Solved

exchange 2010 ucc certificate - internal fqdn problem

Posted on 2011-03-10
Last Modified: 2012-05-11
I inherited an active directory running 2003 server/exchange.

The internal AD domain name is *not* unique on the internet.  The name is registered to a company completely unrelated to our internal network.  The network has a valid registered public domain name.

I am currently installing Server 2008 and Exchange 2010, and am going to have problems requesting a UCC cert with SANs including someone else's public domain name.

Questions:
1. Do I need to have the Exchange 2010 internal server name as a SAN
2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain"  - where "public.domain" is someone else's registered domain name)
3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").
Question by:snowdog_2112
12 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 35101601
1. Do I need to have the Exchange 2010 internal server name as a SAN

no


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").
This is what you will need to do, but with a slightly different approach:

a. create a CAS array and call it say cas.yourdomain.com
b. configure all your internal and external urls to be say mail.yourdomain.com
c. change the rpc client access server on your databases to be cas.yourdomain.com

request your certificate with
mail.yourdomain.com
cas.yourdomain.com
autodiscover.yourdomain.com

 
LVL 8

Accepted Solution

by:
praveenkumare_sp earned 500 total points
ID: 35102613

Questions and Answers
1. Do I need to have the Exchange 2010 internal server name as a SAN

Yes (but not absolutely necessary).


2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain"  - where "public.domain" is someone else's registered domain name)

FQDN without hostname can work.
Hostname without FQDN is of no use; it's really a waste.


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").

Instead of doing that, why not follow the answer below.
In the paragraph below I have explained how to change the internal URL so that you don't need to have the CAS FQDN in the certificate.


Follow KB 940726 below and change the URLs.

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""


In short, this is what you have to do (taken from the URL for your reference):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
  https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.
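The PowerShell below is an added example for this thread; it is not code from the posters or from Microsoft's KB article. It puts Akhater's CAS-array approach (first comment) and the internal-URL change praveenkumare_sp quotes from KB 940726 (accepted answer) into one script, adds the split-DNS records both approaches rely on, and finishes with a check that no client-facing URL still carries a name outside the namespace the company owns. Every value is a placeholder (yourdomain.com, EXCH10, the AD site name, the DNS server, the internal IP, the request path and the certificate subject); the CAS array and the OWA, ECP and ActiveSync directories go beyond the KB steps quoted above, the dnscmd exit-code check and the use of Restart-WebAppPool (WebAdministration module, Server 2008 R2) are assumptions, and the script is written for the Exchange 2010 Management Shell on the CAS server.

```powershell
# Added example, not from the thread or from KB 940726. Run in the Exchange 2010
# Management Shell on the CAS server. Every value below is a placeholder.
$OwnedSuffix  = "yourdomain.com"          # the public domain the company actually owns
$ExternalName = "mail.$OwnedSuffix"       # name clients use for HTTPS services
$CasArrayFqdn = "cas.$OwnedSuffix"        # name Outlook uses for RPC (Akhater's step a)
$Server       = "EXCH10"                  # NetBIOS name of the CAS server
$SiteName     = "Default-First-Site-Name" # AD site that owns the CAS array
$DnsServer    = "dc01"                    # internal DNS server holding the split-DNS zone
$InternalIp   = "10.0.0.10"               # internal address of the CAS server

# --- 1. Split DNS (question 3): an internal copy of the owned zone, so the names in
#        the certificate resolve to the inside address. Assumes dnscmd returns a
#        non-zero exit code when the zone does not exist yet.
dnscmd $DnsServer /ZoneInfo $OwnedSuffix | Out-Null
if ($LASTEXITCODE -ne 0) { dnscmd $DnsServer /ZoneAdd $OwnedSuffix /DsPrimary }
foreach ($name in "mail", "cas", "autodiscover") {
    dnscmd $DnsServer /RecordAdd $OwnedSuffix $name A $InternalIp
}

# --- 2. CAS array so the RPC endpoint is a name you own (Akhater's steps a and c).
if (-not (Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $CasArrayFqdn })) {
    New-ClientAccessArray -Name "CAS-Array" -Fqdn $CasArrayFqdn -Site $SiteName | Out-Null
}
Get-MailboxDatabase -Server $Server | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# --- 3. Internal URLs = external URLs (KB 940726 steps 2-4, extended to the OWA, ECP
#        and ActiveSync directories Exchange 2010 also hands to clients).
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$ExternalName/autodiscover/autodiscover.xml"
$vdirs = @(
    @{ Cmd = "Set-WebServicesVirtualDirectory"; Path = "EWS";                         Url = "ews/exchange.asmx" },
    @{ Cmd = "Set-OabVirtualDirectory";         Path = "OAB";                         Url = "oab" },
    @{ Cmd = "Set-OwaVirtualDirectory";         Path = "owa";                         Url = "owa" },
    @{ Cmd = "Set-EcpVirtualDirectory";         Path = "ecp";                         Url = "ecp" },
    @{ Cmd = "Set-ActiveSyncVirtualDirectory";  Path = "Microsoft-Server-ActiveSync"; Url = "Microsoft-Server-ActiveSync" }
)
foreach ($v in $vdirs) {
    $url = "https://$ExternalName/$($v.Url)"
    & $v.Cmd -Identity "$Server\$($v.Path) (Default Web Site)" -InternalUrl $url -ExternalUrl $url
}

# --- 4. Recycle the Autodiscover pool so the SCP change is picked up (KB step 8).
Import-Module WebAdministration   # Server 2008 R2; on 2008 use IIS Manager as the KB says
Restart-WebAppPool -Name "MSExchangeAutodiscoverAppPool"

# --- 5. Certificate request listing only names you own (questions 1 and 2): neither
#        the inherited AD FQDN nor the bare host name appears anywhere in it.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$ExternalName, O=Example Org, C=US" `
    -DomainName $ExternalName, $CasArrayFqdn, "autodiscover.$OwnedSuffix"
Set-Content -Path "C:\certreq\$ExternalName.req" -Value $csr

# --- 6. Audit: every client-facing URL whose host lies outside the owned namespace.
#        Re-run after a service pack or a new CAS; empty output means nothing left
#        that would trigger the certificate-name prompt the thread is about.
function Get-ForeignClientUrl {
    param([string]$Server, [string]$OwnedSuffix)
    $uris = @()
    $uris += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    foreach ($get in "Get-WebServicesVirtualDirectory", "Get-OabVirtualDirectory",
                     "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory",
                     "Get-ActiveSyncVirtualDirectory") {
        foreach ($vd in (& $get -Server $Server)) { $uris += $vd.InternalUrl, $vd.ExternalUrl }
    }
    $uris | Where-Object { $_ -ne $null -and $_.Host -notlike "*.$OwnedSuffix" }
}
Get-ForeignClientUrl -Server $Server -OwnedSuffix $OwnedSuffix
```

The audit at the end is the part worth keeping around: the prompt Outlook shows is driven by whichever URL Autodiscover hands out, so listing every InternalUrl and ExternalUrl and filtering by host suffix is a quick way to confirm that the inherited domain name has really left the client path before the certificate is installed.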
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35102618
Hope my comment helps to solve your queries.

Let me know if you need more help :)
 

Author Comment

by:snowdog_2112
ID: 35103084
Thanks for quick follow-up.  I'll report back with my results, hopefully sometime tomorrow.
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35103376
Sure, do let me know the results.

bye
 
LVL 49

Expert Comment

by:Akhater
ID: 35106101
I am sorry praveenkumare_sp, that won't solve the issue.

In all the steps you gave (which, by the way, are for Exchange 2007 and not 2010, but will work for the most part) you are proposing to change them to an FQDN. What FQDN are you talking about? Obviously this FQDN needs to be in the certificate, and since the OP can only get a certificate for his external domain, the only solution is split DNS.

To snowdog_2112: did you install Exchange 2010 or not yet? If not, while installing it you will be asked if you want it to be Internet facing; click yes and enter mail.yourdomain.com in the text box. This will simplify things for you.

Is there anything in my proposition that is not clear?
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35109014
Akhater, I beg to differ in this situation; I have seen cases where it works by changing the FQDN.

The reason why you get a certificate prompt: because you don't have the CAS FQDN in the certificate.

Can we get the FQDN in the certificate? No, as the FQDN has the name of a domain that belongs to another company.

What workaround do we have? Not to put the CAS FQDN in the certificate, and change the internal URL to the external URL.

How does this solve the problem? As the CAS FQDN (internal URL) is no longer in the picture, your clients won't get a certificate prompt.
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35109028
I think the above statement is self-explanatory; let me know if you have any concerns :)
 
LVL 49

Expert Comment

by:Akhater
ID: 35109065
:) This is exactly what split DNS is: to put in the certificate the FQDN corresponding to a domain you OWN and use this instead of the current CAS FQDN.

This is exactly what I told the OP to do in the first post.
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35109138
Akhater, I don't understand why you have said
"obviously speaking this FQDN needs to be in the certificate and since the OP can only get a certificate for his external domain"

as my solution does not need or ask you to have the internal domain in the certificate; it requires only the external domain name.
 

Author Closing Comment

by:snowdog_2112
ID: 35320080
Thanks for the help.  Exchange was already installed when we discovered that the previous IT support company had used someone else's public domain name for the internal AD name.  (we have also corrected our internal procedures to do a better "discovery phase" to prevent this with other customers of ours).
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35320134
Good to hear your issue is resolved.