Certificate Error When Opening Outlook
-
I just installed a new PFSense firewall. When users open Outlook on the wired LAN there is no issue, but when they connect to the WiFi they get this certificate error. Not sure where to start. Thank you for your help in advance. Note: I am new to PFSense.
Information:
PFSense Firewall
Local Exchange
Local DNS
-
Do you have captive portal activated on WiFi or a Proxy?
-
-
Do your LAN and wifi networks run on different address ranges? Are they separated networks?
-
Do your LAN and wifi networks run on different address ranges? Are they separated networks?
No.
-
Feel free to give answers of more than one word at a time. We could go on like this forever unless you give a better idea of what your network is like.
-
Feel free to give answers of more than one word at a time. We could go on like this forever unless you give a better idea of what your network is like.
I understand. I don't want to give irrelevant information and I don't really know what is causing this so I am not sure what info to give you. I apologize. What kind of information would you like to have?
I have a new PFSense firewall. I have Cisco APs and a Cisco controller. When users are connected via the wired LAN they get no cert error. When they connect to the WiFi (same LAN) they get the cert issue. Not sure if this is just a DNS issue or if I have something configured wrong on the Firewall. DNS and DHCP are handled by my DC.
-
Not sure if this is just a DNS issue or if I have something configured wrong on the Firewall. DNS and DHCP are handled by my DC.
So do a NS lookup once on WiFi and once on LAN and copare the responds.
-
Are you saying your LAN and wifi clients are using the same DHCP and DNS servers? From the look of it, I'd say not - if your LAN clients are seeing the correct name for the certificate but your wifi users aren't then it's very likely they're getting different information. Have you checked a LAN client's DNS information against the same info for one of your wifi users?
Edit: I see viragomann has already posted this idea while I was typing.
-
Are you saying your LAN and wifi clients are using the same DHCP and DNS servers? From the look of it, I'd say not - if your LAN clients are seeing the correct name for the certificate but your wifi users aren't then it's very likely they're getting different information. Have you checked a LAN client's DNS information against the same info for one of your wifi users?
Edit: I see viragomann has already posted this idea while I was typing.
Ok, not sure if this has any relevance to this issue but on the wired LAN all info matches the WiFi except DHCP server. For some reason DHCP says, 1.1.1.1, when on the WiFi. It has correct DHCP ip when on the wired.
-
So I presume your WiFi device isn't directly connected to pfSense, it's rather connected to an AP or a wireless range extender which runs its own DHCP?
::)You may be able to configure the DHCP server to provide the correct DNS servers.
-
So I presume your WiFi device isn't directly connected to pfSense, it's rather connected to an AP or a wireless range extender which runs its own DHCP?
::)You may be able to configure the DHCP server to provide the correct DNS servers.
The APs report to the controller. The controller is directly connected to the main switch with a LAN ip. I am not using the controller for DHCP. Only the DC for DHCP.
-
And you also get different DNS servers when you are on WiFi and on wired?
Have you compared nslookups for your Exchange on both nets yet?If there are simple APs in default mode, they should forward DHCP requests to a DHCP server, presume this is pfSense.
-
he is tunneling traffic back to the controllers it sounds like to me.. And he most likely has a captive portal setup on his wlc.. And cert error is what he is getting form that not his exchange cert..
-
And you also get different DNS servers when you are on WiFi and on wired?
Have you compared nslookups for your Exchange on both nets yet?If there are simple APs in default mode, they should forward DHCP requests to a DHCP server, presume this is pfSense.
All other info was correct except DHCP. So I started digging through my Cisco wireless controller and found that DHCP proxy mode was set to global on my WiFi. (After reading some Cisco documentation, apparently this is set to DHCP proxy mode by default). I disabled that and now my WiFi DHCP server ip is correct. Not sure if this will resolve the cert issue or not. I am going to continue watching this closely and see if the issue comes up again. I am not saying this fixed my Cert error issue but it has resolved the DHCP server ip issue.
-
he is tunneling traffic back to the controllers it sounds like to me.. And he most likely has a captive portal setup on his wlc.. And cert error is what he is getting form that not his exchange cert..
See my latest reply to viragomann. Not sure if that is what was causing the Cert issue. Will watch closely the next couple of days to see if the cert issue comes up again.
-
why do you have to wait/watch - why not jump on the wifi and test it?
-
why do you have to wait/watch - why not jump on the wifi and test it?
Ok i just tested. Still getting Cert issue. The cert is issued by pfsense.
-
why do you have to wait/watch - why not jump on the wifi and test it?
So the cert, which is issued by PFSense, is trying to resolve mail.domain.com even though I have my Outlook pointing to server.domain.local. Is this a NAT or Rule issue with pfsense. When I try to tracert mail.domain.com from LAN it resolves to my WAN ip. Should this be resolving to local ip from lan?
-
Outlook doesn't need an MX record to communicate with Exchange.
Maybe the old IP is still in your DNS cache. Try to flush the cash.
