To give you the scenario: I have separate CAS and MBX servers for Exchange 2013. I am also using ISA 2004. The majority of my users are on Exchange 2007 still waiting to be migrated. I have tested with a couple of email accounts and have encountered a problem with Autodiscover internally. Externally, it is working fine. I have an internal address of CAS01.mycompany1.local and an external address of mail.mycompany.com.
I have discovered that Outlook needs to have the HTTP proxy set, pointing to mail.mycompany.com. If it isn't, I get the error: "There is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.mycompany.com. Outlook is unable to connect to the proxy server. (Error Code 0)." It also constantly prompts for credentials. If I cancel the credentials request, it then resolves to the GUID of the user for the Microsoft Exchange Server field and sets the mailbox to =SMTP:username@mycompany.com. I then have to cancel this and "manually configure the server settings". I choose Microsoft Exchange, click on More Settings, go to the Connection tab and, under Outlook Anywhere, tick "Connect to Microsoft Exchange using HTTP" and then click on "Exchange Proxy Settings". In the connection settings, I then have to set the URL to http://mail.mycompany.com. It then works.
Whilst I know this is not the cleanest way for this to operate, it is acceptable if I can get autodiscover to set the proxy settings automatically. I cannot expect users to manually set this.
Because ISA 2004 does not understand NTLM, I have set all the security to Basic. I have also tried setting the Internal and External Hostname to mail.mycompany.com. With the internal set to CAS01.mycompany1.local it makes no difference. I can resolve the internal name and external name using nslookup. Autodiscover is set to point to the CAS. The CertPrincipalName is set to *.mycompany.com (we are using a wildcard certificate) for both EXPR and EXCH. There is a certificate set on the CAS from our internal CA with CAS01.mycompany1.local as the primary name and then our other domains set as SANs.
I am now out of ideas on getting this working. In an ideal world, Outlook would just point directly to the CAS and pick up the settings. I find it strange how it can resolve the mailbox GUID but then cannot connect. It suggests that there is some problem with authentication. Any ideas on how to resolve this would be appreciated. Thanks in advance.
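The settings the question describes (Outlook Anywhere hostnames and authentication, the internal Autodiscover SCP, the EXPR/EXCH CertPrincipalName, and the certificate bound to IIS on the CAS) can all be read back from the Exchange Management Shell in one pass, which is the quickest way to confirm what Autodiscover is actually handing to Outlook. The following is an added set of diagnostic commands, not part of the original post; it assumes the Exchange 2013 CAS is named CAS01 as in the question and that a test mailbox (placeholder address below) already lives on the 2013 side.

```powershell
# Added diagnostic checks (example, not from the original post).
# Assumptions: Exchange 2013 CAS named CAS01; run from the Exchange Management Shell
# on the 2013 server with an account that can read organisation configuration.

# 1. Outlook Anywhere: the hostnames and auth methods Autodiscover returns to Outlook.
#    Internal/External hostname and the ClientAuthenticationMethod values are what the
#    client writes into its Exchange Proxy Settings; IISAuthenticationMethods is what
#    the RPC virtual directory actually accepts.
Get-OutlookAnywhere -Server CAS01 | Format-List Server, ExternalHostname, InternalHostname, `
    ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod, `
    IISAuthenticationMethods, ExternalClientsRequireSsl, InternalClientsRequireSsl

# 2. The SCP endpoint that a domain-joined Outlook queries first for internal Autodiscover.
#    The certificate presented at this URL must cover the hostname in it.
Get-ClientAccessServer -Identity CAS01 | Format-List Name, AutoDiscoverServiceInternalUri

# 3. Outlook provider settings (EXPR = Outlook Anywhere, EXCH = internal RPC).
#    CertPrincipalName is the name Outlook insists on seeing in the proxy certificate;
#    a mismatch produces the "name on the certificate is invalid" error quoted above.
Get-OutlookProvider | Format-List Name, CertPrincipalName, Server, TTL

# 4. Certificates on the CAS that are bound to IIS, with the names they cover.
#    Compare CertificateDomains against the hostnames from steps 1-3.
Get-ExchangeCertificate -Server CAS01 |
    Where-Object { $_.Services -like '*IIS*' } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 5. End-to-end Autodiscover / Outlook Anywhere probe from the server's point of view.
#    'TESTUSER@mycompany.com' is a placeholder; use a mailbox that is already on 2013.
Test-OutlookWebServices -Identity 'TESTUSER@mycompany.com' `
    -MailboxCredential (Get-Credential) `
    -ClientAccessServer CAS01 -TrustAnySSLCertificate | Format-List
```

Reading the output together shows whether the hostname Outlook is told to proxy to, the CertPrincipalName it is told to expect, and the subject or SAN names on the certificate actually bound to IIS all agree; any one of those three disagreeing produces exactly the certificate and credential-prompt symptoms described. On the client side, the same data as seen by Outlook is available from its built-in Test E-mail AutoConfiguration dialog (Ctrl + right-click on the Outlook tray icon), which lists the URLs and authentication methods the Autodiscover response contained.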