exchange public facing server question



This is probably a real simple question for you Exchange Pros. Basically, I am in the process of setting up a new Exchange Server from scratch. I was going through the configuration of the self-signing SSL cert and there were a few fields that I'd like to be enlightened on:

 

For the filling out of the intranet part, that is easy. ABC-Exchange2.ZZZ.local

 

For the public internet face of things, I noticed that it's recommended to use mail.ZZZ.com, so I will just use mail2.ZZZ.com for my research purposes sake.

 

BlueHost owns our ZZZ.com domain and our AD/DNS is only configured for ZZZ.local.

 

Do I just create an A (Host) record under DNS Zone Editor on BlueHost and point it to my public IP or the mail2.ZZZ.com?

 

This takes me to my next question. If I was to type in mail2.ZZZ.com, I usually had to manually type in the /owa at the end.

Does the /owa get put in there automatically or does the user still need to type it in?

Sorry, I am an Exchange n00b


you will need an A record pointing your mail2.zzz.com to your external IP

then you will need an MX record to point to mail2.zzz.com

 

 

when configuring your mail server you can have a redirect pointing to https://mail2.zzz.com/owa in IIS.

 

 

your internal DNS should have a zone for zzz.com and either an A record or a CNAME for mail2 pointing to your internal mail server IP/hostname.


when configuring your mail server you can have a redirect point to https://mail2.zzz.com/owa in iis.

I figured this because technically mail2.zzz.com would point to my public IP address and my public IP address already resolves to a different website running right from my business location.

Entering mail2.zzz.com during the Exchange SSL Cert Configuration will be safe though right after I make the above redirect point?

 

your internal dns should have a zone for zzz.com and either a A record or a cname for mail2 pointing to your internal mail server ip/hostname.

yeah I think I need to create a "zone"


You should also make an autodiscover.zzz.com. This will allow for automatic configuration for phones and Outlook clients. It is also recommended to have a cert from a known provider so that there is less config on phones and clients. Otherwise you will need to import the cert on all computers and phones.

You are on the right path though


So get this, I went into BlueHost earlier today to look at the A-Records. One of the things I noticed was that there already was an "autodiscover" record pointing @ what seems to be a BlueHost server.

I changed the IP address of that and it's been a good 9 hours. Now I am home & am pinging that URL and it is still resolving to BlueHost.

 

I also noticed an SRV record in the DNS zones on BlueHost. It says:

_autodiscover_  _tcp autodiscover.bluehost.com

Do you think I should change that?

 

There also is a Host record that has v=spf1 ip4:66.147.244.160 a mx ptr include:bluehost.com ?all

I'm not sure I should touch that.


Yea, that is 24 hours. The next time a dns check won't be for another 15 hours or so. You should change them now to as low as they can go. Next update will change that number to check back more frequently.


Should I change the SRV record _autodiscover_  _tcp autodiscover.bluehost.com as well in the DNS Zones on BlueHost?

Or should I just edit the A record on BlueHost?


Well the autodiscover A record I know to change.

The SRV record that has autodiscover terminology, I'm not so sure. We do have other sites running on BlueHost :( I don't want them impacted.


You are right.

 

I am in the process of adding an SRV record, but I am a little lost where to place it.

I have:

ZZZ.local

_sites

_tcp

_udp

DomainDNSZones

ForestDNSZones

 

When I right click and choose Other New Records/SRV records, not one of them states _autodiscover in the Service: field. Do I need to add that in manually? Also, which of the folders above would I create this in? ZZZ.local or DomainDNSZones?


Ok. I created the SRV record. I had to manually fill in _autodiscover and _tcp as they were not available in the drop down options. I hit ok and it seemed to go through. I refreshed the zone and couldn't find the record in there. I thought that I would try it again. I went through the same process and it says that the record already exists. Where was the record placed? If it is there, it is not appearing!?

 

edit: ok, I found it. It dropped into the TCP folder


I just ran the Analyzer tool & it said:

 

Attempting to locate SRV record_autodiscover._tcp_ZZZ.com in DNS.

The Autodiscover record wasn't found in DNS.

 

I see the record sitting in ZZZ.local -> _sites -> _tcp after I created it inside ZZZ.local

 

what gives?

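The analyzer looks up _autodiscover._tcp.ZZZ.com, so the SRV record has to live in an internal zzz.com zone, not under ZZZ.local. As an added example (not from this thread), this PowerShell creates that split-DNS zone on the Windows DNS server, adds the records, and checks the lookup the way the analyzer does; the zone name, host names and the internal IP 10.0.0.25 are assumed values.

```powershell
# Added example, not from the thread. Requires the DnsServer module (RSAT) and
# rights on the internal Windows DNS server.
# Assumed values: zone zzz.com, Exchange host mail2.zzz.com, internal IP 10.0.0.25.

$Zone       = 'zzz.com'
$MailHost   = "mail2.$Zone"
$InternalIP = '10.0.0.25'   # assumed internal address of the Exchange server

# 1. Internal zone for the public domain name (split DNS). Only names added
#    here resolve for internal clients, so every public host the LAN still
#    needs (www, remote, ...) must also get a record in this zone.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}

# 2. A records: mail2 and autodiscover both point at the internal server.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail2'        -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'autodiscover' -IPv4Address $InternalIP

# 3. SRV record. The name is _autodiscover._tcp *inside the zzz.com zone*;
#    a record created under ZZZ.local is never consulted for ZZZ.com lookups.
Add-DnsServerResourceRecord -ZoneName $Zone -Srv -Name '_autodiscover._tcp' `
    -DomainName $MailHost -Priority 0 -Weight 0 -Port 443

# 4. Verify from a domain-joined client, the same query the analyzer makes.
Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV |
    Format-List Name, NameTarget, Port, Priority
Resolve-DnsName -Name "autodiscover.$Zone" -Type A
```

The external BlueHost zone still needs its own autodiscover A record (and SRV, if the host supports it) for clients outside the LAN; the internal zone above only answers internal clients.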

Mind if I TeamViewer in to get a better idea of what is going on. It would help expedite things and get you more direct answers. You can PM the codes if you wish.


SC302 - thanks for all your help today :)

I managed to install the self-signing cert, and after the end-user import, everything looks good. No prompts. Success!

 

I am thinking about dropping the remote.zzz.net SSL cert from GoDaddy and purchasing the 5 device *.zzz.com instead.

This way I can have mail.zzz.com, remote.zzz.com & etc & easily manage it.

 

I already made an A record for remote.zzz.com on BlueHost and also placed an entry in the zone you helped me create!

Thanks again for all your help tonight!


Update:

 

it appears that the GoDaddy cert was actually working for remote.zzz.net the whole time.

 

All my remote users and mobile device users now need to have SSL unchecked to get their email flowing again since the GoDaddy cert has been removed.

 

However, my self-signed cert for internal users did make the annoying security error popup go away, which was my original goal. :) :) :)

 

Now I must add the GoDaddy cert again because my external users are complaining by the dozens.

 

But... when I add the GoDaddy cert back in, my internal users will start getting that security error message again :(

 

I feel like I'm back to square 1 haha.

 

Thoughts?

 

I think that the GoDaddy cert changes my internal and external address to the same thing in the OWA URL fields, which would end up being remote.zzz.net

Meaning that the  remote.zzz.net is probably also pointing at my Intranet OWA URL field, which is not what I want.

 

I am thinking of importing the GoDaddy cert and then manually editing (PowerShell) the Intranet facing fields back to https://xxx-ExG01.something.local/owa and leaving the PUBLIC Internet facing field of remote.zzz.net alone.

Or will performing this PowerShell "hack" edit break the GoDaddy cert altogether?

 

Does this make any sense?


yes, your GoDaddy cert, while hosting 2 different services, resolves to one external IP.

 

You really should have a separate cert for Exchange and one for your remote desktop users... I would do a self signed cert for the remote desktop and have a global/GoDaddy cert for mail. Mail hits far more devices/OSes than remote desktop and it is more difficult to import the self signed cert/CA into every OS that could possibly connect to Exchange. (This is what I was getting at last night.) Sharing a cert between two servers isn't exactly the best or recommended practice even though it may work.

 

You really need to have a UCC SSL cert to support Exchange.

https://www.godaddy.com/ssl/ssl-certificates-config.aspx?origin=pod&plan=ssl_std_3_5

 

The certificate, in my opinion, should have:

mail.xxx.com

webmail.xxx.com

autodiscover.xxx.com

 

you can change names if you want, but those are the three that should be in there. 

 

your dns host may not support SRV records, so you would need to add autodiscover as an A record to your external DNS host.

 

At the very least, if you wish to continue to go down the route of having your current, single, GoDaddy cert act as everything, you will need to remove the www.remote.xxx.com and add mail, webmail, and autodiscover to that cert through the GoDaddy interface... then import that cert into Exchange again.

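The security prompt the two previous posts are wrestling with (the PowerShell edit of the OWA URL fields, and the advice to put mail, webmail and autodiscover on one UCC cert) comes down to one check: every hostname Exchange hands to clients must appear in the SANs of the certificate bound to IIS. As an added example that is not from this thread, this Exchange Management Shell script collects those hostnames and reports which ones the IIS certificate does not cover; it assumes the Exchange 2010/2013 cmdlet names (Get-ClientAccessServer) and a single server.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumes Exchange 2010/2013 cmdlets; on 2016+ use Get-ClientAccessService.

# Certificate currently bound to IIS (the one OWA, EWS, ActiveSync and
# Autodiscover present to clients).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate is bound to IIS on this server.' }

# Every URL Exchange advertises: internal and external, plus the Autodiscover SCP.
$urls  = @()
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([uri]$_).Host.ToLower() } | Sort-Object -Unique

# A SAN covers a hostname if it matches exactly, or is a wildcard (*.zzz.com)
# for the same number of labels (a wildcard never covers a.b.zzz.com).
function Test-NameCovered([string]$Hostname, [string[]]$Domains) {
    foreach ($d in $Domains) {
        $d = $d.ToLower()
        if ($d -eq $Hostname) { return $true }
        if ($d.StartsWith('*.') -and $Hostname -like $d -and
            $Hostname.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

"Certificate: $($cert.Subject)  expires $($cert.NotAfter)"
"SANs: $($cert.CertificateDomains -join ', ')"
foreach ($h in $hosts) {
    $status = if (Test-NameCovered $h $cert.CertificateDomains) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $h
}
```

A MISSING line means either that name has to be added to the certificate (the mail/webmail/autodiscover set recommended above) or the URL has to be changed with the matching Set-*VirtualDirectory cmdlet to a name the certificate already carries; a .local name can never be put on a public CA certificate, so the internal URLs should use the public domain name through the split-DNS zone.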

Purchase a new/more cert? LOL cmonnnnnnn. Most of our computers here are Optiplex GX280s lmao.

I'm surprised we keep up with 2 domain renewals and a hosting haha

