
Discussion of DNS for Secure Outlook MAPI Publishing

All Forums >> [ISA Server 2000 General] >> Server Publishing >> Discussion of DNS for Secure Outlook MAPI Publishing Page: [1]
Discussion of DNS for Secure Outlook MAPI Publishing - 1.Oct.2003 4:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the secure outlook MAPI publishing DNS article over at:

http://isaserver.org/articles/outlookrpcdns.html

HTH,
Tom
Post #: 1
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 1.Oct.2003 8:32:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I fully agree! Having a rock solid DNS infrastructure is the key to a successful ISA implementation. We can't stress it enough! [Wink]

Thanks,
Stefaan

(in reply to tshinder)
Post #: 2
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 1.Oct.2003 9:26:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 2.Oct.2003 1:03:00 AM   
asutherland

 

Posts: 52
Joined: 23.Jan.2003
From: Nelson, B.C.
Status: offline
Great article... spawns a few questions from me.

1. I've never seen this work... Does Outlook prompt the user to log onto the domain (they would typically be in "offline" mode when on the road)?

2. When using DHCP to assign the primary DNS suffix - does the DHCP Server Option 015 for DNS Suffix apply to the primary DNS suffix or the connection specific suffix?

3. Our Global Catalog server (one only - no NLB) is not published, nor is there an entry in the External DNS for the gcservername.internal.net. I believe that only the ISA internal NIC preferred DNS server setting, which is set to the internal IP of the internal DNS server, is used to find the GC. Is there anything that needs to be done for the GC/DC - i.e. published or filters for RPC to work?

4.
a) The GC registry setting you referred to is required on every Outlook client machine?
b) is there a Group Policy template (computer template) that you know of that can be used to distribute this automatically, without having to touch every machine?
c) If they already have a working Outlook profile is this an issue?

5. If the DC/GC/internal DNS server's default gateway is not ISA's internal IP, will this create a problem for any of the Exchange Publishing rules, especially RPC?

We are phasing out an expensive dedicated Internet connection and converting to an ISA/ADSL connection (less than 100 users - 10% remote at any one time), therefore in this phase we have no current plan to change the default gateway setting on the domain controller/global catalog server/Internal DNS server - that server's default gateway is outbound through a router, not back through ISA.
So far, ISA is publishing web servers, TSAC and FTP and all is fine - now.

6. A distinction between home users Outlook config and laptop users would be very useful.
In particular the DNS configuration. (Min. Win2K machines - none older).

For example the laptop user roams with the same computer... it belongs to the domain and has all the DNS settings you have recommended. The only thing we need to do to make this work is to add the Exchangeservername.internal.net to the External DNS and it should just work for the laptops.

On the other hand, home computer users (not laptops) don't belong to our domain, probably their own workgroup or home domain via their Windows Internet Connection Firewall. They use any ISP and probably don't have any primary or connection specific suffix. How can we change the home user's config to just work? Just add the Primary DNS suffix to their computer Network ID properties?

7. A brief discussion of how this works for "hosting" company domains would be very useful. Can DNS aliases work in a hosting scenario so you can have user friendly URLs for the hosted companies?

We host two organizations and any number of different virtual domain names, all in a single Win2K domain model. At this time we have a split DNS, but it uses different domain names on the internal and external DNS servers. That is our "real" domain "internal.net" has no entries in the External DNS - but we're pretty much forced into it now... and this involves retraining users with a new URL.

For example,
External DNS
http://webmail.hostedcompanydomain/exchange
has to be changed to:
https://actualmailservername.internal.net/exchange so that we can use the same SSL certificate for all virtual dirs in the Exchange Server's Default Web Site, which also includes \CertSrv.

Thank you so much for this article and this discussion feedback.

Allison

(in reply to tshinder)
Post #: 4
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 2.Oct.2003 4:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Allison,

Lots of questions! [Big Grin]

1. You configure Outlook to log on to the user account, which includes the user's domain credentials in most cases

2. That sounds like the correct DHCP option

3. You don't need to publish the GC, you just need to make sure the name resolves to the IP address used in the RPC publishing rule

4. The hard coded GC requirement is for OL2000 only, AFAIK. I believe you can use the Office Deployment kit to create the required profiles with the right regentries

5. Only the published server needs to be a SecureNAT client

6. Home users and laptop users are the same in this scenario, they'll use the external DNS zone to access the site

7. A split DNS isn't really an issue with a hosting company, because the users don't roam between the internal and external network. However, the required DNS entries must be available for name resolution, as mentioned in the article

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 2.Oct.2003 7:44:00 PM   
asutherland

 

Posts: 52
Joined: 23.Jan.2003
From: Nelson, B.C.
Status: offline
Sorry to ask so many questions! You are like my mentor and you don't even know it. [Big Grin]

Your response:
3. You don't need to publish the GC, you just need to make sure the name resolves to the IP address used in the RPC publishing rule.

Question for Clarification: the GC needs to have an external DNS entry that resolves to the External IP address of the ISA server that Exchange is using to publish RPC? We've never had to put our servers.internal.net in the External DNS before so I'm a bit gun shy and have to justify this to the powers that be.

Your response:
7. A split DNS isn't really an issue with a hosting company, because the users don't roam between the internal and external network. However, the required DNS entries must be available for name resolution, as mentioned in the article.

My response:
Actually in our case, the hosted company is a hosted subsidiary, with their own UPN and their own web and email domain names. They reside in the same building and are on the same LAN, so they do roam between internal and external. They are treated as a separate company. We have a single domain with hosted company Organizational Units. They are segregated in every way by Active Directory and NTFS permissions, they even have their own private Global Address List in Exchange.

This is why it's so difficult to piece everything together, because it seems like our scenario is not very common. But, it's coming together for me. [Cool]

Thank you so much again for your responses - I very much appreciate them.

Allison

(in reply to tshinder)
Post #: 6
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 3.Oct.2003 3:46:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Allison,

* Thanks! I didn't know I was your mentor, but that's cool [Big Grin]

* You don't publish the GC, you just need to make sure that the FQDN of the DC resolves to the address you used in the RPC Server Publishing Rule (for remote clients). You don't need to do anything special to support GC access for internal clients because they can already contact the AD DNS objects

* OK, your users move between the internal and external network. That's fine. The split DNS will make things a million times easier for you.

Check out http://www.tacteam.net/isaserverorg/exchangekit/dnssupport/dnssupport.htm where I continue on this theme and see if it helps you get a better understanding of what's going on. I started this just about an hour ago, so it's not proofread or complete yet; return to the page periodically and you'll see incremental improvements.

You can also access the entire kit beta docs at www.tacteam.net/isaserverorg/exchangekit/default.htm

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 3.Oct.2003 8:40:00 PM   
asutherland

 

Posts: 52
Joined: 23.Jan.2003
From: Nelson, B.C.
Status: offline
Question for Clarification: the GC needs to have an external DNS entry that resolves to the External IP address of ISA server that Exchange is using to publish RPC?

* So your answer is YES?
the GC's FQDN (servername.internal.net) has to be on the External DNS Server, the address record resolves to the External IP address of ISA server that Exchange is using to publish RPC - it just doesn't have to be published.

We're just getting used to the idea that the servernames.internal.net have to be on the External DNS server. My boss did not want any internal.net entries on the External DNS - but now it can't be avoided.

Thanks so much..
Allison

(in reply to tshinder)
Post #: 8
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 4.Oct.2003 3:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Allison,

Putting those names in the public DNS won't cause any problems, and I wouldn't consider it a security risk. Proceed with your secure Exchange RPC publishing and reap the benefits!

Thanks!
Tom

(in reply to tshinder)
Post #: 9
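The split-DNS arrangement Tom describes above (the same FQDNs in both zones, resolving to the internal server address inside and to the ISA external address used by the RPC Server Publishing Rule outside) is easy to get half right, as Allison's question about the GC record shows. The check below is an added Python example, not code from the article, this thread, or ISA Server: the hostnames and addresses are constructed placeholders, the two dictionaries stand in for the internal and external zones, and the GC record is deliberately left out of the external zone to reproduce the missing-entry case discussed in the thread.

```python
"""Consistency check for a split-DNS setup used with Exchange RPC publishing.

Added example with constructed data. Two dictionaries stand in for the
internal (AD-integrated) zone and the public zone for the same domain name.
Every name a roaming Outlook client must resolve (Exchange server, GC/DC)
has to exist in both zones: inside it points at the real server, outside it
points at the ISA external address in the RPC Server Publishing Rule.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

# Constructed placeholder values; replace with the real rule address and names.
ISA_EXTERNAL_IP = "203.0.113.10"   # external address used by the RPC publishing rule
REQUIRED_NAMES = ("exchange.internal.net", "gc.internal.net")

INTERNAL_ZONE: Dict[str, str] = {
    "exchange.internal.net": "10.0.0.5",
    "gc.internal.net": "10.0.0.2",
}

# The GC record is intentionally absent here: remote clients cannot resolve it.
EXTERNAL_ZONE_BROKEN: Dict[str, str] = {
    "exchange.internal.net": "203.0.113.10",
}

# What the public zone should look like: every required name -> ISA external address.
EXTERNAL_ZONE_FIXED: Dict[str, str] = {
    "exchange.internal.net": "203.0.113.10",
    "gc.internal.net": "203.0.113.10",
}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def resolve(zone: Dict[str, str], name: str):
    """Look up an A record in a zone table; names are case-insensitive, trailing dot ignored."""
    return zone.get(name.lower().rstrip("."))


def check_split_dns(internal: Dict[str, str], external: Dict[str, str],
                    required: Sequence[str], isa_external_ip: str) -> List[Tuple[str, str]]:
    """Return (name, problem) pairs; an empty list means the two zones are consistent."""
    problems: List[Tuple[str, str]] = []
    for name in required:
        internal_ip = resolve(internal, name)
        external_ip = resolve(external, name)
        if internal_ip is None:
            problems.append((name, "missing from internal zone"))
        if external_ip is None:
            problems.append((name, "missing from external zone; remote Outlook clients cannot resolve it"))
        elif external_ip != isa_external_ip:
            problems.append((name, f"external zone answers {external_ip}, "
                                   f"expected the ISA external address {isa_external_ip}"))
    # A private address in the public zone is useless to remote clients and
    # discloses internal addressing, whether or not the name is on the required list.
    for name, addr in external.items():
        if is_rfc1918(addr):
            problems.append((name, f"external zone publishes private address {addr}"))
    return problems


if __name__ == "__main__":
    for label, zone in (("broken", EXTERNAL_ZONE_BROKEN), ("fixed", EXTERNAL_ZONE_FIXED)):
        findings = check_split_dns(INTERNAL_ZONE, zone, REQUIRED_NAMES, ISA_EXTERNAL_IP)
        print(f"{label}: {'consistent' if not findings else ''}")
        for name, problem in findings:
            print(f"  {name}: {problem}")
```

The check is deliberately narrow: it verifies only that the required names resolve in both zones and that the public answers are the rule's external address. It does not check that the RPC publishing rule itself exists or that the internal server is a SecureNAT client, which the thread also lists as requirements.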
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 14.Oct.2003 10:53:00 PM   
BobW

 

Posts: 227
Joined: 27.Mar.2002
Status: offline
Ah yes, I remember we discussed this very subject a while ago...

I have not completely read the article yet but am quite thrilled by seeing it is available.

As you may recall, I am the guy who ended up with an AD environment of company.local, whereas the external DNS is company.com. At the time I built the network split DNS was not in favor..... then ISA came around....

At any rate, the idea of adding suffix instead of rebuilding the entire domain is quite thrilling.

I would like, however, to figure out how to add the suffix automagically through a registry edit (or something!).

Any thoughts on this?
Thanks,
Bob

[ October 14, 2003, 11:48 PM: Message edited by: BobW ]

(in reply to tshinder)
Post #: 10
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 15.Oct.2003 1:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bob,

You should be able to do this with a netsh script. I haven't researched the option, but I bet it's possible.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 15.Oct.2003 8:03:00 PM   
BobW

 

Posts: 227
Joined: 27.Mar.2002
Status: offline
Found it....

1. With XP and later it can be performed in a GPO by modifying a simple setting.... sorry, did not note which one.
2. With 2000, see Q275553 and http://www.jsiinc.com/SUBN/tip6600/rh6609.htm

Hope that helps someone,
Bob

(in reply to tshinder)
Post #: 12
RE: Discussion of DNS for Secure Outlook MAPI Publishing - 30.Mar.2004 10:24:00 PM   
AndyD

 

Posts: 3
Joined: 22.Jun.2001
From: London, UK
Status: offline
Hi,

I recently bought an IPAQ Pocket PC (Windows Mobile 2003) which I can use to access the Internet while on the move over Wi-Fi or GPRS. It also has the ability to sync with Exchange Server so I want to be able to do that while on the move.

Your article has got me fixed up so my laptop can do it with Outlook 2003 - syncing seamlessly both inside and outside the ISA server. However the pocket PC only works inside the ISA server.

From outside the pocket PC can surf the net seeing sites published by the ISA server and those on the wider Internet (ie no general connectivity / dns problem).

I wonder if it is an authentication issue as changing the settings on ISA for this changes the error message but none of them seem to work.

The other thing is that ActiveSync looks like an HTTP service. I've even tried a Web Publishing Rule to just push everything that comes to http://mymailserver.xxx.xxx to the Exchange box and I still get an INTERNET_2 error on the Pocket PC. (I realise HTTPS is the way to go eventually but I want to get something working so I'm trying the basic version first!)

Any suggestions?

Thanks

Andy

[ March 31, 2004, 11:52 AM: Message edited by: AndyD ]

(in reply to tshinder)
Post #: 13
