Solved

Certificates for Windows 2008 SBS (Remote Web Workplace and OWA)

Posted on 2010-09-02
21
Medium Priority
710 Views
Last Modified: 2012-05-10
I'm a little confused as to which certificate I should use for Windows Remote Web Workplace and OWA?

Can anyone explain the requirements so I can purchase the correct certificate?  The features of Windows 2008 SBS I want to use are  Windows Remote Web Workplace and OWA.

0
Comment
Question by:resolver1
21 Comments
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586436
You need a UCC certificate from somewhere like godaddy.com.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586447
It needs to hold different domain names such as:

autodiscover.<domain>.com
remote.<domain>.com
<domain>.com
<servername>.local
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586518
The following article gives you a quick explanation of the requirements for Exchange 2007.  That is mainly what you need it for in SBS2008, as it will automatically look after the rest if you include remote.
0

 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1200 total points
ID: 33586614
You do *NOT* need a UCC cert for SBS.
Use the SBS "add trusted certificate" wizard, let it generate the CSR for a certificate, and purchase the certificate at the vendor of your choice. That is it. The CSR it generates is not for a UCC, and a UCC is not required in any way.
-Cliff
 
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586634
Correct, you don't need one, but if you want autodiscover for Exchange, and mobile devices to work easily, it is better to get one.
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1200 total points
ID: 33586678
Again, SBS takes care of this with the wizards. Autodiscover via Outlook Anywhere does not need UCC either. Simply a SRV record. And creating one is trivial and allows you to use the SBS wizards. Creating and installing a UCC cert on SBS is *not* trivial and the wizards will be unaware of this configuration, thus they can actually break it, making the whole setup MORE fragile.
This falls into the "trust SBS wizards" rule. Better to use the wizard and use a non-UCC cert than to try to go the other way and have things fall apart on a regular basis.
-Cliff
 
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586733
Fair enough, then the only issue is distributing the certificate each year when it expires for RWW.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586818
To be honest the only reason I started buying certificates was a number of clients had mobile devices that were locked and would not accept certificates from trusted sources.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33586822
Sorry, non-trusted sources.
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1200 total points
ID: 33586862
Totally with you on that. I don't recommend self-signed certificates at all. SBS 2008 added the "Add Trusted Certificate" wizard to the mix of SBS wizards, and as the name implies, it walks through the process of generating a CSR and submitting it to a 3rd-party certificate reseller, so they are trusted certs if you use the wizard. They just aren't UCC. And yes, dealing with self-signed is a PITA and not at all worth the hassle.
-Cliff
 
0
 

Author Comment

by:resolver1
ID: 33587133
OK, I think non-UCC wins because of the ease. But why would people want to buy the UCC certificates? What are the advantages over non-UCC?
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33587183
The only benefit of the UCC is the multiple names.  You get errors when you browse to things with different names that don't appear on the certificate.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33587213
So Cliff, are you saying that autodiscover and mobile devices work well for you with just a standard purchased certificate even though it does not contain the autodiscover name?  Sorry to ask questions on your post, resolver1?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 33588302
tonyperth: Precisely what I'm saying. One DNS SRV record resolves that issue. It allows Outlook 2007 SP1 (not RTM) and most newer ActiveSync devices that support autodiscover to find the proper domain name (in SBS, this is usually remote.) and in that scenario, the certificate matches.  I've deployed this exact scenario many times over and I've never had a problem.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 33588335
resolver1: Tony is exactly right on the desire to purchase UCC certs. There are certainly scenarios where I may want to purchase a certificate to secure several domain names that I run...on a web server for example.
They've also *become* popular with Exchange deployments because in an enterprise environment it is easier to buy a cert than maintain DNS. It has become so popular, however, that there has been some collective knowledge loss and most newer Exchange admins (of which SBS applies) don't even realize there are alternatives.
So there you have it. UCC's definitely do have a place. Just not a necessity in this particular situation.
0
 
LVL 14

Assisted Solution

by:RickEpnet
RickEpnet earned 400 total points
ID: 33588509
Just make sure and use the SBS Wizard and you will not need a UCC. I have been getting my certificates from here for a few years and they work great. Less than $14.00. I remember when they cost $400 or more.

https://www.servertastic.com
0
 

Author Comment

by:resolver1
ID: 33588844
No problem asking on my post.  It's good that you are asking, as you're probably asking questions I should be :-) I don't want to just know the best certificate for my scenario. I want to learn what certificate types there are and the circumstances they are used in.

There is another purpose for the certificate which is for EDI messages between us and our supplier.  I'll need to check the requirements from them tomorrow.
0
 

Author Comment

by:resolver1
ID: 33594782
Right, I've researched the certificates and a lot of people seem to be going for the godaddy.  I've checked their website and it has the standard Single Domain option http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039.

I'm not fully understanding at which level the certificates work.  I'll explain my situation and maybe you can help.

We have a domain name which is CompanyName.com which for MX records and HTTP traffic points to our hosting provider.  I was thinking of pointing Remote.CompanyName.com to our perimeter router/firewall?

Does the certificate belong to Remote.CompanyName.com or does it belong to a particular machine e.g. PC1.Remote.CompanyName.com?
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 33594835
It belongs to Remote.companyname.com
0
 
LVL 8

Assisted Solution

by:tonyperth
tonyperth earned 400 total points
ID: 33594843
Basically to use RWW you will be browsing to a web site externally at https://remote.companyname.com/remote and the certificate must have the same name to be valid.  By same name I mean only the "remote.companyname.com" part, not the https etc.
0
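Added example, not written by any poster in this thread: a small Python model of the name-matching rule described in the answer above and of the SRV-record approach discussed earlier in the thread. The `companyname.com` names, the SRV record values (`0 0 443`) and the simplified client behaviour (use the `_autodiscover._tcp` SRV target if one exists, otherwise `autodiscover.<domain>`) are assumptions constructed for illustration.

```python
def name_matches(pattern: str, host: str) -> bool:
    """True if a certificate name covers host: exact match, or one
    left-most '*' label (e.g. *.companyname.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands in for exactly one label and never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host: str) -> bool:
    """True if any name on the certificate covers the host being browsed to."""
    return any(name_matches(n, host) for n in cert_names)


def parse_srv(record: str):
    """Parse '<owner> IN SRV <priority> <weight> <port> <target>' (no TTL field)."""
    owner, _cls, rtype, _prio, _weight, port, target = record.split()
    if rtype.upper() != "SRV":
        raise ValueError("not an SRV record: " + record)
    return owner.rstrip(".").lower(), int(port), target.rstrip(".").lower()


def autodiscover_host(domain: str, srv_records) -> str:
    """Simplified model (assumption): follow the SRV target when present,
    otherwise fall back to autodiscover.<domain>."""
    wanted = f"_autodiscover._tcp.{domain}".lower()
    for rec in srv_records:
        owner, _port, target = parse_srv(rec)
        if owner == wanted:
            return target
    return f"autodiscover.{domain}".lower()


# Constructed sample data for this example.
DOMAIN = "companyname.com"
SINGLE_NAME_CERT = ["remote.companyname.com"]
UCC_CERT = ["autodiscover.companyname.com", "remote.companyname.com",
            "companyname.com", "servername.local"]
SRV = "_autodiscover._tcp.companyname.com. IN SRV 0 0 443 remote.companyname.com."

if __name__ == "__main__":
    for label, cert, srv in [("single-name, no SRV", SINGLE_NAME_CERT, []),
                             ("single-name, SRV", SINGLE_NAME_CERT, [SRV]),
                             ("UCC, no SRV", UCC_CERT, [])]:
        host = autodiscover_host(DOMAIN, srv)
        print(f"{label}: autodiscover -> {host}, covered={cert_covers(cert, host)}")
```
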
 

Author Comment

by:resolver1
ID: 33594954
Rightio, I understand.  There was just some doubt in my mind but you've cleared it up for me.  
0


Question has a verified solution.
