Exchange 2010 Change SSL

AlliedAdmin
We just renewed our Exchange 2010 SSL certificate, and since you can't use internal addresses on the SSL certificate we are getting an error when Outlook connects to Exchange. I've changed all internal URLs to use our webmail FQDN, which is on the SSL cert. We are still getting the following error (see snapshots below) that references the original internal NetBIOS name (server.domain.loc).

One thing I noticed when testing the new internal URLs is that it asks for a username/password when going to it with a browser. When I use the internal NetBIOS name it loads right up....

example
https://webmail.domain/autodiscover/autodiscover.xml
"You do not have permission to view this directory or page."

https://server.domain.loc/autodiscover/autodiscover.xml
"This XML file does not appear to have any style information associated with it. The document tree is shown below."


Outlook 2010 error
Outlook 2007 Error
Do you have a reverse proxy (load balancer) or is your Exchange open straight from outside?
If you do, put the outside certificate on it and not on your Exchange servers. If you don't, I think you can copy your outside DNS zone to your internal DNS, change the addresses related to your Exchange accordingly and configure the internal URLs in Exchange (autodiscover.xml) to point to the same FQDNs as outside.

Good luck.

Author

Commented:
No reverse proxy (load balancer), and internal/external email is routed through a spam firewall. I changed the internal URLs using this guide.

http://www.petenetlive.com/KB/Article/0000036.htm
Same as I said, the article tells you to change your internal FQDNs to the public domain:
-InternalUrl https://mail.publicdomain.co.uk
What it doesn't tell you is that all your INTERNAL users will from now on go to your Exchange server through your firewall, since they will resolve the Exchange server to its external address (thus overloading your firewall for no good reason). This is why I suggested:
Copy your outside DNS zone to your internal DNS and change the addresses related to your Exchange accordingly (to the internal IP addresses)... this will not overload your firewall.
Good luck :D

Author

Commented:
Tru, we have internal DNS set up... mail.publicdomain.com would resolve to the internal IP address... that's not the issue I'm trying to fix. Thanks for your help though.
Ok, so when you run:
Get-WebServicesVirtualDirectory |fl identity,internalurl
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Get-OwaVirtualDirectory|select InternalUrl
Get-OabVirtualDirectory|select InternalUrl
Get-ecpVirtualDirectory|select InternalUrl
Get-MailboxDatabase|select rpcclientaccessserver

they point to your "external" fqdn?
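The check asked for in the reply above can be automated. The following is an added example, not part of the original thread: it reads the same URL settings in the Exchange Management Shell and reports whether each host name appears on the certificate enabled for IIS. The helper name Test-NameOnCert and the output column names are assumptions made for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Written to work on PowerShell 2.0, which Exchange 2010 uses.

# Names on the certificate(s) currently enabled for the IIS service
$certDomains = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Select-Object -Unique)

# Hypothetical helper: exact match, or a wildcard entry covering one label
function Test-NameOnCert([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect the internal URL settings queried in the thread
$rows = @()
$rows += Get-ClientAccessServer | Select-Object Identity,
    @{n='Setting'; e={'AutoDiscoverServiceInternalUri'}},
    @{n='Url';     e={$_.AutoDiscoverServiceInternalUri}}
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-EcpVirtualDirectory') {
    $rows += & $cmd | Select-Object Identity,
        @{n='Setting'; e={"$cmd InternalUrl"}},
        @{n='Url';     e={$_.InternalUrl}}
}

# Report each configured host name and whether the certificate covers it
$rows | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]"$($_.Url)").Host
    New-Object PSObject -Property @{
        Setting       = $_.Setting
        Identity      = "$($_.Identity)"
        Host          = $hostName
        OnCertificate = Test-NameOnCert $hostName $certDomains
    }
} | Sort-Object OnCertificate |
    Format-Table Setting, Host, OnCertificate, Identity -AutoSize
```

Rows with OnCertificate set to False are the settings that still hand clients a name the renewed certificate does not carry.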
Add a SRV record to your external DNS domain

  This is a sample of what it should look like if your mail server was email.noname.com

 For GoDaddy under the SRV (Service)
 _autodiscover _tcp  @ 0 0 443 email.noname.com 1 hour

 For DynDNS
 _autodiscover._tcp.noname.com 14400 SRV 0 0 443 email.noname.com

 For GoDaddy the setup is

 Name: @
 Target: email.noname.com
 Protocol: _tcp
 Service: _autodiscover
 Priority: 0
 Weight: 0
 Port: 443
 TTL: 1 Hour

 For DynDns Setup
 Host name is _autodiscover._tcp
 TTL is: 14400
 Record Type is: SRV
 Data is:  0 0 443 email.noname.com

Do not attempt to add this record to your Active Directory DNS

 In your Active Directory DNS, add the following zone in the Forward Lookup Zones as a Primary Zone
 email.noname.com
 Add an "A Record" in the zone with a blank name and the IP address of your internal Exchange server.
 Once it is in, ping email.noname.com from a workstation and it should return the internal IP address of your Exchange server. If someone from the outside pings email.noname.com it should return your public IP address.

 On the workstation you are testing from, run an elevated command prompt (Admin) and flush your DNS with the following command (restarting the workstation will also flush your DNS cache).

 IPCONFIG /flushdns
 
 You should no longer get the warning when you start Outlook.

Author

Commented:
All but the last one point to the FQDN

Get-MailboxDatabase|select rpcclientaccessserver

RpcClientAccessServer
---------------------
server.domain.loc
server.domain.loc
server.domain.loc


I'm starting to wonder if a restart is in order. Don't know how many random MS issues I've fixed by simply restarting the server lol

Author

Commented:
AlexantSystems,

I tried that as a quick workaround using the article below and it didn't work. Given the fact the end user would just get a different error message, I didn't investigate further.

https://support.microsoft.com/en-us/kb/2772058

"Note When the SRV record is used by an Outlook client, the user may receive the following message that advises the user of the redirection that is about to occur. We recommend that the user select the Don't ask me about this website again check box so that the message is not displayed again."
You can use this tool from Digicert to fix your setting on the Exchange server

https://www.digicert.com/internal-domain-name-tool.htm
Just set the RpcClientAccessServer on the mailbox databases through PowerShell
Get-Mailboxdatabase | Set-Mailboxdatabase -RpcClientAccessServer fqdnoftheserver
If you are still getting the message after adding ALL of the DNS records then something is not set right on your Exchange server. The tool I posted from Digicert should show you where the problem is.

Author

Commented:
Thanks all for your help. I reran all the commands and restarted the server. After the restart everything seems to be working perfectly! Thanks all!

Author

Commented:
Thanks!
Glad I could help, thanks for the feedback.
