
No access to EAC OWA or via Outlook client Exchange 2019

10 Posts
3 Users
0 Reactions
1,601 Views
(@benito)
Active Member
Joined: 3 years ago
Posts: 6
Topic starter  

Hello everyone,

Who can help me?

In the course of the configuration for certificate problems I have set all URLs (ext and int) of the virtual directories to a different URL in the EAC.

After restarting the W2k19 server, I no longer have access from my Outlook or to the EAC or via OWA.

I used Franky's script to reset all URLs in PowerShell. Unfortunately, this did not help.

Now I am at a loss; the problem may also have been caused by experiments with the certificates.


   
(@geloeschter-benutzer)
Reputable Member
Joined: 2 years ago
Posts: 263
 

Hi,

Certificate contains the new host names?
Certificate set on frontend and backend IIS?

Restart-WebAppPool MSExchangeAutodiscoverAppPool
Restart-WebAppPool MSExchangeRpcProxyFrontEndAppPool
Restart-WebAppPool MSExchangeRpcProxyAppPool

DNS also fits?

Greetings,
Ralf


   

(@benito)
Active Member
Joined: 3 years ago
Posts: 6
Topic starter  

Hi Ralf,

DNS matches, have checked everything with NSLookup. A restart does not help much if I have already restarted the server several times.

Well, that's a problem with the certificates.

I still haven't understood this properly.

My emails (send/receive) all go through my provider.

My domain is extdomain.de

Internally, the AD runs mydomain.int

The virtual directories are outlook.mydomain.int (internal and ext. url) as well as the autodiscover.mydomain.int

I obtained a 30-day certificate from SSL Trust and entered it in the EAC:

Common Name: extdomain.de
Product: Comodo PositiveSSL

Internally, DNS is wired with extdomain.de and mydomain.int with an A host entry on the ex-server.

When I connect internally to Outlook/OWA, the security notice for outlook.mydomain.int and autodiscover.mydomain.int says "The name on the certificate is invalid or incorrect".

I have created subdomains with forwarding to my fixed IP address for outlook.extdomain.de and autodiscover.extdomain.de with my provider.

With outlook.extdomain.de I am redirected to my OWA, only I have the IP address as URL in the browser and there is a warning that the page is not secure.

The security information always refers to the fact that the certificate is issued for extdomain.de.

Then I moved all virtual directories (int/ext) to the URLs outlook.extdomain.de and autodiscover.extdomain.de.

After that, OWA, EAC or Outlook no longer worked.


   
(@geloeschter-benutzer)
Reputable Member
Joined: 2 years ago
Posts: 263
 

Since you are not using a split DNS, as I read from the answer, you must have an internal CA.
Then create a SAN certificate there with all relevant names for both internal and external domains.
Since your clients trust the SAN cert of the internal CA, at least an Outlook/OWA connection from internally is possible (assuming suitable cert assignment and VS Config + DNS Config).

For external access you need a public certificate. A wildcard or SAN certificate would be suitable here, as you can then use various sub-names for publication. You can then pack this certificate on a reverse proxy (Sophos, Kemp, whatever) and then make an SSL offload etc. if required. External clients then use Public, internal clients use the SAN cert issued by your CA. There are certainly many other ways to Rome.

Ralf


   

NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1607
 
Published by: @benito

When I connect internally to Outlook/OWA, the security notice for outlook.mydomain.int and autodiscover.mydomain.int says "The name on the certificate is invalid or incorrect".

Which is kind of logical if you use an external certificate and configure everything to internal names ;)

Published by: @benito

The virtual directories are outlook.mydomain.int (internal and ext. url) as well as the autodiscover.mydomain.int

Published by: @benito

I obtained a 30-day certificate from SSL Trust and entered it in the EAC:

I would say that somewhere there is a lack of understanding of how URL/certificates and names should be configured so that it fits.

As already mentioned, if you are only operating internally, then configure everything to internal names and use an internal certificate (with the internal names). If you want it to be accessible externally, then use split DNS and public certificates and public names.

Bye

Norbert
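
The name check behind the "name on the certificate is invalid or incorrect" warning discussed above, as an added example that is not part of any post in this thread. Run in the Exchange Management Shell, it lists every host name configured on the virtual directories, Outlook Anywhere and the Autodiscover SCP, and reports whether the certificate(s) enabled for IIS cover it; the helper name Test-CertName is hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
function Test-CertName {            # hypothetical helper, not an Exchange cmdlet
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.extdomain.de matches
        # outlook.extdomain.de, but not extdomain.de or a.b.extdomain.de.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$server = $env:COMPUTERNAME
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'

# Host part of every internal and external URL on the virtual directories
$hosts = @(foreach ($cmd in $vdirCmdlets) {
    & $cmd -Server $server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
        Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host }
})
# Outlook Anywhere host names and the Autodiscover SCP URL
$hosts += Get-OutlookAnywhere -Server $server |
    ForEach-Object { "$($_.InternalHostname)", "$($_.ExternalHostname)" }
$scp = (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
if ($scp) { $hosts += ([uri]"$scp").Host }
$hosts = $hosts | Where-Object { $_ } | Sort-Object -Unique

# Every certificate that Exchange has enabled for the IIS service
$certs = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' }

foreach ($cert in $certs) {
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $hosts) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HostName   = $h
            Covered    = Test-CertName -HostName $h -CertNames $names
        }
    }
}
```

Any row with Covered = False is a name that clients will be sent to but that the certificate does not vouch for, which is the mismatch Outlook and the browser report.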


   
(@benito)
Active Member
Joined: 3 years ago
Posts: 6
Topic starter  
Published by: @monthy

Since you are not using a split DNS, as I read it from the answer, you must have an internal CA

If you use split DNS to synchronize the DNS entries with mydomain.int (A.Host -> IP. Exchangeserver) and extdomain.de (A.Host -> IP. Exchangeserver) that I have set up.
That's what I did.

This post was modified 3 years ago by Benito

   

NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1607
 

Split DNS means that the same name is resolved differently internally and externally. A client only ever knows outlook.externedomain.tld but internally it becomes 192.168.173.10 and externally 217.255.255.90, for example.

Bye

Norbert


   
(@benito)
Active Member
Joined: 3 years ago
Posts: 6
Topic starter  

Can it help me to move all virtual directories (int/ext) to the URLs outlook.extdomain.de and autodiscover.extdomain.de?

I have already done this once and then nothing worked except for PowerShell access (no OWA, EAC or Outlook).

What else do I have to do after the URLs have been moved? A simple start of the server did nothing.


   

(@benito)
Active Member
Joined: 3 years ago
Posts: 6
Topic starter  

PS: Maybe someone is willing to solve this with me remotely?


   
ReplyQuote
NorbertFe
(@norbertfe)
Joined: 4 years ago
Posts: 1607
 
Published by: @benito

I have already done this once and then nothing worked except for PowerShell access (no OWA, EAC or Outlook).

And did the names also resolve correctly internally and externally?

I cannot offer remote maintenance.

Bye

Norbert
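
One way to answer the question of whether the names resolve correctly internally and externally, and to see the split-DNS behaviour described earlier in the thread, as an added example that is not part of any post: each name is resolved against an internal DNS server and a public resolver and the answers are compared. The two resolver addresses and the helper name Get-ARecord are assumptions; the host names are the ones from the thread.

```powershell
# Added example. All default values are assumptions; replace them with your own.
param(
    [string[]]$Names     = @('outlook.extdomain.de', 'autodiscover.extdomain.de'),  # names from the thread
    [string]$InternalDns = '192.168.173.2',  # constructed address of an internal DNS server
    [string]$PublicDns   = '1.1.1.1'         # any public resolver
)

function Get-ARecord {                       # hypothetical helper
    param([string]$Name, [string]$Server)
    # Failed lookups (NXDOMAIN, timeout) yield an empty result instead of an error
    @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        ForEach-Object { $_.IPAddress } | Sort-Object)
}

foreach ($name in $Names) {
    $inside  = Get-ARecord -Name $name -Server $InternalDns
    $outside = Get-ARecord -Name $name -Server $PublicDns
    $verdict = if (-not $inside -and -not $outside) { 'does not resolve anywhere' }
        elseif (-not $inside)  { 'public only: internal zone has no record for it' }
        elseif (-not $outside) { 'internal only: unreachable by this name from outside' }
        elseif (Compare-Object $inside $outside) { 'split DNS: same name, different answers' }
        else { 'same answer inside and outside (no split)' }
    [pscustomobject]@{
        Name     = $name
        Internal = $inside -join ', '
        Public   = $outside -join ', '
        Verdict  = $verdict
    }
}
```

Run it from a machine on the internal network that is allowed to send DNS queries to the public resolver; a name under an internal-only zone such as mydomain.int will always come back as "internal only".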


   