For various routing and security reasons, we've decided it would be best if all internal Outlook 2013 clients access the in-house Exchange 2013 server (at another site) from an external connection (using Outlook Anywhere) instead of going through the site-to-site VPN.
Assume the internal hostname is internal.company.com and the external hostname is external.company.com.
To achieve this, the following steps have been taken:
1. CNAME set up in internal DNS pointing autodiscover to external.company.com.
2. Autodiscover SCP in AD Sites and Services changed to external.company.com.
3. Ran Set-OutlookProvider EXPR -CertPrincipalName:"msstd:external.company.com" on the Exchange server.
Initial test machines worked fine, but as we started to roll out we saw some odd results.
Machines that had routes to the mail server via the VPN had their Outlook Anywhere proxy set to internal.company.com, and they worked fine.
Machines that didn't have routes to the mail server had their OA proxy set to external.company.com: Autodiscover worked fine, but after that they couldn't authenticate.
Most oddly, a non-domain machine on an external connection that can't even resolve the internal hostname, let alone connect to it, has had its proxy set to internal.company.com, and it works!?
Can someone clarify what might be happening here?
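An added diagnostic (not part of the question, and not the poster's own commands) for the Exchange 2013 Management Shell: it collects the Autodiscover SCP, the internal autodiscover CNAME, the per-server Outlook Anywhere hostnames and authentication methods, and the EXPR certificate principal name, then flags where the internal and external sides diverge from the intended external proxy. The hostnames and the autodiscover record name are assumptions taken from the question's placeholders.

```powershell
# Added diagnostic, not from the original post. Assumes the Exchange 2013
# Management Shell; the names below are the question's placeholders.
$External       = 'external.company.com'
$AutodiscoverFq = 'autodiscover.company.com'   # assumed internal CNAME name

# 1. Hostname advertised by the Autodiscover SCP for each Client Access server
Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri | Format-Table -AutoSize

# 2. What the internal DNS CNAME for autodiscover resolves to
#    (Resolve-DnsName needs Windows 8 / Server 2012 or later)
Resolve-DnsName -Name $AutodiscoverFq -Type CNAME -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost | Format-Table -AutoSize

# 3. Outlook Anywhere settings that Autodiscover hands to clients, per server
$oa = Get-OutlookAnywhere | Select-Object Server, InternalHostname, ExternalHostname,
    InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod,
    InternalClientsRequireSsl, ExternalClientsRequireSsl, IISAuthenticationMethods
$oa | Format-List

# 4. The EXPR provider's certificate principal name, which Outlook compares
#    against the certificate presented by the proxy it connects to
$expr = Get-OutlookProvider -Identity EXPR
"EXPR CertPrincipalName: $($expr.CertPrincipalName)"

# 5. Flag the places where internal and external configuration diverge
if ($expr.CertPrincipalName -ne "msstd:$External") {
    Write-Warning "EXPR CertPrincipalName is '$($expr.CertPrincipalName)', expected 'msstd:$External'"
}
foreach ($s in $oa) {
    if ($s.InternalHostname -ne $External) {
        Write-Warning "$($s.Server): InternalHostname '$($s.InternalHostname)' differs from intended proxy '$External'"
    }
    if ($s.ExternalHostname -ne $External) {
        Write-Warning "$($s.Server): ExternalHostname '$($s.ExternalHostname)' differs from intended proxy '$External'"
    }
    if ($s.InternalClientAuthenticationMethod -ne $s.ExternalClientAuthenticationMethod) {
        Write-Warning "$($s.Server): internal client auth '$($s.InternalClientAuthenticationMethod)' differs from external client auth '$($s.ExternalClientAuthenticationMethod)'"
    }
    if ($s.IISAuthenticationMethods -notcontains $s.ExternalClientAuthenticationMethod) {
        Write-Warning "$($s.Server): IIS does not list the external client auth method '$($s.ExternalClientAuthenticationMethod)' (IIS: $($s.IISAuthenticationMethods -join ', '))"
    }
}
```

Compare the warnings against the proxy hostname and authentication method shown in a failing client's Outlook account settings to see which of the two sets of values that client actually received.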