
Exchange Server Forums


Exchange 2010 Security Alert in Outlook 2007/2010

Exchange 2010 Security Alert in Outlook 2007/2010 - 28.Apr.2011 12:18:56 PM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Hi All

Background:
I've got an Exchange 2010 Server with a CA Certificate from GoDaddy. It's a multidomain Cert with the following domains in it:

Servername
Servername.mydomain.local
Autodiscover.mydomain.com
mail.mydomain.com
remote.mydomain.com

At the Hosting Company (Hetzner) I've got the following A Records:

remote.mydomain.com - (points to Exchange server Public IP)
autodiscover.mydomain.com - (points to Exchange server Public IP)
mail.mydomain.com - (Points to Hetzner Mail Server)

I use PopCon to retrieve my mail from Hetzner to my Exchange Server.

The Problem:

When I open Outlook 2010 on any of the domain-joined PCs I get a "Security Alert" with a problem with the security on mail.mydomain.com.

When I try to install the Certificate it's a certificate from Hetzner called "secure.konsoleh.co.za" and not the installed Certificate on my server from GoDaddy.

How do I get rid of that certificate that it's trying to install every time I open Outlook 2010? Or where does it get that info from?

Everything else works fine. SmartPhones connect fine to the exchange server. I can connect to OWA using https://remote.mydomain.com/owa

Any Ideas?

Regards
Jeanne
Post #: 1
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 29.Apr.2011 8:25:12 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
UPDATE:

I've run a full test on all the analyzers on the Exchange Test Analyzer (www.testexchangeconnectivity.com).

All the tests are working 100%, so I've got no idea where the above SECURITY ALERT comes from.

Any ideas? Somebody?

Thanks

(in reply to jdevilliers)
Post #: 2
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 3.May2011 8:15:46 PM   
Paul Cunningham

 

Posts: 198
Joined: 26.Aug.2009
From: Australia
Status: offline
I would guess that your internal DNS is resolving one of those names to the external web host instead of to your internet Exchange server, and the external web host is simply presenting its normal SSL certificate for the HTTPS requests.

Check your DNS resolution internally.

_____________________________

Paul Cunningham

Website: ExchangeServerPro.com
Check out the free Exchange 2010 training

(in reply to jdevilliers)
Post #: 3
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 8:33:14 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Hi Paul

I've checked my Internal DNS on my Active Directory server. There is no sign of SECURE.KONSOLEH.CO.ZA or mail.mydomain.com

The Certificate is Issued to: Secure.Konsoleh.co.za
and Issued by: Thawte Server CA

Konsoleh is Hetzner's mail server.


Where else can I be looking for it?

This is driving me nuts!

Regards

< Message edited by jdevilliers -- 4.May2011 8:37:47 AM >

(in reply to Paul Cunningham)
Post #: 4
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 8:36:38 AM   
Paul Cunningham

 

Posts: 198
Joined: 26.Aug.2009
From: Australia
Status: offline
No, not that name, the names such as mail.mydomain.com.

If those are resolving for INTERNAL clients to the web host's server instead of your Exchange server, then it's possible Outlook clients are making SSL connection attempts to the web host instead of to your Exchange server.


(in reply to jdevilliers)
Post #: 5
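
The check suggested in the replies above can be run from a domain-joined client: resolve each name with the client's own DNS and record which certificate the answering host presents on port 443. This is an added example, not code from the thread; the host names are the thread's placeholders and `Get-PresentedCertificate` is a hypothetical helper name.

```powershell
# Names are the thread's placeholders; replace with your own (assumption).
$names = 'mail.mydomain.com', 'remote.mydomain.com', 'autodiscover.mydomain.com'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $result = New-Object PSObject -Property @{
        Name = $HostName; Addresses = $null; Subject = $null; Issuer = $null; Error = $null
    }
    try {
        # What this client's DNS actually returns for the name.
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '

        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        try {
            # Accept whatever certificate is offered: the goal is to inspect it,
            # not to trust it. No application data is sent over this connection.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Subject = $cert.Subject
            $result.Issuer  = $cert.Issuer
        } finally {
            $tcp.Close()
        }
    } catch {
        # DNS failure, refused connection or handshake error.
        $result.Error = $_.Exception.Message
    }
    $result
}

$names | ForEach-Object { Get-PresentedCertificate $_ } |
    Format-List Name, Addresses, Subject, Issuer, Error
```

A name whose Addresses value is not the Exchange server, and whose Subject is the hosting provider's certificate rather than the GoDaddy one, is the name Outlook is being sent to.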
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 8:43:38 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Surely if I then go through my DNS records and I can't find Mail.mydomain.com anywhere then this is correct for my internal clients?

(in reply to Paul Cunningham)
Post #: 6
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 8:56:32 AM   
Paul Cunningham

 

Posts: 198
Joined: 26.Aug.2009
From: Australia
Status: offline
Depends on the URLs configured for Exchange web services etc.

Run these commands to check whether mail.mydomain.com is configured on any services:

Get-ClientAccessServer | fl *uri*

Get-WebServicesVirtualDirectory | fl *url*


(in reply to jdevilliers)
Post #: 7
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 9:45:29 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Hi Paul

Results for:

Get-ClientAccessServer | fl *uri*

AutoDiscoverServiceInternalUri : https://mail.mydomain.com/autodiscover/autodiscover.xml

Get-WebServicesVirtualDirectory | fl *url*

InternalNLBBypassUrl : https://servername.mydomain.local/ews/exchange.asmx
InternalUrl : https://mail.mydomain.local/EWS/exchange.asmx
ExternalUrl : https://mail.mydomain.com/EWS/exchange.asmx

How do I change these?

It needs to read:

https://remote.mydomain.com/autodiscover/autodiscover.xml

and

ExternalUrl : https://remote.mydomain.com/EWS/exchange.asmx

Regards

(in reply to Paul Cunningham)
Post #: 8
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 9:57:21 AM   
Paul Cunningham

 

Posts: 198
Joined: 26.Aug.2009
From: Australia
Status: offline
Yes, that looks like the issue right there.

Change those internal URLs to something that resolves for internal clients to the internal IP of the Exchange server. The FQDN of the server itself should be fine, as long as that name is also in your SAN certificate.


(in reply to jdevilliers)
Post #: 9
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 4.May2011 10:09:24 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Hi Paul

Yes the FQDN of the server is in the SAN Certificate.

Can you help me change that?

Where do I do that in the Exchange Management Console?

(in reply to Paul Cunningham)
Post #: 10
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 5.May2011 10:47:08 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Hi Paul

Any idea how I can change these settings in Exchange?

See my previous reply.

Regards

(in reply to Paul Cunningham)
Post #: 11
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 7.May2011 1:30:40 PM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
Anyone that can help me solve my issue... I now know what the problem is, just need to fix it - but HOW??

(in reply to jdevilliers)
Post #: 12
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 9.May2011 11:28:34 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
OK, here is a link on how to change the settings mentioned above.

I will test and let you all know if it worked.

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

(in reply to jdevilliers)
Post #: 13
RE: Exchange 2010 Security Alert in Outlook 2007/2010 - 11.May2011 11:34:06 AM   
jdevilliers

 

Posts: 12
Joined: 28.Jan.2011
Status: offline
I can confirm that the above link solves the Security Alert Issue.

Regards
J

(in reply to jdevilliers)
Post #: 14
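
One way to audit and change the URLs discussed in this thread from the Exchange Management Shell, as an added example that is not taken from the thread or from the linked article. The server and host names are the thread's placeholders, and using the server's FQDN for the internal URLs follows the suggestion in post 9 (an assumption about the target values).

```powershell
# Run in the Exchange Management Shell. Host names are the thread's placeholders.
$server  = 'Servername'
$intFqdn = 'servername.mydomain.local'   # assumption: server FQDN for internal URLs
$extFqdn = 'remote.mydomain.com'         # public name that points at the Exchange server

# Names on the certificate(s) enabled for IIS.
$sans = @(Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Collect the URLs reported by the two cmdlets used in the thread.
$cas = Get-ClientAccessServer -Identity $server
$ews = Get-WebServicesVirtualDirectory -Server $server
$urls = @(
    @{ Setting = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri },
    @{ Setting = 'EWS InternalUrl';                Url = $ews.InternalUrl },
    @{ Setting = 'EWS ExternalUrl';                Url = $ews.ExternalUrl }
)

# Flag any URL whose host is not on the certificate (exact match only;
# wildcard names are not expanded here).
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = ([System.Uri]"$($_.Url)").Host.ToLower()
    New-Object PSObject -Property @{
        Setting = $_.Setting; Host = $h; OnCertificate = ($sans -contains $h)
    }
} | Format-Table Setting, Host, OnCertificate -AutoSize

# Preview the changes; remove -WhatIf to apply them.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$intFqdn/autodiscover/autodiscover.xml" -WhatIf

$ews | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$intFqdn/EWS/exchange.asmx" `
    -ExternalUrl "https://$extFqdn/EWS/exchange.asmx" -WhatIf
```

A host can show OnCertificate as True and still trigger the alert if internal DNS sends it to another server, which is the case for mail.mydomain.com in this thread, so the certificate check does not replace the DNS check.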
