A number of people have been having a problem with this. You have a server published as mail.yourdomain.com and the SSL certificate works beautifully and you are really pleased. Your OWA works, your PDAs work and your Outlook Anywhere works.
Then a punter on the LAN notices that because you can the server called OscarWilde.yourdomain.local, the certificate does not match and you get failures, particularly Outlook 2007 as its address book relies on this.
There are 3 possibilities for getting around this.
1. New default web site in IIS for external and publish the default web site for internal. Apply certificates for each. There are a fair few gotchas in this and you need to know IIS fairly well. Take an expert like Simon Butler (Exchange MVP) whose blog article on how to do it is at http://www.sembee.co.uk/archive/2007/01/21/34.aspx) and you will see what to do if you wish.
2. Have a public DNS lookup for mail.yourdomain.com on your LAN that goes to the CAS box. This would mean that every Outlook client uses this on your LAN which will be nightmarish for a lot of you out there.
3. Modify the certificate to allow it to work. This only works on self signed certificates.
I'm working on a document for number 3. :-) This is from an original document by the hugely talented John Carter.
Whether this is applicable to the problem that brought you here is dependent on the following factors:
1. Internal and external domain name differences.
2. Autodiscover DNS entry working correctly.
3. Certificate Authority using a purchased or self generated certificate.
4. Quite a few other things.
Alpha version is available from http://www.webdesignhouse.co.uk/Ex2007cert1.pdf but will be hosted on my normal site www.zelandakh.co.uk once I have written it properly and tested it with several installations. Looks like there may be differences to the CA screens which may be down to the 64 bit R2 CA that was initially used. I just need the time and equipment in the same place to play with this further.
I have the equipment ready to go as of yesterday. My new shiny kit is all connected. Give me a couple of days to sort it and I can do lots of testing.
As of today I have a 9 hour window of opportunity on a plane to do this testing.
I can't connect from the plane to the kit.
Typical. Now run along children, I'm sure you have better things to do.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment