Solved

SBS 2008 and Exchange 2007/Outlook Anywhere Security Certificate Question

Posted on 2010-09-14
Last Modified: 2012-05-10
I have a client with a small business server. They are a non-profit and are trying to avoid any unnecessary expenditures. They do not have a static IP and going static would cost them a considerable amount more per month, so I am using DDNS to create a valid hostname that they can use to reach the SBS from outside the LAN. I haven't worked much with DDNS and certs, but is it even possible to utilize Outlook Anywhere when your IP changes? I know that for it to work when you are using SSL, the certificate has to be installed into the trusted root certification authorities on the client side. I have noticed that after installing the cert, every couple of hours if I browse to the OWA via the hostname I receive a security certificate warning and have to re-install. I think the change of IP is triggering this. Is there a type of cert I can create that will allow for the IP to change? Or is it IE that is registering the IP and when I browse to the SBS and the IP is different...it rejects the cert. Any help is appreciated.

For the exchange server...I am using the SBS POP connector and a smart host to send and receive mail and it is working great.
0
Comment
Question by:J C
  • 9
  • 7
17 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33674697
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 33677551
You can do so with a dynamic IP but you need to use a service like DDNS's custom DNS. This will map your changing IP to your public Domain name:
http://www.dyndns.com/services/dns/custom/
No_IP offers similar with their Plus managed DNS service:
http://www.no-ip.com/services/managed_dns/plus_dynamic_dns.html

With your registrar for your domain you then forward insert dyndns or no-ip's servers as the DNS servers. Then on the service you have chosen you can set up your MX and host records pointing to your server.

Next there is the certificate issue. By far the simplest option is to buy and install an SSL certificate, available starting at $30/year from www.godaddy.com. This will still work with the dynamic IP. If you don't want to buy that you can create a self signed certificate on the SBS which you then have to manually install on all non domain connected PC's. Works fine, but a bit of a nuisance to manage. Keep in mind the certificate name (default is remote.YourDomain.abc) has to match the URL to which users connect. You cannot use the IP.
0
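An added example, not part of the original answer: a simplified Python model of the name check a TLS client applies to the server certificate, showing why the name users connect to must appear in the certificate and why the server's current IP plays no part. The certificate is a constructed sample shaped like the output of `ssl.SSLSocket.getpeercert()`; `remote.example.org` and `203.0.113.10` are placeholder values.

```python
import ipaddress

# Constructed sample certificate fields (placeholder name, not a real host).
SAMPLE_CERT = {
    "subject": ((("commonName", "remote.example.org"),),),
    "subjectAltName": (("DNS", "remote.example.org"),),
}


def dns_name_matches(pattern, host):
    """Case-insensitive compare; '*' may replace the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, target):
    """True if the certificate names the target the user typed.

    Note what is NOT an input: the address the name currently resolves to.
    A DDNS update changes the A record, not the name in the certificate.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP only matches an explicit "IP Address" SAN entry.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        # Legacy fallback: use the subject common name when no DNS SAN exists.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(name, target) for name in names)


if __name__ == "__main__":
    for target in ("remote.example.org", "203.0.113.10", "sbs.remote.example.org"):
        print(target, "->", "match" if cert_covers(SAMPLE_CERT, target) else "name mismatch")
```

A name mismatch is a separate failure from an untrusted issuer: a self-signed certificate with the right name still needs its issuer installed on each non-domain PC, as the answer describes.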
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33677560
PS - the following is a helpful link if you want to buy and install a GoDaddy certificate:
http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx
0
 

Author Comment

by:J C
ID: 33677586
Thanks for your response. I just want to make sure I understand. Do I have to transfer my domain out of the current registrar into a registrar that supports DDNS? Is there any way to transfer/migrate a sub-domain such as remote.mypublicdomain.com to dyndns and leave all other DNS records intact with the current registrar?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33677647
No, you don't have to change registrars. Any registrar has a listing as to what DNS server holds the records for your domain. This is often the registrar themselves, however it can be changed. With many registrars you can do so on their management page yourself, but with others you have to request it be changed. You then have them point it to dyndns or no-IP's servers. The server names are provided when you set up the service.
Who is the registrar for your domain? We may be able to be more specific.

It is usually best to have the DDNS service in place first so there is no interruption of service as the switch over takes place.
0
 

Author Comment

by:J C
ID: 33677660
Makes sense and you have definitely jogged my memory. We can pay the 30 a year for the DDNS service and it would make the most sense just to go ahead and purchase a cert. Thank you for your help.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33677964
Very welcome. Let us know if you have any questions about details.
--Rob
0
 

Author Comment

by:J C
ID: 33686115
Rob,

Do you know of any issues with 1&1 and limitations in not being able to delegate a subdomain to DNS servers other than their own? I was able to configure the delegation from the control panel but the tech I spoke to with 1and1 said it shouldn't work. I just finished making all the changes and I know it can take time to activate/propagate. If you have any information on this please reply. Thank you.
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 33686171
remote.mypublicdomain.com is not a sub-domain; it is a host record named remote for the domain mypublicdomain.com.
You cannot set this up using subdomains.
0
 

Author Comment

by:J C
ID: 33686202
So I would need to use the dyndns name servers for all of the records for my domain to make this work?
0
 

Author Comment

by:J C
ID: 33686272
Here is what I did. I logged into the CP. I created a subdomain and named it remote.mypublicdomain.com

I edited the DNS for the subdomain and entered the dyndns.org name servers. What makes remote.mypublicdomain.com ineligible to be a subdomain? What would one look like?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33686360
Correct.
You would have 1and1 set up your domain to use DYNDNS's DNS servers:
ns1.mydyndns.org   (Required)  204.13.248.76
ns2.mydyndns.org   (Required)  204.13.249.76
ns3.mydyndns.org                       208.78.69.76
ns4.mydyndns.org                       91.198.22.76
ns5.mydyndns.org                     203.62.195.76

Then set up your host records and MX records using the DYNDNS service. For SBS you really only need one host record remote.mypublicdomain.com  and your MX record points to that. If you have a web site you will also want a host record for www. The following may be of some help to configure:
https://www.dyndns.com/support/kb/mailservers.html#howto-dns

They also have a BackUp MX service that will accept and hold all mail for your domain for up to 7 days if your server is off line. When the server is back on line they automatically forward it to your server. It is an extra cost but something you may want to consider.
I usually use both dyndns and NO-IP for clients, but no-ip's backup MX service also has some reporting that is nice to have. There is a NO-IP link at the bottom of my web site.
http://www.lan-2-wan.com/
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33686387
To the best of my knowledge sub-domains will not work.
If it is a true sub-domain, you then need a host name. You would then have SBSname.remote.mypublicdomain.com and SBS will not accept that.

1and1 can set up the DNS as required, but it may not be possible for you to do. Many registrars require you to call or open a trouble ticket and request.
0
 

Author Comment

by:J C
ID: 33687228
Made all of the changes. I have a related question...Is the same certificate used for the OWA/Sharepoint/RWW? So if I purchase one from godaddy is that going to be enough to be able to do everything I need to if I want to utilize all of the available features?

When I try to connect to a computer it tells me you must install the proper certificate...I am not sure if this is all relative or not.

You have been a big help so far, thanks a lot and if you can provide any feedback on the questions above that'd be great.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33687843
>>"Is the same certificate used for the OWA/Sharepoint/RWW?"
Yes.

>>"When I try to connect to a computer it tells me you must install the proper certificate...I am not sure if this is all relative or not. "
Where are you seeing this?
You can use a self signed certificate generated by the SBS. If the connecting PC is not a member of the domain or if you have changed the certificate after joining the domain you must manually install it on the connecting PC. The advantage of a purchased certificate from a known authority is it will automatically be accepted by the PC's when connecting to the SBS, so you don't have the hassle of installing it on every device trying to use remote services. This is especially beneficial on Smart Phones.
0
 

Author Closing Comment

by:J C
ID: 33687863
Rob,

You are awesome. Thanks again.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33688001
You are very welcome. Thank you jleecole.
Cheers!
--Rob
0
