KANEWONG

Certificate alert on Outlook 2007 while connecting to Exchange 2007 SP1

I recently installed Outlook 2007 on my laptop for evaluation, and I am using it to connect to my Exchange 2007 SP1 server.  My Exchg 2K7 has an SSL certificate which allows access via OWA or RPC over HTTPS from the internet.  The SSL cert is using a valid internet URL.

The local server name of my Exchange is "EX2K7.COMPANY.LOCAL". When I start Outlook 2007, I receive a Security Alert window about my certificate.  The following is the content of the pop-up window.

ex2k7.company.local

Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's security certificate.

        The security certificate is from a trusted certifying authority.

        The security certificate date is valid.

        The name on the security certificate is invalid or does not match the name of the site.

Do you want to proceed?

I can press the "Yes" button to start my Outlook, but how can I get rid of the alert window?

I understand that it is because the SSL site name is not exactly the same as my local domain name on the server.  Is there any way that both of them can co-exist at the same time?

ex2k7.company.local is used for local LAN.
email.company.com is used for internet

Currently, the "email.company.com" is used on my SSL certificate.



Pret0rian
Hi,

This is because you have used a Single Name SSL certificate.
What you should have used for Exchange 2007 is a UC/SAN Certificate. This kind of certificate lets you have multiple names in it. So for your organization you would have:

email.company.com
ex2k7
ex2k7.company.local
autodiscover.company.com

Autodiscover is there for external users to get their Outlook configured automatically.

When using this kind of certificate you won't have any problems if the client is connecting to the internal name or the external.

What you could do here, if you have an ISA or something like that, is to use the certificate you have bought on the ISA server, and then use an internal SAN certificate issued from your internal CA on the Exchange server.

If you don't use a UC/SAN certificate on the Exchange server, some features aren't going to work, like the free/busy information when using the Scheduling Assistant.

Remi
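
As an added example (not part of the original thread or any poster's code), the following Python checks which of the names listed in the answer above a given certificate covers, which is exactly the condition behind the "name on the security certificate is invalid" alert. The matching rule is a simplified hostname comparison, and the wildcard certificate is an assumption included for comparison that the thread does not discuss.

```python
# Added example: which names from the thread does a certificate cover?
# Matching is simplified: case-insensitive, and a "*" may only stand for
# the whole left-most label of the name.

def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one certificate name covers the host a client connects to."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more or fewer labels
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered(cert_names, required_hosts):
    """Hosts that would trigger the name-mismatch alert with this certificate."""
    return [h for h in required_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Names that clients connect to, taken from the thread.
REQUIRED = ["email.company.com", "ex2k7", "ex2k7.company.local",
            "autodiscover.company.com"]

# Constructed certificate name sets for comparison.
SINGLE_NAME = ["email.company.com"]      # the asker's current certificate
WILDCARD = ["*.company.com"]             # assumption: not discussed in the thread
UC_SAN = ["email.company.com", "ex2k7", "ex2k7.company.local",
          "autodiscover.company.com"]    # the name list from the answer above

if __name__ == "__main__":
    for label, names in [("single-name", SINGLE_NAME),
                         ("wildcard", WILDCARD),
                         ("UC/SAN", UC_SAN)]:
        missing = uncovered(names, REQUIRED)
        result = "no alert" if not missing else "alert for: " + ", ".join(missing)
        print(f"{label:12} -> {result}")
```

The single-name certificate leaves the internal names and autodiscover uncovered, and a public wildcard would still not cover `ex2k7` or `ex2k7.company.local`, which is why the answer lists every name explicitly.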
You can deploy Exchange 2007 with a single name SSL certificate, but it takes quite a bit of work and requires some settings within DNS both internally and publicly.

This article will tell you what to do: http://www.amset.info/exchange/singlenamessl.asp
However, if you cannot set the DNS changes that are required then you will need to purchase a SAN/UC certificate with the additional names in it.

-M
Hi Mestha,

Just wanted to add

I'm not sure what has been tested in that article, but it is true you can get it to work with a Single SSL, and I have done that at a customer a while ago, but what didn't work was free/busy time for external OA users. Everything else worked great.
I had a support call with MS and I got told that not ALL Availability features will work when you use a Single SSL certificate on the Exchange server, like the free/busy.
So what I did was to install the Single SSL cert on the ISA server only, and I then issued an internal SAN certificate to the Exchange server. And then free/busy worked too.
:-)

Remi
I can't comment on ISA, but I know it works on a single server as I have done it. You have to change a lot of settings to get it to work. When you can get a SAN/UC certificate for US$60 though, it hardly seems worth the hassle.

-M
KANEWONG

ASKER

If I upgrade to a UCC cert, how can I upgrade from my current single SSL cert?  Do I need to do something on the E2K7 server?
ASKER CERTIFIED SOLUTION
Mestha
This solution is only available to members.
Thanks for all your solutions posted here.  I got an idea of what I should do.