Netgate Discussion Forum

Certificate Error When Opening Outlook

  • I
    Injection_Mold
    last edited by May 10, 2016, 6:20 PM May 10, 2016, 6:08 PM

    I just installed a new PFSense firewall. When users open Outlook on the wired LAN there is no issue, but when they connect to the WiFi they get this certificate error. Not sure where to start. Thank you for your help in advance.  Note: I am new to PFSense.

    Information:
    PFSense Firewall
    Local Exchange
    Local DNS
    CertError.jpg

    • V
      viragomann
      last edited by May 10, 2016, 9:28 PM

      Do you have captive portal activated on WiFi or a Proxy?

      • I
        Injection_Mold
        last edited by May 11, 2016, 12:14 PM

        @viragomann:

        Do you have captive portal activated on WiFi or a Proxy?

        No I do not.

        • M
          muswellhillbilly
          last edited by May 11, 2016, 12:59 PM

          Do your LAN and wifi networks run on different address ranges? Are they separated networks?

          • I
            Injection_Mold
            last edited by May 11, 2016, 1:03 PM

            @muswellhillbilly:

            Do your LAN and wifi networks run on different address ranges? Are they separated networks?

            No.

            • M
              muswellhillbilly
              last edited by May 11, 2016, 1:07 PM

              Feel free to give answers of more than one word at a time. We could go on like this forever unless you give a better idea of what your network is like.

              • I
                Injection_Mold
                last edited by May 11, 2016, 1:52 PM

                @muswellhillbilly:

                Feel free to give answers of more than one word at a time. We could go on like this forever unless you give a better idea of what your network is like.

                I understand. I don't want to give irrelevant information and I don't really know what is causing this so I am not sure what info to give you. I apologize. What kind of information would you like to have?

                I have a new PFSense firewall. I have Cisco APs and a Cisco controller.  When users are connected via the wired LAN they get no cert error. When they connect to the WiFi (same LAN) they get the cert issue. Not sure if this is just a DNS issue or if I have something configured wrong on the Firewall. DNS and DHCP are handled by my DC.

                • V
                  viragomann
                  last edited by May 11, 2016, 2:05 PM

                  @Injection_Mold:

                  Not sure if this is just a DNS issue or if I have something configured wrong on the Firewall. DNS and DHCP are handled by my DC.

                  So do an NS lookup once on WiFi and once on LAN and compare the responses.

                  • M
                    muswellhillbilly
                    last edited by May 11, 2016, 2:09 PM

                    Are you saying your LAN and wifi clients are using the same DHCP and DNS servers? From the look of it, I'd say not - if your LAN clients are seeing the correct name for the certificate but your wifi users aren't then it's very likely they're getting different information. Have you checked a LAN client's DNS information against the same info for one of your wifi users?

                    Edit: I see viragomann has already posted this idea while I was typing.

                    • I
                      Injection_Mold
                      last edited by May 11, 2016, 5:42 PM

                      @muswellhillbilly:

                      Are you saying your LAN and wifi clients are using the same DHCP and DNS servers? From the look of it, I'd say not - if your LAN clients are seeing the correct name for the certificate but your wifi users aren't then it's very likely they're getting different information. Have you checked a LAN client's DNS information against the same info for one of your wifi users?

                      Edit: I see viragomann has already posted this idea while I was typing.

                      Ok, not sure if this has any relevance to this issue but on the wired LAN all info matches the WiFi except DHCP server. For some reason DHCP says, 1.1.1.1, when on the WiFi. It has correct DHCP ip when on the wired.

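Added example (not part of any post in this thread): one way to run the wired-versus-WiFi comparison suggested above, by parsing the relevant lines of `ipconfig /all` and `nslookup` output captured on each network. The captures, addresses and host names are constructed and assume English-locale Windows output; the 1.1.1.1 DHCP server mirrors what the original poster reported.

```python
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed captures (not from the thread): lines from `ipconfig /all` followed by
# `nslookup mail.domain.com`, taken on the same client on each network.
WIRED = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.11
Server:  dc01.domain.local
Address:  192.168.1.10

Name:    mail.domain.com
Address:  192.168.1.20
"""
WIFI = WIRED.replace(": 192.168.1.10\n", ": 1.1.1.1\n", 1)  # only the DHCP line changes

HINTS = {
    "dhcp_server": "the lease is answered or proxied by a different device",
    "dns_servers": "clients are handed different resolvers",
    "resolver": "nslookup queried a different DNS server",
    "answers": "the name resolves to another host, which may present another certificate",
}

def parse_capture(text):
    """Pull DHCP server, DNS servers, resolver and resolved addresses from one capture."""
    info = {"dhcp_server": None, "dns_servers": [], "resolver": None, "answers": []}
    state = None  # which field the next address (or bare continuation line) belongs to
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip(" .").lower()
        found = IPV4.search(value if sep else line)
        ip = found.group() if found else None
        if not sep:  # continuation line: a bare address under DNS Servers / Addresses
            if ip and state in ("dns_servers", "answers"):
                info[state].append(ip)
        elif key == "dhcp server":
            info["dhcp_server"], state = ip, None
        elif key in ("dns servers", "server", "name"):
            state = {"dns servers": "dns_servers", "server": "resolver", "name": "answers"}[key]
            if ip and state == "dns_servers":
                info[state].append(ip)
        elif key in ("address", "addresses") and state == "resolver":
            info["resolver"], state = ip, None
        elif key in ("address", "addresses") and state == "answers" and ip:
            info["answers"].append(ip)
        else:
            state = None
    return info

def compare(wired, wifi):
    """Return {field: (wired_value, wifi_value)} for every field that differs."""
    a, b = parse_capture(wired), parse_capture(wifi)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for field, (lan, wlan) in compare(WIRED, WIFI).items():
        print(f"{field}: wired={lan} wifi={wlan} -> {HINTS[field]}")
```
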
                      • V
                        viragomann
                        last edited by May 11, 2016, 6:04 PM

                        So I presume your WiFi device isn't directly connected to pfSense, it's rather connected to an AP or a wireless range extender which runs its own DHCP?
                        ::)

                        You may be able to configure the DHCP server to provide the correct DNS servers.

                        • I
                          Injection_Mold
                          last edited by May 11, 2016, 6:21 PM

                          @viragomann:

                          So I presume your WiFi device isn't directly connected to pfSense, it's rather connected to an AP or a wireless range extender which runs its own DHCP?
                          ::)

                          You may be able to configure the DHCP server to provide the correct DNS servers.

                          The APs report to the controller. The controller is directly connected to the main switch with a LAN ip. I am not using the controller for DHCP. Only the DC for DHCP.

                          • V
                            viragomann
                            last edited by May 11, 2016, 6:47 PM

                            And you also get different DNS servers when you are on WiFi and on wired?
                            Have you compared nslookups for your Exchange on both nets yet?

                            If there are simple APs in default mode, they should forward DHCP requests to a DHCP server, presume this is pfSense.

                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by May 11, 2016, 6:58 PM

                              he is tunneling traffic back to the controllers it sounds like to me..  And he most likely has a captive portal setup on his wlc..  And cert error is what he is getting from that not his exchange cert..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              • I
                                Injection_Mold
                                last edited by May 11, 2016, 7:05 PM May 11, 2016, 7:01 PM

                                @viragomann:

                                And you also get different DNS servers when you are on WiFi and on wired?
                                Have you compared nslookups for your Exchange on both nets yet?

                                If there are simple APs in default mode, they should forward DHCP requests to a DHCP server, presume this is pfSense.

                                All other info was correct except DHCP. So I started digging through my Cisco wireless controller and found that DHCP proxy mode was set to global on my WiFi. (After reading some Cisco documentation, apparently this is set to DHCP proxy mode by default). I disabled that and now my WiFi DHCP server ip is correct. Not sure if this will resolve the cert issue or not. I am going to continue watching this closely and see if the issue comes up again. I am not saying this fixed my Cert error issue but it has resolved the DHCP server ip issue.

                                • I
                                  Injection_Mold
                                  last edited by May 11, 2016, 7:02 PM

                                  @johnpoz:

                                  he is tunneling traffic back to the controllers it sounds like to me..  And he most likely has a captive portal setup on his wlc..  And cert error is what he is getting from that not his exchange cert..

                                  See my latest reply to viragomann. Not sure if that is what was causing the Cert issue. Will watch closely the next couple of days to see if the cert issue comes up again.

                                  • J
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by May 11, 2016, 7:06 PM

                                    why do you have to wait/watch - why not jump on the wifi and test it?

                                    • I
                                      Injection_Mold
                                      last edited by May 11, 2016, 7:08 PM

                                      @johnpoz:

                                      why do you have to wait/watch - why not jump on the wifi and test it?

                                      Ok, I just tested. Still getting Cert issue. The cert is issued by pfsense.

                                      • I
                                        Injection_Mold
                                        last edited by May 11, 2016, 8:09 PM May 11, 2016, 7:11 PM

                                        @johnpoz:

                                        why do you have to wait/watch - why not jump on the wifi and test it?

                                        So the cert, which is issued by PFSense, is trying to resolve mail.domain.com even though I have my Outlook pointing to server.domain.local. Is this a NAT or Rule issue with pfsense? When I try to tracert mail.domain.com from LAN it resolves to my WAN ip. Should this be resolving to local ip from lan?

                                        • V
                                          viragomann
                                          last edited by May 11, 2016, 8:24 PM

                                          Outlook doesn't need an MX record to communicate with Exchange.

                                          Maybe the old IP is still in your DNS cache. Try to flush the cache.
