xsawkins asked:
Exchange 2010 SSL Certificate - Name mismatch across VPN connection.

Recently added a branch office to connect to the main office with a hardware VPN.  Joined the local server to the domain and all networking works fine.

The Exchange 2010 server is located in the main office.  Outlook clients locally connect fine.  Outlook clients externally can connect from the outside using the certificate.

Outlook clients across the VPN get "The name on the security certificate is invalid or does not match the name of the site".  Press OK and all works ok.  At the top of the Security Alert it does show the correct Exchange server, but when you view the GoDaddy certificate it lists the external.domain.com address.

I know it has something to do with the branch office being on a different network across the VPN.  Suggestions?
Auric1983:

At your main office do you have it configured so "External.domain.com" resolves to the internal IP (Split DNS) for your local outlook clients?

It sounds to me as if the SAN certificate on the Exchange server does not include the FQDN of the exchange server (ex. exchange.domain.local)

If you have it all setup correctly at your main office then it's probably just DNS, I'd make sure the remote site is either running its own DNS as part of the domain OR referencing a domain controller / DNS server at the main office.

I should also mention,

Not including the server name will cause that SAN / Certificate name mismatch, but it's not a big deal, hence the question about split DNS.  There are a few steps that you need to do and a few EMS commands that need to be executed if this hasn't already been done.

Let me know if you need more info on that and I'll get the commands and reference for you.
pcchiu:

For Exchange 2010 you can get the UCC certificate which will fix the name mismatch issue.  Especially if you plan to use Outlook 2010, where you will encounter more of those naming errors if you only use the regular certificate.

You can use the following tool to generate the necessary CSR:
https://www.digicert.com/easy-csr/exchange2010.htm

and then purchase the UCC certificate from godaddy (which is cheaper)
praveenkumare_sp (asker certified solution):

xsawkins (asker):

The branch office is on the same domain with a local domain controller and DNS running on it.  Most of the clients in the branch office do run Office 2010, with just a few Office 2007 clients.

Currently the Exchange server does have a cert from GoDaddy on it.

Thanks for all the references to look at.  I will be looking at it shortly and update everyone.
Regarding the DNS question:

From both local networks the address https://servername.domain.local/owa resolves to Outlook Web App.

From the main office (Exchange server location) the address https://mail.ExternalDomain.com/owa does not resolve.  From the branch office it does.

The error from the branch office refers to only showing the external address on the cert.  When you view the cert, the "issued to" is: mail.ExternalDomain.com

I think if you go for the UCC it will be much easier; you can have up to 5 domain names on the same certificate (so it will cover all the autodiscover internal and external names and one extra for something else).

Do you get a cert error at the main site when you go to server.domain.local/owa?

Just thinking if it works at the main site and OWA works outside it may not be a cert issue.

Outlook clients at the main site do not get a cert error.  From both sites you can go to server.domain.local/owa with no problems.

Internal clients are setup directly to exchange - no proxy settings as if coming in from the outside.  External clients use the external address of mail.domainname.com/owa in their http proxy settings with no cert error.

I did add a new DNS zone for the domainname.com address with host A records for mail & www, just in case it was a DNS issue, but that did not resolve the problem.

RE:
I think if you go for the UCC it will be much easier; you can have up to 5 domain names on the same certificate (so it will cover all the autodiscover internal and external names and one extra for something else).

-----------------

I guess I do not understand how this can help with fixing a certificate already in existence?  Can you be more specific than pointing me to a site and suggesting a UCC?  Is the problem related to not having the proper alternative names in the certificate?

The certificate works fine for external OWA/WebApp users going to mail.domainname.com/owa

How does this affect users that are using Outlook across a VPN?

Thanks for the help.  Changing the InternalUrl to the ExternalUrl of the certificate and adding DNS entries for the external address on the internal DNS did the trick.
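The fix described in Auric1983's reply (split DNS plus the EMS commands) and confirmed in the last post, written out as an added example that is not from any poster in this thread. It assumes placeholders CAS01 for the Exchange 2010 Client Access Server, mail.example.com for the name on the GoDaddy certificate, DC01 for an internal DNS server that already hosts a zone for example.com, and 10.0.0.5 for the server's internal IP address.

```powershell
# Added example (not from the thread). Placeholder values, change to suit:
$cas          = "CAS01"             # Exchange 2010 Client Access Server
$externalName = "mail.example.com"  # the name that is actually on the certificate
$dnsServer    = "DC01"              # internal DNS server holding the example.com zone
$internalIp   = "10.0.0.5"          # internal address of the CAS
# Run in the Exchange Management Shell on the Exchange server.

# 1. See which names the certificate bound to IIS actually covers.
#    Outlook warns whenever the URL it was handed is not in this list,
#    which is why a URL of servername.domain.local trips the alert.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, Services

# 2. Hand internal Outlook clients the same name that is on the certificate
#    by setting every InternalUrl to match the external one.
$base = "https://$externalName"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "$base/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "$base/ecp"
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# 3. Split DNS: make the external name resolve to the internal address from
#    inside (main office and branch alike), so clients never leave the VPN.
#    Runs once against the internal DNS server; the zone must exist first.
dnscmd $dnsServer /RecordAdd example.com mail A $internalIp

# 4. Verify: every InternalUrl now carries the certificate's name, and that
#    name resolves to the internal address when queried from either site.
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri
nslookup $externalName $dnsServer
```

If step 1 shows the certificate does not list the external name either, the URL change alone will not help and the certificate has to be reissued with the missing names, which is the UCC/SAN point pcchiu raised.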