Changing the AutoDiscover URL

Asked by WPHIT:

Hi All,

I've recently procured a new SSL Certificate for my Exchange 2010 CAS box and I'd like to secure my External OWA page with it so I don't have to keep telling my users to "click continue to this website".

I've installed the certificate and this is fine, however when I bind https to the new certificate within IIS on the CAS server, and enable "Require SSL" on my OWA Virtual Directory, all of my Outlook 2007 clients begin popping up with a "Certificate Warning".

Obviously this warning is telling me that the Internal URL of my Exchange CAS Box does not match the SSL certificate I applied to OWA.

The problem I have is this: how can I install my SSL certificate and secure OWA without having to purchase another alternate name on the certificate? I know we can change the AutoDiscover URL to match the new domain name, which I'm fine doing, but I'm concerned about the effect this will have on my users.

It is worth bearing in mind I do have around 300 Outlook 2003 users who don't get the certificate error.
Alan Hardisty:

What names did you include in the certificate?
sumit_arora: Have you installed a 3rd-party certificate or a self-signed certificate? What are the names you have on your certificate?
@sumit_arora - How does your comment differ from mine exactly?
Unfortunately I wrote it and submitted it; it was by mistake. Sorry genius :)
WPHIT (asker):

The certificate contains one name.

The name is our external Mail domain e.g. mail.mail.com
The name of our server (internal) is exchcas1.admin.com
I've an internal DNS record for mail.mail.com which points to exchcas1.admin.com
WPHIT (asker):

Oh, and the mail cert is from VeriSign and is brand new.
Run Get-ClientAccessServer | fl *uri and paste the output here.

Basically autodiscoverserviceinternaluri (SCP record) should be included in the cert.

Outlook 2003 will be fine as it doesn't recognize autodiscover, but 2007+ will prompt you.
You would be best advised to purchase a SAN / UCC SSL certificate (multi-name) and should include the following names:

mail.externaldomainname.com (or whatever you prefer)
autodiscover.externaldomainname.com
internalservername.internaldomainname.local
internalservername

With all the above names included - you should not get any SSL certificate errors.
WPHIT (asker):

I know that I can purchase a SAN; to be honest I do want to avoid that because I'll have to go back to VeriSign and spend more money, which obviously people aren't going to be too keen on.

The autodiscover URL is the internal name when I do a Get-ClientAccessServer | fl, which is different to that of my cert.

So, this brings me back to: if I change this to reflect my external domain (the one on the certificate), how will my Outlook 2003 clients react when I come in the next day? And is this ill-advised?

I'm talking about doing this:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
Don't spend Verisign sort of money - go to GoDaddy and spend a little and get the same results.

For £$60 you can buy a 1-year 5 name SAN / UCC cert that will work.  Verisign will probably only let you log in for that money!!
It's more headache than you want to change this.

ActiveSync devices look for autodiscover.domain.com by default for auto config. Exchange creates an SCP in AD that Outlook clients automatically look for. Outlook Anywhere looks for this to configure, and so on.

The other option is to just use a wildcard cert. If you went back to VeriSign and asked them to revoke the cert you bought, refund the money and then purchase a wildcard cert, you would be OK using it internally on the CAS and published on the listener on ISA/TMG.
gleek,

Personally, I wouldn't use a wildcard certificate for Exchange Client Access anywhere. While it does make it easy to protect all services with one certificate, it also requires more Exchange modifications to get working correctly.

In all honesty, a wildcard certificate is usually more expensive than a multiple-name SAN certificate.

A single-name can be used, but as Alan has indicated, it is generally easier to purchase a SAN which contains all the proper names. A SAN certificate can quite happily sit on both a CAS listener in TMG and on the backend Exchange infrastructure. There also isn't a requirement to include the internal domain.local names on the SAN (none of my environments do) but I only recommend these are omitted where the user is very confident with the configuration of split DNS, firewalls, IP Routing, Active Directory, CAS URL properties etc.

-Matt
tiger,

It can be done though. Yes, you may have to Set-OutlookProvider and change things, but it's not like it isn't supported or is very hard to set it up. This sounds like a smaller shop anyway.

A 5-year UC cert with 2 SANs can get super pricey. I've found that in some cases a wildcard can be cost effective because you are able to use it throughout your organization for other needs if they should arise as well.

I've set up environments with both and lots of times it depends on customer needs. It can be done easily one way or another.
I spend £120 / $180 on a 3 year SAN / UCC for all my Exchange environments and they all work a treat and no messing with Exchange to get the certs to work happily.

Buy - request - approve - download - import - enable - work.

Simple as!
ASKER CERTIFIED SOLUTION (WPHIT): solution text only available to members.
WPHIT (asker):

Followed this guide; it meant I did not have to procure other SSL certs.
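The check Alan asked for (Get-ClientAccessServer | fl *uri) and the repointing of the internal URLs the asker went on to do, as an added Exchange Management Shell example that is not from the thread or the linked guide. It assumes the thread's example names exchcas1.admin.com and mail.mail.com plus the internal DNS record the asker mentioned, and it only changes anything when $Apply is set to $true.

```powershell
# Added example, not from the thread or the linked guide. Run in the Exchange
# Management Shell on the CAS. Host names are the thread's examples (assumption).
$Cas      = "exchcas1.admin.com"   # internal CAS FQDN from the post
$CertName = "mail.mail.com"        # the single name on the new certificate
$Apply    = $false                 # $false = report only; $true = change the URLs

# 1. Confirm an IIS-enabled Exchange certificate actually carries the name.
$cert = Get-ExchangeCertificate | Where-Object {
    $_.Services -match "IIS" -and
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $CertName) }
if (-not $cert) { throw "No IIS-enabled certificate contains $CertName" }
"Certificate $($cert.Thumbprint) covers: $($cert.CertificateDomains -join ', ')"

# 2. Split DNS: the cert name must resolve internally to the CAS, otherwise
#    internal Outlook 2007 clients would try to reach the public address.
$ips = [System.Net.Dns]::GetHostAddresses($CertName) | ForEach-Object { $_.IPAddressToString }
"$CertName resolves internally to: $($ips -join ', ')"

# 3. Compare the SCP URI and the virtual directory InternalUrls with the cert name.
$checks = @(
  @{ Name = "AutoDiscoverServiceInternalUri (SCP)"
     Url  = (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
     Fix  = { Set-ClientAccessServer -Identity $Cas `
                -AutoDiscoverServiceInternalUri "https://$CertName/Autodiscover/Autodiscover.xml" } },
  @{ Name = "EWS InternalUrl"
     Url  = (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
     Fix  = { Get-WebServicesVirtualDirectory -Server $Cas |
                Set-WebServicesVirtualDirectory -InternalUrl "https://$CertName/EWS/Exchange.asmx" } },
  @{ Name = "OAB InternalUrl"
     Url  = (Get-OabVirtualDirectory -Server $Cas).InternalUrl
     Fix  = { Get-OabVirtualDirectory -Server $Cas |
                Set-OabVirtualDirectory -InternalUrl "https://$CertName/OAB" } },
  @{ Name = "OWA InternalUrl"
     Url  = (Get-OwaVirtualDirectory -Server $Cas).InternalUrl
     Fix  = { Get-OwaVirtualDirectory -Server $Cas |
                Set-OwaVirtualDirectory -InternalUrl "https://$CertName/owa" } }
)
foreach ($c in $checks) {
    $urlHost = if ($c.Url) { ([Uri]$c.Url).Host } else { "(not set)" }
    if ($urlHost -ieq $CertName) { "OK       $($c.Name): $($c.Url)"; continue }
    "MISMATCH $($c.Name): $($c.Url)  (host '$urlHost' is not on the certificate)"
    if ($Apply) { & $c.Fix; "         -> repointed to $CertName" }
}
# Outlook 2007+ picks up the changed SCP at its next Autodiscover refresh;
# Outlook 2003 never reads the SCP, so those users are unaffected.
```

Run it once with $Apply left at $false to see which URLs still carry the internal server name before changing anything.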