DNS Wildcard

Hi,
I need to set up a DNS Wildcard for my domain because WordPressMU requires this. I see from other posts that this needs to be done via the terminal. I have tried the following:
sudo nano /var/named/zones/db.mydomain.com.zone.tapestry
I have added the following line at the end:
*.mydomain.com IN A 10.1.1.101
I then restart the DNS Service via the Server Admin GUI
I then flush the DNS Cache on the server and the client.
dscacheutil -flushcache
I then try a lookup:
nslookup mydomain.com
Server: 10.1.1.2
Address: 10.1.1.2#53
* Can't find mydomain.com: No answer
I must be missing something - thanks

Couple of points:
nslookup mydomain.com
If a lookup on your domain name fails, that's a problem with the DNS setup, not with the wildcard record - the server doesn't know anything about your domain.
So either there's a typo in your post or you set up the zone incorrectly. Did you add the zone via Server Admin and then try to edit the zone file, or did you create the zone file from scratch (or by copying another zone file)?
The reason I ask the latter is because you say:
sudo nano /var/named/zones/db.mydomain.com.zone.tapestry
That file name doesn't look right to me. It's been a while since I've used Server Admin to create zones, but I don't ever recall seeing a .tapestry in the file name. This could be another transcription error, or it could be something different.
Beyond all that, your wildcard record isn't valid, anyway.
*.mydomain.com IN A 10.1.1.101
In any zone file, the first field on the line (in this case '*.mydomain.com') is prepended to the domain name. Therefore, if this record is in the 'domain.com' zone file it would relate to '*.domain.com.domain.com'. Probably not what you were looking for.
There are two solutions to this one. The first is to not include the domain name in the record:
* IN A 10.1.1.101
The second is to tell the server that this is a fully-qualified hostname that should not be prepended to the domain name, which is done by adding a trailing . to the hostname:
*.mydomain.com. IN A 10.1.1.101
Either of these would be a valid wildcard record, but you still have to fix the above domain/zone issues first.
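To make the owner-name rule concrete, here is an added example (mine, not code from the thread) that applies the zone-file qualification rule to the three spellings above and then resolves a few names against the result, including the closest-encloser rule that stops a wildcard from answering below an existing name. The zone text is constructed for the demonstration; the 10.1.1.x addresses are the ones from the post.

```python
"""Added example (not from the thread): how a BIND-style zone file
qualifies relative owner names, and why '*.mydomain.com' without a
trailing dot becomes '*.mydomain.com.mydomain.com.'.  The zone text is
constructed for the demonstration; 10.1.1.101 is the address from the post."""

# Constructed zone snippet: apex and www records plus the three wildcard
# spellings discussed above (the poster's broken one and the two valid ones).
ZONE_TEXT = """
$ORIGIN mydomain.com.
@                 IN  A  10.1.1.100
www               IN  A  10.1.1.100
*.mydomain.com    IN  A  10.1.1.101   ; broken: relative name, origin gets appended
*                 IN  A  10.1.1.101   ; valid: relative wildcard
*.mydomain.com.   IN  A  10.1.1.101   ; valid: absolute wildcard (trailing dot)
"""


def qualify(owner, origin):
    """Zone-file owner-name rule: '@' means the origin, a name ending in '.'
    is already absolute, anything else gets the origin appended."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}" if origin != "." else f"{owner}."


def parse_zone(text):
    """Return (owner, class, type, rdata) tuples with absolute owner names.
    Only the subset of syntax used above is handled: $ORIGIN, ';' comments
    and single-line 'owner CLASS TYPE rdata' records without TTLs."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if len(fields) < 4:
            continue
        owner, rclass, rtype, rdata = fields[0], fields[1], fields[2], " ".join(fields[3:])
        records.append((qualify(owner, origin), rclass, rtype, rdata))
    return records


def lookup(records, qname, qtype="A"):
    """Simplified RFC 4592 wildcard resolution: an existing name answers
    directly; otherwise the wildcard directly below the closest existing
    ancestor applies, and an existing name closer to qname blocks it."""
    qname = qname if qname.endswith(".") else qname + "."
    owners = {r[0] for r in records}
    if qname in owners:
        return list(dict.fromkeys(r[3] for r in records if r[0] == qname and r[2] == qtype))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        closer = ".".join(labels[i - 1:])
        # A name at or below this level exists, so it (not a higher wildcard)
        # is the closest encloser: no wildcard match, NXDOMAIN.
        if any(o == closer or o.endswith("." + closer) for o in owners):
            return []
        wildcard = "*." + ".".join(labels[i:])
        hits = [r[3] for r in records if r[0] == wildcard and r[2] == qtype]
        if hits:
            return list(dict.fromkeys(hits))
    return []


if __name__ == "__main__":
    records = parse_zone(ZONE_TEXT)
    for owner, _, rtype, rdata in records:
        print(f"{owner:<35} {rtype} {rdata}")
    for name in ("www.mydomain.com", "dev.mydomain.com", "a.www.mydomain.com",
                 "dev.mydomain.com.mydomain.com"):
        print(f"{name:<32} -> {lookup(records, name) or 'NXDOMAIN'}")
```

Running it shows the broken record only ever answers for names under mydomain.com.mydomain.com, while dev.mydomain.com is served by either valid form; a.www.mydomain.com returns nothing because www.mydomain.com already exists and is the closest encloser.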

Similar Messages

  • Csa dns suffix wildcards in system state

    Has anyone tried using a DNS wildcard in the system states? I have a customer that uses something.net as the common DNS, but locally they get assigned to things like 123.something.net. If I use *.something.net it doesn't match, and *something.net is a no-go as well. How is it supposed to be used? Do I really need to find all the subdomains and add these?

    I think the DNS suffix matching field in system state sets can be used for this. The following link may help you:
    http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap5.html#wp1008928

  • Mobile Account Nightmares!

    Ok so Mobile accounts looks to be the answer to everything. I am looking for an easy backup solution that will allow people to sync files over the network and also let them take their computers home while still being able to access that same account.
    Well, we have run into a few problems... and if I cannot get them fixed we will be forced to try to find another solution.
    One of these problems is that when the computer is off the network and connected to another network (like home or public wifi), the computer will literally take minutes to log in. It will just sit there after you type in your password. This is very inconvenient. Another problem is that when the computer is off the network the computer still tries to sync to the server. Why the **** would the computer keep trying to connect to the server when it is off the network!? This causes extreme slow downs and the user must manually cancel the sync.
    Also, I will ask this anyway, although I am pretty certain it is not possible: we want to only sync the computer to the network when they are on the local network. We have 5 sites that are all connected by T1s. Each site has a Mac OS X server that hosts their home folders. Some people travel from site to site, but we only want the computer to sync when they are at the site where their home directory resides. In other words, we don't want them to sync over the T1. Is this at all possible?
    Thanks in advance!

    OK, I might have improved this.
    Just tried this on a 10.6.4 client bound to a 10.6.4 server and I get the same 120 second delay at login when connected to a guest network.
    I have set home sync to be manual and reduced the timeouts.
    Time outs:
    Open/close times out in - 15 seconds
    Query times out in - 15 seconds
    Re-bind attempted in - 15 seconds
    Connection idles out in - 1 minutes
    Server side tracking is enabled.
    Client is set to obtain everything from DHCP, producing a 120 second delay.
    If I set the client to have a manual IP in the same range and don't set any DNS server, then login is instant, as soon as I set a DNS server I get the 120 second delay. DNS wildcarding ?
    Adding an entry in the client's hosts file for the server and rebooting the client has reduced the delay to 20 seconds. I can live with that.
    /etc/hosts
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
    <IP of my odmaster> <fully qualified name of my odmaster>
    If I comment out the entry in the hosts file and reboot, I'm back to 120 second delay which is only reduced by uncommenting the entry.
    Trying to login without any network connection is still instant.
    Cheers
    Gen
    Message was edited by: gen_bunty

  • [SOLVED] globbing in /etc/hosts or something similar

    Is there any way to glob addresses in /etc/hosts?
    If not, which seems to be the case, is there something else that could achieve a similar effect?
    Example:
    127.0.0.1 *.localhost # enable subdomains on localhost (with Apache virtual hosts)
    It's not that tedious to manually add them and I could probably write a script, but it would be useful for other things (127.0.0.1 *.google.* )
    Last edited by Xyne (2010-03-24 09:04:25)

    BIND supports DNS wildcards, which seems to be what you're after.
    Just for fun I went through the process of setting this up, and it's not too difficult.  I did need to do a bit of research to figure out the syntax for the DNS zones.  Fortunately, there are plenty of resources which describe this.
    Briefly, the process I went through for wildcard domain resolution:
    1) Install bind and invoke named
    2) Ensure the nameserver is included in resolv.conf and that the DNS service is in the host DB of /etc/nsswitch.conf
    3) Edit /etc/named.conf and the corresponding zone file.
    There's an article on debian-administration which focuses on exactly the case you proposed.
    Last edited by chpln (2010-03-23 11:04:56)

  • Wildcard dns

    From my blog.
    I’m having this problem where I can’t get the CNAME *.domain.tld working on Mac OSX server 10.8
    I'll illustrate my problem (presuming web service is up and running):
    Let’s set up a new “Primary Zone” with an “A Record”.
    Server.app
    DNS
    +
    Add Primary Zone
    Name: domain.tld
    Done
    +
    Add Machine Record
    Zone: domain.tld
    Host Name: domain.tld
    IP Addresses: 127.0.0.1
    Done
    Visit http://domain.tld/ in Safari
    That’s great, now we can find the domain by visiting the browser, but how about www.domain.tld?
    No can do.... But this is logical
    Let’s add a CNAME (or “alias Record”)
    Server.app
    DNS
    +
    Add Alias Record
    Zone: domain.tld
    Host Name: www
    Destination: domain.tld
    Done
    Visit http://www.domain.tld/ in Safari
    Now we can find domain.tld as well as www.domain.tld in the browser.
    This is just great, it almost looks like a full Enterprise Webserver!!
    Now I want to add *.domain.tld so I can find all.these.sub.domains.domain.tld as well, or maybe just dev.domain.tld or test.domain.tld or even www2.domain.tld.
    Server.app
    DNS
    +
    Add Alias Record
    Zone: domain.tld
    Host Name: *
    The GUI that so many people love does not accept the *, so I'll just type "asteriks" instead and change it in the terminal later.
    Host Name: asteriks
    Destination: domain.tld
    Done
    Terminal.app
    # sudo nano /private/var/named/db.domain.tld
    change "asteriks.domain.tld" to "*.domain.tld"
    Server.app
    DNS
    OFF
    ON
    The “GUI” now reflects the zonefile.
    I can now resolve anything.domain.tld, but not for long…
    The problem
    The problem is that periodically or after a service/machine restart, the *.domain.tld CNAME will be undone because Apple does not like it when I change things I’m not "supposed" to change.
    The issue I have with this problem is that *.domain.tld is widely accepted in Bind/DNS systems except for Mac OSX server Mountain Lion.
    Incom”Apple”ble…..
    Conclusion
    Apple OSX Server is NOT enterprise ready because it fails on a number of accounts (Bind, Samba) to offer the functionalities a 'real world' enterprise *NIX server offers.
    Apple "Server Support"
    I have spoken to Apple Server Support in Ireland who only know how to handle the GUI, so very friendly, but not very helpful!
    Please feel free to discuss this issue in this thread or on my blog.
    Message was edited by: OcchioNL

    Hi infinite vortex,
    Thanks, indeed the GUI doesn't allow wildcard entries.
    I already tried to edit the zone record file (/private/var/named/db.domain.tld) as I explained above and further to that I have already tried to chmod the file read-only.
    The system just deletes the whole file and regenerates the entries from the content out of the GUI.
    Is there a method to "lock" the file other than the method I describe in this reply?
    I agree; "this should work in BIND"!!!

  • Wildcards or regex in CSS dns-record

    Hi, is it possible to use regex or wildcards in the dns-record command in CSS? I would like to use something like
    dns-record a *.example.com 10.10.10.10
    so that the CSS responds to test1.example.com and test2.example.com without adding these last two dns-records in CSS.
    Thank you in advance.
    Samuel

    This can also happen if you do KAL-ICMP keepalive to your VIP
    CSCtj38660 Bug Details
    dns-record kal-icmp keepalive to vip could incorrectly go DOWN
    Symptom: The CSS is configured with a dns-record of type kal-icmp, querying a local VIP could incorrectly go DOWN when the service associated with that VIP is Alive.
    Conditions: The CSS is configured with a dns-record of type kal-icmp, querying a local VIP. The keepalive could incorrectly go DOWN if the service reports of a load of 254.
    Workaround: Configure "no load reporting" on the CSS

  • DNS Alias Wildcard?

    Hello.
    Is it possible to create a DNS Alias Wildcard?
    For example, a DNS alias record something like *.mydomain.com?
    Regards,
    Kristin.

    The GUI won't let you do this, for sure. You can edit the zone files directly but I'd almost guarantee that the GUI would overwrite the file (thereby deleting the wildcard) if you edit the zone. If you don't edit the specific zone (i.e. you edit other zones, but leave this one alone) you should be OK.
    There is no easy way to lock out users from editing specific zones via the GUI. You may have to setup some kind of monitoring to alert you when the zone file changes and your wildcard disappears.
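Since the advice above amounts to "watch the zone file and alert when the wildcard disappears", here is an added example of such a check (mine, not from the thread). It parses the zone text for an apex wildcard record in either valid spelling, compares the file's digest with the previous run, and exits non-zero on drift so cron or launchd can alert. The zone texts are constructed; the file path, zone name and expected address are command-line arguments in main().

```python
"""Added example (not from the thread): a check to run from cron or launchd
that notices when the zone file has been rewritten and the hand-added
wildcard record is gone.  The zone texts are constructed; the file path
given on the command line in main() is whatever your server uses."""
import hashlib
import re
import sys


def wildcard_pattern(zone_name, rtype):
    """Regex for an apex wildcard record in either valid spelling, '*'
    (relative) or '*.zone.' (absolute), with optional TTL and class."""
    zone = re.escape(zone_name.rstrip("."))
    return re.compile(
        rf"^[ \t]*(?:\*|\*\.{zone}\.)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?{re.escape(rtype)}[ \t]+(\S+)",
        re.IGNORECASE | re.MULTILINE,
    )


def wildcard_target(zone_text, zone_name, rtype="A"):
    """Return the rdata of the apex wildcard record, or None if it is missing."""
    m = wildcard_pattern(zone_name, rtype).search(zone_text)
    return m.group(1) if m else None


def check_zone(zone_text, zone_name, expected_target, last_digest=None, rtype="A"):
    """Classify the zone file as 'wildcard-missing', 'wildcard-changed'
    (present but pointing elsewhere), 'changed' (file differs from the last
    run, wildcard intact) or 'ok'.  Returns (status, sha256 digest)."""
    digest = hashlib.sha256(zone_text.encode()).hexdigest()
    target = wildcard_target(zone_text, zone_name, rtype)
    if target is None:
        return "wildcard-missing", digest
    if target.rstrip(".").lower() != expected_target.rstrip(".").lower():
        return "wildcard-changed", digest
    if last_digest is not None and digest != last_digest:
        return "changed", digest
    return "ok", digest


# Constructed samples: the zone after the hand edit, and the same zone as the
# GUI regenerates it, without the wildcard line.
HAND_EDITED = """$TTL 3600
mydomain.com.  IN  SOA  ns.mydomain.com. admin.mydomain.com. ( 2013102501 3600 900 604800 86400 )
mydomain.com.  IN  NS   ns.mydomain.com.
ns             IN  A    10.1.1.2
www            IN  A    10.1.1.100
*              IN  A    10.1.1.101
"""
GUI_REWRITTEN = HAND_EDITED.replace("*              IN  A    10.1.1.101\n", "")


def main(argv):
    """Usage: check_wildcard.py ZONEFILE ZONE EXPECTED_IP
    Keeps the last digest in ZONEFILE.sha256 and exits non-zero on any drift."""
    path, zone_name, expected = argv[1:4]
    state = path + ".sha256"
    try:
        with open(state) as fh:
            last = fh.read().strip() or None
    except FileNotFoundError:
        last = None
    with open(path) as fh:
        status, digest = check_zone(fh.read(), zone_name, expected, last)
    with open(state, "w") as fh:
        fh.write(digest)
    print(f"{path}: {status}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it every few minutes against the zone file; a 'changed' result after a Server Admin save is expected, while 'wildcard-missing' is the case the poster above is worried about and is the one to page on.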

  • Wildcard DNS entries

    Hello,
    In addition to this post: wildcard dns, has anyone found a solution to get wildcard DNS names properly working in OS X Server 4.1?
    When I manually modify this file /Library/Server/named/db.DOMAIN.com with an asterisk and then restart the DNS server, the wildcard domain works. But when I make any changes in the DNS GUI my asterisk entry will be deleted.
    I have also tried with the $INCLUDE statement, but this will also be deleted.
    Does anyone have an idea?
    Thanks
    Oliver

    Shut down the DNS server, edit the zone file, restart the server.
    The zone files are in
    /var/named
    or
    /library/server/named
    depending on the OS X Server version.
    FWIW and for completeness, forwarding servers aren't necessary, outside of cases where you're using a nanny filter or other such tool that shims into your network name resolution as a DNS server.
    Given what you're up to over in that other thread, this seems to be a fairly complex network.  You're probably also past what Server Admin.app and Server.app can deal with, and are probably just going to have to hand-manage this configuration.
    The networksetup tool is probably the closest to what you want, and based on a quick search that doesn't manage DNS forwarders AFAICT.  In the same area, the sudo serveradmin fullstatus dns and sudo serveradmin settings dns commands also lack access to the forwarding settings here.  Which means it's off to the zone files...

  • New, Single Server - DNS, Web, Wiki, Mail Setup Issues

    I'm having some issues properly setting up 10.7.3 to host internal DNS and external Web, Wiki and Mail.  I'm having issues with the web and wiki hosting.  Since those are the most important right now, I haven't really had a chance to fully test the other features.  I was able to do some testing of the mail and iCal but it was limited.
    Long read below but I thought the specifics would be helpful...
    My goals and configuration are:
    ***GOALS***
    Primary:
    1) Host a public website: example.org and www.example.org
    2) Host a public wiki: main.example.org and www.main.example.org
    3) Host a public mail server: [email protected]
    4) Host a public, group calendar
    4a) Read only to majority - Read/Write to a group
    5) Host a global address book for authenticated users
    Secondary:
    6) Allow anonymous public access to a file share (read only)
    7) Allow authenticated access to the same file share (read/write)
    8) Do as much of this via GUIs as possible.
    ***SETUP AND CONFIGURATION***
    Physical:
    1) Business class Internet (no blocked ports)
    2) A single, public and static IP address
    3) Domain name and public DNS via GoDaddy
    4) Wildcard Cert: *.example.org from GoDaddy
    5) Late 2011 (bought in Jan 2012) MacMini Lion Server (the $1,000 one).
    5a) Upgraded the RAM to 16GB (need for VMware Windows clients)
    5b) Added two USB to Ethernet adapters.
    6) Using a new model AirPort Extreme Base Station (bought w/ the MM) as the main router.
    Initial Configuration:
    7) Setup a Mac Address reservation for the main and two USB Ethernet ports along with the wireless too.
    7a) Main port = 10.0.1.5 / Others are .6, .7 and .10
    8) During the setup, I chose the Host on the Internet (third) option and named my server: main.example.org
    9) After the setup completed, I upgraded the OS & Admin Tool to 10.7.3 from a clean install (on #5 now)
    DNS Config
    10) I used the admin tool to open DNS and change:
    11) "Primary Zone Name" from main.example.org to example.org.
    12) In the "Nameservers:" block, I changed the zone name there but left the nameserver name alone (zone: example.org /// Nameserver Hostname: main.example.org).
    13) The Machine Name and Reverse Zone was left alone.  RZ resolves to main.example.org.  sudo changeip -checkhostname is good.  dig on the example.org and main.example.org are good to go (NOERROR).
    OD Config
    14) From the server app, I clicked Manage/Network Accounts and setup the OD - No issues.
    SSL
    15) From the server app, I created self signed cert, generated a CSR, got a public Cert, then replaced the self-signed with the public one - No issues.
    16) Changed any service using the self-signed cert to the public one - No issues.
    17) Changed the cert in the OD to the public cert from server admin - No issues.
    In order: File Sharing, Mail, AB, iCal, Web, Wiki, Profile Manager, Network Groups, Network Users
    18) File Sharing was setup using the server app
    19) Setup mail using the server app to start it and the server admin app to configure it - No issues there (I think...)
    20) AB - Flipped the switch to on
    21) iCal - Flipped the switch to on - I setup the e-mail address to use after I added the network accounts.
    22) Web - Flipped the switch to on - Default site worked (main.example.org)
    23) Wiki - Flipped the switch to on - Default wiki worked. (main.example.org)
    24) PM - Checked the sign config profiles and enabled the device mgt.  I then flipped the switch to on - Default settings and pages worked.
    ***MY PROBLEMS***
    Website:
    Adding a website for example.org gave me the red dot in the server app.  To fix that, I added a Machine Name record to my primary zone (PZ = example.org Machine Name = example.org).  I first tried using the same 10.0.1.5 IP as the main.example.org and left the reverse mapping alone (still resolved to the NS of main.example.org).
    That gave me the green light in the server app when trying to add the website again.  From there, I changed the "Store Site Files In" to the location of my website files (and confirmed "Everyone" has Read Access in the folder's security settings).  I left the other info alone (all defaults accepted) and clicked done.
    Access to the website works on the server but external access doesn't (Network Error/timed out tcp_error).  Checked the AirPort settings using the AirPort utility (version 5.5.3) and the Port Mapping (under the "Advanced" icon) show several services all pointing to 10.0.1.5.  Thinking it could be DNS I tried main.example.org externally and it failed the same way.
    I ran the changeip command (good to go) and dig on example.org and main.example.org and they both resolved to 10.0.1.5 correctly.
    I removed the example.org Machine Record from the zone and it now looks like:
    PZ=example.org / ZONE=example.org / NS=main.example.org
    Machine Record=main.example.org / IP=10.0.1.5
    RM=10.0.1.5 / Resolves=main.example.org
    PLEASE HELP!

    The amount of users (if relevant):
    On site - 1 (Me)
    Off site - 16 (Windows clients - some have iOS devices too)
    Web site traffic - less than 50 regular visits per day (avg of 15) with a peak of ~125 once a month.
    This is for a 501c3 public nonprofit made of all unpaid volunteers (including the officers and directors).  All of us have paying day jobs and I just so happen to be the guy that knows just enough to get myself in trouble here.

  • Can't delete primary zone in DNS after moving the server

    Woe is me!
    Our MacMini was hosted at a Colo site and working fine. No firewall in front of the machine, so we turned on the server firewall and only allowed mail, web, ftp, and a couple of other services. This worked great using our external public DNS wired to our domain names and public fixed IP address. Later, we got VPN up and running (the trick was to create a second, local IP address for the ethernet port), but this also required us to turn on the server's DNS to create a split-brained DNS server.
    Everything was working swimmingly... and then we had a hard drive crash. Since we were thinking about moving the server onsite anyway (our POS system was accessed through the VPN, but it could be slow and made our tasting room dependent on Internet access in order to run the POS), we ordered Comcast business class internet with a fixed IP address.
    We updated the external public DNS to the new public fixed IP. Rather than plug the mini directly into the Comcast router (which is in pass-through mode), we elected to put an AirPort Extreme in front of it, mainly so we could get all of the POS computers on the same local network without using the mini as a DHCP/NAT router. We created a DHCP reservation on the Extreme so that the mini had a fixed local IP address. We port forwarded everything we wanted to expose to the Internet. Email started to work again. However, web services and VPN are nada.
    This being Snow Leopard Server and having spent literally hours debugging DNS issues when we first got the server, I knew it wouldn't be straightforward. And it hasn't been. Even changing the IP address of the server has been a chore.
    We ran "sudo changeip <old IP address> <new IP address>".
    Then we ran "sudo changeip -checkhostname" and received:
    "$ sudo changeip -checkhostname
    Primary address     = 10.0.8.2 <new static internal IP address>
    Current HostName    = <servername>.<domainname>.com
    The DNS hostname is not available, please repair DNS and re-run this tool.
    dirserv:success = "success""
    Oh no, the black pit of death.
    Even though I tried to modify the machine record in the local DNS to reflect the new internal static IP address, Nada.
    So, looking back on my previous research from Mr Hoffman and others, I stopped the DNS service, and I deleted the primary zone and reverse lookups in order to rebuild them from scratch. Except that no matter what I do, I can't delete the primary zone - it comes back like Dracula (even though the reverse zone and all of the zone records are gone). I tried rebuilding everything using the undeletable zone, but after a few services (saved each one separately), they would suddenly disappear.
    I am leery of messing with the DNS files on the server as I don't want to hose up Server Admin (my command line skills are rudimentary and slow). I have so much installed on the machine now that I am concerned about someone saying "reinstall".
    Help!
    Related to this is that it is not clear to me in web services which IP address you should use for the sites. The internal IP? The public IP? I thought Apache cared about the external IP address. And I think Apache is hosed at the moment due to my DNS troubles anyway.
    Thanks in advance!

    Morris Zwick wrote:
    And does anyone know which IP you enter for your sites in the web service? The public static IP or the internal private static IP?
    For the external DNS server I am sure you have already deduced that it should be the static IP issued you by Comcast and this will be forwarded by your router to your server.
    For your internal DNS server you could use either the internal LAN IP, or the external IP, although the latter might be affected by your firewall so this you will need to test.
    For the Web Server service in Server Admin, if you're only running a single website you could avoid the issue by just using the wildcard entry which will respond to any IP address, so this would be an empty host name and an IP address of *
    In fact you don't have to specify an IP address you could just use the hostname, so it will listen to traffic arriving at your server addressed to any IP address and as long as the URL that was requested includes the hostname you define for the site it will get responded to. So if as an example you have two websites you want to serve
    www.example.com
    site2.example.com
    then as long as both have the IP address for the site as an * (asterisk) then both should work as separate sites for traffic addressed to either the LAN or WAN IP address of the server.
    You will still need to use two IP addresses on the server to enable VPN, you could use a USB Ethernet adapter for the second one. Port forwarding for VPN is not as simple as other traffic as VPN requires traffic different to the standard IP and UDP packets. Routers that support 'VPN Passthrough' are specifically designed to accommodate this but I don't know if the AirPort Extreme does this. I have also found PPTP copes better with this sort of setup than L2TP although PPTP is generally regarded as less secure.

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
    When testing from Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificates are not supported for the Edge server (both external and internal interface). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case my help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Routing DNS requests in a zone to a default host

    Hi,
    What I'd like to do is to direct all DNS requests for non-existent hosts to a single host by default. So even if I haven't defined a hostname in my zone, the request will still resolve (to this default host). Any ideas?
    Ben

    It's possible to do via wildcard DNS, but you cannot do it via Server Admin (it doesn't permit the * for the wildcard name), therefore you have to get under the hood and edit your zone file directly.
    You'll need to find your zone's domain file in /var/named and add a line like:
    *  IN  A  1.2.3.4
    (where 1.2.3.4 is, obviously, the IP address you want all unknown addresses to point to).
    You'll also need to increment the serial number in the SOA record near the top of the file (otherwise your change won't be noticed)
    Restart named (e.g. via killall -HUP named or via Server Admin), and now any lookup for an unknown host will return the specified address.
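The three steps above (add the `*` record, bump the SOA serial, reload) are easy to get half right; forgetting the serial is the classic way to end up with a change named never serves. Here is an added example (mine, not from the thread) that applies both edits to the zone file's text, handling the YYYYMMDDnn serial convention as well as plain counters, and refuses to add a second wildcard if one is already there. The zone text is constructed; 1.2.3.4 stands for the address you want unknown names to resolve to.

```python
"""Added example (not from the thread): apply the edit described above to a
zone file's text, i.e. add '*  IN  A  1.2.3.4' and increment the SOA serial,
before restarting named.  The zone text is constructed; 1.2.3.4 stands for
the address you want unknown names to resolve to."""
import datetime
import re

# The serial is the first integer after the two names that follow 'SOA', with
# an optional '(' in between.  A comment placed directly after '(' is not handled.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def bump_serial(serial, today_num):
    """Return the next SOA serial.  Serials in the YYYYMMDDnn convention
    restart at today's date plus 01 when their date part is older than
    today (given as an int like 20131026); anything else is incremented.
    Serials are 32-bit unsigned, so the value wraps at 2**32."""
    date_part = serial // 100
    if 19700101 <= date_part < today_num:
        return today_num * 100 + 1
    return (serial + 1) % 2**32


def add_wildcard(zone_text, address, today_num=None, rtype="A"):
    """Return (new_text, new_serial).  Appends a relative '*' record of the
    given type unless one already exists, and always bumps the serial so
    that named (and any secondaries) pick up the change."""
    if today_num is None:
        today_num = int(datetime.date.today().strftime("%Y%m%d"))
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    new_serial = bump_serial(int(m.group(2)), today_num)
    text = zone_text[:m.start(2)] + str(new_serial) + zone_text[m.end(2):]
    wild = re.compile(
        rf"^[ \t]*\*[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?{re.escape(rtype)}[ \t]", re.M)
    if not wild.search(text):
        if not text.endswith("\n"):
            text += "\n"
        text += f"*\tIN\t{rtype}\t{address}\n"
    return text, new_serial


# Constructed zone in the common multi-line SOA layout.
ZONE = """$TTL 3600
$ORIGIN mydomain.com.
@    IN  SOA  ns.mydomain.com. admin.mydomain.com. (
         2013102501  ; serial
         3600        ; refresh
         900         ; retry
         604800      ; expire
         86400 )     ; minimum
     IN  NS   ns.mydomain.com.
ns   IN  A    10.1.1.2
www  IN  A    10.1.1.100
"""

if __name__ == "__main__":
    new_text, serial = add_wildcard(ZONE, "1.2.3.4", 20131026)
    print(f"new serial: {serial}")
    print(new_text)
```

Write the returned text back to the zone file and then reload named as described above; running named-checkzone on the result before the reload is a cheap way to catch a typo.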

  • Federation with wildcard cert

    Hi,
    We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
    I use a wildcard cert for one of the domains for the Edge and reverse proxy.
    It works fine to connect from outside etc. But federation is not working.
    In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put the address sip.domain2.com as hostname, but it's actually pointing to a address that have the wildcard cert for *.mydomain1.com
    Is there some way to make this work without buying many certs?

    Hi,
    It is not supported to use a wildcard certificate for the Edge Server external interface. You need a public SAN certificate to support federation. You can use a wildcard certificate for the Reverse Proxy.
    For the other Server Roles on which a wildcard certificate can be used in a Lync Server environment, you can refer to the link below:
    https://technet.microsoft.com/en-us/library/hh202161.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
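The two replies above (the Edge external certificate CN=*.blah.co.uk, and the federation SRV record pointing at sip.domain2.com while the Edge presents *.mydomain1.com) both come down to how a client matches the presented certificate name against the host it connected to. Here is an added example of that matching rule (mine, not from the thread, and not a model of Lync's per-role certificate policy). The certificate names are constructed from the domains in the posts.

```python
"""Added example (not from the thread): the host-name matching rule that
decides whether a certificate name covers the name a client connected to
(RFC 6125 style).  It shows why a wildcard for *.mydomain1.com cannot cover
federation traffic for sip.domain2.com, and why a SAN certificate that lists
each name does.  The names below are constructed from the two posts; Lync's
own per-role certificate rules are not modelled."""


def cert_name_matches(pattern, hostname):
    """Case-insensitive comparison of one certificate name against a host.
    A '*' is accepted only as the entire leftmost label, matches exactly one
    label, and must leave at least two fixed labels, so '*.com' is rejected
    and '*.blah.co.uk' matches neither 'blah.co.uk' nor 'a.b.blah.co.uk'."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels = p.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]) or len(plabels) < 3:
        return False
    hlabels = h.split(".")
    return len(hlabels) == len(plabels) and hlabels[0] != "" and hlabels[1:] == plabels[1:]


def cert_covers(cert_names, hostname):
    """True if any DNS name on the certificate (CN or SAN entry) matches."""
    return any(cert_name_matches(n, hostname) for n in cert_names)


def federation_check(cert_names, srv_targets):
    """For each host a partner's _sipfederationtls._tcp SRV record points at,
    report whether the certificate the Edge presents would be accepted."""
    return {host: cert_covers(cert_names, host) for host in srv_targets}


# Constructed scenario: the Edge holds a wildcard for one SIP domain, while
# the second domain's SRV record points partners at sip.domain2.com.
WILDCARD_CERT = ["*.mydomain1.com"]
SAN_CERT = ["sip.mydomain1.com", "sip.domain2.com"]
SRV_TARGETS = ["sip.mydomain1.com", "sip.domain2.com"]

if __name__ == "__main__":
    print("wildcard:", federation_check(WILDCARD_CERT, SRV_TARGETS))
    print("SAN:     ", federation_check(SAN_CERT, SRV_TARGETS))
```

The wildcard result is exactly the failure in the federation post: a partner connecting to sip.domain2.com is shown a certificate whose only name is *.mydomain1.com, so the TLS handshake fails before SIP ever starts. A SAN certificate listing every SRV target passes for each one.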

  • RDS 2012 R2 best design possible with wildcard certificate

    Hi!
    I am looking for some guidance for my RDS 2012 R2 design flaw. 
    What I would like to achieve?
    *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
    What I have in place?
    1x Broker
    1x WebAccess
    1x Gateway (also license server)
    1x SessionHost
    1x Wildcard Certificate
    my internal domain is mydomain.local and external is mydomain.com
    I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
    Any guidance here will be very helpful.
    cheers
    Elton

    Hi Elton
    I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
    2 x RDSH servers
    1 x all other roles (web, gateway etc).
    However, I am using a valid single URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607authentication errors if the certificate is not fully
    valid - corrrect name, trusted, and recovation information available. If you have purchased a  commercial wildcard cert, this should work.
    I did some testing and concluded the following, may be of interest:
    If you are just using the farm for internal connections, you can use an internal CA, and create self signed certs for the gateway, and the RDSH servers. You could use individual
    certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA  manually on the external client,
    because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
    If you are connecting from outside your network, you have 3 options:
    Use self signed certs created during the role installation, don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in trusted root authorities on the external
    client.
    Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could either use separate certs, wildcard or SAN. If you replace
    the certificates on the RDSH servers, they must be valid and match the names.
    Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning
    when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
    To summarise, you can use either commercial or self signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be valid commercial for external clients to be able to connect. Otherwise
    just leave it as self signed.
    In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external
    address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a matching URL as on the certs. Or, create an internal DNS record, so that remote.domain.com points to your internal
    address of the RDweb server. This should work as well.
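An added check, not from the thread: this PowerShell snippet reproduces, from an external client, the chain and revocation validation that produces the 0x607 errors described above, so a certificate whose CRL/OCSP endpoints are unreachable from outside is found before users hit it. It assumes remote.domain.com is the gateway/RDWeb name from the reply (a placeholder) and that HTTPS is listening on 443; the function name is mine.

```powershell
# Added example (not from the thread): fetch the certificate a remote HTTPS listener
# presents and validate it the way a Windows client does, including online revocation.
# Assumptions: run from the external client; the host name below is a placeholder.
function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake; the real validation happens below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$name = 'remote.domain.com'   # placeholder: the gateway/RDWeb name from the reply
$cert = Get-RemoteTlsCertificate -HostName $name

# Build the chain with online revocation checking for every certificate in it.
# An internal CA whose CRL is only reachable inside the network fails here from outside.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)

# Name check: exact match, or a wildcard cert covering exactly one label.
$nameOk = $false
foreach ($dns in $cert.DnsNameList.Unicode) {
    if ($dns -eq $name) { $nameOk = $true }
    elseif ($dns.StartsWith('*.') -and $name -like $dns -and
            ($name.Split('.').Count -eq $dns.Split('.').Count)) { $nameOk = $true }
}

[pscustomobject]@{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotAfter  = $cert.NotAfter
    NameMatch = $nameOk
    ChainOk   = $chainOk
    # e.g. RevocationStatusUnknown / OfflineRevocation when the CRL cannot be fetched
    Problems  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

All three of NameMatch, ChainOk and an empty Problems list must hold for the client to connect without a 0x607-style failure.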

  • Exchange 2010 - Virtual Directory Internal & External URLs with Wildcard Cert

    Hi Guys
    I am trying to determine if my Exchange 2010 server Virtual Directory URLs are set up according to best practice. I'm sure anyone with good Exchange experience will instantly be able to tell me if my Virtual Directory DNS is correct or could cause issues.
    Scenario:
    Hosted Exchange 2010 SP1. Multiple client mail domains hosted
    2x CA, 2x HT, 2x MB, 2x DC
    Wildcard *.example.co.za certificate being used on CA servers
    AD domain is he.example.za.net
    CA Server naming example: ca1.he.example.za.net, ca2.he.example.za.net
    he.example.net DNS is done by DC servers
    External name used by clients: outlook.example.co.za (For Outlook setup and OWA access)
    outlook.example.co.za has two A records pointing to the CA IPs
    PROBLEM/CONCERN:
    We have a random OWA log out issue that we believe might be due to ambiguous DNS names being used.
    If I change the Virtual Directories External URL to be the FQDN of the server, we get a Certificate Error in clients (due to the .co.za Wildcard). The external URL clients use
    must be on .co.za.
    So are the Virtual Directory URLs causing the CA servers to lose track of who is authenticated where (leading to OWA disconnection)? Is it fine to load balance the CA servers with the DNS the way we are doing currently? Any other issues you see?
    Current Virtual Directory settings:
    Note that they are identical on CA1 and CA2
    [PS] C:>Get-OabVirtualDirectory -server ca2 |fl *url
    InternalUrl : https://outlook.example.co.za/OAB
    ExternalUrl : https://outlook.example.co.za/OAB
    [PS] C:>Get-WebServicesVirtualDirectory -Server ca2 |fl *url
    InternalNLBBypassUrl : https://ca2.he.example.za.net/ews/exchange.asmx
    InternalUrl          : https://outlook.example.co.za/ews/Exchange.asmx
    ExternalUrl          : https://outlook.example.co.za/ews/Exchange.asmx
    [PS] C:>Get-ActiveSyncVirtualDirectory -Server ca2 |fl  *url
    MobileClientCertificateAuthorityURL :
    InternalUrl                         : https://outlook.example.co.za/Microsoft-Server-ActiveSync
    ExternalUrl                         : https://outlook.example.co.za/Microsoft-Server-ActiveSync
    [PS] C:>Get-EcpVirtualDirectory -Server ca2 |fl  *url
    InternalUrl : https://ca2.he.example.za.net/ecp
    ExternalUrl : https://outlook.example.co.za/ecp
    [PS] C:>Get-OwaVirtualDirectory -Server ca2 |fl  *url
    Url             : {}
    Exchange2003Url :
    FailbackUrl     :
    InternalUrl     : https://ca2.he.example.za.net/owa
    ExternalUrl     : https://outlook.example.co.za/owa
    [PS] C:>Get-AutodiscoverVirtualDirectory |fl *url, server
    InternalUrl :
    ExternalUrl :
    Server      : CA1
    InternalUrl : https://outlook.example.co.za/
    ExternalUrl : https://outlook.example.co.za/
    Server      : CA2
    REALLY APPRECIATE SOME EXPERT ADVICE. Thanks.
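An added audit script, not from the post or Microsoft: it collects every Internal/External URL from the virtual directories listed above and flags each host name the *.example.co.za wildcard does not cover, which is where the certificate error the poster describes comes from. It assumes the Exchange Management Shell, the server names ca1/ca2 and the wildcard domain from the post; the Test-WildcardName function is mine.

```powershell
# Added example (not from the thread): audit Exchange 2010 virtual directory URLs
# against the names a wildcard certificate actually covers.
# Assumptions: Exchange Management Shell; values below are taken from the post.
$WildcardDomain = 'example.co.za'     # the cert covers exactly one label under this
$Servers        = 'ca1', 'ca2'        # CAS servers from the post

# A wildcard certificate matches one label to the left of the domain, nothing deeper.
function Test-WildcardName {
    param([string]$HostName, [string]$Domain)
    if (-not $HostName) { return $true }   # empty URL: nothing to validate
    $labels = $HostName.ToLower().Split('.')
    $suffix = $Domain.ToLower().Split('.')
    if ($labels.Count -ne $suffix.Count + 1) { return $false }
    return (($labels | Select-Object -Skip 1) -join '.') -eq ($suffix -join '.')
}

$results = foreach ($srv in $Servers) {
    # The same HTTPS virtual directories the post queries, fetched per server.
    $vdirs = @(Get-OwaVirtualDirectory -Server $srv) +
             @(Get-EcpVirtualDirectory -Server $srv) +
             @(Get-WebServicesVirtualDirectory -Server $srv) +
             @(Get-ActiveSyncVirtualDirectory -Server $srv) +
             @(Get-OabVirtualDirectory -Server $srv) +
             @(Get-AutodiscoverVirtualDirectory -Server $srv)
    foreach ($vd in $vdirs) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $vd.$prop                       # System.Uri or $null
            $h = if ($url) { $url.Host } else { $null }
            [pscustomobject]@{
                Server   = $srv
                Vdir     = $vd.Name
                Property = $prop
                Host     = $h
                Covered  = Test-WildcardName -HostName $h -Domain $WildcardDomain
            }
        }
    }
}

# Hosts not covered by the wildcard (e.g. ca2.he.example.za.net for OWA/ECP InternalUrl)
# produce certificate errors on any client that uses that URL.
$results | Where-Object { -not $_.Covered } | Format-Table -AutoSize

# Example fix for the OWA InternalUrl shown in the post; remove -WhatIf to apply.
# ECP follows the same pattern with Set-EcpVirtualDirectory.
Get-OwaVirtualDirectory -Server ca2 |
    Set-OwaVirtualDirectory -InternalUrl 'https://outlook.example.co.za/owa' -WhatIf
```

The EWS InternalNLBBypassUrl is left out on purpose: it is meant to carry the individual server FQDN.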

    Hi Kane,
    Why did you not use a CAS array to load balance client connectivity?
    If you create a CAS array, you can assign a virtual IP (VIP) for the CAS array FQDN (e.g. CASarray.example.za.net), and then point all the Virtual Directories' internal URLs to the CAS array FQDN.
    For external, you can point outlook.example.co.za to VIP which had been assigned to CAS array.
    I recommend you refer to the following article to understand CAS array:
    http://technet.microsoft.com/en-us/library/ee332317(v=exchg.141).aspx#CASarray
    http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
    http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
    Best regards,
    Niko Cheng
    TechNet Community Support
