  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 714

Certificates for Windows 2008 SBS (Remote Web Workplace and OWA)

I'm a little confused as to which certificate I should use for Windows Remote Web Workplace and OWA.

Can anyone explain the requirements so I can purchase the correct certificate? The features of Windows 2008 SBS I want to use are Windows Remote Web Workplace and OWA.

Asked by: resolver1
 
tonyperth Commented:
You need a UCC certificate from somewhere like godaddy.com.
 
tonyperth Commented:
It needs to hold different domain names such as:

autodiscover.<domain>.com
remote.<domain>.com
<domain>.com
<servername>.local
 
tonyperth Commented:
The following article gives you a quick explanation of the requirements for Exchange 2007. That is mainly what you need it for in SBS2008, as it will automatically look after the rest if you include remote.
 
Cliff Galiher Commented:
You do *NOT* need a UCC cert for SBS.
Use the SBS "add trusted certificate" wizard, let it generate the CSR for a certificate, and purchase the certificate at the vendor of your choice. That is it. The CSR it generates is not for a UCC, and a UCC is not required in any way.
-Cliff
 
tonyperth Commented:
Correct, you don't need one, but if you want autodiscover for Exchange and mobile devices to work easily, it is better to get one.
 
Cliff Galiher Commented:
Again, SBS takes care of this with the wizards. Autodiscover via Outlook Anywhere does not need UCC either. Simply a SRV record. And creating one is trivial and allows you to use the SBS wizards. Creating and installing a UCC cert on SBS is *not* trivial and the wizards will be unaware of this configuration, thus they can actually break it, making the whole setup MORE fragile.
This falls into the "trust SBS wizards" rule. Better to use the wizard and use a non-UCC cert than to try to go the other way and have things fall apart on a regular basis.
-Cliff
 
tonyperth Commented:
Fair enough, then the only issue is distributing the certificate each year when it expires for RWW.
 
tonyperth Commented:
To be honest the only reason I started buying certificates was a number of clients had mobile devices that were locked and would not accept certificates from trusted sources.
 
tonyperth Commented:
Sorry, non-trusted sources.
 
Cliff Galiher Commented:
Totally with you on that. I don't recommend self-signed certificates at all. SBS 2008 added the "Add Trusted Certificate" wizard to the mix of SBS wizards, and as the name implies, it walks through the process of generating a CSR and submitting it to a 3rd-party certificate reseller, so they are trusted certs if you use the wizard. They just aren't UCC. And yes, dealing with self-signed is a PITA and not at all worth the hassle.
-Cliff
 
resolver1 (Author) Commented:
OK, I think non-UCC wins because of the ease. But why would people want to buy the UCC certificates? What are the advantages over non-UCC?
 
tonyperth Commented:
The only benefit of the UCC is the multiple names. You get errors when you browse to things with different names that don't appear on the certificate.
 
tonyperth Commented:
So Cliff, are you saying that autodiscover and mobile devices work well for you with just a standard purchased certificate even though it does not contain the autodiscover name? Sorry to ask questions on your post, resolver1.
 
Cliff Galiher Commented:
tonyperth: Precisely what I'm saying. One DNS SRV record resolves that issue. It allows Outlook 2007 SP1 (not RTM) and most newer ActiveSync devices that support autodiscover to find the proper domain name (in SBS, this is usually remote.) and in that scenario, the certificate matches. I've deployed this exact scenario many times over and I've never had a problem.
 
Cliff Galiher Commented:
resolver1: Tony is exactly right on the desire to purchase UCC certs. There are certainly scenarios where I may want to purchase a certificate to secure several domain names that I run...on a web server for example.
They've also *become* popular with Exchange deployments because in an enterprise environment it is easier to buy a cert than maintain DNS. It has become so popular however that there has been some collective knowledge loss and most newer Exchange admins (of which SBS applies) don't even realize there are alternatives.
So there you have it. UCCs definitely do have a place. Just not a necessity in this particular situation.
 
RickEpnet Commented:
Just make sure and use the SBS Wizard and you will not need a UCC. I have been getting my certificates from here for a few years and they work great. Less than $14.00. I remember when they cost $400 or more.

https://www.servertastic.com
 
resolver1 (Author) Commented:
No problems asking on my post. It's good that you are asking, as you're probably asking questions I should be :-) I don't want to just know the best certificate for my scenario. I want to learn what certificate types there are and the circumstances they are used in.

There is another purpose for the certificate which is for EDI messages between us and our supplier. I'll need to check the requirements from them tomorrow.
 
resolver1 (Author) Commented:
Right, I've researched the certificates and a lot of people seem to be going for GoDaddy. I've checked their website and it has the standard Single Domain option http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039.

I'm not fully understanding at which level the certificates work. I'll explain my situation and maybe you can help.

We have a domain name which is CompanyName.com which for MX records and HTTP traffic points to our hosting provider. I was thinking of pointing Remote.CompanyName.com to our perimeter router/firewall?

Does the certificate belong to Remote.CompanyName.com or does it belong to a particular machine e.g. PC1.Remote.CompanyName.com?
 
tonyperth Commented:
It belongs to Remote.companyname.com
 
tonyperth Commented:
Basically to use RWW you will be browsing to a web site externally at https://remote.companyname.com/remote and the certificate must have the same name to be valid. By same name I mean only the "remote.companyname.com" part, not the https etc.
 
resolver1 (Author) Commented:
Rightio, I understand.  There was just some doubt in my mind but you've cleared it up for me.  
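
The name-matching rule and the SRV-record approach discussed in this thread, as an added example that is not part of any participant's post: it checks which hosts a client ends up on and whether the certificate's names cover them. The host names, the `server.local` name, the OWA host and the simplified autodiscover model (the client is assumed to reach the SRV lookup) are assumptions; wildcard matching goes beyond what the thread covers.

```python
# Added example: all names below are constructed from the thread's placeholders.

def name_matches(host, pattern):
    """Match one certificate name against a host: exact match, or a single
    left-most '*' label (a wildcard covers exactly one label)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    h_labels, p_labels = host.split("."), pattern.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cert_covers(host, cert_names):
    """True if any name on the certificate matches the host."""
    return any(name_matches(host, n) for n in cert_names)

def autodiscover_host(domain, srv_records):
    """Host the client is sent to for autodiscover: the SRV target if
    _autodiscover._tcp.<domain> exists, otherwise autodiscover.<domain>."""
    return srv_records.get(f"_autodiscover._tcp.{domain}", f"autodiscover.{domain}")

def audit(domain, cert_names, srv_records):
    """Return {service: (host, covered)} for the services in the thread."""
    hosts = {
        "RWW": f"remote.{domain}",   # https://remote.<domain>/remote
        "OWA": f"remote.{domain}",   # assumption: OWA is published on the same host
        "autodiscover": autodiscover_host(domain, srv_records),
    }
    return {svc: (h, cert_covers(h, cert_names)) for svc, h in hosts.items()}

DOMAIN = "companyname.com"
SINGLE = ["remote.companyname.com"]                      # wizard-style single-name cert
UCC = ["autodiscover.companyname.com", "remote.companyname.com",
       "companyname.com", "server.local"]                # multi-name cert
SRV = {"_autodiscover._tcp.companyname.com": "remote.companyname.com"}

if __name__ == "__main__":
    cases = [("single-name, no SRV", SINGLE, {}),
             ("single-name + SRV", SINGLE, SRV),
             ("UCC, no SRV", UCC, {})]
    for label, names, srv in cases:
        print(label)
        for svc, (host, ok) in audit(DOMAIN, names, srv).items():
            print(f"  {svc:13} {host:30} {'match' if ok else 'NAME MISMATCH'}")
```
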