Outlook Webmail Proxy Certificate Issue
I have two sites with front end servers: one in the States and one in Europe.
Some background:
For each server's "inside" hostname we follow a convention; in this case each would be msxfe%sitename%%server instance%. So for the US it is msxfeus05.%ADDomain%, and for Europe it is msxfeeu03.%ADDomain%. This tells us that it is an Exchange front-end in the US or Europe, with the US being the 5th instance (we numbered up starting with Exchange 2000) and Europe being the 3rd instance.
For the external address (for Outlook Anywhere access) we use two hostnames: webmailus.%publicdomain% and webmaileu.%publicdomain%. I have certificates for each server issued from Verisign, with the name being the publicly-accessed name (e.g. webmailus.%publicdomain%). We have a certificate server inside the AD domain which handles client/server certificates for private (that is, internal) functions only.
In order for Outlook to function seamlessly whether a user is inside the network walls or out in the "real" world, I set their Outlook Anywhere settings in the mail profile to use the public name, and then create the appropriate DNS records internally and externally. In IIS I've set up a redirect to send all requests to the root to the /owa directory using https. That way if a user types http://%webmailserver%.%publicdomain% they are redirected to https://%webmailserver%.%publicdomain%/owa and given the form for login.
For webmailus.%publicdomain% everything works just fine, and for webmaileu.%publicdomain% the web interface works fine. However, for Outlook clients inside the network using webmaileu as the Outlook Anywhere proxy, they are prompted to accept a certificate for webmaileu.%publicdomain% with the warning that the hostname of the proxy doesn't match its certificate. For some reason, instead of sending proxy requests to webmaileu, Outlook is sending them to msxfeeu03.%ADDomain%. But for the life of me I cannot figure out why.
In the setup for the Client Access servers, I have both the internal and external names set for their respective public names. That is, for Outlook Anywhere on msxfeeu03.%ADDomain%, Outlook Anywhere's External Host Name is set to webmaileu.%publicdomain%. (Naturally msxfeus05.%ADDomain% is set to webmailus.%publicdomain%.) The same on the OWA directory for Outlook Web Access: the Internal URL and External URL are both set to the public hostname. The same is also true for Exchange ActiveSync.
The certificate for the site in IIS is set to the certificate issued from Verisign.
I've also checked our internal DNS to confirm that the records are the same for each front end. I have an A record for each within the zone for our AD Domain, and the zone for our public domain, and also have corresponding PTR records.
As I said, webmailus works fine. But for some reason internal requests for webmaileu (ONLY from Outlook Anywhere within Outlook, not from using webmail in a browser) are being sent to msxfeeu03, even though the proxy is set to webmaileu.%publicdomain%.
If anyone has an idea as to where I went wrong here I'd appreciate the input.
October 4th, 2010 3:23pm
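An added example, not part of the original post or of any reply to it: a PowerShell check that gathers, for each Client Access server, the hostnames the post says were configured (the Outlook Anywhere External Host Name and the OWA and ActiveSync Internal/External URLs) and reports whether each one appears on the certificate assigned to the IIS service on that server. It then lists the Outlook provider settings, because CertPrincipalName is the name Outlook is configured to require on the proxy's certificate and so belongs in the same comparison. It assumes an Exchange 2010 Management Shell session with read access to the Client Access configuration, and uses the short server names from the post as placeholders.

```powershell
# Added example (not from the original post): compare the hostnames each CAS hands
# out to clients with the names on the certificate bound to IIS on that server.
# Assumes an Exchange 2010 Management Shell session with read access to the
# Client Access configuration. Server names are the placeholders from the post.
$casServers = @('msxfeus05', 'msxfeeu03')   # short names of the two front ends (assumed)

# Hostname part of a URL, or $null when the URL is not set.
function Get-UrlHost {
    param([string]$Url)
    if (-not $Url) { return $null }
    return ([System.Uri]$Url).Host
}

# True when $Name is covered by one of the certificate's names, including a
# single-label wildcard such as *.example.com.
function Test-NameOnCertificate {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                      # ".example.com"
            $labels = $Name.Split('.')
            if ($labels.Count -gt 1 -and $Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                ($Name.Length - $suffix.Length) -eq $labels[0].Length) { return $true }
        }
    }
    return $false
}

# One row per hostname this CAS advertises, with the setting it came from and
# whether the IIS certificate on that server actually carries the name.
function Get-CasNameReport {
    param([string]$Server)
    $names = @{}                                           # hostname -> where it came from

    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -and $oa.ExternalHostname) {
        $names[$oa.ExternalHostname.ToString()] = 'OutlookAnywhere ExternalHostname'
    }
    foreach ($vd in (Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' })) {
        foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
            $h = Get-UrlHost $u
            if ($h) { $names[$h] = "OWA $($vd.Name)" }
        }
    }
    foreach ($vd in (Get-ActiveSyncVirtualDirectory -Server $Server)) {
        foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
            $h = Get-UrlHost $u
            if ($h) { $names[$h] = "ActiveSync $($vd.Name)" }
        }
    }

    # Names on the certificate(s) assigned to the IIS service on this server.
    $certNames = @(Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { $_.ToString() })

    foreach ($n in ($names.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Server    = $Server
            Hostname  = $n
            Source    = $names[$n]
            OnIisCert = Test-NameOnCertificate -Name $n -CertNames $certNames
        }
    }
}

$casServers | ForEach-Object { Get-CasNameReport -Server $_ } |
    Format-Table Server, Hostname, Source, OnIisCert -AutoSize

# CertPrincipalName is the certificate principal name (msstd:...) Outlook is told
# to require on the proxy, so it must match the proxy certificate's name too.
Get-OutlookProvider | Format-Table Name, Server, CertPrincipalName, TTL -AutoSize
```

Any row with OnIisCert set to False is a hostname clients are being told to use that the certificate on that server cannot vouch for; the second table shows which name Outlook itself is checking against the proxy certificate for each provider.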