Exchange 2010 Outlook anywhere cannot connect if user is on different site using CAS to CAS proxy

Hi All,

We have two TMG servers configured as a stand alone array acting as a reverse proxy on Site A.
Two CAS/HUB servers and two mailbox servers on Site A.

1 CAS/HUB/MBX on Site B.
1 CAS/HUB/MBX on Site C.

Each site has its own CAS array.  Site B and Site C goes through a WAN link to Site A to access the internet.


However when we migrate users to Site B and Site C, users on the internet cannot use Outlook Anywhere. Active Sync, OWA works fine.


Results of Exchange connectivity analyzer, whats bothering me is it says it passed.

Testing RPC/HTTP connectivity.
	The RPC/HTTP test completed successfully.
	Test Steps   ExRCA is attempting to test Autodiscover for jeff.doe@inchcape.com.sg.   Autodiscover was tested successfully.   Test Steps   Attempting each method of contacting the Autodiscover service.   The Autodiscover service was tested successfully.   Test Steps   Attempting to test potential Autodiscover URL https://inchcape.com.sg/AutoDiscover/AutoDiscover.xml   Testing of this potential Autodiscover URL failed.   Test Steps   Attempting to resolve the host name inchcape.com.sg in DNS.   The host name resolved successfully.   Additional Details   IP addresses returned: 202.172.61.215 Testing TCP port 443 on host inchcape.com.sg to ensure it's listening and open.   The port was opened successfully. Testing the SSL certificate to make sure it's valid.   The SSL certificate failed one or more certificate validation checks.   Test Steps   ExRCA is attempting to obtain the SSL certificate from remote server inchcape.com.sg on port 443.   ExRCA successfully obtained the remote SSL certificate.   Additional Details   Remote Certificate Subject: CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US. Validating the certificate name.   Certificate name validation failed.    <label for="testSelectWizard_ctl12_ctl06_ctl00_ctl00_ctl00_ctl02_ctl01_tmmArrow">Tell me more about this issue and how to resolve it</label>   Additional Details   Host name inchcape.com.sg doesn't match any name found on the server certificate CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg. Attempting to test potential Autodiscover URL https://autodiscover.inchcape.com.sg/AutoDiscover/AutoDiscover.xml   Testing of the Autodiscover URL was successful.   Test Steps   Attempting to resolve the host name autodiscover.inchcape.com.sg in DNS.   The host name resolved successfully.   Additional Details   IP addresses returned: 202.172.61.222 Testing TCP port 443 on host autodiscover.inchcape.com.sg to ensure it's listening and open.   The port was opened successfully. Testing the SSL certificate to make sure it's valid.   The certificate passed all validation requirements.   Test Steps   ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.inchcape.com.sg on port 443.   ExRCA successfully obtained the remote SSL certificate.   Additional Details   Remote Certificate Subject: CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US. Validating the certificate name.   The certificate name was validated successfully.   Additional Details   Host name autodiscover.inchcape.com.sg was found in the Certificate Subject Alternative Name entry. Certificate trust is being validated.   The certificate is trusted and all certificates are present in the chain.   Test Steps   ExRCA is attempting to build certificate chains for certificate CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg.   One or more certificate chains were constructed successfully.   Additional Details   A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US. Analyzing the certificate chains for compatibility problems with versions of Windows.   Potential compatibility problems were identified with some versions of Windows.   Additional Details   ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled. Testing the certificate date to confirm the certificate is valid.   Date validation passed. The certificate hasn't expired.   Additional Details   The certificate is valid. NotBefore = 10/24/2012 1:11:19 PM, NotAfter = 10/24/2013 1:11:19 PM Checking the IIS configuration for client certificate authentication.   Client certificate authentication wasn't detected.   Additional Details   Accept/Require Client Certificates isn't configured. Attempting to send an Autodiscover POST request to potential Autodiscover URLs.   ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.   Test Steps   ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.inchcape.com.sg/AutoDiscover/AutoDiscover.xml for user jeff.doe@inchcape.com.sg.   The Autodiscover XML response was successfully retrieved.   Additional Details   Autodiscover Account Settings XML response: <?xml version="1.0"?> <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <User> <DisplayName>Jeff Doe</DisplayName> <LegacyDN>/o=Inchcape SG/ou=First Administrative Group/cn=Recipients/cn=jeff.doe</LegacyDN> <DeploymentId>0ce3fcef-971d-4428-b7d0-5cc5c12c84d2</DeploymentId> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>EXCH</Type> <Server>mail-oc.inchcape.com.sg</Server> <ServerDN>/o=Inchcape SG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=mail-oc.inchcape.com.sg</ServerDN> <ServerVersion>738280F7</ServerVersion> <MdbDN>/o=Inchcape SG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=mail-oc.inchcape.com.sg/cn=Microsoft Private