-
Outlook doesn't need an MX record to communicate with Exchange.
Maybe the old IP is still in your DNS cache. Try to flush the cash.
I deleted the MX record. back to where we were. I also flushed the DNS cache.
-
Outlook doesn't need an MX record to communicate with Exchange.
Maybe the old IP is still in your DNS cache. Try to flush the cash.
Since deleting the MX record and flushing the cache, tracert is resolving mail.domain.com to server.domain.local now. Not sure if this will hold. Going to test Outlook now.
-
Outlook doesn't need an MX record to communicate with Exchange.
Maybe the old IP is still in your DNS cache. Try to flush the cash.
Still getting the error. Its so random too. It does not come up everytime you open outlook and its not all users. It will jump around. One user will have an issue while another will not. All connected to same network. Any help is much appreciated.
-
"tracert is resolving mail.domain.com to server.domain.local now"
Huh?? What is the client using to access outlook.. an IP address a fqdn? Your saying this fqdn resolves to different IPs?
What are you clients using for dns? Here is the thing its is bad idea to point a client to multiple dns that could resolve things differently.. So for example pointing client to both a local dns and a public dns is BAD idea.. You are never going to be sure which dns a client does or gets a response from.
So if your asking for www.yourlocal.tld, public dns sure and the hell not going to know about that.. So if your clients need to resolve stuff that only resolves locally then only thing they should point to for dns is dns that can resolve that local stuff.
If your saying it pops up here or there sounds like to me you have an issue to where your clients are going..
-
"tracert is resolving mail.domain.com to server.domain.local now"
Huh?? What is the client using to access outlook.. an IP address a fqdn? Your saying this fqdn resolves to different IPs?
What are you clients using for dns? Here is the thing its is bad idea to point a client to multiple dns that could resolve things differently.. So for example pointing client to both a local dns and a public dns is BAD idea.. You are never going to be sure which dns a client does or gets a response from.
So if your asking for www.yourlocal.tld, public dns sure and the hell not going to know about that.. So if your clients need to resolve stuff that only resolves locally then only thing they should point to for dns is dns that can resolve that local stuff.
If your saying it pops up here or there sounds like to me you have an issue to where your clients are going..
Outlook is pointing to server.domain.local. Not sure where to begin. What is the first thing I should check?
-
"server.domain.local"
so what does that client use for dns? .local is only going to resolve with a local dns that has record for that.. that sure is not going to work on public internet.
-
"server.domain.local"
so what does that client use for dns? .local is only going to resolve with a local dns that has record for that.. that sure is not going to work on public internet.
IP config shows local server for DNS and google for secondary which is how it has always been. Never had an issue with this before. But yes, DNS is pointing to local DC.
-
and it also points to google.. So if client asks google for your server name.. What is it going to get back.. server.domain.local is not going to resolve on google..
As I stated before its BAD BAD BAD idea to use dns that can not resolve the same stuff to the same IPs.. You can not be sure what the client is going to use.. Be it you hadn't run into issues before is besides the point..
Lets say I am using server.somedomain.com, but I do not own this somedomain.com on the public.. Or lets say I do even. But my local dns points to 192.168.1.100, if I ask google for it what gets returned… It sure and the hell not going to be 192.168.1.100.. It might be the pubic IP, but then for me to access that it has to be a nat reflection, etc.
Or maybe it points me to some other server since I don't own somedomain.com
Pointing to name servers that can not return the same data is BAD idea!!! If you want 2, then point to 2 local ones that both resolve all your local stuff to the same IP. Public is going to be public - but pointing to a local server that resolves you local stuff and having a secondary server that does not resolve your local stuff is just BAD with issues waiting to happen.
-
and it also points to google.. So if client asks google for your server name.. What is it going to get back.. server.domain.local is not going to resolve on google..
As I stated before its BAD BAD BAD idea to use dns that can not resolve the same stuff to the same IPs.. You can not be sure what the client is going to use.. Be it you hadn't run into issues before is besides the point..
Lets say I am using server.somedomain.com, but I do not own this somedomain.com on the public.. Or lets say I do even. But my local dns points to 192.168.1.100, if I ask google for it what gets returned… It sure and the hell not going to be 192.168.1.100.. It might be the pubic IP, but then for me to access that it has to be a nat reflection, etc.
Or maybe it points me to some other server since I don't own somedomain.com
Pointing to name servers that can not return the same data is BAD idea!!! If you want 2, then point to 2 local ones that both resolve all your local stuff to the same IP. Public is going to be public - but pointing to a local server that resolves you local stuff and having a secondary server that does not resolve your local stuff is just BAD with issues waiting to happen.
Ok, I have removed the secondary DNS server from DHCP scope. Testing Outlook now.
-
validate the fqdn your trying to go to resolves to what its suppose to resolve too server.domain.local
simple ping, nslookup, dig, drill whatever your fav dns query tool is so you can see the answer. Ping works in a pinch to what the name resolves too. Be it answers or not.