Setting up Outlook Anywhere where internal and external DNS names are different?
Posted on 2014-09-11
I'm trying to get Outlook Anywhere to work for external users. I believe the culprit is our internal DNS namespace being different from our external DNS namespace. And to make things even more fun, our internal NetBIOS namespace differs from our internal namespace; so, we have three DNS namespaces at play:
Internal NetBIOS name:
I'm also a little confused about the SSL Certificate(s) involved as well. As far as I know, we only have one valid cert installed for our webmail site, which is webmail.externalzoo.com...
On a test laptop (connected to the Internet via my cell phone's hotspot), I'm attempting to set up an Outlook Anywhere connection using Outlook 2013. I start the setup wizard, enter the name, email address, and password. The email address I'm using is 'email@example.com'. I get a security alert popup for 'autodiscover.externalzoo.com' that has an error in the section "The name on the security certificate is invalid or does not match the name on the site. Do you want to proceed?" I clicked on 'View Certificate' and the 'Issued to' field is 'Webmail.externalzoo.com.' I cancelled that, and got back to the 'Do you want to proceed?' section. I clicked YES, and am prompted for login credentials. The username that auto-populates is 'firstname.lastname@example.org,' I enter the domain password for this user account, and the login attempt fails.
Thinking that 'email@example.com' isn't REALLY a domain account, but rather just an email address, I'm wondering how it would successfully authenticate in the first place? So, as a test, I tried 'Use another account' thinking that the internal user account name is what's needed. So, I enter 'firstname.lastname@example.org,' enter the domain password for that account, and get an error that reads, "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.externalzoo.com. Outlook is unable to connect to the proxy server. (Error Code 10)"
('mail.externalzoo.com' is the name I set in the Outlook Anywhere properties in the Exchange Management Console, and is also where the DNS record 'autodiscover.externalzoo.com' points to).
I click OK to that above error, and get another error, "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action." I click OK, and a 'Microsoft Exchange' box pops up. The 'Microsoft Exchange Server' field reads 'exchangeserver.internalzoo.com' and 'Mailbox' reads '=SMTP:email@example.com.' If I click on Check Name, I get an error, "The name cannot be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action." Thinking that 'exchangeserver.internalzoo.com' is an INTERNAL server unknown to the outside (and would not be able to be resolved by the laptop), I changed the server name to 'mail.exernalzoo.com' and hit check name. I get the same error.
I then tried the steps again (the 'use another account' method) using the username 'pigpen\user' and get all of the same errors and behavior as above.
So, I'm not really sure where to go from here. I don't even really know where this 'Autodiscover' information is coming from, and am not sure it's handing out the correct info? And I'm not sure how to handle the different domain names in relation to the SSL Certs.
Some additional info/checklists:
The DNS record for 'autodiscover.externalzoo.com' is a CNAME record that points to 'mail.externalzoo.com'
Port 443 is open and tested to 'mail.externalzoo.com'
Outlook Anywhere is ENABLED in Exchange Management Console, with the 'External host name' set to 'mail.externalzoo.com' with Basic Authentication.
If I go to AD Sites and Services on a domain controller, and drill down to Services\Microsoft Exchange\[company name]\Administrative Groups\Exchange Administrative Group\Servers\[exchangeserver]\Protocols\Autodiscover\[Exchangeserver] there is nothing there. I saw an article online about going here to view the Autodiscover info, but ours is empty.
Thank you in advance!
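The certificate name mismatch described in the post above, worked through as an added example that is not part of the original post: it compares the names a certificate carries against the host names Outlook connects to, using the usual left-most-label wildcard rule. It assumes the certificate carries only the 'Issued to' name quoted in the post; the function names and the host list are constructed for illustration.

```python
# Added example: which client-facing host names does a certificate cover?
# Names are taken from the post; the certificate name list is an assumption
# (the real certificate may carry further subject alternative names).

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (exact or left-most wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # require at least two fixed labels so "*.com" style names never match
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def missing_names(cert_names, hosts):
    """Return the hosts that no certificate name covers, in input order."""
    return [
        host for host in hosts
        if not any(name_matches(name, host) for name in cert_names)
    ]


# Constructed from the post: the 'Issued to' value seen in the security alert.
CERT_NAMES = ["Webmail.externalzoo.com"]

# Host names the post says the client reaches over HTTPS.
CLIENT_HOSTS = [
    "webmail.externalzoo.com",       # webmail site
    "autodiscover.externalzoo.com",  # Autodiscover lookup (CNAME to mail)
    "mail.externalzoo.com",          # Outlook Anywhere external host name
]

if __name__ == "__main__":
    for host in missing_names(CERT_NAMES, CLIENT_HOSTS):
        print(f"not covered by certificate: {host}")
```

A CNAME from 'autodiscover' to 'mail' does not change the result, because the client validates the certificate against the name it asked for, not the name the record points to.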