MDB</MdbDN> <ASUrl>https://bmsocxch16.inchcape.com.sg/EWS/Exchange.asmx</ASUrl> <OOFUrl>https://bmsocxch16.inchcape.com.sg/EWS/Exchange.asmx</OOFUrl> <OABUrl>http://mail.inchcape.com.sg/OAB/4253eafa-cea8-454e-80b0-4a2b1b9d87ad/</OABUrl> <UMUrl>https://bmsocxch16.inchcape.com.sg/EWS/UM2007Legacy.asmx</UMUrl> <Port>0</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <PublicFolderServer>BMSDCXCH12.inchcape.com.sg</PublicFolderServer> <AD>bmslkrad02.inchcape.com.sg</AD> <EwsUrl>https://bmsocxch16.inchcape.com.sg/EWS/Exchange.asmx</EwsUrl> <EcpUrl>https://bmsocxch16.inchcape.com.sg/ecp/</EcpUrl> <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um> <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr> <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt> <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret> <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms> </Protocol> <Protocol> <Type>EXPR</Type> <Server>webmail.inchcapemotors.com.sg</Server> <ASUrl>https://webmail.inchcapemotors.com.sg/ews/exchange.asmx</ASUrl> <OOFUrl>https://webmail.inchcapemotors.com.sg/ews/exchange.asmx</OOFUrl> <OABUrl>https://webmail.inchcapemotors.com.sg/OAB/4253eafa-cea8-454e-80b0-4a2b1b9d87ad/</OABUrl> <UMUrl>https://webmail.inchcapemotors.com.sg/ews/UM2007Legacy.asmx</UMUrl> <Port>0</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <SSL>On</SSL> <AuthPackage>Basic</AuthPackage> <EwsUrl>https://webmail.inchcapemotors.com.sg/ews/exchange.asmx</EwsUrl> </Protocol> <Protocol> <Type>WEB</Type> <Port>0</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <Internal> <OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">https://bmsocxch16.inchcape.com.sg/owa/</OWAUrl> <Protocol> <Type>EXCH</Type> <ASUrl>https://bmsocxch16.inchcape.com.sg/EWS/Exchange.asmx</ASUrl> </Protocol> </Internal> </Protocol> </Account> </Response> </Autodiscover> Autodiscover settings for Outlook Anywhere are being validated.   ExRCA validated the Outlook Anywhere Autodiscover settings. Attempting to resolve the host name webmail.inchcapemotors.com.sg in DNS.   The host name resolved successfully.   Additional Details   IP addresses returned: 202.172.61.222 Testing TCP port 443 on host webmail.inchcapemotors.com.sg to ensure it's listening and open.   The port was opened successfully. Testing the SSL certificate to make sure it's valid.   The certificate passed all validation requirements.   Test Steps   ExRCA is attempting to obtain the SSL certificate from remote server webmail.inchcapemotors.com.sg on port 443.   ExRCA successfully obtained the remote SSL certificate.   Additional Details   Remote Certificate Subject: CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US. Validating the certificate name.   The certificate name was validated successfully.   Additional Details   Host name webmail.inchcapemotors.com.sg was found in the Certificate Subject Common name. Certificate trust is being validated.   The certificate is trusted and all certificates are present in the chain.   Test Steps   ExRCA is attempting to build certificate chains for certificate CN=webmail.inchcapemotors.com.sg, OU=Domain Control Validated, O=webmail.inchcapemotors.com.sg.   One or more certificate chains were constructed successfully.   Additional Details   A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US. Analyzing the certificate chains for compatibility problems with versions of Windows.   Potential compatibility problems were identified with some versions of Windows.   Additional Details   ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled. Testing the certificate date to confirm the certificate is valid.   Date validation passed. The certificate hasn't expired.   Additional Details   The certificate is valid. NotBefore = 10/24/2012 1:11:19 PM, NotAfter = 10/24/2013 1:11:19 PM Checking the IIS configuration for client certificate authentication.   Client certificate authentication wasn't detected.   Additional Details   Accept/Require Client Certificates isn't configured. Testing HTTP Authentication Methods for URL https://webmail.inchcapemotors.com.sg/rpc/rpcproxy.dll?mail-oc.inchcape.com.sg:6002.   The HTTP authentication methods are correct.   Additional Details   ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic Testing SSL mutual authentication with the RPC proxy server.   Mutual authentication was verified successfully.   Additional Details   Certificate common name webmail.inchcapemotors.com.sg matches msstd:webmail.inchcapemotors.com.sg. Attempting to ping RPC proxy webmail.inchcapemotors.com.sg.   RPC Proxy was pinged successfully.   Additional Details   Completed with HTTP status 200 - OK Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server mail-oc.inchcape.com.sg.   The endpoint was pinged successfully.   Additional Details   RPC Status Ok (0) returned in 265 ms. Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.   The NSPI interface was tested successfully.   Test Steps   Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server mail-oc.inchcape.com.sg.   The endpoint was pinged successfully.   Additional Details   RPC Status Ok (0) returned in 671 ms. Testing NSPI "Check Name" for user jeff.doe@inchcape.com.sg against server mail-oc.inchcape.com.sg.   Check Name succeeded.   Additional Details   DisplayName: Jeff Doe, LegDN: /o=Inchcape SG/ou=First Administrative Group/cn=Recipients/cn=jeff.doe Testing the Referral service on the Exchange Mailbox server.   The Referral service was tested successfully.   Test Steps   Attempting to ping RPC endpoint 6002 (Referral Interface) on server mail-oc.inchcape.com.sg.   The endpoint was pinged successfully.   Additional Details   RPC Status Ok (0) returned in 609 ms. Attempting to perform referral for user /o=Inchcape SG/ou=First Administrative Group/cn=Recipients/cn=jeff.doe on server mail-oc.inchcape.com.sg.   ExRCA successfully got the referral.   Additional Details   The server returned by the Referral service: mail-oc.inchcape.com.sg Testing the Exchange Information Store on the Mailbox server.   ExRCA successfully tested the Information Store.   Test Steps   Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server mail-oc.inchcape.com.sg.   The endpoint was pinged successfully.   Additional Details   RPC Status Ok (0) returned in 640 ms. Attempting to log on to the Exchange Information Store.   ExRCA successfully logged on to the Information Store.