It is the certificate that is the problem.
If you are still getting trust errors in IE then you didn't install it correctly.
Exchange 2013 is completely web services based and uses SSL heavily. The URLs configured in the server need to match the SSL certificate. Even in a lab I will use trusted SSL certificates - if it is for internal or controlled use only, a one-year single-name SSL certificate can be found pretty cheaply and saves a lot of headaches for a very small outlay.
Simon.
Hello
It's not enough information.
Check the internal and external URLs from the client. /Try to open them from IE/
Get-WebservicesVirtualDirectory |Fl internalURL,ExternalURL
Get-OwaVirtualDirectory |Fl internalURL,ExternalURL
Get-ecpVirtualDirectory |Fl internalURL,ExternalURL
Get-ActiveSyncVirtualDirectory |Fl internalURL,ExternalURL
Get-OABVirtualDirectory |Fl internalURL,ExternalURL
Get-ClientAccessServer |Fl internalURL,ExternalURL
Get-OutlookAnywhere |Fl *inter*,*exter*
Thanks for the response. I hear Simon loud and clear that I might be banging my head using a self-signed, but I'm trying to learn this new architecture. More information on the server:
InternalUrl : https://mail.domain.mydomain.com/EWS/Exchange.asmx
ExternalUrl :
[PS] C:\Windows\system32>Get-OwaVirtualDirectory |Fl internalURL,ExternalURL
InternalUrl : https://mail.domain.mydomain.com/owa
ExternalUrl :
[PS] C:\Windows\system32>Get-ecpVirtualDirectory |Fl internalURL,ExternalURL
InternalUrl : https://mail.domain.mydomain.com/ecp
ExternalUrl :
[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory |Fl internalURL,ExternalURL
InternalUrl : https://mail.domain.mydomain.com/Microsoft-Server-ActiveSync
ExternalUrl :
[PS] C:\Windows\system32>Get-OABVirtualDirectory |Fl internalURL,ExternalURL
InternalUrl : https://mail.domain.mydomain.com/OAB
ExternalUrl :
[PS] C:\Windows\system32>Get-ClientAccessServer |Fl internalURL,ExternalURL
[PS] C:\Windows\system32>Get-OutlookAnywhere |Fl *inter*,*exter*
InternalHostname : mail.domain.mydomain.com
InternalClientAuthenticationMethod : Ntlm
InternalClientsRequireSsl : False
ExternalHostname :
ExternalClientAuthenticationMethod : Negotiate
ExternalClientsRequireSsl : False
Self-signed certificates are not supported for Outlook Anywhere. You need a proper cert with the correct names added to it.
Either:
- Buy a cert
- Install Windows CA onto one of your servers in that lab, and issue the cert from that CA.
Hello
If this is a lab scenario only, create a new self-signed cert with all domains (mail.domain.mydomain.com, mail.mydomain.com), install it from GPO on all clients as a trusted cert, and it should work.
Or get one for free from sites like StartSSL/Comodo/etc :)
As long as it is a trusted CA issued cert :) Do you also need to install a non-production issuing root as part of those free certs?
Thanks to all for the response. So basically, the cert being used by Exchange can definitely not be used. Is this correct? So I either need to:
1. Purchase a trusted SSL and install it on the Exchange Server in place of the one generated by Exchange (not sure how to do that but will start searching).
2. Or use Certificate Services, which had to have been installed on the Exchange box to generate the first cert. Use that to generate another cert, apply it to the Exchange Server default site and install it on the client (will have to look for how to do that as well).
Am I understanding correctly? In other words, the default cert cannot be used under any circumstances?
Thanks for the help.
Hi,
This self-signed certificate is used to encrypt communications between the Client Access server and the Mailbox server. Outlook Anywhere won't work with a self-signed certificate on the Client Access server.
For more detailed information about certificates, you can refer to the link below:
In addition, you can follow the article below to create an SSL certificate request:
http://exchangeserverpro.com/create-ssl-certificate-request-exchange-2013/
Regards,
David
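The name check behind the point made above that the configured URLs must match the certificate, as an added example that is not part of the original thread: it compares the internal host names posted earlier against three constructed certificate name lists (EXCH01 is a hypothetical server name, and the function names are illustrative). It checks name coverage only, not whether clients trust the issuer.

```powershell
function Test-CertCoversHost {
    param([string] $HostName, [string[]] $CertificateDomains)
    foreach ($name in $CertificateDomains) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label, so *.mydomain.com
        # does not cover mail.domain.mydomain.com.
        if ($name.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param([hashtable] $ServiceUrls, [string[]] $CertificateDomains)
    foreach ($svc in ($ServiceUrls.Keys | Sort-Object)) {
        $value = $ServiceUrls[$svc]
        if ([string]::IsNullOrWhiteSpace($value)) { continue }  # e.g. an empty ExternalUrl
        # Virtual directories report a URL; Outlook Anywhere reports a bare host name.
        $hostName = if ($value -match '^https?://') { ([uri]$value).Host } else { $value }
        [pscustomobject]@{
            Service  = $svc
            HostName = $hostName
            Covered  = Test-CertCoversHost -HostName $hostName -CertificateDomains $CertificateDomains
        }
    }
}

# Internal values as posted in the thread; the external OWA URL was empty.
$urls = @{
    EWS             = 'https://mail.domain.mydomain.com/EWS/Exchange.asmx'
    OWA             = 'https://mail.domain.mydomain.com/owa'
    ECP             = 'https://mail.domain.mydomain.com/ecp'
    ActiveSync      = 'https://mail.domain.mydomain.com/Microsoft-Server-ActiveSync'
    OAB             = 'https://mail.domain.mydomain.com/OAB'
    OutlookAnywhere = 'mail.domain.mydomain.com'
    OwaExternal     = ''
}
# Constructed certificate name lists (assumptions, not taken from the thread).
$certs = [ordered]@{
    'default self-signed' = @('EXCH01', 'EXCH01.domain.mydomain.com')
    'wildcard'            = @('*.mydomain.com')
    'issued SAN cert'     = @('mail.domain.mydomain.com', 'mail.mydomain.com')
}
foreach ($label in $certs.Keys) {
    "--- $label ---"
    Get-UrlCertCoverage -ServiceUrls $urls -CertificateDomains $certs[$label] | Format-Table -AutoSize
}
```

On a live server the name list to test is the CertificateDomains property returned by Get-ExchangeCertificate for the certificate assigned to IIS.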