SBS2011 SSL certificate / DNS resolving

Here's what's happening. SBS 2011 server. It uses a service and client updater app to maintain its IP, as it is also an in-house email server. To access remote workplace, it only works if you use . I believe we need to have working instead so the self-signed certificate works correctly. Below is some more background:

The problem is that the server's self-signed SSL certificate is created during the Internet wizard process. I can use OWA, and I can log into remote workplace, but I cannot get past the remote access to the PC (RDP) due to the SSL mismatch: the certificate does not match the site. The URL is and the certificate is looking for . I tried adding a CNAME to my host's DNS to point to , which had zero effect. I tried to import an SSL certificate from the SBS 2003 server (from which we migrated) that was set to , but it will not show up in the wizard if I select "choose one from this server". I added the SSL cert via the MMC certificate snap-in. Hopefully this is being explained correctly. Thank you in advance for any input.

Fundamentally, long term you're going to need a static IP to link your A record to. That will serve as the prerequisite for obtaining a third-party SSL certificate.

Get a static IP, create an A record 'remote' and point it to your WAN IP. Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too.

Your Exchange will use a proper certificate and you have remote access with no prompts or problems. Done!

jsgould (Author) commented:
Thank you. Unfortunately I was hoping to get it working now and see if I can get to the configuration you mentioned soon. Alternatives, or are there none?
Well, most of the Microsoft portfolio is moving towards third-party certs for certain services, especially public-facing ones, so I'm afraid that this is a cost you will have to take into account.

New shiny SBS 2011 does require some prerequisites, and I'm afraid this is a paid-for UCC SSL certificate.

Let's see what other experts can suggest.

jsgould (Author) commented:
I'm sure they would agree. So you said "...Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too...." Is there a recommended set of DNS settings? SSL cert settings? Just want to make sure it's all done correctly.
Cliff Galiher commented:
A static IP is certainly the easiest solution. In rare cases where this is absolutely not possible, you can use DynDNS or another dynamic DNS service, but they must support the updating of a fully custom domain name (in other words, not *. In the case of DynDNS, that is their paid-for upgrade. It cannot be done with their free service.

And while SBS 2011 Standard can still be used with a self-issued certificate, the cost of an inexpensive cert from GoDaddy (12/year) makes this a relatively avoidable option as well. With SBS, a UCC/SAN cert is not at all necessary; in fact, if you stick to the wizards and use the SBS wizard to generate the CSR you'll submit to cert providers, the CSR does not include additional subject names, so a simple cert works fine in this scenario.

Perform the certificate request via Exchange:

Creating the certificate:

Installing the certificate:

When creating your certificate, your CN will be and your SAN will be, internalservername.domain.local, internalservername.

You need to ensure that the 'remote' and 'autodiscover' A records are created on your public DNS and that they point to your Exchange server's WAN IP from the internet. You only need to open up port 443 to get OWA and remote access to your PCs.
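As an added check (this script is not part of the original thread and is not Microsoft's or any poster's code), the following PowerShell verifies the two things the answer above asks for from the outside: that the 'remote' and 'autodiscover' A records resolve to the WAN IP, and that the certificate actually presented on TCP 443 lists those exact names (the RWA remote-desktop step fails on a name mismatch, which is the symptom in the question). The domain and WAN IP are placeholders you must replace; it uses only .NET classes that exist on Windows Server 2008 R2 / PowerShell 2.0, so it also runs on the SBS 2011 box itself or any workstation.

```powershell
# Added example (not from the original thread): verify public DNS and the
# TLS certificate served on 443 for an SBS 2011 Remote Web Access deployment.
# Replace the two placeholder values below; they are assumptions, not real data.
$Domain     = 'example.com'                               # assumption: your public domain
$ExpectedIp = '203.0.113.10'                              # assumption: the server's static WAN IP
$Hosts      = @("remote.$Domain", "autodiscover.$Domain")

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate during the handshake; we only want to inspect it,
    # not trust it (a self-signed cert would otherwise abort the connection).
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the subject CN plus every entry of the Subject Alternative Name
    # extension (OID 2.5.29.17). Format($false) renders it as
    # "DNS Name=host1, DNS Name=host2", so split on the separator and keep the values.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[1] }
    }
    $names | Select-Object -Unique
}

foreach ($h in $Hosts) {
    # 1. Public DNS: the A record must exist and point at the WAN IP.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$h does not resolve: $($_.Exception.Message)"
        continue
    }
    if ($ips -contains $ExpectedIp) { Write-Host "$h -> $ExpectedIp OK" }
    else { Write-Warning "$h resolves to $($ips -join ', '), not $ExpectedIp" }

    # 2. TLS: the certificate on 443 must list this exact name, otherwise the
    #    browser/RDP client reports the mismatch described in the question.
    try {
        $cert  = Get-RemoteCertificate -HostName $h
        $names = Get-CertificateNames -Cert $cert
        if ($names -contains $h) {
            Write-Host "$h certificate OK (expires $($cert.NotAfter.ToShortDateString()))"
        } else {
            Write-Warning "$h is NOT covered by the certificate; names present: $($names -join ', ')"
        }
        if ($cert.Subject -eq $cert.Issuer) {
            Write-Warning "$h presents a self-signed certificate (issuer equals subject)"
        }
    } catch {
        Write-Warning "TLS to ${h}:443 failed: $($_.Exception.Message)"
    }
}
```

Run it from outside the LAN (or against the public IP with the firewall port forward in place) so you see what remote users see; a name that passes the DNS check but fails the certificate check is exactly the wizard-generated self-signed certificate problem described above.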
Cliff Galiher commented:
As with many things in SBS, it is best to stick to its wizards. If you make the certificate request via Exchange instead of the SBS wizard, you cannot later finish installing the certificate via the SBS wizard. And if you install the certificate via Exchange, several components, most notably the RD Gateway service for RWA, do not get associated with the certificate. And since one of the key points in your question was remote access to PCs via RWA, that is a fairly important place to get the certificate installed properly.

In short, I must disagree with the previous advice given here. It is rarely a good idea to generate a CSR through Exchange in SBS. Stick to the wizards.

You won't be able to add additional host names via the SBS wizard, but you can select the certificate to be used via the wizard, which will create the bindings. I'm providing tried and tested information on an SBS 2011 server, not reading off the net.

The Exchange CSR is wizard-driven too. We're talking about 2010 here, not 2007.
Cliff Galiher commented:
While the SBS wizard does not create a CSR for a UCC/SAN cert, one is not needed for SBS. If it were, the wizard would have been designed as such.

Equally importantly, though, neither your method nor your latest reply addresses the fact that the Exchange wizard will NOT associate the certificate with the RD Gateway, which is the service that allows RWA remote desktop to work. That is functionality the question asker specifically calls out, and your solution will NOT fix that problem. The SBS wizard will. So no matter how "tried and tested" your solution is, it does not address the original problem. RWA remote desktop will not work given your solution.

Okay, well then it appears to be working correctly for our clients, who have a mixture of SBS 2008 and 2011 servers. We have one certificate serving RWA and OWA, all working flawlessly per deployment.

jsgould, your call on how to proceed.
jsgould (Author) commented:
Thanks for all of the input. Much appreciated. We need to get the static IP and some legit SSL certs.
I realise that this is an old post, but the best option for most users in this situation would be to use Microsoft's free DDNS service.

This is highlighted towards the end of this post:

The only problem I had with this was that my router supports DynDNS natively, but not this.