Solved

Setting up Outlook Anywhere where internal and external DNS names are different?

Posted on 2014-09-11
Last Modified: 2014-09-11
I'm trying to get Outlook Anywhere to work for external users.  I believe the culprit is our internal DNS namespace being different from our External DNS namespace.  And to make things even more fun, our internal NetBIOS namespace differs from our Internal Namespace; so, we have three DNS namespaces at play:

Internal FQDN:
internalzoo.com

Internal NetBIOS name:
pigpen

External FQDN:
externalzoo.com

I'm also a little confused about the SSL Certificate(s) involved as well.  As far as I know, we only have one valid cert installed for our webmail site, which is webmail.externalzoo.com...

On a test laptop (connected to the Internet via my cell phone's hotspot), I'm attempting to set up an Outlook Anywhere connection using Outlook 2013.  I start the setup wizard, enter the name, email address, and password.  The email address I'm using is 'user@externalzoo.com'.  I get a security alert popup for 'autodiscover.externalzoo.com' that has an error in the section "The name on the security certificate is invalid or does not match the name on the site.  Do you want to proceed?"  I clicked on 'View Certificate' and the 'Issued to' field is 'Webmail.externalzoo.com.'  I cancelled that, and got back to the 'Do you want to proceed?' section.  I clicked YES, and am prompted for login credentials.  The username that auto-populates is 'user@externalzoo.com,' I enter the domain password for this user account, and the login attempt fails.

Thinking that 'user@externalzoo.com' isn't REALLY a domain account, but rather just an email address, I'm wondering how it would successfully authenticate in the first place?  So, as a test, I tried 'Use another account' thinking that the internal user account name is what's needed.  So, I enter 'user@internalzoo.com,' enter the domain password for that account, and get an error that reads, "There is a problem with the proxy server's security certificate.  The name on the security certificate is invalid or does not match the name of the target site mail.externalzoo.com.  Outlook is unable to connect to the proxy server.  (Error Code 10)"

('mail.externalzoo.com' is the name I set in the Outlook Anywhere properties in the Exchange Management Console, and is also where the DNS record 'autodiscover.externalzoo.com' points to).

I click OK to that above error, and get another error, "The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."  I click OK, and a 'Microsoft Exchange' box pops up.  The 'Microsoft Exchange Server' field reads 'exchangeserver.internalzoo.com' and 'Mailbox' reads '=SMTP:user@externalzoo.com.'  If I click on Check Name, I get an error, "The name cannot be resolved.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."  Thinking that 'exchangeserver.internalzoo.com' is an INTERNAL server unknown to the outside (and would not be able to be resolved by the laptop), I changed the server name to 'mail.exernalzoo.com' and hit check name.  I get the same error.

I then tried the steps again (the 'use another account' method) using the username 'pigpen\user' and get all of the same errors and behavior as above.


So, I'm not really sure where to go from here.  I don't even really know where this 'Autodiscover' information is coming from, and am not sure it's handing out the correct info?  And I'm not sure how to handle the different domain names in relation to the SSL Certs.

Some additional info/checklists:
The DNS record for 'autodiscover.externalzoo.com' is a CNAME record that points to 'mail.externalzoo.com'

Port 443 is open and tested to 'mail.externalzoo.com'

Outlook Anywhere is ENABLED in Exchange Management Console, with the 'External host name' set to 'mail.externalzoo.com' with Basic Authentication.

If I go to AD Sites and Services on a domain controller, and drill down to Services\Microsoft Exchange\[company name]\Administrative Groups\Exchange Administrative Group\Servers\[exchangeserver]\Protocols\Autodiscover\[Exchangeserver] there is nothing there.  I saw an article online about going here to view the Autodiscover info, but ours is empty.


Thank you in advance!
Question by:cwilson8212
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40317784
Have you run the Outlook Autodiscover test on the test site:

https://testconnectivity.microsoft.com/

If not - please do and post the results.

The site should help narrow down the problem.

Alan
0
 

Author Comment

by:cwilson8212
ID: 40317849
Thanks Alan.

Something else to note; externalzoo.com and www.externalzoo.com do NOT reside in our Internal network (where the Exchange Server is located), so it makes sense that the test failed against externalzoo.com (port 443).  mail.externalzoo.com, webmail.externalzoo.com DO reside/point to our internal network if that makes sense...

Here are the results of the AutoDiscover test:

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for
user@externalzoo.com.
Testing Autodiscover failed.
Additional Details
Elapsed Time: 23378 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Additional Details
Elapsed Time: 23378 ms.
Test Steps
Attempting to test potential Autodiscover URL https://externalzoo.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1602 ms.
Test Steps
Attempting to resolve the host name externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 1.2.3.4
Elapsed Time: 178 ms.
Testing TCP port 443 on host externalzoo.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 1423 ms.
Attempting to test potential Autodiscover URL https://autodiscover.externalzoo.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 533 ms.
Test Steps
Attempting to resolve the host name autodiscover.externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 5.6.7.8
Elapsed Time: 175 ms.
Testing TCP port 443 on host autodiscover.externalzoo.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 137 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 220 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.externalzoo.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.externalzoo.com, OU=Domain Control Validated, O=webmail.externalzoo.com, Issuer: SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 168 ms.
Validating the certificate name.
Certificate name validation failed.
Additional Details
Host name autodiscover.externalzoo.com doesn't match any name found on the server certificate CN=webmail.externalzoo.com, OU=Domain Control Validated, O=webmail.externalzoo.com.
Elapsed Time: 1 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Additional Details
Elapsed Time: 21083 ms.
Test Steps
Attempting to resolve the host name autodiscover.externalzoo.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 5.6.7.8
Elapsed Time: 17 ms.
Testing TCP port 80 on host autodiscover.externalzoo.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 21065 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Additional Details
Elapsed Time: 74 ms.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.externalzoo.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Additional Details
Elapsed Time: 74 ms.
Checking if there is an autodiscover CNAME record in DNS for your domain 'externalzoo.com' for Office 365.
Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
Additional Details
There is no Autodiscover CNAME record for your domain 'externalzoo.com'.
Elapsed Time: 84 ms.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 40317870
If your SSL certificate includes webmail.externalzoo.com, then you need to use that as your Outlook Anywhere FQDN.

You also need to set up an SRV record pointing to webmail.externalzoo.com as you don't have Autodiscover included in your SSL certificate as per the following article:

http://support.microsoft.com/kb/940881

Once you have the SRV record set up, re-run the test using webmail.externalzoo.com and see how that goes.
0
 

Author Comment

by:cwilson8212
ID: 40318134
I'm having a hard time with the syntax of the SRV record.  We're using a service called Dynamic DNS.  It has 4 fields; HOST, TTL, TYPE, DATA.
I've got:
HOST = autodiscover.externalzoo.com
TTL = 600 (default value)
TYPE = SRV
DATA = 0 0 443 _autodiscover._tcp.externalzoo.com

Is that correct?  If so, how does it know to contact webmail.externalzoo.com for the settings?  Should the string tcp.externalzoo.com be changed to webmail.externalzoo.com in the 'Data' section?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 40318178
Ah - that's not right.

Should be along these lines:

Host: _autodiscover._tcp
TTL: 600 should be fine
TYPE: SRV
DATA: 0 0 443 webmail.externalzoo.com
0
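
Added example (not part of the thread or of any participant's post): a check that an Autodiscover SRV record, entered as HOST and DATA fields, has the right owner name and a target that is actually a name on the server certificate. It is run here on the record as first entered and as corrected above. The certificate name list is constructed from the CN in the analyzer output (no SANs assumed), and appending the zone to a relative HOST field is an assumption about the DNS panel.

```python
# Added example. Names are the thread's placeholders; CERT_NAMES is constructed
# from the certificate subject in the analyzer output (CN only, no SANs assumed).
CERT_NAMES = ["webmail.externalzoo.com"]
DOMAIN = "externalzoo.com"

def cert_covers(host, cert_names):
    """True if host matches a certificate name exactly or via a leftmost-label wildcard."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_srv(host_field, data_field, domain, cert_names):
    """Return a list of problems for an SRV record entered as HOST / DATA fields."""
    problems = []
    owner = host_field.lower().rstrip(".")
    if owner != domain and not owner.endswith("." + domain):
        owner = owner + "." + domain  # assumption: a relative HOST gets the zone appended
    if owner != "_autodiscover._tcp." + domain:
        problems.append("owner is %s, expected _autodiscover._tcp.%s" % (owner, domain))
    parts = data_field.split()
    if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
        return problems + ["DATA must be: priority weight port target"]
    port, target = int(parts[2]), parts[3].rstrip(".")
    if port != 443:
        problems.append("port is %d, Autodiscover over HTTPS uses 443" % port)
    if target.startswith("_"):
        problems.append("target %s is a service label, not a host name" % target)
    if not cert_covers(target, cert_names):
        problems.append("target %s is not a name on the certificate" % target)
    return problems

# The record as first entered in the thread, then as corrected in the reply.
FIRST_TRY = check_srv("autodiscover.externalzoo.com",
                      "0 0 443 _autodiscover._tcp.externalzoo.com", DOMAIN, CERT_NAMES)
CORRECTED = check_srv("_autodiscover._tcp", "0 0 443 webmail.externalzoo.com",
                      DOMAIN, CERT_NAMES)

if __name__ == "__main__":
    for label, result in (("first try", FIRST_TRY), ("corrected", CORRECTED)):
        print(label, "->", result or "OK")
    for h in ("autodiscover.externalzoo.com", "mail.externalzoo.com"):
        print(h, "covered by certificate:", cert_covers(h, CERT_NAMES))
```

The same `cert_covers` check explains the two certificate warnings earlier in the thread: neither `autodiscover.externalzoo.com` nor `mail.externalzoo.com` is a name on the certificate.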
 

Author Comment

by:cwilson8212
ID: 40318200
Ok, I've got that modified and in place.  Do I also need a CNAME record for autodiscover.externalzoo.com pointing to webmail.externalzoo.com?  I've seen some things mentioning needing that.

Thanks for all the help so far.
0
 

Author Comment

by:cwilson8212
ID: 40318211
Update - I didn't create the CNAME record that I asked you about previously, but the MS Autodiscover test is working now.  So, that is good!

However, I'm still getting some errors in the Outlook setup pertaining to "An encrypted connection to your mail server is not available."  The unencrypted method fails as well.

I'll run the Outlook Connectivity test and see if I see anything there.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 40318224
You need port 443 open and forwarded on your firewall to the Exchange server for things to work.

If you haven't got that open and forwarded, please configure the firewall accordingly.

Alan

P.S. Good call on the autodiscover CNAME record.  It isn't needed and should be there.  Just one autodiscover pointer should be there.
0

 

Author Comment

by:cwilson8212
ID: 40318230
Got this in the Outlook Connectivity test:

Testing HTTP Authentication Methods for URL https://webmail.externalzoo.com/rpc/rpcproxy.dll?exchangeserver.internalzoo.com:6002.
       The HTTP authentication test failed.
       
      Additional Details
       
A Web exception occurred because an HTTP 501 - NotImplemented response was received from Unknown.
HTTP Response Headers:
Content-Length: 0
Date: Thu, 11 Sep 2014 22:12:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Elapsed Time: 52 ms.

??
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 40318234
Did you install the HTTP over RPC Proxy Component yet?

http://technet.microsoft.com/en-gb/library/bb123889(v=exchg.80).aspx

Alan
0
 

Author Comment

by:cwilson8212
ID: 40318261
Wow, nope.  I checked that yesterday and everything under Networking services was checked (which seemed odd), but now when I go into it, nothing is checked.  Ok, I'll install that (need to find the SP2 media or equivalent that it's asking for) and I'll check back.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40318266
No probs.
0
 

Author Comment

by:cwilson8212
ID: 40318324
Ok, I've got that installed (I did not reboot the Exchange Server or restart any services).  Getting a new error now in the Outlook Connectivity test:

Testing HTTP Authentication Methods for URL https://webmail.externalzoo.com/rpc/rpcproxy.dll?exchangeserver.internalzoo.com:6002.
       The HTTP authentication test failed.
       
      Additional Details
       
Exception details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()
Elapsed Time: 54 ms.
0
 

Author Comment

by:cwilson8212
ID: 40318331
Now that that RPC over HTTP service is installed, are there any additional settings (in IIS, etc?) that need to be set?  Is 443 the only port that needs to be open to the Exchange Server?
0
 

Author Comment

by:cwilson8212
ID: 40318344
Hey Alan, it's working!
As a blessing in disguise I got sidetracked for about 30 mins, and maybe that was enough time for the changes to take place on the Exchange Server?

One note on this for anyone reading:  While the email address I used in the wizard was 'user@externalzoo.com,' the username I had to use to actually authenticate and get it to work was 'user@internalzoo.com'.

Thanks Alan!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40318372
Excellent.  Sorry - got sidetracked fixing an SBS 2008 server.

Glad it's all working for you :)

Thanks for the points.

Alan
0
