Hello, I've got a question in regard to ActiveSync and Autodiscover. Consider the diagram below; I am walking through a design to migrate over from Exchange 2010 to 2016. You'll notice that there is no direct TCP:443 access from the public internet to Exchange 2016; I'm using a reverse proxy device to connect clients via ActiveSync and OWA only. The Outlook client itself will only ever connect over VPN.
The service URLs for Exchange 2016 have all been configured with a common FQDN, post.domain.com, including the ClientAccessService/Autodiscover URL. However, with the exception of the ActiveSync ExternalURI field, all other ExternalURIs have been set to $null.
I don't plan to create an autodiscover.domain.com record internally or externally, the hope being that Outlook clients can retrieve the necessary connection info with access to Active Directory DNS (SRV records), since they are only allowed to sync Outlook while on VPN.
We rely on an MDM management tool to push out ActiveSync configurations to all mobile devices, so no reliance on Autodiscover there either. So in this example, you can see that the reverse proxy URL on the public internet is as1.subdomain.domain.com, whereas the internal service URL name is post.domain.com, which the reverse proxy device connects to and resolves internally.
My question is this... Let's say an ActiveSync capable device happened to run the VPN client and now has access to internal DNS/SRV records. Can I expect the ActiveSync device to interact with Autodiscover at any level and overwrite the publicly resolvable as1.subdomain.domain.com to post.domain.com? This would in effect break ActiveSync once the VPN client was disconnected.