That's a good list. It is possible you could have added the /Autodiscover/* path to your OWA rule. But I now remember I had to create a separate TMG rule because with our OWA we leverage 2FA with OTP and Autodiscover won't work in that config. So had the second rule to allow Autodiscover requests. Anyway, hope you get it sorted, come back if/when you get it fixed. Be interested to know the steps used to resolve it.

Thanks,
Geoff

From: [email protected] On Behalf Of David McSpadden
Sent: Wednesday, October 22, 2014 11:09 AM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

Yeah how the hell have I been working all year like this?
No rule in TMG
No SRV internal or external
What the heck... :)
I will start SRV record externally
Then work on the TMG
Then get my certs straight.
Geez
Thanks all

From: [email protected] On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, October 22, 2014 2:02 PM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

Well (someone can jump in and correct me if I'm wrong), the SRV record is what will allow Autodiscover of devices to actually work. The MS connectivity test may succeed since it attempts to resolve the A record autodiscover.imsu.com. In that case, as long as the TMG is properly publishing the rule to allow the /Autodiscover/* path, you should be good. There was an error about SSL certs, so you may want to double-check that the SSL listener's cert is good, but perhaps one step at a time is the best approach here. Anyway, some of this is a bit foggy in my memory, so if anyone else wants to add details or correct me in any of the above, please do so.

Thanks,
Geoff

From: [email protected] On Behalf Of David McSpadden
Sent: Wednesday, October 22, 2014 10:56 AM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

That is internal? Or both?

From: [email protected] On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, October 22, 2014 1:51 PM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

And actually just saw you have an A record for Autodiscover but no mention of an SRV record. You'll want to make sure externally you have an SRV record that points to an A record with the IP of your TMG (in this case the Autodiscover.imcu.com). Example: [cid:[email protected]]

Thanks,
Geoff

From: [email protected] On Behalf Of David McSpadden
Sent: Wednesday, October 22, 2014 10:42 AM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

Thing is it has been working for about a year now. Just trying it now prior to getting new certs and it is failing. So since I don't test daily I am not sure when it broke. I will look at the TMG but I believe I have a rule there already.

From: [email protected] On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, October 22, 2014 1:38 PM
To: '[email protected]'
Subject: [Exchange] RE: DNS external records and Testconnectivity

I ran into this a couple months back. IIRC the /Autodiscover/* path had to be added to the publishing rule in TMG. I may have created a separate rule strictly for Autodiscover, though I am not sure if that was necessary or I did it to isolate the changes being made.

From: [email protected] On Behalf Of David McSpadden
Sent: Wednesday, October 22, 2014 10:25 AM
To: [email protected]
Subject: [Exchange] DNS external records and Testconnectivity

I have the below set externally with Ultradns and Fisolv:

Autodiscover.imcu.com 'A' 38.109.185.193
Mx1.imcu.com 'A' 38.109.185.193
LegacyMail.imcu.com 'A' 38.109.185.193
Mail.imcu.com 'A' 38.109.185.193
193.185.109.38.in-addr.arpa 'PTR' mail.imcu.com
193.185.109.38.in-addr.arpa 'PTR' mx1.imcu.com
'MX' mx1.imcu.com
'TXT' "v=spf1 ip4:184.72.242.195 ip4:38.109.185.193 ~all"

I have the below set internally with server 2012 DNS:

Outlook.imcu.com 'A' 10.0.55.58
Autodiscover.imcu.com 'A' 10.0.55.58
LegacyMail.imcu.com 'A' 10.0.50.4
Mail.imcu.com 'A' 10.0.55.58
58.55.0.10.in-addr.arpa 'PTR' mail.imcu.com
58.55.0.10.in-addr.arpa 'PTR' outlook.imcu.com
58.55.0.10.in-addr.arpa 'PTR' autodiscover.imcu.com
'MX' mail.imcu.com

My question is do I have all the DNS settings I need for an Exchange 2010 with TMG in the DMZ?
Because when I do a testconnectivity I get bad Autodiscover responses:
See below:

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Additional Details
Elapsed Time: 23179 ms.
Test Steps
Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.
Additional Details
Elapsed Time: 23179 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Additional Details
Elapsed Time: 23179 ms.
Test Steps
Attempting to test potential Autodiscover URL https://Imcu.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 490 ms.
Test Steps
Attempting to resolve the host name imcu.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 12.145.177.146
Elapsed Time: 266 ms.
Testing TCP port 443 on host imcu.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 76 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 146 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server imcu.com on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 121 ms.
Attempting to test potential Autodiscover URL https://autodiscover.Imcu.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1467 ms.
Test Steps
Attempting to resolve the host name autodiscover.imcu.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 38.109.185.193
Elapsed Time: 201 ms.
Testing TCP port 443 on host autodiscover.imcu.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 122 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 298 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.imcu.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.imcu.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 265 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.imcu.com was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 11/12/2013 1:47:36 PM, NotAfter = 11/12/2014 1:47:36 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 359 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Additional Details
Elapsed Time: 485 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.Imcu.com:443/Autodiscover/Autodiscover.xml for user [email protected].
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.
HTTP Response Headers:
Connection: close
Pragma: no-cache
Content-Length: 2040
Cache-Control: no-cache
Content-Type: text/html
Elapsed Time: 484 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Additional Details
Elapsed Time: 21036 ms.
Test Steps
Attempting to resolve the host name autodiscover.Imcu.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 38.109.185.193
Elapsed Time: 16 ms.
Testing TCP port 80 on host autodiscover.Imcu.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 21019 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Additional Details
Elapsed Time: 24 ms.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.Imcu.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Additional Details
Elapsed Time: 24 ms.
Checking if there is an autodiscover CNAME record in DNS for your domain 'Imcu.com' for Office 365.
Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
Additional Details
There is no Autodiscover CNAME record for your domain 'Imcu.com'.
Elapsed Time: 160 ms.

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
Confidentiality Notice: This is a transmission from Community Hospital of the Monterey Peninsula. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
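
The SRV advice from the replies, checked against the external records in the original post's own listing format. This is an added example, not part of the thread; the SRV priority/weight of 0 and the port 443 requirement are assumptions, since the screenshot in the reply did not survive.

```python
import re

# External A records as listed in the original post.
EXTERNAL = """\
Autodiscover.imcu.com 'A' 38.109.185.193
Mx1.imcu.com 'A' 38.109.185.193
LegacyMail.imcu.com 'A' 38.109.185.193
Mail.imcu.com 'A' 38.109.185.193
"""
# Constructed record following the reply's advice (values are assumptions).
SUGGESTED_SRV = "_autodiscover._tcp.imcu.com 'SRV' 0 0 443 autodiscover.imcu.com\n"

LINE = re.compile(r"^(\S+)\s+'([A-Z]+)'\s+(.+)$")

def parse_records(text):
    """Parse lines of the form: name 'TYPE' value -> {(name, type): [values]}."""
    records = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank line, or a record listed without an owner name
        name, rtype, value = m.groups()
        key = (name.lower().rstrip("."), rtype)
        records.setdefault(key, []).append(value.strip())
    return records

def check_autodiscover_srv(records, domain):
    """Return (ok, detail) for the DNS SRV redirect method on `domain`."""
    srv = records.get((f"_autodiscover._tcp.{domain}", "SRV"))
    if not srv:
        return False, "SRV record not found"
    problems = []
    for value in srv:
        fields = value.split()  # priority weight port target
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            problems.append(f"malformed SRV data: {value!r}")
            continue
        port, target = int(fields[2]), fields[3].lower().rstrip(".")
        addrs = records.get((target, "A"))
        if port != 443:
            problems.append(f"{target}: port {port}, expected 443")
        elif not addrs:
            problems.append(f"{target}: no A record")  # dangling SRV target
        else:
            return True, f"{target}:{port} -> {', '.join(addrs)}"
    return False, "; ".join(problems)

if __name__ == "__main__":
    for label, zone in (("as posted", EXTERNAL), ("with SRV", EXTERNAL + SUGGESTED_SRV)):
        print(label, check_autodiscover_srv(parse_records(zone), "imcu.com"))
```

A passing result only covers name resolution; the HTTP 403 in the analyzer output depends on the TMG publishing rule for /Autodiscover/*, which DNS cannot show.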
