David Stevens

Problem with external Outlook 2016 clients using old SSL certificate

I have a client with an SBS 2011 server who changed the email domain from mail.XXX-uk.com to remote.XXX.com. The internet domain name wizard was run reflecting the new domain, and hence the new remote domain name of remote.XXX.com, and a new verified SSL certificate was installed. Outlook Web Access and Remote Web Workplace work fine. All the internal clients appear to be connecting fine, but the 2 remote clients, which are Outlook 2016, are not connecting when using Outlook Anywhere, and they get an error message: "There is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.XXX-uk.com." The actual target should be remote.XXX.com.
I did have a problem with the mail.XXX being stuck on the Exchange 2010 SMTP service, but it appears to be cleared now.
Exchange, Outlook, SBS, SSL / HTTPS


8/22/2022 - Mon
David Favor

Really difficult to guess without real hostnames for testing.

What you'll have to do is first test the SSL setup for each host in your proxy chain, using a public tester like SSL Labs tester.

If this works (I'm guessing it will), then you'll likely require all the Outlook clients accessing to be updated.

My guess is you may have clients missing some ciphers or some other code out of date, since some clients work + others fail.

Also keep in mind, remote clients will be connecting via a completely different path of proxies than internal clients, so be sure you verify all SSL certs are exactly the same on all proxies or are passing through SSL connections correctly. Proxies can be a bit complex to get working.

Tip: Try connecting to your external proxy using an up to date client, like Thunderbird, to see if that works.
David Stevens

ASKER
Ah, I should have made this question Private, I see. However, with my limited knowledge I ran a "Get-AutodiscoverVirtualDirectory" command and it returned NAME: Autodiscover SERVER: Servername INTERNALURL: https://mail.XXX-uk.com/autodisco......
David Favor

Better to use a public tester against your public server + then expose the proxy server IP + run against this one too.

The differences in reports will likely surface the problem.

If there's no difference, then the problem is likely someone has an old client + they require to update something, that's been fixed a long time.
Michael B. Smith

Does the firewall have the certificate installed? Sounds like it might need to be updated.
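
The checks suggested in this thread, as an added example that is not part of the original posts: compare the hostnames in the URLs Exchange hands out (such as the INTERNALURL returned by Get-AutodiscoverVirtualDirectory) with the names on the new certificate, and confirm that every hop a remote client passes through (public name, firewall or proxy) serves the same certificate. The hostnames and URLs are constructed placeholders and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(urls, sans):
    """Hostnames taken from configured service URLs that no certificate name covers."""
    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(h for h in hosts if h and not any(name_matches(s, h) for s in sans))

def served_cert(ip, sni, port=443, timeout=5):
    """Connect to one hop by IP, send `sni`, return (SHA-256 fingerprint, DNS SANs).
    Chain validation stays on; only the hostname check is disabled so that a
    certificate with the wrong name can still be read and reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
            names = tls.getpeercert().get("subjectAltName", ())
    return hashlib.sha256(der).hexdigest(), [v for k, v in names if k == "DNS"]

def hops_disagree(results):
    """results: {hop label: (fingerprint, sans)}; True if hops serve different certs."""
    return len({fp for fp, _ in results.values()}) > 1

# Constructed sample data (placeholders, not the asker's real names).
CONFIGURED_URLS = [
    "https://mail.example-uk.com/autodiscover/autodiscover.xml",  # stale old name
    "https://remote.example.com/owa",
    "https://remote.example.com/Microsoft-Server-ActiveSync",
]
NEW_CERT_SANS = ["remote.example.com", "autodiscover.example.com"]

if __name__ == "__main__":
    print("URLs the certificate does not cover:",
          uncovered_hosts(CONFIGURED_URLS, NEW_CERT_SANS))
```

For a live comparison, call served_cert() once per hop (for example the public IP and the firewall's IP, both with the new hostname as SNI) and pass the collected results to hops_disagree().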
ASKER CERTIFIED SOLUTION
David Stevens
