Prevent second IP on multihomed server from registering in AD-enabled DNS

Tags: exchange-2010, outlook-anywhere, outlook-web-app

I have a Windows 2008 Standard server running Exchange 2010 that is hosting OWA. Internal Outlook 2007 clients connect to the primary IP via SSL, which is bound in IIS using the self-signed certificate Exchange creates on its own as exchange.mycompany.local.

In order to publish OWA to the outside world, I have a SonicWall firewall configured to forward HTTPS inquiries to a second IP address via SSL, also bound in IIS, but using a commercial certificate as mail.mycompany.com. This is necessary, of course, because you can't use host headers on SSL.

This second IP address exists on a second NIC in the server, it only has IPv4 bound to it, and the option to auto-register in the DNS is deselected. Nevertheless, every few hours, internal Outlook clients get that certificate error because that second IP address shows up in the DNS. I've been manually deleting the A record as it shows up, but nothing I've done has been able to keep it from coming back.

Any suggestions on how I can make this work? Unfortunately, the "proper" setup of separating the internal and external OWA sites isn't feasible right now.

Best Answer

You're seeing something that feels like the as-designed behaviour of the Microsoft DNS Server. By default, the DNS Server itself registers A records for all addresses the server listens for requests on. I'm wondering if this Exchange Server computer also happens to be a DNS server.

If I'm right, and assuming you're not using the second NIC's IP address as a DNS server IP address on any clients, open the DNS Management snap-in, go to the "Properties" on the server, go to the "Interfaces" tab, and choose to listen only on the IP addresses that you want "A" records registered for. Delete the unneeded "A" record and you'll find that it no longer comes back.
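The same check and fix, scripted with the tools that ship on the server rather than the snap-in. This is an added example and not part of the answer above; it uses `dnscmd` (present on Windows Server 2008) because the `DnsServer` PowerShell module only arrived with Server 2012. The zone, host name and IP addresses are constructed placeholders to be replaced with the server's own values.

```powershell
# Added example: verify and restrict which addresses the Microsoft DNS Server
# listens on, then remove the stray A record for the second NIC.
# Run in an elevated PowerShell on the Exchange/DNS server itself.

# --- constructed placeholders: replace with your own values ---
$ZoneName  = 'mycompany.local'   # AD-integrated forward zone
$HostName  = 'exchange'          # host part of exchange.mycompany.local
$PrimaryIP = '192.0.2.10'        # NIC that internal Outlook clients use
$SecondIP  = '192.0.2.11'        # NIC that only the firewall forwards to

function Get-HostARecords {
    # Ask the resolver for every A record of the host; works on PowerShell 2.0,
    # unlike Resolve-DnsName. Returns the IPv4 addresses as strings.
    param([string]$Fqdn)
    [System.Net.Dns]::GetHostAddresses($Fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
}

$Fqdn = "$HostName.$ZoneName"

# 1. Show whether the unwanted address has come back into DNS.
Write-Host "A records for $Fqdn before the change:"
Get-HostARecords $Fqdn | ForEach-Object { Write-Host "  $_" }

# 2. Show the addresses the DNS Server service currently listens on.
#    The 'Interfaces' tab in the snap-in edits this same setting.
Write-Host 'Current listen addresses (from dnscmd /Info):'
dnscmd localhost /Info | Select-String -Pattern 'ListenAddresses'

# 3. Listen only on the primary address, so the DNS Server no longer
#    registers an A record for the second NIC on its own behalf.
dnscmd localhost /ResetListenAddresses $PrimaryIP

# 4. Delete the stray record that was already registered. /f suppresses
#    the confirmation prompt.
dnscmd localhost /RecordDelete $ZoneName $HostName A $SecondIP /f

# 5. Restart the service so the new listen list is in force, then re-check.
Restart-Service -Name DNS
Start-Sleep -Seconds 5
Write-Host "A records for $Fqdn after the change:"
Get-HostARecords $Fqdn | ForEach-Object { Write-Host "  $_" }
```

If the second address reappears after this, the record is being written by something other than the DNS Server's own registration: confirm with the resolver (`ipconfig /all` shows the per-adapter registration setting) and with the zone's security tab which account owns the record, and check that no client points at the second IP as its DNS server, as the answer assumes.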