David Stevens

asked on

Problem with external Outlook 2016 clients using old SSL certificate

I have a client with an SBS 2011 server who changed the email domain from mail.XXX-uk.com to remote.XXX.com. The internet domain name wizard was run reflecting the new domain, and hence the new remote domain name of remote.XXX.com, and a new verified SSL certificate was installed. Outlook Web Access and Remote Web Workplace work fine. All the internal clients appear to be connecting fine, but the 2 remote clients, which are Outlook 2016, are not connecting when using Outlook Anywhere and they get an error message "there is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.XXX-uk.com." The actual target should be remote.XXX.com.
I did have a problem with the mail.XXX being stuck on the Exchange 2010 SMTP service but it appears to be cleared now.
David Favor

Really difficult to guess without real hostnames for testing.

What you'll have to do is first test the SSL setup for each host in your proxy chain, using a public tester like SSL Labs tester.

If this works (I'm guessing it will), then you'll likely require all the Outlook clients accessing to be updated.

My guess is you may have clients missing some ciphers or some other code out of date, since some clients work + others fail.

Also keep in mind, remote clients will be connecting via a completely different path of proxies than internal clients, so be sure you verify all SSL certs are exactly the same on all proxies or are passing through SSL connections correctly. Proxies can be a bit complex to get working.

Tip: Try connecting to your external proxy using an up to date client, like Thunderbird, to see if that works.
David Stevens

ASKER

Ah, I should have made this question Private, I see. However, with my limited knowledge I ran a "Get-AutodiscoverVirtualDirectory" command and it returned NAME: Autodiscover SERVER: Servername INTERNALURL: https://mail.XXX-uk.com/autodisco......
Better to use a public tester against your public server + then expose the proxy server IP + run against this one too.

The differences in reports will likely surface the problem.

If there's no difference, then the problem is likely someone has an old client + they need to update something that's been fixed for a long time.
Does the firewall have the certificate installed? Sounds like it might need to be updated.
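
An added example, not part of the original thread: a Python check for the comparison suggested in the replies above, which fetches the certificate each hop serves and reports any hop whose certificate does not cover a hostname the clients ask for. The endpoint labels, `example.com` names and fingerprints are constructed stand-ins for the redacted hosts; `fetch` needs network access and is not called on the sample data.

```python
import hashlib
import socket
import ssl

def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def covers(cert, host):
    """True if a getpeercert()-style dict lists host among its DNS SANs."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(n, host) for n in sans)

def fetch(addr, sni, port=443, timeout=10):
    """Return (SHA-256 fingerprint, parsed cert) served at addr for the SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; covers() reports on names
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()

def audit(observations, client_names):
    """observations: {label: (fingerprint, cert)}; client_names: hosts clients ask for."""
    findings = []
    if len({fp for fp, _ in observations.values()}) > 1:
        findings.append("endpoints serve different certificates")
    for label, (_, cert) in sorted(observations.items()):
        for name in client_names:
            if not covers(cert, name):
                findings.append(f"{label}: certificate does not cover {name}")
    return findings

# Constructed sample data (not from the thread): the public listener serves the
# new certificate, a second hop still serves the old one.
NEW = {"subjectAltName": (("DNS", "remote.example.com"),)}
OLD = {"subjectAltName": (("DNS", "mail.example-uk.com"),)}
SAMPLE = {"firewall": ("bb" * 32, OLD), "public": ("aa" * 32, NEW)}

if __name__ == "__main__":
    for line in audit(SAMPLE, ["remote.example.com"]):
        print(line)
```

Passing both the old and new hostnames as `client_names` also shows the case in the question, where a client still asks for the old name and the new certificate does not cover it.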
ASKER CERTIFIED SOLUTION
David Stevens