SBS 2011 - RWW - Certificate error from external access, can't connect

I am getting an error when trying to connect to systems externally from the office, using RWW or RDP direct. Firewall rules and networking are in place and working, I just get a certificate error, and it does not allow me to proceed.

The workaround on the internet regarding not prompting for errors does not work, because it doesn't allow one to proceed. I have added the certificate to the trust locations and have tried many "possible" fixes found online. I have spent two days on this, beyond frustrated.

Any help please would be appreciated, I am beyond stuck and need to get past this. It is still in testing/POC but I want to move this to production and then roll it out to a few customers.

Thanks in advance.
(attached screenshot: certificate-error-rdp-sbs2011.png)
sergio3986 asked:

Rob Williams commented:
SBS 2008 and 2011 will not allow you to connect unless you have a valid certificate and you cannot connect to an IP.

Your externally facing FQDN, the certificate, and your external DNS records (the external name you will use to connect to the SBS) must all be the same. The default with SBS is remote.yourdomain.abc. If you wish to change this or want to create a new self-signed certificate, you need to re-run the "Set Up My Internet Address" wizard. To do so, see the following link. Assuming you already have a purchased domain name, you can skip down to item #7. If you do not want to use the default "remote", you need to click the "advanced settings" link on the "Internet Address Management" page.
http://blogs.technet.com/b/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx
That FQDN must have a matching DNS Host record with whoever manages DNS for your domain pointing to the Public IP of the SBS site.

New machines joined to the domain will automatically have the certificate added, but remote machines or mobile devices will need to have the certificate installed. To do so, see the following, which outlines how to distribute/install the self-signed certificate:
http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

A simpler option is to buy a 3rd party certificate, the advantage being that the certificate does not have to be installed on the remote machine because Internet Explorer already recognizes the certificate provider. The least expensive provider of 3rd party certificates is GoDaddy. To request and install a GoDaddy certificate, see:
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
connectex commented:
It's complaining that it can't check the revocation list to confirm the certificate is still valid. None of the changes you've made will correct that issue. How/where did this certificate come from?

-Matt-
sergio3986 (author) commented:
The certificate came from the SBS server itself. It is a clean install, all default.

It made a certificate for "Sites" by default in SBS 2011, I guess. I did nothing outside of the steps required to complete the install; it is a brand new install. The DNS sitting externally from the SBS 2011 Server points to its IP, so I am entering the correct info as indicated in the certificate (FQDN).

Do I need to re-issue the certificates or somehow reset it?
connectex commented:
The default self-signed certificate is a PITA if you are using RWW, Outlook Anywhere, or Exchange ActiveSync (Windows Mobile, iPhone, Droid). That's because you probably have to install the certificate on all these devices for them to work. Buying a 3rd party 5-domain UCC certificate is the best option. This way you avoid the headaches of the self-signed certificate, but it does cost you $90/yr. Or you could use a single domain certificate for $50/yr. But this will cause issues with Outlook Anywhere generating messages that it can't download the offline address book. Pricing is via GoDaddy.com. The single domain name certificate should cover your external address (i.e. mail.externaldomain.com or remote.externaldomain.com) and a UCC should have (in desired order; some say you don't need the internal references, but you have the space for them):

mail.externaldomain.com or remote.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername


-Matt-
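Rob's rule that the name typed into RWW/RDP, the certificate and the external DNS record must all agree, plus Matt's UCC name list, as an added check (example code, not from the thread or from SBS). It runs offline against a constructed scenario: `remote.example.test`, `203.0.113.10`, `SBS01` and `lab_resolve` are made-up stand-ins; `dns_lookup` is the real resolver you would pass instead.

```python
import socket
from typing import Callable, Iterable, List

def name_matches(hostname: str, cert_name: str) -> bool:
    """Exact match, or a single leftmost '*' label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if pat[0] != "*":
        return host == pat
    # a wildcard covers exactly one label and must leave a real domain behind it
    return len(host) == len(pat) >= 3 and host[1:] == pat[1:]

def check_remote_access(fqdn: str, cert_names: Iterable[str], public_ip: str,
                        resolve: Callable[[str], List[str]]) -> List[str]:
    """Report why an RWW/RDP connection to `fqdn` would fail the certificate
    check; an empty list means name, certificate and DNS line up."""
    problems = []
    try:                                   # SBS refuses connections by bare IP
        socket.inet_aton(fqdn)
        problems.append(f"{fqdn} is an IP address; connect with the certificate's FQDN")
    except OSError:
        pass
    names = list(cert_names)               # e.g. the default "Sites" certificate
    if not any(name_matches(fqdn, n) for n in names):
        problems.append(f"certificate covers {names}, not {fqdn}")
    try:
        addrs = resolve(fqdn)
    except socket.gaierror:
        addrs = []
    if public_ip not in addrs:
        problems.append(f"external DNS for {fqdn} gives {addrs or 'nothing'}, expected {public_ip}")
    return problems

def missing_ucc_names(cert_names: Iterable[str], external_host: str,
                      server_name: str, internal_domain: str) -> List[str]:
    """Names the UCC list above expects; returns the ones the certificate lacks."""
    ext_domain = external_host.split(".", 1)[1]
    wanted = [external_host, f"autodiscover.{ext_domain}",
              f"{server_name}.{internal_domain}", server_name]
    have = {n.lower() for n in cert_names}
    return [w for w in wanted if w.lower() not in have]

def dns_lookup(host: str) -> List[str]:
    """Live resolver (IPv4) for real use; the constructed scenario below does not call it."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})

# Constructed scenario: a fresh install's "Sites" certificate used against the published name.
SITES_CERT = ["Sites"]
LAB_DNS = {"remote.example.test": ["203.0.113.10"]}   # made-up external zone

def lab_resolve(host: str) -> List[str]:
    if host not in LAB_DNS:
        raise socket.gaierror(f"no record for {host}")
    return LAB_DNS[host]
```

Pass `dns_lookup` instead of `lab_resolve` and the SAN list read from the certificate's Details tab to check a real server.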
Cliff Galiher commented:
Because IIS requires some settings when it is installed, in order to complete the install SBS uses "Sites", but this is *NOT* valid for use. For SBS to function properly, you must run the Internet Address Management Wizard.

http://www.microsoft.com/showcase/en/us/details/0f192dc2-e21f-45b3-baa3-c1e4b189d4bf

Once that has been done, a new package will be created to allow you to install the internal certificates as already covered in RobWill's post.

-Cliff
sergio3986 (author) commented:
Much appreciated!! After running the Internet Address Management wizard, and updating the DNS entries to reflect the new lab info, I was able to connect via RWW and RDP.

Thanks again.

I have some questions about RWW, since I think it is limited compared to what I was hoping I could do, but I will post another question separate from this one.

Thanks again. Cheers