  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 714

Exchange 2010/Outlook 2007 Certificate warning

Exchange 2010 is very new to me so forgive me if I sound naive in some of my questioning.  

We have 2 Exchange Servers in our organization, a 2003 and a 2010 Exchange Server.  All the Roles for  2010 are on 1 server.

In order to get Active Sync working we purchased a Certificate from GoDaddy.  Active Sync is working on the new server... it was issued to the name we use for our external URL.  The internal URL is the same name as the Exchange 2010 server.

While Active Sync works fine, whenever Outlook 2007 opens a mailbox that resides on the Exchange 2010 Server it gets the well-known certificate warning message where the last option is "The name on the security certificate is invalid or does not match the name of the site".  The internal URL was not included when we created this certificate.

This morning I created a new cert for the internal URL... without thinking I assigned it IIS services... well, this made the cert warning message go away but also broke Active Sync.  Removed the IIS services from the new cert and Active Sync worked fine.


So basically, all that to say: how do I make the certificate warning message stop when my internal users open Outlook 2007 without breaking Active Sync?

Thanks, and sorry to sound naive... trying to understand as I go.


0
Asked: BlueGoose
1 Solution
 
LLMorrissonCommented:
If you don't have a SAN cert, you'll need to change the internal service URL that is used for communication between Exchange and Outlook so it matches the name in the cert to make it stop complaining. You obviously need to make sure this address is resolvable internally too before you do it, otherwise that will break it too.
0
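The repointing LLMorrisson describes, written out as an added Exchange Management Shell example (this is not code from the thread or from Exchange's documentation). It assumes the GoDaddy certificate was issued to mail.example.com, that the Exchange 2010 server hosting all roles is named EX2010, and that the SAN-less certificate is the one currently bound to IIS; all three are placeholders. It checks name resolution first, because pointing Outlook at a name that does not resolve internally breaks the connection outright.

```powershell
# Added example, not from the thread. Placeholders: mail.example.com is the name on the
# purchased certificate, EX2010 is the Exchange 2010 server. Run in the Exchange
# Management Shell on the 2010 server.
$ExternalName = "mail.example.com"
$Server       = "EX2010"

# 1. Make sure the certificate name resolves from the internal network BEFORE
#    repointing anything. If this fails, add a split-DNS record first.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ExternalName)
} catch {
    throw "$ExternalName does not resolve internally; create an internal DNS record before changing URLs"
}
Write-Host "$ExternalName resolves to $($addresses -join ', ')"

# 2. Repoint the internal service URLs Outlook 2007 uses (Autodiscover, EWS, OAB)
#    so their host name matches the certificate. ActiveSync is included so its
#    internal URL is consistent too.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$ExternalName/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$ExternalName/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "https://$ExternalName/OAB"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$ExternalName/Microsoft-Server-ActiveSync"

# 3. Verify: every internal URL host must appear in the IIS-bound certificate's
#    domain list, otherwise Outlook will keep showing the name-mismatch warning.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

$internalUrls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl,
    (Get-OabVirtualDirectory -Server $Server).InternalUrl,
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
)
foreach ($url in $internalUrls) {
    $host = ([Uri]$url).Host.ToLower()
    $ok   = $certNames -contains $host
    "{0,-60} {1}" -f $url, $(if ($ok) { "OK" } else { "MISMATCH: $host not in certificate" })
}
```

Only one certificate can be bound to the Default Web Site in IIS, which is why enabling the IIS service on the internal-name certificate replaced the GoDaddy one and broke ActiveSync; with this approach the GoDaddy certificate stays bound and only the URLs change. Outlook picks up the new Autodiscover URL on its next Autodiscover refresh, so the warning may not disappear until clients restart.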
 
jar3817Commented:
How about you set internal Outlook clients to connect via MAPI rather than HTTPS? Or are they laptops that are internal sometimes and external other times?

Really, the best thing to do would be to use the same domain name internally and externally. That might require you to run split DNS; it all depends on your setup.
0
 
BlueGooseAuthor Commented:
Internal clients are connecting by MAPI (verified by right clicking icon in tray and choosing Connection Status)

Short of having the internal and external URLs be the same, are there other options?  Right now the only 3rd-party cert we have is the GoDaddy one that is used for Active Sync.   Could I just purchase another cert for the internal URL, or will I pretty much end up with the same issue as the self-signed one?
0
 
LLMorrissonCommented:
Ideally you should be using a SAN certificate (aka a UCC). This is a cert that lets you list multiple names in the same cert. You can get these from GoDaddy too, although they are a little more expensive than the regular certs, unfortunately.
0
 
BlueGooseAuthor Commented:
I think we will go the UCC route... any ideas on what I should choose during the creation of the cert on the Exchange 2010 server? We will be using it for Active Sync, OWA, internal email... so many choices, not sure which ones to choose.
0
 
LLMorrissonCommented:
You can use the tool built into Exchange 2010 to tell you what SANs you need in your cert. Go to the Server Configuration node in the EMC and click on New Exchange Certificate. During the wizard there is an opportunity to tell it what services you want to protect with the cert, and it will fetch all your current service URLs as part of that process. You can then use that info for your SAN cert order.
0
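The same name-gathering the EMC wizard does, as an added Exchange Management Shell example (not code from the thread or from Microsoft). It pulls every internal and external URL the Exchange 2010 server currently advertises, reduces them to a unique host-name list for the UCC order, and generates the request with all of those names. EX2010, mail.example.com, example.com and C:\certreq are placeholders; the Autodiscover name for the SMTP domain is added by hand because no virtual directory lists it.

```powershell
# Added example, not from the thread. Placeholders: EX2010 (server), example.com
# (SMTP domain), mail.example.com (intended common name), C:\certreq (output folder).
$Server     = "EX2010"
$SmtpDomain = "example.com"
$CommonName = "mail.example.com"
$OutDir     = "C:\certreq"

# 1. Collect every client-facing URL, internal and external, from the server.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vdir in @(
        (Get-WebServicesVirtualDirectory -Server $Server),
        (Get-OabVirtualDirectory        -Server $Server),
        (Get-ActiveSyncVirtualDirectory -Server $Server),
        (Get-OwaVirtualDirectory        -Server $Server),
        (Get-EcpVirtualDirectory        -Server $Server))) {
    $urls += $vdir.InternalUrl
    $urls += $vdir.ExternalUrl
}

# 2. Reduce to unique host names. Outlook also tries autodiscover.<smtp-domain>,
#    which is not stored on any virtual directory, so add it explicitly.
$names = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })
$names += "autodiscover.$SmtpDomain".ToLower()
$names = @($names | Sort-Object -Unique)

Write-Host "Names to include in the SAN/UCC order:"
$names | ForEach-Object { Write-Host "  $_" }

# 3. Generate the request. The common name should also appear in -DomainName so
#    it is present in the SAN list; some clients ignore the subject when SANs exist.
if ($names -notcontains $CommonName.ToLower()) { $names += $CommonName.ToLower() }
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$CommonName, O=Example Corp, C=US" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2010 SAN" |
    Out-File -FilePath (Join-Path $OutDir "exchange-san.req") -Encoding ascii

# 4. When the CA returns the signed certificate, import it and bind it to IIS (and
#    SMTP if used), replacing the single-name certificate in one step:
# Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "$OutDir\exchange-san.cer" -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services "IIS,SMTP"
```

Because the single-name GoDaddy certificate and the internal-name certificate cannot both be bound to IIS, the SAN certificate is what lets Active Sync on the external name and Outlook 2007 on the internal name share one binding. Keep the old certificate installed until Outlook and ActiveSync clients are confirmed working against the new one, then remove it with Remove-ExchangeCertificate.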
 
BlueGooseAuthor Commented:
Thanks!
0