Outlook Anywhere using internal URL even though no External URLs are configured
I've tried just about everything I've come across online for this issue. I have two Exchange 2007 servers, one is an outward facing CAS with name SERVER2.domain.com, the second is an internal CAS and Mailbox server called SERVER1.domain.com. I have a split-DNS configured, with the same domain.com for external as well as internal use. So SERVER1 is the internal mailbox/CAS server, and SERVER2 is the external CAS server.

For the external CAS SERVER2, Outlook Anywhere and autodiscovery are configured with the External URL https://moblie.domain.com, and internal URLs of https://mobile.domain.com. In the AD DNS, mobile.domain.com is a CNAME for SERVER2.domain.com. Externally, mobile.domain.com is pointed to the external IP address of the router, and ports 80 and 443 are forwarded to SERVER2's internal IP address. Everything seems to work fine, except when connecting to Outlook Anywhere I still receive invalid certificate errors, as Outlook receives the mobile.domain.com certificate but connects to SERVER1.domain.com.

In the client access section of SERVER1, I have removed the external URLs for OWA, ActiveSync, OAB, and have internal URLs set to https://server1.domain.com. Outlook Anywhere is not installed on this internal server. My issue is when using Outlook Anywhere, Outlook tries to connect to the internal SERVER1, and when passed the certificate of server1.domain.com, obviously complains about an invalid name, as it receives the certificate for mobile.domain.com (from what I understand, mobile.domain.com is thus forwarding the request to server1 instead of proxying the connection).
Here's the output of Outlook 2007's autodiscovery test XML while connecting externally:

    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <User>
          <DisplayName>My Name</DisplayName>
          <LegacyDN>/o=Domain-Name/ou=First Administrative Group/cn=Recipients/cn=nate</LegacyDN>
          <DeploymentId>24a7504b-ce6d-467b-8e6b-ece1c7274c99</DeploymentId>
        </User>
        <Account>
          <AccountType>email</AccountType>
          <Action>settings</Action>
          <Protocol>
            <Type>EXCH</Type>
            <Server>SERVER1.domain.com</Server>
            <ServerDN>/o=Domain-Name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER1</ServerDN>
            <ServerVersion>72038053</ServerVersion>
            <MdbDN>/o=Domain-Name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft Private MDB</MdbDN>
            <PublicFolderServer>SERVER1.domain.com</PublicFolderServer>
            <AD>SERVER1.domain.com</AD>
            <ASUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</EwsUrl>
            <OOFUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://SERVER1.domain.com/UnifiedMessaging/Service.asmx</UMUrl>
            <OABUrl>Public Folder</OABUrl>
          </Protocol>
          <Protocol>
            <Type>EXPR</Type>
            <Server>mobile.domain.com</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</EwsUrl>
            <OOFUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://SERVER1.domain.com/UnifiedMessaging/Service.asmx</UMUrl>
            <OABUrl>Public Folder</OABUrl>
          </Protocol>
          <Protocol>
            <Type>WEB</Type>
            <External>
              <OWAUrl AuthenticationMethod="Fba">https://mobile.domain.com/owa</OWAUrl>
              <Protocol>
                <Type>EXPR</Type>
                <ASUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </External>
            <Internal>
              <OWAUrl AuthenticationMethod="Basic, Fba">https://mobile.domain.com/owa</OWAUrl>
              <OWAUrl AuthenticationMethod="Basic, Fba">https://SERVER1.domain.com/owa</OWAUrl>
              <Protocol>
                <Type>EXCH</Type>
                <ASUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </Internal>
          </Protocol>
        </Account>
      </Response>
    </Autodiscover>
May 20th, 2011 4:14am
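
A check for the mismatch described in the question, as an added example that is not part of the original thread: it lists the service URLs in the Outlook Anywhere (EXPR) block of an Autodiscover response whose host is not covered by the names on the certificate the client is shown. The sample XML is trimmed from the response above; the function names and the certificate name list passed in are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a}"

# Sample input: the EXPR block trimmed from the response posted in the question.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol>
    <Type>EXPR</Type>
    <Server>mobile.domain.com</Server>
    <ASUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</ASUrl>
    <OOFUrl>https://SERVER1.domain.com/EWS/Exchange.asmx</OOFUrl>
    <OABUrl>Public Folder</OABUrl>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""

def covered(host, cert_names):
    """True if a certificate name matches host; '*.' covers exactly one leftmost label."""
    host = host.lower()
    parent = host.partition(".")[2]  # host minus its leftmost label
    return any(n.lower() == host or (n.startswith("*.") and parent and n[2:].lower() == parent)
               for n in cert_names)

def mismatches(xml_text, cert_names, protocol_type="EXPR"):
    """Return (element, host) pairs in matching Protocol blocks that the certificate does not cover."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for proto in root.iter(NS + "Protocol"):  # iter() also reaches Protocol blocks nested under WEB
        if proto.findtext(NS + "Type") != protocol_type:
            continue
        for child in proto:
            tag = child.tag.split("}")[-1]
            text = (child.text or "").strip()
            if tag == "Server":
                host = text
            elif text.lower().startswith("https://"):
                host = urlsplit(text).hostname or ""
            else:
                continue  # e.g. <OABUrl>Public Folder</OABUrl> is not a URL
            if not covered(host, cert_names):
                found.append((tag, host))
    return found

if __name__ == "__main__":
    for tag, host in mismatches(SAMPLE, ["mobile.domain.com"]):
        print(f"{tag}: {host} is not a name on the certificate")
```
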

Have you considered configuring the ExternalURLs of SERVER1's virtual directories to be the same as those on SERVER2?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
May 20th, 2011 5:34am

Edit: Ok, this kind-of worked. The first time I run the Outlook test auto-discovery tool, it still comes up with SERVER1.domain.com as the Availability Service URL and OOF URL, but if I run the tool again, they both come up as mobile.domain.com. Further runs of the tool all come up as mobile.domain.com. If I close and re-open Outlook 2007, the first time the tool is run it comes up as SERVER1.domain.com again, and further runs of the tool come up as mobile.domain.com. I still get the certificate warnings about SERVER1.domain.com sometimes, of course.
P.S. Everything I had read told me to remove the External URL from a CAS inside the network so that proxying would occur. However, the external URL change did seem to change the behavior.
May 20th, 2011 11:48pm

Outlook profiles can be sticky. You might consider "refreshing" the profile. Remove the last letter of your name and then click Check Name.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
May 22nd, 2011 7:41am

Hi,
Does the issue persist after refreshing the profile? Could you also post the autodiscovery log after running the autodiscovery test from an external network?
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thanks
Gen Lin-MSFT
May 23rd, 2011 11:49am
