Solved

SBS2011 SSL certificate / DNS resolving

Posted on 2012-03-20
Last Modified: 2013-12-30
Hello,
Here's what's happening. SBS2011 server. It uses the dyndns.org service and client updater app (companyname.dyndns.org) to maintain its IP, as it is also an in-house email server. To access Remote Workplace, it only works if you use companyname.dyndns.org/remote. I believe we need to have https://remote.companyname.com/remote working instead so the self-signed certificate works correctly. Below is some more background:

The problem is that the server's self-signed SSL certificate is for remote.companyname.com, created during the Internet wizard process. I can use OWA, and I can log into Remote Workplace, but I cannot get past the remote access to the PC (RDP) due to the SSL mismatch. The certificate does not match the site: the URL is companyname.dyndns.org and the certificate is looking for remote.companyname.com. I tried adding a CNAME to my host's DNS to point remote.companyname.com to companyname.dyndns.org. That had zero effect. I tried to import an SSL certificate from the SBS2003 server (from which we migrated) that was set to companyname.dyndns.org, but it will not show up in the wizard if I select "choose one from this server"... I added the SSL cert via the MMC certificate snap-in. Hopefully this is being explained correctly. Thank you in advance for any input.
Question by:jsgould
12 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 1200 total points
ID: 37745412
Hi,

Fundamentally, long term you're going to need a static IP to link your A record to, which will serve as the prerequisite for obtaining a third-party SSL certificate.

Get a static IP, create an A record 'remote' and point to your WAN IP. Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too.

Your Exchange will use a proper certificate and you have remote access with no prompts or problems. Done!

Author Comment

by:jsgould
ID: 37745420
Thank you. Unfortunately I was hoping to get it working now and see if I can get to the configuration you mentioned soon. Are there alternatives, or are there none?
LVL 18

Expert Comment

by:Netflo
ID: 37745432
Well most of the Microsoft portfolio is moving towards 3rd party certs for certain services, especially public facing, so I'm afraid that this is a cost you will have to take into account.

New shiny SBS2011 does require some prerequisites and I'm afraid this is a paid for UCC SSL certificate.

Let's see what other experts can suggest?

Author Comment

by:jsgould
ID: 37745446
I'm sure they would agree. So you said "...Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too...." Is there a recommended set of DNS settings? SSL cert settings? Just want to make sure it's all done correctly.
LVL 59

Expert Comment

by:Cliff Galiher
ID: 37745597
A static IP is certainly the easiest solution. In rare cases where this is absolutely not possible, you can use DynDNS or another dynamic service, but they must support the updating of a fully custom domain name (in other words, not *.dyndns.org). In the case of DynDNS, that is their paid-for upgrade. Cannot be done with their free service.

And while SBS 2011 Standard can still be used with a self-issued certificate, the cost of an inexpensive cert from GoDaddy (12/year) makes this a relatively avoidable option as well. With SBS, a UCC/SAN cert is not at all necessary, and in fact if you stick to the wizards and use the SBS wizard to generate the CSR you'll submit to cert providers, the CSR does not include additional subject names, so a simple cert works fine in this scenario.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37746610
Perform the certificate request via Exchange:

Creating the certificate: http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

Installing the certificate: http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

When creating your certificate, your CN will be remote.domain.com and your SAN will be autodiscover.domain.com, internalservername.domain.local, internalservername.

You need to ensure that the 'remote' and 'autodiscover' A records are created on your public DNS and ensure it points to your Exchange server WAN IP from the internet. You only need to open up port 443 to get OWA and remote access to your PCs.
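The mismatch in the original question (browser URL companyname.dyndns.org, certificate issued for remote.companyname.com) and the CN/SAN layout recommended in the comment above can both be checked with the same logic a client applies: the name typed into the browser is compared against the certificate's subjectAltName DNS entries (or the CN when no SAN DNS entries exist). The script below is an added example, not code from the thread; the certificate dicts, the server name "sbsserver" and the domain "companyname.com" are constructed to mirror the thread and use the shape that Python's ssl `getpeercert()` returns.

```python
"""Check which hostnames a certificate actually covers (added example).

Constructed inputs: a self-signed SBS 2011 style certificate for
remote.companyname.com, and a UCC certificate with the SAN set the comment
recommends. Both are tested against the names a client might type.
"""


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact name, or a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard covers exactly one label: *.companyname.com matches
    # remote.companyname.com but not companyname.com or a.b.companyname.com.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def covered_names(cert: dict) -> list:
    """Names a client accepts for this cert: SAN dNSName entries, falling back
    to the subject CN only when no SAN DNS entries are present."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the hostname in the URL is covered by the certificate."""
    return any(_label_matches(name, hostname) for name in covered_names(cert))


def report(cert: dict, hostnames) -> dict:
    """Map each hostname to whether the certificate would validate for it."""
    return {h: hostname_matches(cert, h) for h in hostnames}


# Constructed certificate dicts (same layout as ssl.SSLSocket.getpeercert()).
SELF_SIGNED_SBS_CERT = {
    "subject": ((("commonName", "remote.companyname.com"),),),
}

UCC_CERT = {
    "subject": ((("commonName", "remote.companyname.com"),),),
    "subjectAltName": (
        ("DNS", "remote.companyname.com"),
        ("DNS", "autodiscover.companyname.com"),
        ("DNS", "sbsserver.companyname.local"),   # hypothetical internal FQDN
        ("DNS", "sbsserver"),                     # hypothetical short name
    ),
}

# Constructed list of names users in the thread's scenario might type.
HOSTNAMES_IN_USE = [
    "companyname.dyndns.org",
    "remote.companyname.com",
    "autodiscover.companyname.com",
    "sbsserver",
]

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED_SBS_CERT), ("UCC", UCC_CERT)):
        print(label)
        for host, ok in report(cert, HOSTNAMES_IN_USE).items():
            print(f"  {host:32} {'OK' if ok else 'MISMATCH'}")
```

Running it shows why the CNAME the author added in DNS had no effect: the client compares the hostname from the URL against the certificate, not whatever that hostname resolves to, so companyname.dyndns.org stays a mismatch for either certificate. It also shows that the UCC layout only helps if every name people actually use (including the internal short name) appears in the SAN list.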
LVL 59

Expert Comment

by:Cliff Galiher
ID: 37747065
As with many things in SBS, it is best to stick with the wizards. If you make the certificate request via Exchange instead of the SBS wizard, you cannot later finish installing the certificate via the SBS wizard. And if you install the certificate via Exchange, several components, most notably the RDGateway service for RWA, do not get associated with the certificate. And since one of the key points in your question was remote access to PCs via RWA, that is a fairly important place to get the certificate installed properly.

In short, I must disagree with previous advice given here. It is rarely a good idea to generate a CSR through exchange in SBS. Stick to the wizards.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37747262
You won't be able to add additional host names via the SBS wizard, and you can select the certificate to be used via the wizard, which will create the bindings. I'm providing tried and tested information on an SBS 2011 server, not reading off the net.

Exchange CSR is wizard driven too. We're talking about 2010 here, not 2007.
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 800 total points
ID: 37747505
While the SBS wizard does not create a CSR for UCC/SAN cert, one is not needed for SBS. If it were, the wizard would have been designed as such.

Equally importantly though, neither your method nor your latest reply addresses the fact that the Exchange wizard will NOT associate the certificate with the RDGateway, which is the service that allows RWA remote desktop to work. That is functionality the question asker specifically calls out, and your solution will NOT fix that problem. The SBS wizard will. So no matter how "tried and tested" your solution is, it does not address the original problem. RWA remote desktop will not work given your solution.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37747679
Okay, well then it appears to be working correctly for our clients who have a mixture of SBS 2008 and 2011 servers. We have one certificate serving RWA and OWA, all working flawlessly per deployment.

jsgould, your call on how to proceed.
Author Closing Comment

by:jsgould
ID: 37773047
Thanks for all of the input. Much appreciated. We need to get the static IP and some legit SSL certs.
Expert Comment

by:mystikiel
ID: 39745745
I realise that this is an old post, but the best option for most users in this situation would be to use Microsoft's free ddns service.

This is highlighted towards the end of this post:

http://titlerequired.com/2011/07/15/setting-up-remote-web-access-on-sbs-2011-essentials-part-2/

The only problem I had with this was that my router supports dyndns natively but not this.