Solved

Exchange 2010 SSL Certificate - Name mismatch across VPN connection.

Posted on 2011-03-10
11
1,176 Views
Last Modified: 2013-02-18
Recently added a branch office to connect to the main office with a hardware VPN.  Joined the local server to the domain and all networking works fine.

The Exchange 2010 server is located in the main office.  Outlook clients locally connect fine.  Outlook clients externally can connect from the outside using the certificate.

Outlook clients across the VPN get "The name on the security certificate is invalid or does not match the name of the site".  Press OK and all works ok.  At the top of the Security Alert it does show the correct Exchange server, but when you view the GoDaddy certificate it lists the external.domain.com address.

I know it has something to do with the branch office being on a different network across the VPN.  Suggestions?
0
Comment
Question by:xsawkins
11 Comments
 
LVL 16

Expert Comment

by:Auric1983
ID: 35099654
At your main office do you have it configured so "External.domain.com" resolves to the internal IP (Split DNS) for your local outlook clients?

It sounds to me as if the SAN certificate on the Exchange server does not include the FQDN of the exchange server (ex. exchange.domain.local)

If you have it all set up correctly at your main office then it's probably just DNS, I'd make sure the remote site is either running its own DNS as part of the domain OR referencing a domain controller / DNS server at the main office.

0
 
LVL 16

Expert Comment

by:Auric1983
ID: 35099665
I should also mention,

Not including the server name will cause that SAN / Certificate name mismatch, but it's not a big deal, hence the question about split DNS.  There are a few steps that you need to do and a few EMS commands that need to be executed if this hasn't already been done.

Let me know if you need more info on that and I'll get the commands and reference for you.
0
 
LVL 9

Expert Comment

by:pcchiu
ID: 35102319
For Exchange 2010 you can get the UCC certificate which will fix the name mismatch issue.  Especially if you plan to use Outlook 2010, with which you will encounter more of those naming errors if you only use the regular certificate.

You can use the following tool to generate the necessary CSR:
https://www.digicert.com/easy-csr/exchange2010.htm

and then purchase the UCC certificate from godaddy (which is cheaper)
0
 
LVL 8

Accepted Solution

by:
praveenkumare_sp earned 500 total points
ID: 35103077
In the paragraph below I have explained how to change the Internal URL such that you don't need to have the CAS FQDN in the certificate.

Follow the KB below (940726) and change the URLs:

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""

In short this is what you have to do (taken for your reference from the URL):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
  https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.


This should fix your issue.

Let me know if you need more info.
0
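The KB 940726 procedure quoted above, as an added Exchange Management Shell script (not from the thread or from Microsoft): it first verifies that the name you intend to use really appears on the certificate bound to IIS, reports which internal URLs still point at the server's internal FQDN, and only with -Apply rewrites them and recycles the Autodiscover app pool. The server name EXCH01 and the 10.0.0.10 address in the comments are assumptions; substitute your own.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell
# on (or against) the CAS server. Values such as EXCH01 / 10.0.0.10 are assumed.
param(
    [Parameter(Mandatory)][string]$CasServer,   # e.g. EXCH01
    [Parameter(Mandatory)][string]$CertName,    # name on the certificate, e.g. mail.domainname.com
    [switch]$Apply                              # without this the script only audits
)

# 1. The new InternalUrl must be a name the IIS-bound certificate actually carries,
#    otherwise the change only moves the mismatch instead of removing it.
$cert = Get-ExchangeCertificate -Server $CasServer | Where-Object {
    ($_.Services -match 'IIS') -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $CertName)
}
if (-not $cert) { throw "No IIS-bound certificate on $CasServer lists $CertName" }

# 2. Audit the URLs that Autodiscover hands to internal (including VPN) Outlook clients.
$current = [ordered]@{
    AutodiscoverSCP = (Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
    EWS             = (Get-WebServicesVirtualDirectory -Server $CasServer).InternalUrl
    OAB             = (Get-OABVirtualDirectory -Server $CasServer).InternalUrl
}
foreach ($entry in $current.GetEnumerator()) {
    $ok = $entry.Value -and ($entry.Value.Host -ieq $CertName)
    '{0,-16} {1,-4} {2}' -f $entry.Key, $(if ($ok) { 'OK' } else { 'FIX' }), $entry.Value
}
if (-not $Apply) { return }

# 3. Rewrite the three URLs exactly as KB 940726 describes (the UM step is 2007-only).
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "https://$CertName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "https://$CertName/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\oab (Default Web Site)" `
    -InternalUrl "https://$CertName/oab"

# 4. Recycle the Autodiscover application pool so the new SCP URL is served at once.
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# 5. Reminder: internal DNS must resolve $CertName to the CAS server's internal address
#    (split DNS), e.g. on a domain DNS server:
#    dnscmd /RecordAdd domainname.com mail A 10.0.0.10     (assumed zone and address)
```

Running it once without -Apply on each site shows whether the branch clients are being handed the internal FQDN (FIX) or the certificate name (OK).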
 

Author Comment

by:xsawkins
ID: 35132964
The branch office is on the same domain with a local domain controller and DNS running on it.  Most of the clients in the branch office do run Office 2010, with just a few Office 2007 clients.

Currently the exchange server does have cert from godaddy on it.

Thanks for all the references to look at.  I will be looking at it shortly and update everyone.
0
 

Author Comment

by:xsawkins
ID: 35133262
Regarding the DNS question:

From both local networks the address of https://servername.domain.local/owa resolve to Outlook Web App

From the the main office (Exchange server location) the address of https://mail.ExternalDomain.com/owa does not resolve.  From the branch office it does.

The error from the branch office refers to only showing the external address on the cert.  When you view the cert, the "issue to" is: mail.ExternalDomain.com
0
 
LVL 9

Expert Comment

by:pcchiu
ID: 35133344
I think if you go for the UCC it will be much easier; you can have up to 5 domain names for the same certificate (so it will cover all the Autodiscover internal and external names and one extra for something else).

0
 
LVL 16

Expert Comment

by:Auric1983
ID: 35134337
Do you get a cert error at the main site when you go to server.domain.local/owa ??

Just thinking if it works at the main site and owa works outside it may not be a cert issue.
0
 

Author Comment

by:xsawkins
ID: 35138976
Outlook clients at the main site do not get a cert error.  From both sites you can go to server.domain.local/owa with no problems.

Internal clients are setup directly to exchange - no proxy settings as if coming in from the outside.  External clients use the external address of mail.domainname.com/owa in their http proxy settings with no cert error.

I did add a new DNS zone for the domainname.com address with host A records for mail & www, just incase it was a DNS issue, but that did not resolve the problem.
0
 

Author Comment

by:xsawkins
ID: 35139649
RE:
I think if you go for the UCC it will be much easier; you can have up to 5 domain names for the same certificate (so it will cover all the Autodiscover internal and external names and one extra for something else).

-----------------

I guess I do not understand how this can help with fixing a certificate already in existence?  Can you be more specific than pointing me to a site and suggesting a UCC?  Is the problem related to not having the proper alternative names in the certificate?

The certificate works fine for external OWA/WebApp users going to mail.domainname.com/owa

How does this affect users that are using Outlook across a VPN?
0
 

Author Comment

by:xsawkins
ID: 35140283
Thanks for the help.  Changing the InternalUrl to the ExternalUrl of the certificate and adding DNS entries for the external address for the internal did the trick.
0
