Solved

Hosted Exchange issues Autodiscover and redirect

Posted on 2016-07-14
Last Modified: 2016-08-25
G'day guys,

I spent a while on the phone to the hosted exchange provider trying to resolve this but he could not.

Basically what happens is that I have a bunch of clients who use Hosted Exchange services. Now most clients use me or some other 3rd party to host their websites, DNS, etc but I generally like to move every client to Hosted Exchange because I just can't compete and it means it becomes someone else's responsibility to make sure that it is up and running 24/7.

Now this works fine, up until the following scenario.

Joe Bloggs has a domain called joebloggs.com

Website is hosted with me. DNS management is with my hosting provider, along with domain registration.
IP of the server is 103.241.2.211 (this is a shared cPanel server, I'm just one of the resellers on this server).

I use Hosted Exchange through iiNet - https://iihelp.iinet.net.au/DNS_records_for_Hosted_Exchange
Followed the DNS records to the letter.

So for the DNS I would have something like this:

WEBSITE
joebloggs.com. 14400 A 103.241.2.211
www.joebloggs.com. 14400 CNAME joebloggs.com.

EMAIL
joebloggs.com. 14400 MX 10 smtp.exchange.iinet.net.au.
autodiscover.joebloggs.com. 14400 CNAME autodiscvr.exchange.iinet.net.au.
webmail.joebloggs.com. 14400 CNAME exchange.iinet.net.au.
joebloggs.com. 14400 TXT "v=spf1 redirect=exchange.iinet.net.au"

Now my issues are these:

1) When configuring Outlook or similar to connect through using the Autodiscover feature it always complains that the SSL Certificate is wrong - it picks up the SSL Certificate in use at 103.241.2.211 (keep in mind it is shared hosting so that could be anything)

2) If I try to use the webmail.joebloggs.com in the URL bar, it will error with a certificate issue because it clearly doesn't match the name attributed to the exchange.iinet.net.au

So my question(s) are these:

1) How do I fix the autodiscover so that rather than picking up the SSL certificate used at 103.241.2.211 it picks up the certificate used at the Hosted Exchange provider??

2) How do I set up a tailored DNS record like webmail.joebloggs.com to redirect me without causing an SSL Certificate issue? I'm happy for the URL to change, I just want my clients to type in something familiar to them.

Thanks in advance.

Steven Swarts
TechCare
Question by:sjswarts
13 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41711779
Instead of using a CNAME record for autodiscover, use a SRV record instead.  That should resolve the ssl cert error for that part.

Create that record as follows:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: autodiscvr.exchange.iinet.net.au
Weight: 0
Priority: 0

Also make sure that your DNS Zone doesn't have any wildcard "*" A or CNAME records.

For the webmail issue, you can use a redirect instead of a CNAME.  The URL will change in the user's browser, but at least it won't have the SSL error.  Configure a redirect in cPanel > Domains > Redirects
1
 
LVL 1

Expert Comment

by:Raghu Addanki
ID: 41711792
That's by design. It checks www or domain.com first and then moves on to discover the Autodiscover record.

That is why you see invalid or failed lookup wrt SSL.

I am currently driving, and if no one else helps you with how it works and how to correct the records, I will do so in the next 3 hours.

But you can get a good grip on it here in the meantime:

http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
1
 
LVL 16

Expert Comment

by:FOX
ID: 41712860
I hope it is not throwing an error because of your typo

autodiscover.joebloggs.com. 14400 CNAME autodiscvr.exchange.iinet.net.au. << Do you intentionally have the o missing in autodiscover in your CNAME?

autodiscover.exchange.iinet.net.au
0
 

Author Comment

by:sjswarts
ID: 41713014
@foxluv if you look at the link provided by iiNet (Hosted Exchange Provider) they have it set like that for whatever reason.

Also it's missing more than just the o :p
0
 

Author Comment

by:sjswarts
ID: 41713121
@Jeffrey Kane

You seem to be on the right track. I was sure that I read somewhere today that I shouldn't use SRV records, but maybe that is only when you have an SSL certificate for autodiscover.domain.com - https://www.reddit.com/r/exchangeserver/comments/3qm2l8/autodiscoverdomaincom_is_getting_ssl_certificate/

As it stands I've removed the autodiscover and replaced it with this (keep in mind this is cPanel so it's a little different)

_autodiscover._tcp 3600 0 0 443 autodiscvr.exchange.iinet.net.au.

cPanel SRV vs CNAME autodiscover
Attached is a screen shot of my options and also what I originally had.

However when I do this it still doesn't autodiscover correctly on my Android phone (might work on others). What I mean is that it correctly asks me if it should use the found SRV record pointing to autodiscover.exchange.iinet.net.au but then it doesn't populate the server field correctly which obviously fails because it fills it with joebloggs.com rather than exchange.iinet.net.au.

I am fixing my Outlook to try it locally at my office so I will report back with any findings.

As for the redirects, that does work. However, I found that you missed a step: first you need to create a subdomain and then you have the option to redirect that subdomain. For our example:

Create subdomain webmail.joebloggs.com

Redirect webmail.joebloggs.com permanently (301) to exchange.iinet.net.au

Then it works beautifully. Is this what you meant? Be nice if that extra step wasn't there.
0
 

Author Comment

by:sjswarts
ID: 41713795
@Raghu Addanki

Thanks for that article. I presumed that was the case.

I guess the only way it is possible for me to resolve this then is to get my clients to buy a dedicated IP for their public website?? Make sure they don't utilise SSL certificate OR have a current one??

A shared IP (which is commonly used for cheap website hosting) appears to cause this issue.
0
 
LVL 1

Expert Comment

by:Raghu Addanki
ID: 41713828
Perfect sjswarts!
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41714452
Make sure they don't utilise SSL certificate OR have a current one??

No, you missed a fine point in that article -- you want to make sure that if you do have an SSL certificate on your public web site that it includes the ROOT (ie, joebloggs.com) as well as www.joebloggs.com.  Then it won't throw a certificate error.
1
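The following is an added example and not part of any participant's post: it simulates the lookup order described in this thread (root domain, then autodiscover.<domain>, then the SRV target) and checks each requested name against the certificate presented for it. The certificate name lists, the `othertenant.example` tenant and the function names are constructed assumptions; only the hostnames from the question are taken from the page.

```python
# Added example: simulates the Autodiscover lookup order discussed in this thread.
# All certificate name lists below are constructed sample data.

def name_matches(host, pattern):
    """Certificate name check: exact match, or a '*.' wildcard covering one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.example.com' covers 'a.example.com' but not 'example.com' itself
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def candidates(domain, srv_target=None):
    """HTTPS names tried in order: root domain, autodiscover.<domain>, SRV target."""
    steps = [("root", domain), ("autodiscover-host", "autodiscover." + domain)]
    if srv_target:
        steps.append(("srv", srv_target.rstrip(".")))
    return steps

def walk(domain, listeners, srv_target=None):
    """listeners maps a requested name to (certificate names, serves_autodiscover).
    A missing name means nothing answers on 443 for it."""
    results = []
    for step, host in candidates(domain, srv_target):
        if host not in listeners:
            results.append((step, host, "no-answer"))
            continue
        cert_names, serves = listeners[host]
        if not any(name_matches(host, n) for n in cert_names):
            results.append((step, host, "cert-mismatch"))  # client shows a warning
        elif serves:
            results.append((step, host, "autodiscover-found"))
            break
        else:
            results.append((step, host, "tls-ok-no-autodiscover"))
    return results

DOMAIN = "joebloggs.com"
SRV = "autodiscvr.exchange.iinet.net.au."
SHARED = (["othertenant.example"], False)                # constructed: shared-IP default cert
PROVIDER = (["autodiscvr.exchange.iinet.net.au"], True)  # assumed provider cert names

# Original zone: CNAME for autodiscover, website on a shared IP
cname_zone = {DOMAIN: SHARED, "autodiscover." + DOMAIN: PROVIDER}
# SRV instead of CNAME, website certificate covering root and www
srv_zone = {DOMAIN: (["joebloggs.com", "www.joebloggs.com"], False),
            "autodiscvr.exchange.iinet.net.au": PROVIDER}

if __name__ == "__main__":
    for label, zone, srv in (("CNAME", cname_zone, None), ("SRV", srv_zone, SRV)):
        print(label, walk(DOMAIN, zone, srv))
```

To compare against a live zone, the real certificate names for each requested host can be read with `openssl s_client -connect host:443 -servername host` and substituted for the constructed lists.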
 

Author Comment

by:sjswarts
ID: 41714456
@Jeffrey - don't all www certificates automatically secure root domains?

For example:

Buy 2 year SSL Certificate for www.joebloggs.com and it covers both https://www.joebloggs.com and https://joebloggs.com

Although I presume that this is not the case for any other subdomains.
0
 

Author Comment

by:sjswarts
ID: 41714459
@Jeffrey why doesn't the SRV record work to configure autocomplete properly?

I noticed that if I only have the SRV record it fills the "Server" section to my android device with "joebloggs.com".

But if I use the autodiscover A record it fills it just fine and works like a charm, of course not if there isn't a dedicated IP for the public website or a current SSL certificate.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points (awarded by participants)
ID: 41714476
Unfortunately this seems to be a problem with Android: https://goo.gl/cLPjqZ

But when creating the autodiscover record in cPanel be sure that the Name field has the following:
_autodiscover._tcp.joebloggs.com.

I just tested creating one in cPanel and it actually added the domain name automatically after I entered the _autodiscover._tcp. part
1
 

Author Comment

by:sjswarts
ID: 41714635
Hmmm interesting find.

I'll have to investigate further, but thanks for the heads up.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41769947
author abandoned
0
