Exchange 2010 Change SSL

We just renewed our Exchange 2010 SSL certificate, and since you can't use an internal address on the SSL cert we are getting an error when Outlook connects to Exchange. I've changed all internal URLs to use our webmail FQDN, which is on the SSL cert. We are still getting the following error (see snapshots below) that references the original internal NetBIOS name (server.domain.loc).

One thing I noticed when testing the new internal URLs is that it asks for a username/password when going to it with a browser. When I use the internal NetBIOS name it loads right up....

Example:
https://webmail.domain/autodiscover/autodiscover.xml
"You do not have permission to view this directory or page."

https://server.domain.loc/autodiscover/autodiscover.xml
"This XML file does not appear to have any style information associated with it. The document tree is shown below."


[Snapshot: Outlook 2010 error]
[Snapshot: Outlook 2007 error]
AlliedAdmin asked:

Nadav Solomon commented:
Do you have a reverse proxy (load balancer), or is your Exchange open straight from outside?
If you do, put the outside certificate on it and not on your Exchange servers. If you don't, I think you can copy your outside DNS zone to your internal DNS, change the addresses related to your Exchange accordingly, and configure the internal URLs in Exchange (autodiscover.xml) to point to the same FQDNs as outside.

Good luck.
0
AlliedAdmin (author) commented:
No reverse proxy (load balancer), and email, internal and external, is routed through a spam firewall. I changed the internal URLs using this guide.

http://www.petenetlive.com/KB/Article/0000036.htm
0
Nadav Solomon commented:
Same as I said, the article tells you to change your internal FQDNs to the public domain:
-InternalUrl https://mail.publicdomain.co.uk
What it doesn't tell you is that all your INTERNAL users will from now on go to your Exchange server through your firewall, since they will resolve Exchange to its external address (thus overloading your firewall for no good reason). This is why I suggested:
copy your outside DNS zone to your internal DNS and change the addresses related to your Exchange accordingly (to the internal IP addresses)... this will not overload your firewall.
Good luck :D
0

AlliedAdmin (author) commented:
True, we have internal DNS set up... mail.publicdomain.com would resolve to the internal IP address... that's not the issue I'm trying to fix. Thanks for your help though.
0
Nadav Solomon commented:
Ok, so when you run:
Get-WebServicesVirtualDirectory |fl identity,internalurl
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Get-OwaVirtualDirectory|select InternalUrl
Get-OabVirtualDirectory|select InternalUrl
Get-ecpVirtualDirectory|select InternalUrl
Get-MailboxDatabase|select rpcclientaccessserver

do they all point to your "external" FQDN?
0
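The checklist above is easier to act on when every name Exchange hands to Outlook is compared with the names actually on the certificate. The following script is an added example for this thread, not code from any of the posters; it runs in the Exchange 2010 Management Shell, uses the same Get-* cmdlets listed above plus Get-ExchangeCertificate, and the default FQDN and the function name Test-NameOnCert are placeholders of my own.

```powershell
# Added example (not from this thread): audit every name Exchange 2010 hands
# to Outlook against the names on the certificate bound to IIS, so a setting
# still on the old internal name stands out. Run in the Exchange Management
# Shell. The default FQDN below is a placeholder, not the poster's real name.
param(
    [string]$ExpectedFqdn = 'webmail.example.com'   # placeholder: your public FQDN
)

# Does a hostname appear on the certificate, honouring single-label wildcards?
function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        # "*.example.com" covers "host.example.com" but not "a.b.example.com"
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1)) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Names on the certificate(s) currently assigned to the IIS service.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Sort-Object -Unique

# Every client-facing name, gathered with the same cmdlets as the checklist.
# New-Object PSObject is used because the Exchange 2010 shell runs PowerShell 2.0.
$rows = @()
Get-WebServicesVirtualDirectory | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "EWS InternalUrl [$($_.Server)]"; Value = "$($_.InternalUrl)" } }
Get-ClientAccessServer | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "AutoDiscoverServiceInternalUri [$($_.Name)]"; Value = "$($_.AutoDiscoverServiceInternalUri)" } }
Get-OwaVirtualDirectory | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "OWA InternalUrl [$($_.Server)]"; Value = "$($_.InternalUrl)" } }
Get-OabVirtualDirectory | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "OAB InternalUrl [$($_.Server)]"; Value = "$($_.InternalUrl)" } }
Get-EcpVirtualDirectory | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "ECP InternalUrl [$($_.Server)]"; Value = "$($_.InternalUrl)" } }
Get-ActiveSyncVirtualDirectory | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "ActiveSync InternalUrl [$($_.Server)]"; Value = "$($_.InternalUrl)" } }
# RpcClientAccessServer is a bare FQDN rather than a URL; it is the server name
# Outlook stores in the profile, so it is checked alongside the URLs.
Get-MailboxDatabase | ForEach-Object {
    $rows += New-Object PSObject -Property @{ Setting = "RpcClientAccessServer [$($_.Name)]"; Value = "$($_.RpcClientAccessServer)" } }

# Reduce each value to a hostname and compare with the certificate and expected name.
$report = foreach ($r in $rows) {
    if (-not $r.Value)                    { $hostName = '(not set)' }
    elseif ($r.Value -match '^https?://') { $hostName = ([uri]$r.Value).Host.ToLower() }
    else                                  { $hostName = $r.Value.ToLower() }
    New-Object PSObject -Property @{
        Setting       = $r.Setting
        HostName      = $hostName
        OnCertificate = ($hostName -ne '(not set)') -and (Test-NameOnCert -HostName $hostName -CertNames $certNames)
        IsExpected    = ($hostName -eq $ExpectedFqdn.ToLower())
    }
}

$report | Select-Object Setting, HostName, OnCertificate, IsExpected | Format-Table -AutoSize
# Anything with OnCertificate = False is a name Outlook can complain about.
$report | Where-Object { -not $_.OnCertificate } | ForEach-Object {
    Write-Warning "$($_.Setting) uses '$($_.HostName)', which is not on the IIS certificate"
}
```

The script only reports; it changes nothing. A row with OnCertificate = False but IsExpected = False is a setting that was never switched to the new name, which is the situation the RpcClientAccessServer output later in this thread shows, and the Set-MailboxDatabase line given further down is the fix for that particular row.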

AlexantSystems commented:
Add an SRV record to your external DNS domain.

  This is a sample of what it should look like if your mail server were email.noname.com

 For GoDaddy under the SRV (Service)
 _autodiscover _tcp  @ 0 0 443 email.noname.com 1 hour

 For DynDNS
 _autodiscover._tcp.noname.com 14400 SRV 0 0 443 email.noname.com

 For GoDaddy the setup is

 Name: @
 Target: email.noname.com
 Protocol: _tcp
 Service: _autodiscover
 Priority: 0
 Weight: 0
 Port: 443
 TTL: 1 Hour

 For DynDns Setup
 Host name is _autodiscover._tcp
 TTL is: 14400
 Record Type is: SRV
 Data is:  0 0 443 email.noname.com

Do not attempt to add this record to your Active Directory DNS.

 In your Active Directory DNS, add the following zone under Forward Lookup Zones as a Primary Zone:
 email.noname.com
 Add an "A" record in the zone with a blank name and the IP address of your internal Exchange server.
 Once it is in, ping email.noname.com from a workstation and it should return the internal IP address of your Exchange server. If someone from the outside pings email.noname.com it should return your public IP address.

 On the workstation you are testing from, open an elevated command prompt (Admin) and flush your DNS cache with the following command (restarting the workstation will also flush the DNS cache).

 IPCONFIG /flushdns
 
 You should no longer get the warning when you start Outlook.
0
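The two views described in this answer (private address from inside, public address and SRV record from outside) can be checked from a domain workstation rather than by pinging and reading the result by eye. This is an added example, not code from the answer's author; it keeps the answer's sample names email.noname.com and noname.com, uses Resolve-DnsName and Clear-DnsClientCache from the Windows DnsClient module (Windows 8 / Server 2012 or later), and the public resolver address and the helper names are my own assumptions.

```powershell
# Added example (not from this thread): verify the split-DNS layout from a
# workstation. Names are the post's sample values; the public resolver
# address is an assumption, any public resolver will do.
param(
    [string]$MailHost         = 'email.noname.com',   # sample name from the post
    [string]$Zone             = 'noname.com',
    [string]$ExternalResolver = '8.8.8.8'             # assumed: any public resolver
)

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# A-record addresses for a name, optionally via a specific resolver.
function Get-ARecords {
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $p.Server = $Server }
    Resolve-DnsName @p | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

# SRV records for a name (objects carry NameTarget, Port, Priority, Weight).
function Get-SrvRecords {
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $p.Server = $Server }
    Resolve-DnsName @p | Where-Object { $_.Type -eq 'SRV' }
}

Clear-DnsClientCache   # same effect as IPCONFIG /flushdns in the post

# 1. Inside the LAN the single-host zone must answer with the private address.
$inside = @(Get-ARecords -Name $MailHost)
if ($inside.Count -eq 0) { Write-Warning "$MailHost does not resolve on the internal DNS" }
foreach ($ip in $inside) {
    if (Test-PrivateIPv4 $ip) { "OK   internal $MailHost -> $ip (private)" }
    else { Write-Warning "internal $MailHost -> $ip is public: the split zone is not being used" }
}

# 2. The same name through a public resolver should give the public address.
$outside = @(Get-ARecords -Name $MailHost -Server $ExternalResolver)
if ($outside.Count -eq 0) { Write-Warning "$MailHost does not resolve in public DNS" }
foreach ($ip in $outside) {
    if (Test-PrivateIPv4 $ip) { Write-Warning "public DNS leaks a private address for $MailHost ($ip)" }
    else { "OK   external $MailHost -> $ip" }
}

# 3. The SRV record lives in public DNS: port 443, target = the mail host.
$srvName = "_autodiscover._tcp.$Zone"
$srvOut = @(Get-SrvRecords -Name $srvName -Server $ExternalResolver)
if ($srvOut.Count -eq 0) { Write-Warning "no $srvName SRV record in public DNS" }
foreach ($s in $srvOut) {
    if ($s.Port -eq 443 -and $s.NameTarget -ieq $MailHost) { "OK   external SRV -> $($s.NameTarget):$($s.Port)" }
    else { Write-Warning "external SRV points at $($s.NameTarget):$($s.Port), expected ${MailHost}:443" }
}
```

Because the internal zone created in this answer covers only the single host email.noname.com, every other name under noname.com, the _autodiscover._tcp SRV record included, is still answered from the public zone even for internal clients, which is why the script queries the SRV record against a public resolver only. Step 1 failing with a public address usually means the workstation is not using the Active Directory DNS servers or the cache had not been cleared.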
AlliedAdmin (author) commented:
All but the last one point to the FQDN.

Get-MailboxDatabase|select rpcclientaccessserver

RpcClientAccessServer
---------------------
server.domain.loc
server.domain.loc
server.domain.loc


I'm starting to wonder if a restart is in order. Don't know how many random MS issues I've fixed by simply restarting the server lol
0
AlliedAdmin (author) commented:
AlexantSystems,

I tried that as a quick workaround using the article below and it didn't work. Given that the end user would just get a different error message, I didn't investigate further.

https://support.microsoft.com/en-us/kb/2772058

"Note When the SRV record is used by an Outlook client, the user may receive the following message that advises the user of the redirection that is about to occur. We recommend that the user select the Don't ask me about this website again check box so that the message is not displayed again."
0
AlexantSystems commented:
You can use this tool from DigiCert to fix your settings on the Exchange server:

https://www.digicert.com/internal-domain-name-tool.htm
0
Nadav Solomon commented:
Just set the RpcClientAccessServer on the mailbox databases through PowerShell.
0
Nadav Solomon commented:
Get-Mailboxdatabase | Set-Mailboxdatabase -RpcClientAccessServer fqdnoftheserver
0
AlexantSystems commented:
If you are still getting the message after adding ALL of the DNS records, then something is not set right on your Exchange server. The tool I posted from DigiCert should show you where the problem is.
0
AlliedAdmin (author) commented:
Thanks all for your help. I reran all the commands and restarted the server. After the restart everything seems to be working perfectly! Thanks all!
0
AlliedAdmin (author) commented:
Thanks!
0
Nadav Solomon commented:
Glad I could help, thanks for the feedback.
0