Stop users accessing Exchange using local servername/owa

Hi,

I have replaced my SSL UCC cert and we can't use internal server names on the cert.

I have heeded security advice and all users accessing email internally and externally through OWA now need to log on using Forms Based Authentication.

This is fine for both URLs, https://mail.domain.org/owa and https://local-exchange-server/owa, except that the local servername URL will throw up a certificate error.

Is there a way to actually stop users accessing OWA using the local URL?

Appreciate any help
leegclystvale asked:

Simon Butler (Sembee), Consultant, commented:
Not really, because you need the host name to resolve for Exchange to work correctly.

Furthermore, you cannot put any code on to the server to redirect the users as that would load AFTER the SSL certificate.

This is a behaviour problem rather than a technical problem. Tell users to use the correct name for an error free approach.

Simon.
Amit, IT Architect, commented:
You can change your internal URL to https://mail.domain.org/owa and set the internal URL path to the new URL using PS. Follow this.

http://social.technet.microsoft.com/wiki/contents/articles/5163.managing-exchange-2010-externalinternal-url-s-via-powershell.aspx
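For reference, this is what the "set the internal URL using PowerShell" step from the linked article looks like in practice, together with the check a practitioner would want afterwards: that every host name the virtual directories advertise is actually a SAN on the certificate bound to IIS. This is an added example, not code from the thread or from the linked TechNet article. It assumes an Exchange 2010/2013-era Exchange Management Shell; mail.domain.org is the public name from the question, and the server name is a placeholder. As Simon notes, this changes what Exchange advertises and redirects to, it does not stop someone typing the server's real name into a browser.

```powershell
# Added example (not from the thread): point the OWA/ECP virtual directories at the public
# name that is on the UCC certificate, then confirm the IIS-bound certificate covers every
# name they advertise. Run in the Exchange Management Shell.
$publicName = "mail.domain.org"          # public name used in the question
$server     = "LOCAL-EXCHANGE-SERVER"    # placeholder: your CAS server's name

# Show what the virtual directories currently advertise. InternalUrl is what Autodiscover
# and the OWA redirect hand out, so it must be a name the certificate actually covers.
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-EcpVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl

# Point both at the public name. ECP should match OWA, otherwise the OWA Options pages
# redirect users to a host name that is not on the certificate.
Get-OwaVirtualDirectory -Server $server | Set-OwaVirtualDirectory `
    -InternalUrl "https://$publicName/owa" -ExternalUrl "https://$publicName/owa"
Get-EcpVirtualDirectory -Server $server | Set-EcpVirtualDirectory `
    -InternalUrl "https://$publicName/ecp" -ExternalUrl "https://$publicName/ecp"

# Check: every host name the directories now advertise should appear in the SAN list
# (CertificateDomains) of the certificate that has the IIS service enabled.
$iisCert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match "IIS" }
$advertised = @(Get-OwaVirtualDirectory -Server $server; Get-EcpVirtualDirectory -Server $server) |
    ForEach-Object { ([Uri]$_.InternalUrl).Host; ([Uri]$_.ExternalUrl).Host } |
    Sort-Object -Unique

foreach ($name in $advertised) {
    if ($iisCert.CertificateDomains -contains $name) {
        Write-Host "OK      $name is covered by the IIS certificate"
    } else {
        Write-Warning "$name is NOT on the IIS certificate; clients sent there will get a certificate error"
    }
}
```

Run the two Format-List lines first on their own to see the current state; the Set-* lines are the actual change, so test them in a lab before production, as Amit suggests.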
leegclystvale (Author) commented:
Thanks Simon,

A shame though.

Most can't be bothered to change it and will just ignore the certificate error, provided they can still access email OK.
This is the downside of letting users log on locally to a domain laptop using domain credentials; domain desktops are obviously fine, as the URL can be changed centrally.

leegclystvale (Author) commented:
How does that help me Amit?
Amit, IT Architect, commented:
Once you change it, then it won't be connecting via the server name. Test in the lab first. I used the same way for my client. Normally, I change this during installation.
leegclystvale (Author) commented:
"it"?

Thanks for trying
leegclystvale (Author) commented:
Thanks for the info Simon.
Amit, IT Architect, commented:
I didn't understand; what do you mean by "trying"? You accepted the answer already, but I don't understand what it solves for you without trying my solution.
leegclystvale (Author) commented:
"Once you change it, then it won't be connecting via server name. Test in the lab first. I used same way for my client. Normally, I change this during installation."

But the point is, your "clients" can still access email using https://localservername/owa if they are happy to accept cert errors, hence my question on how to stop access.

Unless Simon is wrong of course....
Simon Butler (Sembee), Consultant, commented:
Changing the URLs within Exchange will not stop users from being able to access OWA with the server's real name. The address still works. Once they have gone past the SSL prompt then they will be redirected by Exchange to the correct URL, but that happens AFTER the SSL prompt.

Simon.
Amit, IT Architect, commented:
I am not saying Simon is wrong. I am saying there is an alternate option for your issue. Why I said to test in the lab: just to verify whether what you are looking for works or not, as changing in production is always risky. The solution I gave is well tested and works. The other way is to add the server name to the SAN cert to avoid that error.
leegclystvale (Author) commented:
Amit, you are missing the point totally. MY Exchange URLs all work, and I have already done all the internal URL and external URL configuration work, and also the 3rd-party UCC SAN names etc.

If you can add my internal exchange server name to my Godaddy UCC SAN cert then I'd be impressed!

The only way I could avoid cert errors with the local URL is what Simon has advised in previous posts: making a new virtual directory in IIS and issuing a local CA cert for the local URL. I didn't want that, so I chose only one FBA route and OWA directory, hence my question about stopping access to the local servername URL altogether.

Thanks for clarifying again Simon.
Amit, IT Architect, commented:
Apologies for any oversight.