  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 632

SBS 2008 and Exchange 2007/Outlook Anywhere Security Certificate Question

I have a client with a small business server. They are a non-profit and are trying to avoid any unnecessary expenditures. They do not have a static IP and going static would cost them a considerable amount more per month, so I am using DDNS to create a valid hostname that they can use to reach the SBS from outside the LAN. I haven't worked much with DDNS and certs, but is it even possible to utilize Outlook Anywhere when your IP changes? I know that for it to work when you are using SSL, the certificate has to be installed into the Trusted Root Certification Authorities on the client side. I have noticed that after installing the cert, every couple of hours if I browse to the OWA via the hostname I receive a security certificate warning and have to re-install. I think the change of IP is triggering this. Is there a type of cert I can create that will allow for the IP to change? Or is it IE that is registering the IP, and when I browse to the SBS and the IP is different...it rejects the cert? Any help is appreciated.

For the exchange server...I am using the SBS POP connector and a smart host to send and receive mail and it is working great.
0
J C
Asked:
J C
1 Solution
 
sunnyc7Commented:
0
 
Rob WilliamsCommented:
You can do so with a dynamic IP but you need to use a service like DDNS's custom DNS. This will map your changing IP to your public Domain name:
http://www.dyndns.com/services/dns/custom/
No-IP offers similar with their Plus managed DNS service:
http://www.no-ip.com/services/managed_dns/plus_dynamic_dns.html

With your registrar for your domain you then forward insert dyndns or no-ip's servers as the DNS servers. Then on the service you have chosen you can set up your MX and host records pointing to your server.

Next there is the certificate issue. By far the simplest option is to buy and install an SSL certificate, available starting at $30/year from www.godaddy.com. This will still work with the dynamic IP. If you don't want to buy that, you can create a self-signed certificate on the SBS, which you then have to manually install on all non-domain-connected PCs. Works fine, but a bit of a nuisance to manage. Keep in mind the certificate name (default is remote.YourDomain.abc) has to match the URL to which users connect. You cannot use the IP.
0
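The name-matching rule from the answer above, as an added example that is not part of the original thread: a client compares the host typed in the URL with the DNS names in the certificate and checks that the issuer is trusted. The function names are hypothetical, the certificate is assumed to carry DNS names only, and 203.0.113.10 is a constructed documentation address.

```python
import ipaddress

def _is_ip(host):
    """True when the host part of the URL is an IP literal, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(cert_name, host):
    """Compare one DNS name from a certificate with the host in the URL."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    # A wildcard is honoured only as the whole left-most label.
    if cert_labels[0] == "*" and len(cert_labels) > 2:
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def check_connection(cert_dns_names, url_host, issuer_trusted):
    """Return the warnings a client would raise; an empty list means no prompt.

    The address the name currently resolves to is deliberately not a
    parameter: it plays no part in certificate validation.
    """
    warnings = []
    if not issuer_trusted:
        warnings.append("untrusted issuer")
    if _is_ip(url_host) or not any(
        name_matches(n, url_host) for n in cert_dns_names
    ):
        warnings.append("name mismatch")
    return warnings

if __name__ == "__main__":
    cert = ["remote.mypublicdomain.com"]  # constructed sample certificate names
    cases = [
        ("remote.mypublicdomain.com", True),   # purchased cert, correct name
        ("remote.mypublicdomain.com", False),  # self-signed, not yet installed
        ("203.0.113.10", True),                # browsing by IP instead of name
    ]
    for host, trusted in cases:
        print(host, trusted, check_connection(cert, host, trusted))
```
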
 
Rob WilliamsCommented:
PS - the following is a helpful link if you want to buy and install a GoDaddy certificate:
http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx
0

 
J CAuthor Commented:
Thanks for your response. I just want to make sure I understand. Do I have to transfer my domain out of the current registrar into a registrar that supports DDNS? Is there any way to transfer/migrate a sub-domain such as remote.mypublicdomain.com to dyndns and leave all other DNS records intact with the current registrar?
0
 
Rob WilliamsCommented:
No, you don't have to change registrars. Any registrar has a listing as to what DNS server holds the records for your domain. This is often the registrar themselves, however it can be changed. With many registrars you can do so on their management page yourself, but with others you have to request it be changed. You then have them point it to dyndns or no-IP's servers. The server names are provided when you set up the service.
Who is the registrar for your domain? We may be able to be more specific.

It is usually best to have the DDNS service in place first so there is no interruption of service as the switch over takes place.
0
 
J CAuthor Commented:
Makes sense and you have definitely jogged my memory. We can pay the 30 a year for the DDNS service and it would make the most sense just to go ahead and purchase a cert. Thank you for your help.
0
 
Rob WilliamsCommented:
Very welcome. Let us know if you have any questions about details.
--Rob
0
 
J CAuthor Commented:
Rob,

Do you know of any issues with 1&1 and limitations in not being able to delegate a subdomain to DNS servers other than their own? I was able to configure the delegation from the control panel but the tech I spoke to with 1and1 said it shouldn't work. I just finished making all the changes and I know it can take time to activate/propagate. If you have any information on this please reply. Thank you.
0
 
Rob WilliamsCommented:
remote.mypublicdomain.com is not a sub-domain; it is a host record named remote for the domain mypublicdomain.com.
You cannot set this up using subdomains.
0
 
J CAuthor Commented:
So I would need to use the dyndns name servers for all of the records for my domain to make this work?
0
 
J CAuthor Commented:
Here is what I did. I logged into the CP. I created a subdomain and named it remote.mypublicdomain.com

I edited the DNS for the subdomain and entered the dyndns.org name servers. What makes remote.mypublicdomain.com ineligible to be a subdomain? What would one look like?
0
 
Rob WilliamsCommented:
Correct.
You would have 1and1 set up your domain to use DYNDNS's DNS servers:
ns1.mydyndns.org   (Required)  204.13.248.76
ns2.mydyndns.org   (Required)  204.13.249.76
ns3.mydyndns.org                       208.78.69.76
ns4.mydyndns.org                       91.198.22.76
ns5.mydyndns.org                     203.62.195.76

Then set up your host records and MX records using the DYNDNS service. For SBS you really only need one host record remote.mypublicdomain.com  and your MX record points to that. If you have a web site you will also want a host record for www. The following may be of some help to configure:
https://www.dyndns.com/support/kb/mailservers.html#howto-dns

They also have a BackUp MX service that will accept and hold all mail for your domain for up to 7 days if your server is off line. When the server is back on line they automatically forward it to your server. It is an extra cost but something you may want to consider.
I usually use both dyndns and NO-IP for clients, but no-ip's backup MX service also has some reporting that is nice to have. There is a NO-IP link at the bottom of my web site.
http://www.lan-2-wan.com/
0
 
Rob WilliamsCommented:
To the best of my knowledge sub-domains will not work.
If it is a true sub-domain, you then need a host name. You would then have SBSname.remote.mypublicdomain.com and SBS will not accept that.

1and1 can set up the DNS as required, but it may not be possible for you to do. Many registrars require you to call or open a trouble ticket and request.
0
 
J CAuthor Commented:
Made all of the changes. I have a related question...Is the same certificate used for the OWA/Sharepoint/RWW? So if I purchase one from godaddy is that going to be enough to be able to do everything I need to if I want to utilize all of the available features?

When I try to connect to a computer it tells me you must install the proper certificate...I am not sure if this is all relative or not.

You have been a big help so far, thanks a lot and if you can provide any feedback on the questions above that'd be great.
0
 
Rob WilliamsCommented:
>>"Is the same certificate used for the OWA/Sharepoint/RWW?"
Yes.

>>"When I try to connect to a computer it tells me you must install the proper certificate...I am not sure if this is all relative or not. "
Where are you seeing this?
You can use a self-signed certificate generated by the SBS. If the connecting PC is not a member of the domain or if you have changed the certificate after joining the domain you must manually install it on the connecting PC. The advantage of a purchased certificate from a known authority is it will automatically be accepted by the PCs when connecting to the SBS, so you don't have the hassle of installing it on every device trying to use remote services. This is especially beneficial on smartphones.
0
 
J CAuthor Commented:
Rob,

You are awesome. Thanks again.
0
 
Rob WilliamsCommented:
You are very welcome. Thank you jleecole.
Cheers!
--Rob
0
