Solved

Certificates for Windows 2008 SBS (Remote Web Workplace and OWA)

Posted on 2010-09-02
Last Modified: 2012-05-10
I'm a little confused as to which certificate I should use for Windows Remote Web Workplace and OWA?

Can anyone explain the requirements so I can purchase the correct certificate?  The features of Windows 2008 SBS I want to use are  Windows Remote Web Workplace and OWA.

Question by:resolver1
LVL 8

Expert Comment

by:tonyperth
You need a UCC certificate from somewhere like godaddy.com
 
LVL 8

Expert Comment

by:tonyperth
It needs to hold different domain names such as:

autodiscover.<domain>.com
remote.<domain>.com
<domain>.com
<servername>.local
 
LVL 8

Expert Comment

by:tonyperth
The following article gives you a quick explanation of the requirements for Exchange 2007.  That is mainly what you need it for in SBS2008, as it will automatically look after the rest if you include remote.
 
LVL 56

Accepted Solution

by:Cliff Galiher
You do *NOT* need a UCC cert for SBS.
Use the SBS "add trusted certificate" wizard, let it generate the CSR for a certificate, and purchase the certificate at the vendor of your choice. That is it. The CSR it generates is not for a UCC, and a UCC is not required in any way.
-Cliff
 
LVL 8

Expert Comment

by:tonyperth
Correct, you don't need one, but if you want autodiscover for Exchange, and mobile devices to work easily it is better to get one.
 
LVL 56

Assisted Solution

by:Cliff Galiher
Again, SBS takes care of this with the wizards. Autodiscover via Outlook Anywhere does not need UCC either. Simply a SRV record. And creating one is trivial and allows you to use the SBS wizards. Creating and installing a UCC cert on SBS is *not* trivial and the wizards will be unaware of this configuration thus they can actually break it, making the whole setup MORE fragile.
This falls into the "trust SBS wizards" rule. Better to use the wizard and use a non-UCC cert than to try to go the other way and have things fall apart on a regular basis.
-Cliff
 
LVL 8

Expert Comment

by:tonyperth
Fair enough, then the only issue is distributing the certificate each year when it expires for RWW.
 
LVL 8

Expert Comment

by:tonyperth
To be honest the only reason I started buying certificates was a number of clients had mobile devices that were locked and would not accept certificates from trusted sources.
 
LVL 8

Expert Comment

by:tonyperth
Sorry, non-trusted sources
 
LVL 56

Assisted Solution

by:Cliff Galiher
Totally with you on that. I don't recommend self-signed certificates at all. SBS 2008 added the "Add Trusted Certificate" wizard to the mix of SBS wizards, and as the name implies, it walks through the process of generating a CSR and submitting it to a 3rd-party certificate reseller, so they are trusted certs if you use the wizard. They just aren't UCC. And yes, dealing with self-signed is a PITA and not at all worth the hassle.
-Cliff

 

Author Comment

by:resolver1
OK, I think non-UCC wins because of the ease. But why would people want to buy the UCC certificates? What are the advantages over non-UCC?
 
LVL 8

Expert Comment

by:tonyperth
The only benefit of the UCC is the multiple names.  You get errors when you browse to things with different names that don't appear on the certificate.
 
LVL 8

Expert Comment

by:tonyperth
So Cliff, are you saying that autodiscover and mobile devices work well for you with just a standard purchased certificate even though it does not contain the autodiscover name?  Sorry to ask questions on your post, resolver1.
 
LVL 56

Expert Comment

by:Cliff Galiher
tonyperth: Precisely what I'm saying. One DNS SRV record resolves that issue. It allows Outlook 2007 SP1 (not RTM) and most newer ActiveSync devices that support autodiscover to find the proper domain name (in SBS, this is usually remote.) and in that scenario, the certificate matches.  I've deployed this exact scenario many times over and I've never had a problem.
 
LVL 56

Expert Comment

by:Cliff Galiher
resolver1: Tony is exactly right on the desire to purchase UCC certs. There are certainly scenarios where I may want to purchase a certificate to secure several domain names that I run...on a web server for example.
They've also *become* popular with Exchange deployments because in an enterprise environment it is easier to buy a cert than maintain DNS. It has become so popular however that there has been some collective knowledge loss and most newer Exchange admins (of which SBS applies) don't even realize there are alternatives.
So there you have it. UCCs definitely do have a place. Just not a necessity in this particular situation.
 
LVL 14

Assisted Solution

by:RickEpnet
Just make sure to use the SBS Wizard and you will not need a UCC. I have been getting my certificates from here for a few years and they work great. Less than $14.00. I remember when they cost $400 or more.

https://www.servertastic.com
 

Author Comment

by:resolver1
No problem asking on my post.  It's good that you are asking, as you're probably asking questions I should be :-) I don't want to just know the best certificate for my scenario. I want to learn what certificate types there are and the circumstances they are used in.

There is another purpose for the certificate which is for EDI messages between us and our supplier.  I'll need to check the requirements from them tomorrow.
 

Author Comment

by:resolver1
Right, I've researched the certificates and a lot of people seem to be going for the godaddy.  I've checked their website and it has the standard Single Domain option http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039.

I'm not fully understanding at which level the certificates work.  I'll explain my situation and maybe you can help.

We have a domain name which is CompanyName.com which for MX records and HTTP traffic points to our hosting provider.  I was thinking of pointing Remote.CompanyName.com to our perimeter router/firewall?

Does the certificate belong to Remote.CompanyName.com or does it belong to a particular machine e.g. PC1.Remote.CompanyName.com?
 
LVL 8

Expert Comment

by:tonyperth
It belongs to Remote.companyname.com
 
LVL 8

Assisted Solution

by:tonyperth
Basically to use RWW you will be browsing to a web site externally at https://remote.companyname.com/remote and the certificate must have the same name to be valid.  By same name I mean only the "remote.companyname.com" part, not the https etc.
 

Author Comment

by:resolver1
Rightio, I understand.  There was just some doubt in my mind but you've cleared it up for me.  
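
The name-matching rule discussed in the answers above, as an added example that is not part of the original thread: it checks the host names a client connects to against a single-name certificate and a UCC certificate, with and without the autodiscover SRV record. The host names reuse the thread's placeholders; `server1.local`, the function names and the one-step autodiscover model are assumptions made for illustration, and the wildcard case goes slightly beyond what the thread covers.

```python
# Added illustration; names are placeholders, not a real deployment.

def name_matches(host, cert_name):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == cert_name[2:]
    return host == cert_name

def mismatches(cert_names, hosts):
    """Hosts for which a client would raise a certificate name warning."""
    return [h for h in hosts
            if not any(name_matches(h, n) for n in cert_names)]

def autodiscover_host(domain, srv_target=None):
    """Simplified model (assumption): a client that supports SRV lookup
    follows the _autodiscover._tcp.<domain> record to its target host;
    without the record it falls back to autodiscover.<domain>."""
    return srv_target or "autodiscover." + domain

DOMAIN = "companyname.com"
SINGLE = ["remote.companyname.com"]           # what the SBS wizard requests
UCC = ["remote.companyname.com", "autodiscover.companyname.com",
       "companyname.com", "server1.local"]    # multi-name alternative

def client_hosts(srv_target=None):
    """Names used for RWW/OWA plus the autodiscover lookup result."""
    return ["remote." + DOMAIN, autodiscover_host(DOMAIN, srv_target)]

if __name__ == "__main__":
    cases = [("single-name, no SRV", SINGLE, None),
             ("single-name, SRV -> remote", SINGLE, "remote." + DOMAIN),
             ("UCC, no SRV", UCC, None)]
    for label, cert, srv in cases:
        bad = mismatches(cert, client_hosts(srv))
        print(f"{label:28} mismatches: {bad or 'none'}")
    # The certificate is bound to the name, not to a machine under it.
    print(name_matches("pc1.remote.companyname.com", SINGLE[0]))
```
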