Solved

Certificates for Windows 2008 SBS (Remote Web Workplace and OWA)

Posted on 2010-09-02
Last Modified: 2012-05-10
I'm a little confused as to which certificate I should use for Windows Remote Web Workplace and OWA?

Can anyone explain the requirements so I can purchase the correct certificate? The features of Windows 2008 SBS I want to use are Windows Remote Web Workplace and OWA.

Question by:resolver1
21 Comments
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586436
You need a UCC certificate from somewhere like godaddy.com.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586447
It needs to hold different domain names such as:

autodiscover.<domain>.com
remote.<domain>.com
<domain>.com
<servername>.local
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586518
The following article gives you a quick explanation of the requirements for Exchange 2007.  That is mainly what you need it for in SBS2008, as it will automatically look after the rest if you include remote.
0
 
LVL 58

Accepted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 33586614
You do *NOT* need a UCC cert for SBS.
Use the SBS "add trusted certificate" wizard, let it generate the CSR for a certificate, and purchase the certificate at the vendor of your choice. That is it. The CSR it generates is not for a UCC, and a UCC is not required in any way.
-Cliff
 
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586634
Correct, you don't need one, but if you want autodiscover for exchange, and mobile devices to work easily it is better to get one.
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 33586678
Again, SBS takes care of this with the wizards. autodiscover via Outlook Anywhere does not need UCC either. Simply a SRV record. And creating one is trivial and allows you to use the SBS wizards. Creating and installing a UCC cert on SBS is *not* trivial and the wizards will be unaware of this configuration, thus they can actually break it, making the whole setup MORE fragile.
This falls into the "trust SBS wizards" rule. Better to use the wizard and use a non-UCC cert than to try to go the other way and have things fall apart on a regular basis.
-Cliff
 
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586733
Fair enough, then the only issue is distributing the certificate each year when it expires for RWW.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586818
To be honest the only reason I started buying certificates was a number of clients had mobile devices that were locked and would not accept certificates from trusted sources.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586822
Sorry, non-trusted sources.
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 33586862
Totally with you on that. I don't recommend self-signed certificates at all. SBS 2008 added the "Add Trusted Certificate" wizard to the mix of SBS wizards, and as the name implies, it walks through the process of generating a CSR and submitting it to a 3rd-party certificate reseller, so they are trusted certs if you use the wizard. They just aren't UCC. And yes, dealing with self-signed is a PITA and not at all worth the hassle.
-Cliff
 
0
 

Author Comment

by:resolver1
ID: 33587133
OK, I think non-UCC wins because of the ease. But why would people want to buy the UCC certificates? What are the advantages over non-UCC?
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33587183
The only benefit of the UCC is the multiple names. You get errors when you browse to things with different names that don't appear on the certificate.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33587213
So Cliff, are you saying that autodiscover and mobile devices work well for you with just a standard purchased certificate even though it does not contain the autodiscover name? Sorry to ask questions on your post, resolver1.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 33588302
tonyperth: Precisely what I'm saying. One DNS SRV record resolves that issue. It allows Outlook 2007 SP1 (not RTM) and most newer ActiveSync devices that support autodiscover to find the proper domain name (in SBS, this is usually remote.) and in that scenario, the certificate matches. I've deployed this exact scenario many times over and I've never had a problem.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 33588335
resolver1: Tony is exactly right on the desire to purchase UCC certs. There are certainly scenarios where I may want to purchase a certificate to secure several domain names that I run...on a web server for example.
They've also *become* popular with Exchange deployments because in an enterprise environment it is easier to buy a cert than maintain DNS. It has become so popular, however, that there has been some collective knowledge loss and most newer Exchange admins (of which SBS applies) don't even realize there are alternatives.
So there you have it. UCC's definitely do have a place. Just not a necessity in this particular situation.
0
 
LVL 14

Assisted Solution

by:RickEpnet
RickEpnet earned 100 total points
ID: 33588509
Just make sure and use the SBS Wizard and you will not need a UCC. I have been getting my certificates from here for a few years and they work great. Less than $14.00. I remember when they cost $400 or more.

https://www.servertastic.com
0
 

Author Comment

by:resolver1
ID: 33588844
No problems asking on my post. It's good that you are asking, as you're probably asking questions I should be :-) I don't want to just know the best certificate for my scenario. I want to learn what certificate types there are and the circumstances they are used in.

There is another purpose for the certificate which is for EDI messages between us and our supplier.  I'll need to check the requirements from them tomorrow.
0
 

Author Comment

by:resolver1
ID: 33594782
Right, I've researched the certificates and a lot of people seem to be going for the godaddy. I've checked their website and it has the standard Single Domain option http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039.

I'm not fully understanding at which level the certificates work.  I'll explain my situation and maybe you can help.

We have a domain name which is CompanyName.com which for MX records and HTTP traffic points to our hosting provider.  I was thinking of pointing Remote.CompanyName.com to our perimeter router/firewall?

Does the certificate belong to Remote.CompanyName.com or does it belong to a particular machine e.g. PC1.Remote.CompanyName.com?
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33594835
It belongs to Remote.companyname.com
0
 
LVL 8

Assisted Solution

by:tonyperth
tonyperth earned 100 total points
ID: 33594843
Basically to use RWW you will be browsing to a web site externally at https://remote.companyname.com/remote and the certificate must have the same name to be valid.  By same name I mean only the "remote.companyname.com" part, not the https etc.
0
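An added example, not part of the thread and not SBS or Outlook code: a simplified Python model of the Autodiscover lookup that combines the SRV-record point made earlier with the name-matching rule in the comment above, showing why a single-name certificate for remote.companyname.com validates once clients are sent there. The host names, the reduced lookup order and every function name are constructed for illustration.

```python
# Added illustration: constructed names, simplified lookup order, no network access.

def name_matches(host, cert_name):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return host == cert_name


def check_endpoint(host, sbs_hosts, cert_names):
    """Classify one HTTPS attempt against the SBS server's certificate."""
    if host.lower() not in sbs_hosts:
        return "no SBS service"      # no DNS record, or it points elsewhere
    if any(name_matches(host, n) for n in cert_names):
        return "ok"
    return "name mismatch"           # client raises a certificate warning


def autodiscover_trace(email_domain, sbs_hosts, cert_names, srv_target=None):
    """Walk the candidates in order; stop at the first one the SBS box answers.

    Order modelled: https://<domain>, https://autodiscover.<domain>, then the
    target of the _autodiscover._tcp.<domain> SRV record. The plain-HTTP
    redirect step that real clients also try is left out.
    """
    candidates = [email_domain, "autodiscover." + email_domain]
    if srv_target:
        candidates.append(srv_target)
    sbs = {h.lower() for h in sbs_hosts}
    trace = []
    for host in candidates:
        result = check_endpoint(host, sbs, cert_names)
        trace.append((host, result))
        if result != "no SBS service":
            break
    return trace


# Constructed scenario from the thread: companyname.com is hosted elsewhere,
# only remote.companyname.com reaches the SBS box, and the certificate bought
# through the wizard carries that single name.
CERT = ["remote.companyname.com"]
SBS_HOSTS = ["remote.companyname.com"]

if __name__ == "__main__":
    for row in autodiscover_trace("companyname.com", SBS_HOSTS, CERT,
                                  srv_target="remote.companyname.com"):
        print(row)
```

In this model an autodiscover.companyname.com record pointing at the SBS box is answered before the SRV record is consulted, so with a single-name certificate it ends in a name mismatch.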
 

Author Comment

by:resolver1
ID: 33594954
Rightio, I understand.  There was just some doubt in my mind but you've cleared it up for me.  
0

Question has a verified solution.
