
We currently have a few CAS/Hub servers behind a hardware balancer. We were told by Microsoft and Digicert that we may not need them listed as SANs in our UCC cert since we do not publicize their hostname to users.

However, when we tried to apply the UCC certificate to our CAS servers without them listed individually as a SAN we received errors like this from Outlook:

[Screenshot: Outlook certificate error]

Does anyone know what configuration or setup causes the CAS server hostnames to be exposed?

PS: I know that we shouldn't be using fake TLDs. We are working to fix that soon.

Update (5/6/14)

I ran through a plethora of configuration settings:

Get-WebServicesVirtualDirectory | Fl Identity,InternalUrl,ExternalUrl
Get-OabVirtualDirectory | Fl Identity,InternalURL,ExternalURL
Get-ActiveSyncVirtualDirectory | Fl Identity,InternalUrl,ExternalUrl
Get-OutlookAnywhere | Fl Server,ExternalHostname
Get-ClientAccessServer | Fl Server,AutoDiscoverServiceInternalURI

The only one that referenced our fake-TLD internal hostname was the last one. Isn't this just for Autodiscover, though? Why would internal clients reference it on every launch?

Belmin Fernandez
    Check your Autodiscover internal and external URLs with PowerShell. Also, have you phased out internal DNS names from your UCC cert? – DanBig May 05 '14 at 17:40
  • Are you using CASarray as suggested? Get-WebServicesVirtualDirectory | FL ExternalURL,InternalURL – Vick Vega May 06 '14 at 01:01

1 Answer


It's by design. Autodiscovery is going on internally and externally, and it happens to default to the internal CAS Server name.

As you already figured out, you need to change all services to use the External URL as Internal URL as well, else your internal clients will receive certificate errors.

MichelZ
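As an added example (not code from the question or the answer above), the script below checks every hostname Exchange hands to Outlook, including the AutoDiscoverServiceInternalUri the question identified, against the DNS names on the certificate and reports the ones that would trigger the prompt. The URL list and SAN list are constructed sample values; the commented cmdlets show where the live values come from.

```powershell
# Added example: find Exchange client URLs whose hostname is not covered by the
# certificate's SANs. Sample data below is constructed, not from a real server.

function Get-HostFromUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    return ([System.Uri]$Url).Host.ToLowerInvariant()
}

function Test-NameCoveredBySan {
    param([string]$HostName, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        $s = $san.ToLowerInvariant()
        if ($s -eq $HostName) { return $true }
        # Wildcard SAN (*.example.com) matches exactly one leading label
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)            # ".example.com"
            $label  = $HostName.Split('.')[0]
            if ($HostName -eq ($label + $suffix)) { return $true }
        }
    }
    return $false
}

function Find-UncoveredHosts {
    param([hashtable]$Urls, [string[]]$SanNames)
    $uncovered = @()
    foreach ($entry in $Urls.GetEnumerator()) {
        $h = Get-HostFromUrl $entry.Value
        if ($h -and -not (Test-NameCoveredBySan $h $SanNames)) {
            $uncovered += [pscustomobject]@{ Setting = $entry.Key; HostName = $h }
        }
    }
    return $uncovered
}

# Constructed sample of what the question's cmdlets return. On a live server, fill
# this from (Get-ClientAccessServer).AutoDiscoverServiceInternalUri and the
# InternalUrl/ExternalUrl of Get-WebServicesVirtualDirectory,
# Get-OabVirtualDirectory, Get-ActiveSyncVirtualDirectory, Get-OutlookAnywhere.
$urls = @{
    'EWS InternalUrl'                = 'https://mail.example.com/EWS/Exchange.asmx'
    'OAB InternalUrl'                = 'https://mail.example.com/OAB'
    'AutoDiscoverServiceInternalUri' = 'https://cas01.corp.local/Autodiscover/Autodiscover.xml'
}
# DNS names on the UCC certificate (constructed); on a live server use
# (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains
$sanNames = @('mail.example.com', 'autodiscover.example.com')

Find-UncoveredHosts -Urls $urls -SanNames $sanNames | Format-Table -AutoSize
```

Any row the script prints is a name Outlook will connect to but the certificate does not cover; pointing that setting at a SAN-covered name (as the answer describes) removes it from the list.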