Exchange 2013 and Outlook clients not connecting

I have a new Windows 2012 server that I have installed Exchange 2013 on.  We moved email from GoDaddy to the internal server. Mail flows properly, I can login to OWA, I can connect with iPhones and Androids, I can connect to Outlook if they are in the office or if they connect to the VPN but Outlook will not connect if the users are outside the office.

I ran the Microsoft connectivity test and below is the results.  We are using a self-signed certificate (which should be fine for this small client).

Test Steps
        
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for administrator@kineticor.ca.

       Testing Autodiscover failed.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting to test potential Autodiscover URL https://kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 619 ms.

        
Test Steps
        
Attempting to resolve the host name kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 50.62.236.1
Elapsed Time: 183 ms.


 
Testing TCP port 443 on host kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 246 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 189 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
        
Additional Details
       The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 163 ms.






 
Attempting to test potential Autodiscover URL https://autodiscover.kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 662 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 266 ms.


 
Testing TCP port 443 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 137 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 258 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        
Additional Details
       Remote Certificate Subject: CN=kineticor-fs1.kineticor.local, Issuer: CN=kineticor-fs1.kineticor.local.
Elapsed Time: 169 ms.


 
Validating the certificate name.
       The certificate name was validated successfully.
        
Additional Details
       Host name autodiscover.kineticor.ca was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.


 
Certificate trust is being validated.
       Certificate trust validation failed.
        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=kineticor-fs1.kineticor.local.
       A certificate chain couldn't be constructed for the certificate.
         Tell me more about this issue and how to resolve it

        
Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=kineticor-fs1.kineticor.local
Elapsed Time: 42 ms.








 
Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 17 ms.


 
Testing TCP port 80 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 68 ms.


 
The Microsoft Connectivity Analyzer is checking the host autodiscover.kineticor.ca for an HTTP redirect to the Autodiscover service.
       The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
        
Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response:
HTTP Response Headers:
X-FEServer: KINETICOR-FS1
Content-Length: 0
Date: Tue, 03 Feb 2015 20:45:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Elapsed Time: 79 ms.




 
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
       The Autodiscover SRV record wasn't found in DNS.
         Tell me more about this issue and how to resolve it

        
Additional Details
       Elapsed Time: 166 ms.









Any help on figuring this out would be greatly appreciated as I am lost.
WildEagleAsked:
Who is Participating?
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Self Signed can be done, but not sure why you would go this route as SSL certs a dirt cheap. Unless you have a Internal root CA which is issuing the certs you are going to run into certificate issues. You will also need to make sure that the self signed cert is on all machines connecting.

Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
        The Autodiscover SRV record wasn't found in DNS.

Do you have the SRV records created in your exteranal DNS?

Also what are your External URL's set to on your CAS Server? Are they set to mail.domain.com.....?

Will.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
First, in order to connect remotely you require a 3rd party certificate, this is why your connectivity test is failing. Also you need to create a cname record for autodiscover.mail.com pointing to mail.domain.com.

Both of these names need to be identified as DNS names within your UCC/SAN cert. Once you have your cert you will need to import the cert into all of your CAS servers in your Exchange environment.

You will then need to enable the cert (on each individual server) using the powershell command below...

Enable-ExchangeCertificate -thumbprint xxxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"

Open in new window


You then need to update all of your external and internal URL (virtual directories) for mail.domain.com. You will also need to create a DNS record internally (split dns) for mail.domain.com and point it to your CAS server or Load Balanced IP (if you are load balancing CAS)

Once all of the above have been completed you should have passed the tests on the connectivity test externally.

Will.
0
 
WildEagleAuthor Commented:
Hi,

  Thanks for the response, unless this is something brand new in Microsoft Exchange 2013 (which Microsoft says you don't need a 3rd party certificate) I have never done anything but self signed certificates for any of my clients and they all work with RPC over HTTPS for Outlook to work.

Secondly I do have a cname setup to point autodiscover to the external IP address of the server with the DNS provider and also have the internal DNS split so that I have the .local and the .ca domains setup and pointed correctly to the server.

Any other ideas?
0
 
WildEagleAuthor Commented:
After the SRV record finally took with GoDaddy it seems things are connecting properly now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.