
HTTPS, DNS and OWA


Clopster

MIS
Jun 19, 2001
Gidday,

I have OWA via HTTPS working fine externally, plus a small handful of Windows Mobile devices. However, when my clients use the FQDN internally, it doesn't work.

I think what I need is a CNAME or A record on my DNS internally to resolve the FQDN to my local 10.0.0.7 IP.

Anyone got any tips?

 
Did you try to resolve the FQDN internally? If it doesn't work, it means you are right and you need to create a CNAME or A record.
 
If there is another zone file that you use internally to navigate to internal machines, which may be the case here, you can add an A record with the particular IP for the CAS server, like OWA in the <domain.whatever> zone that your internal machines can use for name resolution.

Cory
 
I suppose this also will rely on the fact that you can indeed reach it by specifying ip>/owa from the internal client machines...

In any case good luck!

Cory
 
Thanks guys,

Yeah, the FQDN resolves to the external IP, which is the firewall's external IP address. However, the so-called "managed" firewall freaks out and goes into a semi-recursive loop.

I've tried setting a few CNAME & A record addresses + restarted the DNS server services, followed by ipconfig /flushdns. Yet the clients still resolve to the external IP for
Either I've got a funny issue with my DNS (W3K) server or perhaps I'm not configuring the DNS correctly. However, when I do a tracert my clients do one hop and resolve to my ISP-given (external) IP address. Which does sort of point to my DNS setting?

Any ideas?
 
Well, if you are on a client machine using your DNS server, and you do a tracert on the FQDN, my guess is that the IP on that A record (something like sits in the zone <domain.com>) points to the IP that your ISP gave you, so the tracert is correct. What you would want to do is find out where to put this record: try pinging one of your server machines just by computer name; by doing this you can search the zone files for this record. From here you would create the new record for the internal site (A record = internalowa, with an IP corresponding to the internal IP that you would use to access it by IP). This in turn will be the record clients will use to get to <- assuming you don't have redirects and still need to add the owa part.

Decipher that run-on and maybe it will help you get somewhere.

Cory
 
Thanks Cstorms,

Just spent a wee bit of time running tests on a few other sites I support. Long story short, all the companies with "managed" firewall solutions actually have the same problem, yet have never noticed because they don't use Outlook via HTTPS access.

Hmm, ironically I had a project to replace that "managed" solution in the next few months. Guess now I've got more of a business case to roll that forward to next week.

 
You need split-brain DNS. Create an internal DNS forward lookup zone for your public domain name. Create A records for your OWA address (such as "mail") and point them at your CAS box. You'll also want to create A records for any public resources so your users can get to them, like your web site.

You typically don't want to use the external address internally. There's really no good reason for your firewall to ever have to deal with internal traffic destined for internal servers.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
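The split-brain zone Pat describes, plus the "did you try to resolve the FQDN internally?" check from Cory's first reply, as an added example that is not part of the thread. It assumes a placeholder public domain `example.com`, OWA host `mail`, an internal DNS server named `dc1`, and a placeholder public web address `203.0.113.10`; the only value taken from the thread is the internal CAS address 10.0.0.7. It uses the DnsServer PowerShell module (Windows Server 2012 or later); the equivalent `dnscmd` commands for a Windows Server 2003 ("W3K") box are given in comments.

```powershell
# Added example (not from the thread): create a split-brain DNS zone on a Windows DNS
# server so internal clients resolve the public OWA name to the internal CAS address.
# Assumptions (placeholders, not from the thread): public domain "example.com",
# OWA host "mail", internal DNS server "dc1", public web host "www" at 203.0.113.10.
# 10.0.0.7 is the internal CAS address given in the thread.

$PublicZone  = 'example.com'
$DnsServer   = 'dc1'
$InternalCas = '10.0.0.7'

# Hosts that must exist in the internal copy of the zone. Once the internal zone
# exists it shadows the public zone completely for internal clients, so every public
# name users need (web site, autodiscover, ...) has to be recreated here or it will
# stop resolving internally.
$Records = @{
    'mail' = $InternalCas      # OWA / CAS: internal address, never the firewall's
    'www'  = '203.0.113.10'    # public web site: keep its public address
}

# 1. Create the internal forward lookup zone for the public domain name.
#    Windows Server 2003 equivalent: dnscmd dc1 /ZoneAdd example.com /DsPrimary
if (-not (Get-DnsServerZone -Name $PublicZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain' -ComputerName $DnsServer
}

# 2. Add the A records, skipping any that already exist.
#    Windows Server 2003 equivalent: dnscmd dc1 /RecordAdd example.com mail A 10.0.0.7
foreach ($name in $Records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $PublicZone -Name $name -RRType A `
                    -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $name `
            -IPv4Address $Records[$name] -ComputerName $DnsServer
    }
}

# 3. Verify from a client's point of view: the OWA name must now resolve to the
#    internal (RFC 1918) address, not the ISP-assigned address the firewall owns.
Clear-DnsClientCache   # same effect as "ipconfig /flushdns"
foreach ($name in $Records.Keys) {
    $fqdn   = "$name.$PublicZone"
    $answer = (Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }).IPAddress
    $isPrivate = $answer -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    "{0,-30} -> {1,-15} private={2}" -f $fqdn, $answer, $isPrivate
}
```

Run it from a machine with the DNS Server RSAT tools installed, as an account that can administer the zone. Step 3 on its own is the diagnostic the thread starts with: if `mail.example.com` still comes back as the ISP-assigned address, the client is not using the internal zone (wrong DNS server, stale cache, or the record was added to the wrong zone), which is the situation Clopster's tracert was showing.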
 