywhere is ENABLED in Exchange Management Console, with the 'External host name' set to 'mail.externalzoo.com' with Basic Authentication.

If I go to AD Sites and Services on a domain controller, and drill down to Services\Microsoft Exchange\[company name]\Administrative Groups\Exchange Administrative Group\Servers\[exchangeserver]\Protocols\Autodiscover\[Exchangeserver] there is nothing there.  I saw an article online about going here to view the Autodiscover info, but ours is empty.


Thank you in advance!
cwilson8212 asked:

Alan Hardisty (Co-Owner) commented:
Have you run the Outlook Autodiscover test on the test site:

https://testconnectivity.microsoft.com/

If not - please do and post the results.

The site should help narrow down the problem.

Alan
0
cwilson8212 (Author) commented:
Thanks Alan.

Something else to note; externalzoo.com and www.externalzoo.com do NOT reside in our Internal network (where the Exchange Server is located), so it makes sense that the test failed against externalzoo.com (port 443).  mail.externalzoo.com, webmail.externalzoo.com DO reside/point to our internal network if that makes sense...

Here are the results of the AutoDiscover test:

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for
user@externalzoo.com.
Testing Autodiscover failed.
Additional Details
Elapsed Time: 23378 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Additional Details
Elapsed Time: 23378 ms.
Test Steps
Attempting to test potential Autodiscover URL https://externalzoo.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1602 ms.
Test Steps
Attempting to resolve the host name externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 1.2.3.4
Elapsed Time: 178 ms.
Testing TCP port 443 on host externalzoo.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Tell me more about this issue and how to resolve it
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 1423 ms.
Attempting to test potential Autodiscover URL https://autodiscover.externalzoo.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 533 ms.
Test Steps
Attempting to resolve the host name autodiscover.externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 5.6.7.8
Elapsed Time: 175 ms.
Testing TCP port 443 on host autodiscover.externalzoo.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 137 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 220 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.externalzoo.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.externalzoo.com, OU=Domain Control Validated, O=webmail.externalzoo.com, Issuer: SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 168 ms.
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it
Additional Details
Host name autodiscover.externalzoo.com doesn't match any name found on the server certificate CN=webmail.externalzoo.com, OU=Domain Control Validated, O=webmail.externalzoo.com.
Elapsed Time: 1 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Additional Details
Elapsed Time: 21083 ms.
Test Steps
Attempting to resolve the host name autodiscover.externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 5.6.7.8
Elapsed Time: 17 ms.
Testing TCP port 80 on host autodiscover.externalzoo.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Tell me more about this issue and how to resolve it
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 21065 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Additional Details
Elapsed Time: 74 ms.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.externalzoo.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it
Additional Details
Elapsed Time: 74 ms.
Checking if there is an autodiscover CNAME record in DNS for your domain 'externalzoo.com' for Office 365.
Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
Tell me more about this issue and how to resolve it
Additional Details
There is no Autodiscover CNAME record for your domain 'externalzoo.com'.
Elapsed Time: 84 ms.
0
Alan Hardisty (Co-Owner) commented:
If your SSL certificate includes webmail.externalzoo.com, then you need to use that as your Outlook Anywhere FQDN.

You also need to set up an SRV record pointing to webmail.externalzoo.com, as you don't have Autodiscover included in your SSL certificate, as per the following article:

http://support.microsoft.com/kb/940881

Once you have the SRV record set up, re-run the test using webmail.externalzoo.com and see how that goes.
0


cwilson8212 (Author) commented:
I'm having a hard time with the syntax of the SRV record.  We're using a service called Dynamic DNS.  It has 4 fields: HOST, TTL, TYPE, DATA.
I've got:
HOST = autodiscover.externalzoo.com
TTL = 600 (default value)
TYPE = SRV
DATA = 0 0 443 _autodiscover._tcp.externalzoo.com

Is that correct?  If so, how does it know to contact webmail.externalzoo.com for the settings?  Should the string tcp.externalzoo.com be changed to webmail.externalzoo.com in the 'Data' section?
0
Alan Hardisty (Co-Owner) commented:
Ah - that's not right.

Should be along these lines:

Host: _autodiscover._tcp
TTL: 600 should be fine
TYPE: SRV
DATA: 0 0 443 webmail.externalzoo.com
0
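The connectivity analyzer output above walks the candidates an Autodiscover client tries in order (the bare domain, the autodiscover host name, then the `_autodiscover._tcp` SRV redirect), and the exchange just above fixes the SRV DATA syntax. The following Python script is an added example written for this page; it is not code from the thread, from Experts Exchange or from Microsoft. It simulates that lookup order against constructed DNS, listener and certificate tables built from the names and addresses quoted in the thread (the table layout, the `Listener` type and every function name are assumptions). Run as written, it fails at all three steps on the zone as it stood before the SRV record existed, succeeds through the SRV redirect once `_autodiscover._tcp` points at the name on the certificate, and rejects the malformed DATA value from the question, whose target was a service label rather than a host name.

```python
"""Simulated Outlook Autodiscover lookup order (added example; not from the thread).

Steps modelled, in the order the Microsoft Connectivity Analyzer tries them:
  1. https://<domain>/Autodiscover/Autodiscover.xml
  2. https://autodiscover.<domain>/Autodiscover/Autodiscover.xml
  3. SRV redirect: _autodiscover._tcp.<domain> -> target host on port 443
An HTTPS candidate only succeeds when port 443 answers AND the certificate the
listener presents covers the name being contacted (CN/SAN, single-label wildcard).
All tables are constructed so the script runs offline; names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Listener:
    port443_open: bool
    cert_names: tuple  # CN plus any SAN entries the TLS listener presents


# Constructed: 1.2.3.4 is the externally hosted website (no 443 listener);
# 5.6.7.8 is the Exchange server, whose only certificate is CN=webmail.externalzoo.com.
LISTENERS = {
    "1.2.3.4": Listener(port443_open=False, cert_names=()),
    "5.6.7.8": Listener(port443_open=True, cert_names=("webmail.externalzoo.com",)),
}
# The zone as described in the thread before any SRV record existed.
DNS_BEFORE = {
    "A": {"externalzoo.com": "1.2.3.4", "mail.externalzoo.com": "5.6.7.8",
          "webmail.externalzoo.com": "5.6.7.8"},
    "CNAME": {"autodiscover.externalzoo.com": "mail.externalzoo.com"},
    "SRV": {},
}
# The same zone after the fix: _autodiscover._tcp points at the certificate name.
DNS_AFTER = {**DNS_BEFORE,
             "SRV": {"_autodiscover._tcp.externalzoo.com": "0 0 443 webmail.externalzoo.com"}}

SRV_DATA = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z0-9.-]+)$")


def parse_srv_data(data):
    """Parse the 'priority weight port target' DATA field of an SRV record."""
    m = SRV_DATA.match(data.strip())
    if not m:
        # Rejects e.g. "0 0 443 _autodiscover._tcp.externalzoo.com": the target must
        # be a host name, and an underscore service label is not a valid host name.
        raise ValueError("SRV DATA must be 'priority weight port target-hostname'")
    prio, weight, port, target = m.groups()
    return {"priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".")}


def name_matches_cert(hostname, cert_names):
    """RFC 6125-style check: exact (case-insensitive) or single-label wildcard."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.externalzoo.com" -> ".externalzoo.com"
            prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else None
            if prefix and "." not in prefix:  # wildcard covers exactly one label
                return True
    return False


def resolve(name, dns):
    """Follow CNAMEs to an A record; return the IP, or None if unresolvable."""
    seen = set()
    while name and name not in seen:  # `seen` guards against CNAME loops
        seen.add(name)
        if name in dns["A"]:
            return dns["A"][name]
        name = dns["CNAME"].get(name)
    return None


def probe_https(name, dns):
    """Return (ok, reason) for one HTTPS Autodiscover attempt against `name`."""
    ip = resolve(name, dns)
    if ip is None:
        return False, "name does not resolve"
    listener = LISTENERS.get(ip)
    if listener is None or not listener.port443_open:
        return False, "port 443 blocked or not listening"
    if not name_matches_cert(name, listener.cert_names):
        return False, "certificate name mismatch (cert covers %s)" % ", ".join(listener.cert_names)
    return True, "ok"


def autodiscover(domain, dns):
    """Walk the lookup order; return (method, host, attempts) or (None, None, attempts)."""
    attempts = []
    for candidate in (domain, "autodiscover." + domain):
        ok, why = probe_https(candidate, dns)
        attempts.append((candidate, why))
        if ok:
            return "https", candidate, attempts
    srv_name = "_autodiscover._tcp." + domain
    data = dns["SRV"].get(srv_name)
    if data is None:
        attempts.append((srv_name, "SRV record not found"))
        return None, None, attempts
    rec = parse_srv_data(data)
    if rec["port"] != 443:  # this simulation only models an HTTPS listener on 443
        attempts.append((srv_name, "SRV points at port %d, not modelled" % rec["port"]))
        return None, None, attempts
    ok, why = probe_https(rec["target"], dns)
    attempts.append((rec["target"], why))
    return ("srv", rec["target"], attempts) if ok else (None, None, attempts)


if __name__ == "__main__":
    for label, dns in (("before SRV record", DNS_BEFORE), ("after SRV record", DNS_AFTER)):
        method, host, attempts = autodiscover("externalzoo.com", dns)
        print(label, "->", method, host)
        for name, why in attempts:
            print("   ", name, ":", why)
```

The second attempt in both runs is the one the analyzer reported: `autodiscover.externalzoo.com` resolves (through the CNAME) to a listener that answers on 443 but presents a certificate for `webmail.externalzoo.com` only, so the name check fails exactly as in the "Certificate name validation failed" line above. The SRV redirect sidesteps that by sending the client to a host name the certificate does cover, which is why no autodiscover CNAME is needed once the SRV record is in place.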
cwilson8212 (Author) commented:
Ok, I've got that modified and in place.  Do I also need a CNAME record for autodiscover.externalzoo.com pointing to webmail.externalzoo.com?  I've seen some things mentioning needing that.

Thanks for all the help so far.
0
cwilson8212 (Author) commented:
Update - I didn't create the CNAME record that I asked you about previously, but the MS Autodiscover test is working now.  So, that is good!

However, I'm still getting some errors in the Outlook setup pertaining to "An encrypted connection to your mail server is not available."  The unencrypted method fails as well.

I'll run the Outlook Connectivity test and see if I see anything there.
0
Alan Hardisty (Co-Owner) commented:
You need port 443 open and forwarded on your firewall to the Exchange server for things to work.

If you haven't got that open and forwarded, please configure the firewall accordingly.

Alan

P.S. Good call on the autodiscover CNAME record.  It isn't needed and should be there.  Just one autodiscover pointer should be there.
0
cwilson8212 (Author) commented:
Got this in the Outlook Connectivity test:

Testing HTTP Authentication Methods for URL https://webmail.externalzoo.com/rpc/rpcproxy.dll?exchangeserver.internalzoo.com:6002.
The HTTP authentication test failed.

Additional Details

A Web exception occurred because an HTTP 501 - NotImplemented response was received from Unknown.
HTTP Response Headers:
Content-Length: 0
Date: Thu, 11 Sep 2014 22:12:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Elapsed Time: 52 ms.

??
0
Alan Hardisty (Co-Owner) commented:
Did you install the HTTP over RPC Proxy Component yet?

http://technet.microsoft.com/en-gb/library/bb123889(v=exchg.80).aspx

Alan
0
cwilson8212 (Author) commented:
Wow, nope.  I checked that yesterday and everything under Networking services was checked (which seemed odd), but now when I go into it, nothing is checked.  Ok, I'll install that (need to find the SP2 media or equivalent that it's asking for) and I'll check back.
0
Alan Hardisty (Co-Owner) commented:
No probs.
0
cwilson8212 (Author) commented:
Ok, I've got that installed (I did not reboot the Exchange Server or restart any services).  Getting a new error now in the Outlook Connectivity test:

Testing HTTP Authentication Methods for URL https://webmail.externalzoo.com/rpc/rpcproxy.dll?exchangeserver.internalzoo.com:6002.
The HTTP authentication test failed.

Additional Details

Exception details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()
Elapsed Time: 54 ms.
0
cwilson8212 (Author) commented:
Now that that RPC over HTTP service is installed, are there any additional settings (in IIS, etc?) that need to be set?  Is 443 the only port that needs to be open to the Exchange Server?
0
cwilson8212 (Author) commented:
Hey Alan, it's working!
As a blessing in disguise I got sidetracked for about 30 mins, and maybe that was enough time for the changes to take place on the Exchange Server?

One note on this for anyone reading:  While the email address I used in the wizard was 'user@externalzoo.com', the username I had to use to actually authenticate and get it to work was 'user@internalzoo.com'.

Thanks Alan!
0
Alan Hardisty (Co-Owner) commented:
Excellent.  Sorry - got sidetracked fixing an SBS 2008 server.

Glad it's all working for you :)

Thanks for the points.

Alan
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.