Self Signed Certificates for RWW on SBS 2008

I have recently set up a new server running Windows SBS server 2008, and I have set up RWW (Remote Web Workplace) which works fine when connecting locally.  When I try and connect remotely, I receive an error message about the certificate not being valid.  I did some research, and found some articles that said I had to run the Certificate Distribution Package on any client computers and did so, but it is still not working.  From what I can tell, it seems that it is because the certificate does not match the DNS information when connecting remotely through the static IP of the server.  If this is the case, is there any way to create a self-signed certificate for use with RWW?  If not, what else could be causing this issue?  Thank you in advance for any help!
qbarat2 Asked:
 
markdmac Commented:
GoDaddy certs are $29.00.  Get yourself a real cert, it will make hooking up PocketPCs, Androids and iPhones to Exchange much easier and eliminate the annoying untrusted cert issue.
0
 
Jian An Lim (Solutions Architect) Commented:
You need to use split DNS to set up your DNS correctly,

i.e. mail.domain.com

for internal and external:
internal points to 192.168.x.x (private IP of your SBS 2008)
external points to a static IP

you can recreate iSSL via the wizard again
0
 
qbarat2 (Author) Commented:
When you say split DNS, what do you mean?  The client is not really using Exchange for anything, they all use their personal webmails.  They only need this certificate for connecting to their computers with RWW.  The domain is currently mydomain.local, and the connection to RWW is set up under https://xxx.xxx.xxx.xxx/remote, the x's being the IP address of the server.  How do I configure split DNS?
0
 
markdmac Commented:
Well right there is part of your problem.  A certificate will validate a host name to an IP address.  If they are accessing the RWW by IP then they will always get this error because the cert has a host name associated with it.  Doesn't matter if it is self signed or not.

Does your customer have a static IP or a dynamic one?  It would be best to use a static, if not look at DYNDNS.ORG for a solution there.

Your customer is not following best practices for SBS.  It would be best for you to advise them to get a certificate, register a host name in their public DNS and get them off the personal webmails and start using Exchange.  Company data should not be flowing on personal web mail, you have no control over it, customer lists and contact information is easily stolen that way.  They should be using Exchange.
0
 
Jian An Lim (Solutions Architect) Commented:
qbarat2,

Anything with https must link with a domain name, not an IP address.
This is part of your SBS 2008 installation.

Then there is your certificate issue. While markdmac mentioned a GoDaddy certificate, you can do it without one but install the Certificate Distribution Package.

But again, your problem is not about the certificate but the IP address.

You cannot use https://<IP>/remote, because a certificate always links with a name like remote.xxx.com or mail.xxx.com

So you need split DNS, configuring your internal DNS and external DNS to recognise this name.


0
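The name check that the two replies above describe, as an added example that is not part of the original thread. It assumes the certificate is given in the dictionary layout of Python's `ssl.SSLSocket.getpeercert()`; the sample certificate and the address 203.0.113.10 are constructed, and remote.domain.com is the thread's placeholder name.

```python
import ipaddress

# Constructed sample: a certificate issued for one host name only.
SAMPLE_CERT = {
    "subject": ((("commonName", "remote.domain.com"),),),
    "subjectAltName": (("DNS", "remote.domain.com"),),
}

def _dns_match(pattern: str, host: str) -> bool:
    """Compare a dNSName entry with a host name; '*' covers one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert: dict, target: str) -> bool:
    """True if the name or IP typed into the URL is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries,
        # never with DNS names or the subject CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Legacy fallback: subject CN when the certificate has no DNS SAN.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, target) for n in names)

def check_urls() -> dict:
    """Evaluate the sample certificate against the ways a client might connect."""
    targets = ["203.0.113.10", "remote.domain.com", "servername.domain.local"]
    return {t: cert_matches(SAMPLE_CERT, t) for t in targets}

if __name__ == "__main__":
    for target, ok in check_urls().items():
        print(f"https://{target}/remote -> {'match' if ok else 'NAME MISMATCH'}")
```

The mismatch for the IP address is independent of who signed the certificate, so installing the Certificate Distribution Package on the client does not change that result.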
 
qbarat2 (Author) Commented:
limjianan,

Could you tell me what I would need to do this?  Do I need to contact the ISP and set up some kind of record?  Will I need to change the domain on the server from servername.domain.local?  Any information would be great, and thanks for all the replies guys!
0
 
markdmac Commented:
I'm still not getting the resistance to setting this up per best practice.  We are not talking huge cost here.  Don't implement bandaids, set it up properly.
0
 
Jian An Lim (Solutions Architect) Commented:
Check your domain name's name server.
If you run nslookup
set type=ns
domain.com (your domain)

you will find 1 or 2 addresses there; that is your name server.

You need to contact them to add an A record, let's say remote.domain.com, to your external static IP address.


For in-house:
Go to your DNS console and create a new zone in Forward Lookup Zones.
It will be called remote.domain.com; create an A record with a blank name and point it to your internal IP address.


Up to this part, everything should be the same.


Then the next part will be either
1. recreate your certificate using the CA in your server (which is against best practice)
or
2. buy a 3rd-party SSL certificate from somewhere like GoDaddy.


For option 1:
In Windows SBS Console,
click Home, and Set up your Internet Address.

In this wizard, click
> I already have a domain name that I want to use
> I want to manage the domain name myself
> put in domain.com (your real information)

After this, your certificate should be set up correctly.

For option 2:
After completing option 1,
buy the certificate for remote.domain.com,
install the certificate onto the server according to the supplier,
click Add a trusted certificate in SBS console,
and follow the prompts.






0
Question has a verified solution.
