Autodiscover DNS Question
Hi all,
I installed a server running CAS & HT roles Friday (went with few hiccups, yay!). Now I am creating the certificate request and I got to thinking about the DNS implications of the external "autodiscover.company.com" DNS record and how my firewall can handle the forwarding request.
First, I have my ISP hosting my DNS. Secondly, as is my understanding, with the way my firewall handles NAT, I cannot have two separate external DNS records forwarding to my single CAS.
Seeing as how both autodiscover.company.com and mail.company.com are hitting the same IP address internally and externally, can the autodiscover.company.com be an alias record? Or can I simply configure the Autodiscover service to use the same URL as mail.company.com?
Thanks in advance! :)
October 18th, 2010 1:06pm
You should be able to create two different A records (mail. and autodiscover.) pointing to the same IP address without issues. Your firewall is just looking at the IP traffic, doesn't really care about what names you are using. I have never seen an external DNS only allow one name per IP address. I would use an A record for autodiscover instead of a CNAME. I have seen the CNAME cause issues in the past.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
October 18th, 2010 1:16pm
That's what I was thinking, but my ISP (who also currently manages my firewall...I failed to mention that previously) says that there are NAT issues doing it that way. Knowing the tech I worked with, I think he's either full of excrement or he simply set up our firewall, a FortiGate, in such a way that it won't handle requests this way...
I can't say either way; frankly, he's not very easy to work with. Our only real saving grace is that we are planning on changing things up with our ISP and firewall(s) within the next month or so. Heck, we're probably not even going to utilize the autodiscover externally until then, anyway.
October 18th, 2010 1:34pm
I just don't understand what this has to do with the firewall. External DNS is going to translate a name to an IP address. It is going to get to the firewall via the IP not the name. There is only going to be one NAT translation in the firewall: the external public IP to the internal IP of the CAS. If there is already a NAT rule for mail., then just make the external DNS change for autodiscover. and see what happens.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
October 18th, 2010 1:43pm
...If there is already a NAT rule for mail., then just make the external DNS change for autodiscover. and see what happens.
That might be what I needed to hear. I'll try to throw that at him and see what he says. ;)
Thanks Tim!
October 18th, 2010 1:55pm
Oh, you know what? I understand now...
When we contacted him a couple of weeks ago it was in reference to creating a DNS record for legacy.company.com with an IP address separate from our current mail.company.com. I guess we can't NAT those two external IP addresses to one internal IP address.
So creating separate records for autodiscover. and mail. I'd like to think will be okay. I'll be sending off an e-mail to them shortly to create the record and the new firewall rule.
October 18th, 2010 2:06pm
That is correct. The legacy will point to your older Exchange server. mail. and autodiscover. will point to your new CAS.
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
October 18th, 2010 2:41pm