I have a question about the way my Windows Server 2012 resolves the internal and external addresses. Right now I have an internal domain: yyy.example.local, external domain: yyy.example.com. I have an Exchange certificate for my external domain yyy.example.com and that is working fine for the Exchange users. When the users approach Exchange internally they receive an error because the certificate name doesn't match the internal address, which is logical.
My question is: how can I let my internal address redirect to my external address? So when users approach Exchange internally they will receive the right external address without any errors. I've tried the options below, but this does the opposite. It will link my external address to my internal.
1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert: remote.yyy.org
2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.
3. Go into Exchange Admin GUI and go to server section - virtual directories - change the website to the external name: remote.yyy.org/xxx
4. you can not change autodiscover from GUI - open shell and put in: Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri remote.yyy.org/autodiscover/autodiscover.xml CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert: remote.yyy.org
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to
Do you guys have any suggestions?
The above steps look right to me
I have tried the above steps, but this gives an opposite result. I want to resolve my internal address yyy.local as my external address yyy.com
Split dns means having external resolve to the external ip when outside and the internal ip when internal, that way the name remains the same and the cert works in both places.
My cert is registered for the name *.yyy.com and my external domain matches this name so that's ok. My internal domain however is yyy.local and of course doesn't match the cert name and this is causing the cert error when opening Outlook. I thought this could be resolved with a DNS split solution. Am I wrong?
No, you point your internal clients at the external address which resolves to your internal ip that way it works inside and outside
How do I point my internal clients to the external address?
You point everything going to the mail server to external.external.com rather than using your internal address for anything.
I understand that I have to point everything to the external mailserver. But how do I do that?
By using the external DNS name everywhere, when the client is inside they will be using the internal DNS which will point them to the internal IP, when they are outside it will point to the external IP. To the client it will be transparent and all look the same so the certificate will be right as it only checks the DNS name not the IP.
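The split-DNS setup described in this reply, together with the virtual directory and Autodiscover changes from the original post's steps, as one added PowerShell script (example code written for this page, not posted by anyone in the thread). It assumes Exchange 2013 on Windows Server 2012 with the Exchange Management Shell and the DnsServer module available, the certificate name remote.yyy.org from the thread, and constructed placeholders for the DNS server name and the mail server's LAN IP.

```powershell
# Added example, not from the thread. Assumptions: Exchange 2013 cmdlets and the
# DnsServer module are loaded; $ExternalName is the name on the certificate (from
# the thread); $DnsServer and $InternalIp are constructed placeholders.
$ExternalName = 'remote.yyy.org'
$DnsServer    = 'dc01.yyy.example.local'   # constructed placeholder: internal DNS server
$InternalIp   = '10.0.0.25'                # constructed placeholder: mail server LAN IP
$Server       = $env:COMPUTERNAME          # the Exchange server being reconfigured

# 1. Split DNS: an internal zone for the external name whose apex A record is the LAN IP.
#    Inside, remote.yyy.org resolves to the internal IP; the public DNS keeps the public IP.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $ExternalName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ExternalName -ZoneFile "$ExternalName.dns"
}
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIp

# 2. Put the certificate name on every client-facing URL, internal and external alike, so the
#    host name the client validates against the certificate is the same from both networks.
$base = "https://$ExternalName"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-OutlookAnywhere             -Identity "$Server\Rpc (Default Web Site)" -InternalHostname $ExternalName -ExternalHostname $ExternalName `
                                -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Ntlm
# Autodiscover cannot be changed in the GUI (step 4 of the post); set it with the full URL.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"

# 3. Verify: the name must resolve to the LAN IP on the internal DNS, and the URLs must carry it.
$resolved = (Resolve-DnsName -Name $ExternalName -Type A -Server $DnsServer).IPAddress
if ($resolved -ne $InternalIp) { throw "Split DNS check failed: $ExternalName resolves to $resolved" }
Get-OwaVirtualDirectory -Server $Server | Select-Object InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server | Format-Table Name, AutoDiscoverServiceInternalUri
```

The verification step only confirms DNS and the configured URLs; a client-side check is to open Outlook on an internal PC that uses $DnsServer and confirm no certificate name warning appears.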
Alright, thanks, I will try it and let you know if it works.
Ok, so I managed to change the Autodiscover URL, pointing it to the external URL, so Outlook will connect with the right certificate. If I delete and re-add the Outlook profile, the certificate error won't pop up and everything works fine. My question now is: I am dealing with 50+ users. Does this mean every single user has to delete his Outlook account and re-add it? This is a big amount of work, not to mention the time Outlook needs to sync everything back again (over 50 GB worth of data).
Is there a way to do this faster and more effective?