Self Signed Certificates for RWW on SBS 2008

I have recently set up a new server running Windows SBS server 2008, and I have set up RWW (Remote Web Workplace) which works fine when connecting locally.  When I try and connect remotely, I receive an error message about the certificate not being valid.  I did some research, and found some articles that said I had to run the Certificate Distribution Package on any client computers and did so, but it is still not working.  From what I can tell, it seems that it is because the certificate does not match the DNS information when connecting remotely through the static IP of the server.  If this is the case, is there any way to create a self-signed certificate for use with RWW?  If not, what else could be causing this issue?  Thank you in advance for any help!

Jian An Lim, Solutions Architect, Commented:
You need to use split DNS to set up your DNS correctly


for internal and external
internal point to 192.168.x.x (private IP of your SBS 2008)
external point to a static IP

you can recreate iSSL via the wizard again
GoDaddy certs are $29.00.  Get yourself a real cert, it will make hooking up PocketPCs, Androids and iPhones to Exchange much easier and eliminate the annoying untrusted cert issue.

qbarat2 (Author) Commented:
When you say split DNS, what do you mean?  The client is not really using Exchange for anything, they all use their personal webmails.  They only need this certificate for connecting to their computers with RWW.  The domain is currently mydomain.local, and the connection to RWW is set up under https://, the x's being the IP address of the server.  How do I configure split DNS?

Well right there is part of your problem.  A certificate will validate a host name to an IP address.  If they are accessing the RWW by IP then they will always get this error because the cert has a host name associated with it.  Doesn't matter if it is self signed or not.

Does your customer have a static IP or a dynamic one?  It would be best to use a static, if not look at DYNDNS.ORG for a solution there.

Your customer is not following best practices for SBS.  It would be best for you to advise them to get a certificate, register a host name in their public DNS and get them off the personal webmails and start using Exchange.  Company data should not be flowing on personal web mail; you have no control over it, and customer lists and contact information are easily stolen that way.  They should be using Exchange.
Jian An Lim, Solutions Architect, Commented:

Anything with https must link with a domain name, not an IP address.
This is part of your SBS 2008 installation.

Then there is your certificate issue. While markdmac mentioned a GoDaddy certificate, you can do it without one, but install the Certificate Distribution Package.

But again, your problem is not about the certificate but the IP address.

You cannot use https://<IP>/remote, because a certificate always links with a name like or

So you need split DNS, configuring your internal DNS and external DNS to recognise this name.
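
An added example, not part of the thread or any poster's code: a small Python check of the name-matching rule the replies above describe, showing why a URL that uses the server's IP is rejected while the same certificate is accepted under its host name. The host name `remote.example.com` and the address `203.0.113.10` are constructed placeholders, and the function names are hypothetical.

```python
# Added example: compare the host in a URL with the names a certificate carries.
import ipaddress
from urllib.parse import urlsplit

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name (optionally '*.' wildcard) against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_url(url: str, dns_names: list[str], ip_sans: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for the host in `url` against the certificate's names."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only with IP address entries, never with DNS names.
        if any(ipaddress.ip_address(s) == addr for s in ip_sans):
            return True, "IP address listed in certificate"
        return False, "IP address not listed in certificate"
    if any(dns_name_matches(n, host) for n in dns_names):
        return True, "host name listed in certificate"
    return False, "host name not in certificate"

if __name__ == "__main__":
    # Constructed sample: a certificate issued for one public host name.
    cert_dns, cert_ips = ["remote.example.com"], []
    for url in ("https://203.0.113.10/remote",
                "https://remote.example.com/remote",
                "https://server.mydomain.local/remote"):
        print(url, check_url(url, cert_dns, cert_ips))
```

With split DNS in place, the same host name resolves inside and outside the network, so only the second form of the URL is ever needed.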

qbarat2 (Author) Commented:

Could you tell me what I would need to do this?  Do I need to contact the ISP and set up some kind of record?  Will I need to change the domain on the server from servername.domain.local?  Any information would be great, and thanks for all the replies guys!
I'm still not getting the resistance to setting this up per best practice.  We are not talking huge cost here.  Don't implement bandaids, set it up properly.
Jian An Lim, Solutions Architect, Commented:
Check your domain name's name server.
If you run nslookup
set type=ns (your domain)

you will find 1 or 2 addresses there; that is your name server.

You need to contact them to add an A record, let's say, to your external static IP address.

For in-house:
go to your DNS console, create a new zone in forward lookup zones
it will call and create an A record with a blank name and point it to your internal IP address

Up to this part, everything should be the same.

Then the next part will be either
1. recreate your certificate using the CA in your server (which is against best practice)
2. buy a 3rd-party SSL certificate from somewhere like GoDaddy.

For option 1:
in Windows SBS Console,
click Home, and Set up your Internet Address

in this wizard, click
> I already have a domain name that I want to use
> I want to manage the domain name myself
> put in (your real information)

After this, your certificate should be set up correctly.

For option 2:
after completing option 1,
buy the certificate
install the certificate into the server according to the supplier
click Add a trusted certificate in SBS console
and follow the prompt
