Outlook Anywhere Autodiscover Redirect - SSL issue

  • Thread starter Matt_Birtwhistle

Matt_Birtwhistle



Hi
I have an Exchange 2007 HMC deployment for which I'm testing Outlook Anywhere autodiscovery.
IIS is configured with an autodiscovery redirecting virtual directory, and the relevant websites are protected with a legitimate UC SSL certificate.

The problem in a nutshell is that Outlook 2007 displays a certificate mismatch warning (name on the certificate is invalid or does not match the name of the site) relating to autodiscover.[customerdomain].com. If I accept the SSL warning, I then receive the expected warning about being redirected to a different URL for autodiscovery and all is well.

The OA tests at https://www.testexchangeconnectivity.com/ do run successfully though. Going through the tests it performs, it also sees the certificate mismatch error but then proceeds to test with the http redirect method which successfully redirects to https://autodiscover.[serviceproviderdomain].com which is a SAN on my SSL certificate and tests out fine via a web browser.

I'm sure I'm missing something obvious - can anyone suggest where I'm going wrong? I can't accept letting users see the SSL warning.

Versions are Exchange 2007 SP2 on Windows 2008 Enterprise, and Outlook 2007 SP2 on a variety of different OS.

Thanks for your time,
Matt

 

Corey Riley

In IIS Manager on the redirect virtual directory, go to properties, click "Advanced" and remove port 443. This should only allow the redirect site to answer port 80 requests and no certificate mismatch error then.
 

Matt_Birtwhistle



Hi, thanks for the response but the redirector website does not have 443 bound to it.

Matt

 

Corey Riley

Do you have everything running off of one IIS site? Or is there a separate IIS site for the redirect?
 

Matt_Birtwhistle



I have separate sites for autodiscover, autodiscover redirect, OAB distribution and another for OWA, OMA etc. (default website), each with their own IP addresses. SSL is configured on each, apart from the redirect as mentioned.

Thanks

 

Matt_Birtwhistle

That previous response was a bit ambiguous wasn't it? I have four separate websites in IIS, not two as you might have concluded.
 

Corey Riley



Outlook is hardcoded to go to https://autodiscover.customerdomain.com first (the HTTP is the third address it tries) so it sounds like you need to prevent autodiscover.customerdomain.com from answering on port 443 and only allow port 80 through the firewall for that external address. You mentioned that https://www.testexchangeconnectivity.com/ reported the certificate mismatch. It sounds like the firewall might be sending https://autodiscover.customerdomain.com to the internal IP for "autodiscover.serviceproviderdomain.com".

What you can do to test this is enable IIS logging (if it isn't already), then run the test again from www.testexchangeconnectivity.com and check the IIS logs to see which site is answering the request.
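
One way to carry out the log check suggested above, as an added example that is not part of the original post: a Python script that reads IIS W3C log text and reports which site and IP answered Autodiscover requests for each host name and port. The log lines, site IDs and IP addresses are constructed, and it assumes the `s-sitename`, `s-ip`, `s-port` and `cs-host` fields are enabled in IIS logging.

```python
from collections import Counter

# Constructed sample log (not from the thread): W3SVC1 stands in for the OWA site,
# W3SVC2 for the Autodiscover site, W3SVC3 for the HTTP-only redirect site.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem s-port c-ip cs-host sc-status
2010-03-01 10:15:02 W3SVC1 192.0.2.10 POST /autodiscover/autodiscover.xml 443 198.51.100.7 autodiscover.customerdomain.com 401
2010-03-01 10:15:04 W3SVC3 192.0.2.10 GET /autodiscover/autodiscover.xml 80 198.51.100.7 autodiscover.customerdomain.com 302
2010-03-01 10:15:05 W3SVC2 192.0.2.11 POST /autodiscover/autodiscover.xml 443 198.51.100.7 autodiscover.serviceproviderdomain.com 200
2010-03-01 10:16:40 W3SVC1 192.0.2.10 GET /owa/ 443 198.51.100.7 mail.serviceproviderdomain.com 200
"""

def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields header in the log."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def autodiscover_answers(text):
    """Count Autodiscover requests per (host, port, site, server IP)."""
    hits = Counter()
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().startswith("/autodiscover"):
            continue
        host = row.get("cs-host", "-").lower().split(":")[0]  # drop any :port suffix
        hits[(host, row.get("s-port", "-"), row.get("s-sitename", "-"), row.get("s-ip", "-"))] += 1
    return hits

def https_hits_on_redirect_name(text, redirect_host):
    """Sites that answered on 443 for a name that should only redirect over HTTP."""
    return sorted({(site, ip) for (host, port, site, ip) in autodiscover_answers(text)
                   if host == redirect_host.lower() and port == "443"})

if __name__ == "__main__":
    for (host, port, site, ip), n in sorted(autodiscover_answers(SAMPLE_LOG).items()):
        print(f"{host}:{port} answered by {site} on {ip} ({n} request(s))")
    print("HTTPS answered for redirect name by:",
          https_hits_on_redirect_name(SAMPLE_LOG, "autodiscover.customerdomain.com"))
```

Any site listed for port 443 under the customer's autodiscover name is the one presenting the mismatched certificate. A client that stops at the certificate warning sends no HTTP request, so only attempts where the warning was accepted appear in these logs.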

 

Matt_Birtwhistle



Hi Corey, you've helped me figure out the problem. I've tried to be too clever for my own good by using the same IP for https OWA and http autodiscover redirect, missing that Outlook will try https before it tries http.

The testexchangeconnectivity results confused the matter further since at first glance it appeared that the test succeeded without any drama.

It all seems so obvious now!

Thanks again,
Matt

 