SBS 2011 - RWW - Certificate error from external access, can't connect

I am getting an error when trying to connect to systems externally from the office, using RWW or RDP direct. Firewall rules and networking are in place and working, I just get a certificate error, and it does not allow me to proceed.

The workaround on the internet regarding not prompting for errors does not work, because it doesn’t allow one to proceed. I have added the certificate to the trust locations and have tried many “possible” fixes found online. I have spent two days on this, beyond frustrated.

Any help please would be appreciated, I am beyond stuck and need to get past this. It is still in testing/POC but I want to move this to production and then roll it out to a few customers.

Thanks in advance.
certificate-error-rdp-sbs2011.png
sergio3986 Asked:
 
Rob Williams Commented:
SBS 2008 and 2011 will not allow you to connect unless you have a valid certificate and you cannot connect to an IP.

Your externally facing FQDN, the certificate, and your external DNS records (external name you will use to connect to the SBS) must all be the same. The default with SBS is remote.yourdomain.abc. If you wish to change this or want to create a new self-signed certificate, you need to re-run the “Set Up My Internet Address” wizard. To do so, see the following link. Assuming you already have a purchased domain name, you can skip down to item #7. If you do not want to use the default “remote”, you need to click the “advanced settings” link on the “Internet Address Management” page.
http://blogs.technet.com/b/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx
That FQDN must have a matching DNS Host record with whoever manages DNS for your domain pointing to the Public IP of the SBS site.

New machines joined to the domain will automatically have the certificate added, but remote machines or mobile devices will need to have the certificate installed. To do so, see the following, which outlines how to distribute/install the self-signed certificate:
http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

A simpler option is to buy a 3rd party certificate. The advantage being the certificate does not have to be installed on the remote machine because Internet Explorer already recognizes the certificate provider. The least expensive provider of 3rd party certificates is GoDaddy. To request and install a GoDaddy certificate see:
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
 
connectex Commented:
It's complaining that it can't check the revocation list to confirm the certificate is still valid. None of the changes you've made will correct that issue. How/where did this certificate come from?

-Matt-
 
sergio3986 (Author) Commented:
The certificate came from the SBS server itself. It is a clean install, all default.

It made a certificate for "Sites" default in SBS 2011 I guess. I did nothing outside of the steps required to complete the install, it is a brand new install. The DNS sitting externally from the SBS 2011 Server points to its IP so I am entering the correct info as indicated in the certificate, FQDN.

Do I need to re-issue the certificates or somehow reset it?

 
connectex Commented:
The default self-signed certificate is a PITA if you are using RWW, Outlook Anywhere, or Exchange ActiveSync (Windows mobile, iPhone, Droid). That's because you probably have to install the certificate on all these devices for them to work. Buying a 3rd party 5 domain UCC certificate is the best option. This way you avoid the headaches of the self-signed certificate but it does cost you $90/yr. Or you could use a single domain certificate for $50/yr. But this will cause issues with Outlook Anywhere generating messages that it can't download the offline address book. Pricing is via GoDaddy.com. The single domain name certificate should cover your external address (i.e. mail.externaldomain.com or remote.externaldomain.com) and a UCC should have (in desired order - as some say you don't need the internal references but you have the space for them):

mail.externaldomain.com or remote.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername


-Matt-
 
Cliff Galiher Commented:
Because IIS requires some settings when it is installed, in order to complete the install, SBS uses "sites" but this is *NOT* valid for use. For SBS to function properly, you must run the Internet Address Management Wizard.

http://www.microsoft.com/showcase/en/us/details/0f192dc2-e21f-45b3-baa3-c1e4b189d4bf

Once that has been done, a new package will be created to allow you to install the internal certificates as already covered in RobWill's post.

-Cliff
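
The checks raised in the answers above (connect by name rather than by IP, the name must appear in the certificate, and the setup-time "Sites" certificate is not usable), as an added example that is not part of the original thread. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; treating a lone "Sites" common name as the setup certificate is an assumption drawn from the posts, and `preflight` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample data in the dict shape returned by ssl.SSLSocket.getpeercert();
# every name is a placeholder taken from the thread, not a real host.
SETUP_CERT = {"subject": ((("commonName", "Sites"),),)}
UCC_CERT = {
    "subject": ((("commonName", "remote.externaldomain.com"),),),
    "subjectAltName": (
        ("DNS", "remote.externaldomain.com"),
        ("DNS", "autodiscover.externaldomain.com"),
        ("DNS", "servername.internaldomain.local"),
        ("DNS", "servername"),
    ),
}


def cert_names(cert):
    """Return lower-cased DNS names from SAN entries, falling back to the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def preflight(connect_to, cert):
    """Return the problems that would stop a client accepting this name."""
    problems = []
    host = connect_to.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        problems.append("connecting by IP address; use the FQDN")
    except ValueError:
        pass  # not an IP literal, so it is treated as a host name
    names = cert_names(cert)
    if names == ["sites"]:  # assumption: CN of the setup-time certificate
        problems.append("setup-time 'Sites' certificate; run the Internet Address Management wizard")
    if not any(name_matches(n, host) for n in names):
        problems.append("name not in certificate: %s" % ", ".join(names))
    return problems
```

An empty list from `preflight` means the name checks pass; it does not cover trust of the issuer or the revocation check mentioned earlier in the thread.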
 
sergio3986 (Author) Commented:
Much appreciated!! After running the Internet Address Management wizard, and updating the DNS entries to reflect the new lab info, I was able to connect via RWW and RDP.

Thanks again.

I have some questions about RWW, since I think it is limited to what I was hoping I could do...but I will post another Question separate from this one.

Thanks again. Cheers
Question has a verified solution.
