I have autodiscover configured to go to https://autodiscover.domain.com/autodiscover/autodiscover.xml this points to a VIP on an F5 load balancer.

My certificate is *.domain.com

I have a few SMTP domains not in the certificate

a user has joe.bloggs@anotherdomain.com but when I configure an outlook profile it hangs on search for server settings for about 5-10 minutes then eventually comes back with the message saying allow http to https redirect to https://autodiscover.domain.com/autodiscover/autodiscover.xml

i thought this process would be seamless rather than having to supress this with a reg

You need an DNS SRV record,

_autodiscover._tcp.anotherdomain.com resovled to 0 0 443 autodiscover.domain.com

this is for internal email not outlook anywhere do i need the SRV on internal DNS too?

Yes, it applies to internal client as well.

Btw, internal client is also using Outlook Anywhere.

Great thanks for the answer, I just thought any internal client would use the autodiscover scp from AD... we do not have all smtp domains as internal DNS zones so do I need to create them to get around this?

If your client PC are domain joined, they will always use SCP before DNS.

In this case you need this,

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

This is what I have set already, it looks like we may have an issue with autodiscover internally as we are seeing the redirect error so the SCP is failing, I am seeing certificate issues on RCA,  I think because the certificate revocation check has failed as we have blocked outbound internet access on the CAS servers for web traffic

CRL should not cause that.

Can you post your autodiscover test log here?

The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
	The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
	Additional Details   The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. Elapsed Time: 659 ms.

this happens internally as well, however I can browse to https://autodiscover.domain.com/autodiscover/healthcheck.htm from a web browser on an external and internal IE client (no cert errors and chain is good)...

I see no errors on event logs on servers, we are going through F5 load balancer and have isolated each CAS 1 by 1 so don't think its a particular server error, this was working yesterday but nothing has changed to my knowledge, only thing I can see if the revocation check has failed on the c

update: someone has installed Symantec endpoint on the CAS's but it is disabled, I will try to remove this...

From the client running Outlook, ctrl-right-click the Outlook icon in the system tray, Test Email AutoConfiguration, start Test.

Take a look at the Log tab

I would if I had any...this is a vanilla deployment and unable to connect any outlook clients at the moment since this started happening.

this seems to be all ssl traffic not just autodiscover

You can configure your Outlook manually while AutoDiscover is not working.