  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2107

exchange 2010 ucc certificate - internal fqdn problem

I inherited an active directory running 2003 server/exchange.

The internal AD domain name is *not* unique on the internet.  The name is registered to a company completely unrelated to our internal network.  The network has a valid registered public domain name.

I am currently installing Server 2008 and Exchange 2010, and am going to have problems requesting a UCC cert with SANs including someone else's public domain name.

Questions:
1. Do I need to have the Exchange 2010 internal server name as a SAN?
2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain", where "public.domain" is someone else's registered domain name)?
3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public DNS suffix (e.g., "exch10.mydomain.com")?
Asked: snowdog_2112
1 Solution
 
Akhater commented:
1. Do I need to have the Exchange 2010 internal server name as a SAN

no


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").
This is what you will need to do but with a slightly different approach

a. Create a CAS array and call it, say, cas.yourdomain.com
b. Configure all your internal and external URLs to be, say, mail.yourdomain.com
c. Change the RPC Client Access Server on your databases to be cas.yourdomain.com

Request your certificate with:
mail.yourdomain.com
cas.yourdomain.com
autodiscover.yourdomain.com

 
praveenkumare_sp commented:

Questions and Answers
1. Do I need to have the Exchange 2010 internal server name as a SAN

Yes (but not absolutely necessary).


2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain"  - where "public.domain" is someone else's registered domain name)

FQDN without hostname can work.
Hostname without FQDN is of no use; it's really a waste.


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").

Instead of doing that, why not follow the answer below?
In the paragraph below I have explained how to change the internal URL so that you don't need to have the CAS FQDN in the certificate.


Follow the KB article below (KB 940726) and change the URLs:

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""


In short, this is what you have to do (taken from the URL for your reference):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
  https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.
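Putting Akhater's three steps and the URL changes from the quoted KB article together, here is an added example, written for this page and not taken from any poster in the thread or from Microsoft, of the Exchange 2010 Management Shell commands that implement the split-DNS approach. The server name EXCH10, the public domain yourdomain.com, the AD site name, the mailbox databases, the internal IP address 10.0.0.10 and the file paths are placeholder assumptions; Outlook Anywhere, Unified Messaging and the Exchange 2007-only cmdlets are left out.

```powershell
# Added example: split DNS for Exchange 2010 when the internal AD suffix is not a domain you own.
# All names and addresses below are placeholders (assumptions), not values from the thread.
$PublicDomain = "yourdomain.com"            # the domain the company actually owns
$Cas          = "EXCH10"                    # Exchange 2010 CAS/mailbox server (NetBIOS name)
$MailHost     = "mail.$PublicDomain"        # single name used in every client URL
$CasArrayFqdn = "cas.$PublicDomain"         # MAPI/RPC endpoint handed to Outlook
$Autodiscover = "autodiscover.$PublicDomain"
$InternalIp   = "10.0.0.10"                 # internal address of the CAS server
$AdSite       = "Default-First-Site-Name"   # AD site the server lives in

# a. Create the CAS array under the owned domain (one array per AD site).
New-ClientAccessArray -Name $CasArrayFqdn -Fqdn $CasArrayFqdn -Site $AdSite

# c. Point every mailbox database's RPC endpoint at the array, not at the server FQDN.
#    Outlook reads this value on profile creation, so it must be a name in the certificate.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# b. Set internal and external URLs to the same public name, so nothing Autodiscover returns
#    still carries the internal (foreign-owned) AD suffix.
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri "https://$Autodiscover/autodiscover/autodiscover.xml"
Set-OwaVirtualDirectory         -Identity "$Cas\owa (Default Web Site)" -InternalUrl "https://$MailHost/owa" -ExternalUrl "https://$MailHost/owa"
Set-EcpVirtualDirectory         -Identity "$Cas\ecp (Default Web Site)" -InternalUrl "https://$MailHost/ecp" -ExternalUrl "https://$MailHost/ecp"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" -InternalUrl "https://$MailHost/ews/exchange.asmx" -ExternalUrl "https://$MailHost/ews/exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Cas\oab (Default Web Site)" -InternalUrl "https://$MailHost/oab" -ExternalUrl "https://$MailHost/oab"
Set-ActiveSyncVirtualDirectory  -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$MailHost/Microsoft-Server-ActiveSync" -ExternalUrl "https://$MailHost/Microsoft-Server-ActiveSync"

# Recycle the Autodiscover application pool (step 8 of the KB article) from the shell.
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# Split DNS: an internal, AD-integrated copy of the public zone with the three names
# resolving to the internal address. Run on a domain controller holding the DNS role.
dnscmd . /ZoneAdd $PublicDomain /DsPrimary
foreach ($label in "mail", "cas", "autodiscover") {
    dnscmd . /RecordAdd $PublicDomain $label A $InternalIp
}

# Certificate request containing only names under the owned domain (no internal FQDN).
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$MailHost, O=Your Company, C=US" `
    -DomainName $MailHost, $CasArrayFqdn, $Autodiscover `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certreq.txt" -Value $req

# After the CA returns the signed certificate (assumed saved as C:\cert.cer), import it and
# bind it to IIS and SMTP so the web services and Outlook use it.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\cert.cer" -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services "IIS,SMTP"
```

Two caveats a practitioner will want: once the internal DNS servers are authoritative for yourdomain.com, internal clients no longer see the public zone, so every public record they need (www, MX, SPF/TXT and so on) has to be duplicated in the internal copy; and the CAS array name only takes effect for Outlook profiles created after the RpcClientAccessServer change, so existing profiles keep the old server FQDN until they are repaired or recreated.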
 
praveenkumare_sp commented:
Hope my comment helps to solve your queries.

Let me know if you need more help :)
 
snowdog_2112 (Author) commented:
Thanks for quick follow-up.  I'll report back with my results, hopefully sometime tomorrow.
 
praveenkumare_sp commented:
Sure, do let me know the results.

bye
 
Akhater commented:
I am sorry praveenkumare_sp, that won't solve the issue.

In all the steps you gave (which by the way are for Exchange 2007 and not 2010, but will work for the most part) you are proposing to change them to an FQDN. What FQDN are you talking about? Obviously this FQDN needs to be in the certificate, and since the OP can only get a certificate for his external domain, the only solution is split DNS.

To snowdog_2112: did you install Exchange 2010 or not yet? If not, while installing it you will be asked if you want it to be Internet facing; click yes and enter mail.yourdomain.com in the text box. This will simplify things for you.

Is there anything in my proposition that is not clear?
 
praveenkumare_sp commented:
Akhater, I beg to differ in this situation; I have seen cases where it works by changing the FQDN.

The reason why you get the certificate prompt: because you don't have the CAS FQDN in the certificate.

Can we get the FQDN in the certificate: No, as the FQDN has the name of a domain that belongs to another company.

What workaround do we have: Not to put the CAS FQDN in the certificate, and change the internal URL to the external URL.

How does this solve the problem: As now no more CAS FQDN (internal URL) is in the picture, your clients won't get a certificate prompt.
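As an added check to confirm that "no more CAS FQDN is in the picture" (example code written for this page, not from praveenkumare_sp or Akhater): run in the Exchange 2010 Management Shell, this script lists every hostname Autodiscover and Outlook will be handed and reports whether each one is in the IIS certificate's SAN list, resolves in DNS from the server, and still ends in the internal AD suffix (read from the USERDNSDOMAIN environment variable). It assumes one certificate is enabled for IIS and that the Exchange cmdlets are loaded.

```powershell
# Added example: audit the names Exchange 2010 hands to clients against the IIS certificate
# and DNS, so a leftover internal FQDN is caught before users see a certificate prompt.

function Get-ExchangeClientNames {
    # Every hostname Autodiscover returns to Outlook, plus the MAPI/RPC endpoint of each database.
    $urls = @()
    $urls += @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    $vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
             @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
             @(Get-ActiveSyncVirtualDirectory)
    foreach ($vd in $vdirs) { $urls += @($vd.InternalUrl, $vd.ExternalUrl) }

    $names  = @(Get-MailboxDatabase | ForEach-Object { $_.RpcClientAccessServer })
    $names += @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host })
    $names | Where-Object { $_ } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique
}

function Test-ExchangeNameCoverage {
    param([string]$InternalAdSuffix = $env:USERDNSDOMAIN)   # e.g. the foreign-owned AD name

    # Assumes exactly one certificate is enabled for the IIS service.
    $cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

    foreach ($name in Get-ExchangeClientNames) {
        # Accept an exact SAN or a wildcard covering the parent domain (*.yourdomain.com).
        $parentWildcard = "*." + ($name -replace '^[^.]+\.', '')
        $inCert = ($sans -contains $name) -or ($sans -contains $parentWildcard)

        # Resolve from the server's point of view; with split DNS this must succeed internally.
        $resolves = $false
        try { $resolves = @([System.Net.Dns]::GetHostAddresses($name)).Count -gt 0 } catch { }

        # Flag any name that still carries the internal AD suffix the OP cannot get certified.
        $legacy = $InternalAdSuffix -and $name.EndsWith("." + $InternalAdSuffix.ToLower())

        New-Object PSObject -Property @{
            Name                 = $name
            InCertificate        = $inCert
            Resolves             = $resolves
            UsesInternalAdSuffix = [bool]$legacy
        }
    }
}

# Any row with InCertificate=False, Resolves=False or UsesInternalAdSuffix=True will still
# produce the "name of the security certificate is invalid" prompt for some clients.
Test-ExchangeNameCoverage | Format-Table Name, InCertificate, Resolves, UsesInternalAdSuffix -AutoSize
```

The RpcClientAccessServer value is included because Outlook uses it for the MAPI connection even though it never appears in an Autodiscover URL; it is the name most often forgotten when only the virtual-directory URLs are changed.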
 
praveenkumare_sp commented:
I think the above statement is self-explanatory; let me know if you have any concerns :)
 
Akhater commented:
:) This is exactly what split DNS is: to put in the certificate the FQDN corresponding to a domain you OWN and use this instead of the current CAS FQDN.

This is exactly what I told the OP to do in the first post.
 
praveenkumare_sp commented:
Akhater, I don't understand why you have said:
"obviously speaking this FQDN needs to be in the certificate and since the OP can only get a certificate for his external domain"

as my solution does not need or ask you to have the internal domain in the certificate; it requires only the external domain name.
 
snowdog_2112 (Author) commented:
Thanks for the help.  Exchange was already installed when we discovered that the previous IT support company had used someone else's public domain name for the internal AD name.  (we have also corrected our internal procedures to do a better "discovery phase" to prevent this with other customers of ours).
 
praveenkumare_sp commented:
Good to hear your issue is resolved.