aangerson asked:

Exchange Server 2016 certificate error

Please read all details before posting a solution, as I have seen many that do not fix the issue.
I am in the process of migrating from Exchange 2010 to 2016.
I have 2 Exchange 2016 servers up and running and have migrated some test mailboxes. Mail flow works with no problem and webmail works with no certificate errors, but when the client opens Outlook 2010 they receive this error both internally and externally. I have the proper patches applied to Outlook, as this error happens with other versions of Office/Outlook.
"There is a problem with the proxy server's security certificate" (error code 10)
I am aware that this error seems to be coming from the proxy settings in Outlook, which is currently resolving to the internal server name, Server.XXXX.com.
I currently have a valid third-party certificate installed on the 2016 server for Webmail.XXXX.com and have all of the virtual directories pointing to this address.
I do have the settings for Outlook Anywhere set to internal = Server.XXXX.com and external = the webmail address, as I have read this is how it should be configured.
I have also tested changing the external to Webmail.XXX.com and still receive the error.
I believe the issue is with the check box in Outlook that says "Only connect to proxy servers that have this principal name in the certificate", which is the internal server name.
Do I need to add the internal servers to the published certificate?

Any help is appreciated.
Tom Cieslik:

You can't add an internal server name to a 3rd-party certificate, but you can create a new reverse lookup zone in your local DNS.
Name it like your external email server (same as in the certificate), for example exchange.mydomain.com.
Inside, create an A record and point it to your local Exchange IP address.
Create a second forward lookup zone, autodiscover.yourlocaldomain.local (use your internal DNS name).
Inside, leave only your DNS server (or more if you have more),

like:
(same as parent folder)        Name Server (NS)       dnsserver.yourdomain.local

This will allow you to ping your local Exchange using the external name from inside and ask your local DNS server(s) about the connection.

Try to go to local OWA from inside using the external address and check if there is a certificate error.

Then create a new profile in Outlook. In the proxy setting use the external name, https://exchange.yourdomain.com, and in the SSL connector use the same address, msstd:exchange.yourdomain.com.


This is my setup and it is working with no problem.
I hope that inside your certificate you have all your names registered:

exchange.yourdomain.com
autodiscover.yourdomain.com

and you have an A record in external DNS for autodiscover and the Exchange server pointing to your external IP, and also you have an SPF record pointing to your Exchange name (the MX IP address).
It should work now.
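The zone-per-hostname ("pinpoint") approach Tom describes can be scripted on a Windows DNS server, and the certificate presented on the internal address can be inspected from a client to confirm it carries the external name. The following is an added example, not code from the thread or from any product documentation; the host name, IP address and the `Get-ServerCertificateNames` helper are placeholders and assumptions, and the DnsServer module cmdlets must be run on (or remoted to) the DNS server.

```powershell
# Added example (not from the thread): create an internal zone named after the
# external Exchange host name so internal clients resolve it to the internal IP,
# then check that the certificate served on that address lists the same name.
# All names and addresses below are placeholders, not values from the question.
Import-Module DnsServer

$ExternalName = 'exchange.yourdomain.com'   # name on the third-party certificate (placeholder)
$InternalIp   = '10.0.0.25'                 # internal IP of the Exchange server (placeholder)

# A zone whose name IS the host name holds only a "(same as parent)" A record, so it
# overrides that single name without shadowing the rest of the public domain.
if (-not (Get-DnsServerZone -Name $ExternalName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalName -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIp

# Verify from an internal client: the external name must now resolve to the internal IP...
Resolve-DnsName -Name $ExternalName -Type A | Select-Object Name, IPAddress

# ...and the TLS certificate on port 443 must carry that exact name in its SAN list.
# Hypothetical helper: opens a TLS session and returns the presented certificate's names.
function Get-ServerCertificateNames {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate only so the cert can be read here;
        # the actual name check is performed explicitly below.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        [pscustomobject]@{
            Subject = $cert.Subject
            Names   = if ($san) { $san.Format($false) } else { '(no SAN extension)' }
            Expires = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

$info = Get-ServerCertificateNames -HostName $ExternalName
$info
if ($info.Names -notmatch [regex]::Escape($ExternalName)) {
    Write-Warning "Certificate does not list $ExternalName; Outlook will keep raising the proxy certificate error."
}
```

The SAN check is the part worth keeping: Outlook compares the proxy principal name against the certificate's DNS names, so a DNS override only helps when the name being resolved is one the certificate actually contains.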
Hi,

Just to add to @Tom Cieslik's reply:

If you choose to go that way, make sure to create ALL DNS records in that zone, as you have them on the public DNS server. If you forget to add a record for some website or something that you have in public DNS, then computers in your LAN will never be able to get to them, since they will only ask your private DNS server.

Regards,
Ivan.
@Ivan
Yes, but that's only if you're using the same certificate to get to your website. If not, then there is no point adding ALL to the certificate, since it is going to be used only for Exchange.
ASKER CERTIFIED SOLUTION
Viral Rathod:
Hi,

@Tom Cieslik

Maybe I was not clear :) I don't mean to add names to the certificate, but to add names to the internal DNS zone that you have created.
If you don't add names to the internal zone, and you have some additional names in the public DNS zone, then your internal users won't be able to get to those resources, sites...

Regards,
Ivan.
aangerson (ASKER):
Tom and others,

Thanks for your reply. I am a bit confused though, so I'll provide more details as this may help. I have a split DNS, internal/external.
I am running 2016 (2 servers with DAG) and 2010 in coexistence, as I am going to start moving mailboxes to the 2016 once the error is resolved. As it stands, the DNS records are set as the following.

Webmail.XXX.com points to the 2016 server (both internal and external records); mobile devices use this address to connect
Autodiscover.XXX.com points to the 2016 server (both internal and external records)


I have set ALL of the virtual directories' internal and external configuration to Webmail.XXX.com (per Viral's comment above). I currently own a third-party certificate for webmail which has been configured on both 2016 Exchange servers.

The only virtual directory that has the internal setting set to Server.XXX.com is Outlook Anywhere. Due to the error that I am receiving, I have tested changing this to webmail.xxx.com, as the message I am receiving states that it is looking for webmail. This did not resolve the issue.

According to Symantec support, who we buy our certificates from, you can add Server.XXX.com to the existing certificate; it's called a replacement.

I don't understand how creating a reverse DNS is going to solve the issue, and I also already have the webmail record configured. If you can, please explain in more detail.
Don't worry, there is no need to add domain.xxxx.com to the certificate; the certificate warning is expected.

See, in our case we don't have autodiscover.xxxxx.com in our certificate, we have webmail.xxxx.com in our certificate.

So now when you are starting Outlook, autodiscover is not getting its name in the certificate, so we are getting the certificate warning.
Now to fix this issue we need to create an SRV record which will point Autodiscover.domain.com to our certificate name, webmail.domain.com.
To create the SRV record you need to delete the A record which resolves to the server name.

The Autodiscover.domain.com A record needs to be deleted.
While creating the SRV record, the host offering the service should be webmail.domain.com.
Externally you also have to create SRV records.

The following records must be there in external DNS.

Previously:

FQDN                      DNS record type   Value
domain.com                MX                Mail.domain.com
mail.domain.com           A                 172.16.10.11
autodiscover.domain.com   A                 172.16.10.11 (deleted)

After creating SRV records:

FQDN                      DNS record type   Value
domain.com                MX                Mail.contoso.com
mail.domain.com           A                 172.16.10.11
mail.domain.com           SRV               _autodiscover
Since you need a detailed explanation, please refer to the following article, which shows how Autodiscover works, why you need to create SRV records, and how to fix this issue:

https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/
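The record change Viral describes (drop the autodiscover A record, publish `_autodiscover._tcp` pointing at the certificate name) can be applied and verified with the Windows DnsServer cmdlets. This is an added example, not code from the thread or from the linked article; the zone name, the certificate host name and the port are placeholders and assumptions, and the same two records would need to be created on the public DNS provider for external clients.

```powershell
# Added example (not from the thread): replace the autodiscover A record with an SRV
# record whose target is the name on the certificate, then prove the lookup chain a
# client follows. Zone and host names are placeholders, not values from the question.
Import-Module DnsServer

$Zone     = 'domain.com'            # SMTP domain (placeholder)
$CertName = 'webmail.domain.com'    # name present on the third-party certificate (placeholder)

# 1. Remove the autodiscover A record. Outlook tries https://autodiscover.<domain>/
#    before the SRV lookup, so while the A record exists the SRV record is never used
#    and the name mismatch warning keeps appearing.
Remove-DnsServerResourceRecord -ZoneName $Zone -Name 'autodiscover' -RRType 'A' -Force -ErrorAction SilentlyContinue

# 2. Publish _autodiscover._tcp.<zone> -> <certificate name>:443.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_autodiscover._tcp' `
    -DomainName $CertName -Priority 0 -Weight 0 -Port 443

# 3. Verify the chain: SRV -> target host name -> A record.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV
$srv | Select-Object Name, NameTarget, Port, Priority, Weight
Resolve-DnsName -Name $srv.NameTarget -Type A | Select-Object Name, IPAddress

# Outlook accepts the SRV redirect only when the target name matches the certificate,
# so flag a target that is not the certificate name.
if ($srv.NameTarget -ne $CertName) {
    Write-Warning "SRV target $($srv.NameTarget) is not the certificate name $CertName."
}
if (Resolve-DnsName -Name "autodiscover.$Zone" -Type A -ErrorAction SilentlyContinue) {
    Write-Warning "autodiscover.$Zone still resolves; Outlook will use it before the SRV record."
}
```

Run the verification part from a domain client after the change replicates: the two warnings catch the two ways this configuration is usually left half done, an SRV record pointing at a name the certificate does not contain, and an A record that was never removed.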
So as it turns out, I was able to add Webmail.xxx.com to the Outlook Anywhere internal setting and that seemed to resolve the issue. Thanks for your assistance.
Thanks Viral. Both the internal and external Outlook Anywhere host names need to be the same.
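The fix the asker settled on, the same host name for both Outlook Anywhere settings with that name present on the IIS-bound certificate, can be applied and checked from the Exchange Management Shell. This is an added example, not the thread's or Microsoft's code; the host name is a placeholder, the version filter assumes Exchange 2016 servers report a major version of 15, and `-InternalClientsRequireSsl`/`-ExternalClientsRequireSsl` are set to match a certificate-backed HTTPS setup.

```powershell
# Added example (not from the thread): set both Outlook Anywhere host names to the
# certificate name on every Exchange 2016 server, then confirm that name is on the
# certificate bound to IIS. Run in the Exchange Management Shell; names are placeholders.
$CertName = 'webmail.domain.com'

# Exchange 2016 reports AdminDisplayVersion 15.x (assumption used for the filter).
$servers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -ge 15 }

foreach ($s in $servers) {
    Set-OutlookAnywhere -Identity "$($s.Name)\Rpc (Default Web Site)" `
        -InternalHostname $CertName -ExternalHostname $CertName `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
}

# Check 1: internal and external host names now match on every server.
Get-OutlookAnywhere | Format-Table Server, InternalHostname, ExternalHostname -AutoSize

# Check 2: the certificate assigned to IIS on each server actually lists that name.
foreach ($s in $servers) {
    $iisCerts = Get-ExchangeCertificate -Server $s.Name | Where-Object { $_.Services -match 'IIS' }
    foreach ($c in $iisCerts) {
        $names = $c.CertificateDomains | ForEach-Object { $_.ToString() }
        [pscustomobject]@{
            Server      = $s.Name
            Thumbprint  = $c.Thumbprint
            HasCertName = ($names -contains $CertName)
            Expires     = $c.NotAfter
        }
    }
}
```

A row with `HasCertName` false is the condition that produces the "problem with the proxy server's security certificate" dialog: Outlook is told to expect one principal name and the server presents a certificate without it.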