qbarat2 asked:

Self Signed Certificates for RWW on SBS 2008

I have recently set up a new server running Windows SBS server 2008, and I have set up RWW (Remote Web Workplace) which works fine when connecting locally.  When I try and connect remotely, I receive an error message about the certificate not being valid.  I did some research, and found some articles that said I had to run the Certificate Distribution Package on any client computers and did so, but it is still not working.  From what I can tell, it seems that it is because the certificate does not match the DNS information when connecting remotely through the static IP of the server.  If this is the case, is there any way to create a self-signed certificate for use with RWW?  If not, what else could be causing this issue?  Thank you in advance for any help!

Jian An Lim

You need to use split DNS to set up your DNS correctly,

i.e. mail.domain.com

for internal and external:
internal points to 192.168.x.x (private IP of your SBS 2008)
external points to a static IP

You can recreate SSL via the wizard again.
ASKER CERTIFIED SOLUTION
markdmac

This solution is only available to members.

qbarat2 (ASKER)

When you say split DNS, what do you mean?  The client is not really using Exchange for anything, they all use their personal webmails.  They only need this certificate for connecting to their computers with RWW.  The domain is currently mydomain.local, and the connection to RWW is set up under https://xxx.xxx.xxx.xxx/remote, the x's being the IP address of the server.  How do I configure split DNS?

Well, right there is part of your problem.  A certificate will validate a host name to an IP address.  If they are accessing the RWW by IP then they will always get this error because the cert has a host name associated with it.  Doesn't matter if it is self signed or not.

Does your customer have a static IP or a dynamic one?  It would be best to use a static; if not, look at DYNDNS.ORG for a solution there.

Your customer is not following best practices for SBS.  It would be best for you to advise them to get a certificate, register a host name in their public DNS and get them off the personal webmails and start using Exchange.  Company data should not be flowing on personal web mail, you have no control over it, customer lists and contact information are easily stolen that way.  They should be using Exchange.

qbarat2 (ASKER)

limjianan,

Could you tell me what I would need to do this?  Do I need to contact the ISP and set up some kind of record?  Will I need to change the domain on the server from servername.domain.local?  Any information would be great, and thanks for all the replies guys!

I'm still not getting the resistance to setting this up per best practice.  We are not talking huge cost here.  Don't implement bandaids, set it up properly.

Check your domain name's name server.
If you run nslookup
set type=ns
domain.com (your domain)

you will find 1 or 2 addresses there; that is your name server.

You need to contact them to add an A record, let's say remote.domain.com, to your external static IP address.


For in-house:
Go to your DNS console and create a new zone in Forward Lookup Zones.
It will be called remote.domain.com; create an A record with a blank name and point it to your internal IP address.


Until this part, everything should be the same.


Then the next part will be either
1. recreate your certificate using the CA on your server (which is against best practice)
or
2. buy a 3rd-party SSL certificate from somewhere like GoDaddy.


For option 1:
In the Windows SBS Console,
click Home, and Set up your Internet Address.

In this wizard, click
> I already have a domain name that I want to use
> I want to manage the domain name myself
> put in domain.com (your real information)

After this, your certificate should be set up correctly.

For option 2:
After completing option 1,
buy the certificate for remote.domain.com,
install the certificate on the server according to the supplier,
click Add a trusted certificate in the SBS console,
and follow the prompt.
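
The name check behind the error in this thread, as an added example (not code from any poster or from SBS): a client compares the host part of the URL with the names listed in the certificate, so https://<IP>/remote cannot match a certificate issued to a host name. remote.domain.com is the thread's placeholder; the address 203.0.113.10, the function names and the simplified wildcard rule are assumptions made for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one certificate DNS name against the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def name_matches(requested, dns_names, ip_names=()):
    """Return True if the name typed into the browser is covered by the cert.

    requested: host part of the URL (host name or IP literal)
    dns_names: DNS names in the certificate (SAN dNSName entries or CN)
    ip_names:  IP addresses in the certificate (SAN iPAddress entries)
    """
    if _is_ip(requested):
        # An IP literal is compared only with IP entries, never with DNS names.
        want = ipaddress.ip_address(requested)
        return any(ipaddress.ip_address(ip) == want for ip in ip_names)
    return any(_dns_match(n, requested) for n in dns_names)

# Constructed sample data (203.0.113.10 is a documentation address).
CERT_NAMES = ["remote.domain.com"]

def demo():
    cases = ["203.0.113.10", "remote.domain.com", "server.mydomain.local"]
    return {c: name_matches(c, CERT_NAMES) for c in cases}

if __name__ == "__main__":
    for requested, ok in demo().items():
        print(f"https://{requested}/remote -> {'match' if ok else 'name mismatch'}")
```

With split DNS in place, remote.domain.com resolves to the right address both inside and outside the LAN, so every client can use the one name the certificate covers.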