eliminating the offsite.. rpc over http outlook anywhere.. autodiscover.domain.com warning message in outlook...
- From: markm75c@xxxxxxxxx
- Date: Tue, 20 Nov 2007 08:30:26 -0800 (PST)
I know this has been tossed around.. but I wanted to get clarification
that this is the only "free" solution to fixing the security warning
popup, offsite, that occurs when using Outlook Anywhere with an SSL
certificate that doesn't support multiple names or SAN...
In our case we can't afford a cert that is hundreds of dollars just to
eliminate the warning.. and actually.. I'm not even sure I really want
to follow these steps just to get rid of a warning on a "few" machines
either.. but here is what I found from this link: (is this the only
ticket to success short of a different SSL certificate?)
----------------------------------------------------------
http://www.sembee.co.uk/archive/2007/01/21/34.aspx
You could look to purchase an SSL certificate that supports the
additional names. However none of the cheap SSL certificate providers
(RapidSSL and GoDaddy) issue certificates that allow you to have the
additional names. The only certificate that I have found that does is
one of the US$600 certificates from Geotrust. Having to pay $600 for a
certificate just to secure OWA seems very expensive and is not
something that many sites will accept.
Therefore the resolution to this problem I have found is to use
multiple web sites.
This isn't as hard as it may sound and I will give you the brief steps
here. (More comprehensive instructions will appear on the amset.info
web site at some point in the future).
1. Set up Outlook Anywhere as required. This is important as it is the
one feature that cannot have its virtual directory recreated using the
Exchange Management Shell.
2. Add an additional internal IP address to your Exchange server's
network card. For example, if 192.168.1.1 was the default address for
the server, you would add 192.168.1.2 as an additional address. It
does not have to be the next address, just as long as it is on the
same subnet (192.168.1.x).
You need additional IP addresses as you cannot use host headers with
SSL.
3. Adjust the configuration of IIS so that the default IP address is
bound to the default web site. This is a change from the "All
unassigned" setting.
4. Create a new web site in IIS Manager. In this example I will call
it External. Set it to use the additional IP address, using the
default ports. When asked for the path, use the same as the default
(C:\Inetpub\wwwroot). When asked for permissions, select Read and Run
Scripts only.
5. Open the Exchange Management Shell and run the following commands:
If you are supporting Exchange 2007 Mailboxes ONLY:
New-OWAVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSite "External"
If you are also supporting Exchange 2003 mailboxes, then you need to
run these additional commands:
New-OwaVirtualDirectory -OwaVersion:"Exchange2003or2000" -Name "Exchange" -WebSite "External" -VirtualDirectoryType:Mailboxes
New-OwaVirtualDirectory -OwaVersion:"Exchange2003or2000" -Name "Public" -WebSite "External" -VirtualDirectoryType:PublicFolders
New-OwaVirtualDirectory -OwaVersion:"Exchange2003or2000" -Name "Exadmin" -WebSite "External" -VirtualDirectoryType:Exadmin
New-OwaVirtualDirectory -OwaVersion:"Exchange2003or2000" -Name "Exchweb" -WebSite "External" -VirtualDirectoryType:Exchweb
For ActiveSync, run the following command:
New-ActiveSyncVirtualDirectory -WebSiteName "External"
When you refresh the configuration in Exchange Management Console, you
should see two sets of virtual directories under Server Configuration,
Client Access, Outlook Web Access and Exchange ActiveSync.
6. To add Outlook Anywhere to the web site, open up IIS Manager. In
the default web site, find the /rpc virtual directory. Right click on
it and choose All Tasks, Save Configuration to a File... and save the
configuration.
Then on the new web site that you have just created, right click on
the root and choose New, Virtual Directory (from file)...
When prompted select the file that you exported from the default web
site.
Important note - any configuration changes to Outlook Anywhere do not
appear to be reflected in this exported file, so it is important that
any configuration is done before the export/import. If you make any
changes to the Outlook Anywhere configuration then the export/import
will need to be repeated. Delete the imported virtual directory and
replace it with a freshly exported configuration file.
7. Once you have created the virtual directories, you can then put an
SSL certificate on to the new web site and then point external traffic
to that address.
Internal traffic can also be pointed to the new web site.
Leave the self-generated certificate on the default web site, as
Outlook 2007 will continue to connect to it.
------------------------------------------------------------
Thanks
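
Added example, not part of the original post or the quoted article: the warning discussed above comes down to whether every host name the client contacts appears in the certificate presented to it. This PowerShell check reports the names a given certificate leaves uncovered; the example.com host names and both name lists are constructed assumptions, and the wildcard handling goes slightly beyond what the post covers.

```powershell
# Added example. All host names below are constructed sample data.

function Test-CertNameMatch {
    param(
        [string]$HostName,   # name the client connects to
        [string]$CertName    # one DNS name from the certificate (CN or SAN entry)
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    if ($c -eq $h) { return $true }
    # A wildcard counts only as the whole left-most label and stands for
    # exactly one label: *.example.com covers mail.example.com but not
    # example.com or a.b.example.com.
    if ($c.StartsWith('*.')) {
        $suffix = $c.Substring(1)                      # ".example.com"
        if ($h.EndsWith($suffix)) {
            $left = $h.Substring(0, $h.Length - $suffix.Length)
            return (($left.Length -gt 0) -and (-not $left.Contains('.')))
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]]$HostNames, [string[]]$CertNames)
    foreach ($h in $HostNames) {
        $covered = $false
        foreach ($c in $CertNames) {
            if (Test-CertNameMatch -HostName $h -CertName $c) { $covered = $true; break }
        }
        if (-not $covered) { $h }   # emit each name that would trigger a mismatch
    }
}

# Names an Outlook Anywhere client reaches (constructed)
$clientNames = 'mail.example.com', 'autodiscover.example.com'

# Single-name certificate versus one carrying both names as SAN entries
$singleNameCert = @('mail.example.com')
$sanCert        = @('mail.example.com', 'autodiscover.example.com')

'Single-name cert leaves uncovered: ' + ((Get-UncoveredName $clientNames $singleNameCert) -join ', ')
'SAN cert leaves uncovered: '         + ((Get-UncoveredName $clientNames $sanCert) -join ', ')
```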