Proxy Server Security Certificate

Question

We are a hybrid deployment. Our user mailboxes are in Exchange Online. A couple of mailboxes are on prem for archiving application. We use smtp relay for inhouse applications and multifunction printers. The two hybrid servers are exchange 2019. The servers are in a DAG.

In preparation for enabling extended protection on the exchange servers, I un-checked SSL Offloading on Outlook Anywhere using EAC. We do not use Outlook Anywhere. I did not remove the server name from server host field and left negotiate in the authentication field. I tried disabling using powershell but received error message. It was suggested that I disable using EAC.

After I made the change, I started getting prompted for my credentials on my outlook client and outlook would not open. I also got the following message:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchangeserver2019.com. Outlook is unable to connect to the proxy server (Error Code 10)

I changed back to SSL Offloading. I am still getting the above message (may need to do iisreset?), but not getting the prompts and I am able to access Outlook.

Why am I getting this message? Do I need to remove the servername information from the Outlook Anywhere Fields?

Thank You for your help.

Answer 1

Hi @mara2021 ，

Do I need to remove the servername information from the Outlook Anywhere Fields?

No, there's no need to remove the servername information or change the authentication method when unchecking the SSL Offloading on Outlook Anywhere via EAC.

According to the official document, the recommended way to disable SSL offloading by running the cmdlet below:

Set-OutlookAnywhere -Identity "EXCH1\rpc (Default Web Site)" -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

Based on my test, un-checking the SSL Offloading option only on Outlook Anywhere in EAC does the almost the equivalent thing backend:

Why am I getting this message?

The error message indicates there is a mismatch between the host name that the Outlook client is trying to access and the certificate SAN. But it's weird that the error prompts and your outlook client is affected after disabling SSL offloading on Outlook Anywhere, as you mentioned that you do not use Outlook Anywhere.

To help narrow the issue, please collect the information below:

1. Outlook connection status when the issue occurs:
   While Outlook is running, click the CTRL key and then right-click the Outlook icon in the system tray, click Connection Status, catch a screenshot, be sure to include the protocol column. Obfuscate all sensitive information like email address and domain name, then share the image:
   
2. Check the Outlook Anywhere settings by running the following command:

Get-OutlookAnywhere | fl *ssl*,*authen*

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.