Solved

SBS2011 SSL certificate / DNS resolving

Posted on 2012-03-20
Last Modified: 2013-12-30
Hello,
Here's what's happening. SBS2011 Server. Uses dyndns.org service and client updater app - companyname.dyndns.org to maintain its IP as it is also an in-house email server. To access Remote Workplace it only works if you use companyname.dyndns.org/remote. I believe we need to have https://remote.companyname.com/remote working instead so the self-signed certificate works correctly. Below is some more background:

The problem is that the server's self-signed SSL certificate is remote.companyname.com, created during the Internet wizard process. I can use OWA, I can log into Remote Workplace, but I cannot get past the remote access to the PC (RDP) due to the SSL mismatch. The certificate does not match the site: the URL is companyname.dyndns.org and the certificate is looking for remote.companyname.com. I tried adding a CNAME to my host's DNS to point remote.companyname.com to companyname.dyndns.org. That had zero effect. I tried to import an SSL certificate from the SBS2003 server (from which we migrated) that was set to companyname.dyndns.org, but it will not show up in the wizard if I select "choose one from this server"... I added the SSL cert via the MMC certificate snap-in. Hopefully this is being explained correctly. Thank you in advance for any input.
Question by:jsgould
 
LVL 18

Accepted Solution

by:
Netflo earned 300 total points
ID: 37745412
Hi,

Fundamentally, long term you're going to need a static IP to link your A record to, which will serve as the prerequisite for obtaining a third-party SSL certificate.

Get a static IP, create an A record 'remote' and point to your WAN IP. Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too.

Your Exchange will use a proper certificate and you have remote access with no prompts or problems. Done!
 

Author Comment

by:jsgould
ID: 37745420
Thank you. Unfortunately I was hoping to get it working now and see if I can get to the configuration you mentioned soon. Alternatives, or there are none?
 
LVL 18

Expert Comment

by:Netflo
ID: 37745432
Well most of the Microsoft portfolio is moving towards 3rd party certs for certain services, especially public facing, so I'm afraid that this is a cost you will have to take into account.

New shiny SBS2011 does require some prerequisites and I'm afraid this is a paid-for UCC SSL certificate.

Let's see what other experts can suggest?
 

Author Comment

by:jsgould
ID: 37745446
I'm sure they would agree. So you said "...Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too...." Is there a recommended set of DNS settings? SSL cert settings? Just want to make sure it's all done correctly.
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 37745597
A static IP is certainly the easiest solution. In rare cases where this is absolutely not possible, you can use DynDNS or another dynamic service, but they must support the updating of a fully custom domain name (in other words, not *.dyndns.org). In the case of DynDNS, that is their paid-for upgrade. Cannot be done with their free service.

And while SBS 2011 Standard can still be used with a self-issued certificate, the cost of an inexpensive cert from GoDaddy (12/year) makes this a relatively avoidable option as well. With SBS, a UCC/SAN cert is not at all necessary, and in fact if you stick to the wizards and use the SBS wizard to generate the CSR you'll submit to cert providers, the CSR does not include additional subject names, so a simple cert works fine in this scenario.

-Cliff
 
LVL 18

Expert Comment

by:Netflo
ID: 37746610
Perform the certificate request via Exchange:

Creating the certificate: http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

Installing the certificate: http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

When creating your certificate, your CN will be remote.domain.com and your SAN will be autodiscover.domain.com, internalservername.domain.local, internalservername.

You need to ensure that the 'remote' and 'autodiscover' A records are created on your public DNS and ensure it points to your Exchange server WAN IP from the internet. You only need to open up port 443 to get OWA and remote access to your PCs.
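The failure the question describes is a plain hostname-matching check: the client compares the host typed in the URL against the certificate's DNS names, which is why a CNAME in DNS changed nothing. The added example below (not code from the thread or from SBS) implements that check with the CN/SAN layout proposed in the comment above; all hostnames are constructed placeholders, and `sbsserver` stands in for the internal server name.

```python
"""Does a certificate's name list cover the host in the URL?

Added example, not from the thread. Models the mismatch in the question
(URL companyname.dyndns.org vs. cert remote.companyname.com) and the
CN + SAN layout proposed by Netflo. Hostnames are constructed placeholders.
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one DNS name from the certificate matches the URL host.

    Matching is case-insensitive and label-by-label; a wildcard is allowed
    only as the entire left-most label and must leave at least two labels
    after it (RFC 6125 s6.4.3), so '*.com' never matches 'companyname.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False                      # '*.x.com' does not cover 'a.b.x.com'
    if "*" in pattern:
        if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(host: str, cn: str, sans: tuple[str, ...] = ()) -> bool:
    """Clients use the SAN list when one is present and fall back to the CN
    only when the certificate has no DNS SANs, so the CN must be repeated
    in the SAN list of a multi-name certificate."""
    names = sans if sans else (cn,)
    return any(hostname_matches(n, host) for n in names)


# Constructed certificates mirroring the thread.
SBS_SELF_SIGNED = {"cn": "remote.companyname.com", "sans": ()}
PROPOSED_CERT = {
    "cn": "remote.companyname.com",
    "sans": ("remote.companyname.com", "autodiscover.companyname.com",
             "sbsserver.companyname.local", "sbsserver"),
}


def check(cert: dict, host: str) -> bool:
    """Convenience wrapper: would a client accept `cert` for `host`?"""
    return cert_covers(host, cert["cn"], cert["sans"])
```

`check(SBS_SELF_SIGNED, "companyname.dyndns.org")` is False, reproducing the RDP failure, while the same certificate is accepted for `remote.companyname.com` once the public 'remote' A record exists.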
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 37747065
As with many things in SBS, it is best to stick with the wizards. If you make the certificate request via Exchange instead of the SBS wizard, you cannot later finish installing the certificate via the SBS wizard. And if you install the certificate via Exchange, several components, most notably the RDGateway service for RWA, do not get associated with the certificate. And since one of the key points in your question was remote access to PCs via RWA, that is a fairly important place to get the certificate installed properly.

In short, I must disagree with previous advice given here. It is rarely a good idea to generate a CSR through exchange in SBS. Stick to the wizards.

-Cliff
 
LVL 18

Expert Comment

by:Netflo
ID: 37747262
You won't be able to add additional host names via the SBS wizard and you can select the certificate to be used via the wizard, which will create the bindings. I'm providing tried and tested information on a SBS 2011 server, not reading off the net.

Exchange CSR is wizard-driven too. We're talking about 2010 here, not 2007.
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
ID: 37747505
While the SBS wizard does not create a CSR for UCC/SAN cert, one is not needed for SBS. If it were, the wizard would have been designed as such.

Equally importantly though, neither your method nor your latest reply addresses the fact that the Exchange wizard will NOT associate the certificate with the RDGateway, which is the service that allows RWA remote desktop to work. That is functionality the question asker specifically calls out, and your solution will NOT fix that problem. The SBS wizard will. So no matter how "tried and tested" your solution is, it does not address the original problem. RWA remote desktop will not work given your solution.

-Cliff
 
LVL 18

Expert Comment

by:Netflo
ID: 37747679
Okay, well then it appears to be working correctly for our clients who have a mixture of SBS 2008 and 2011 servers. We have one certificate serving RWA and OWA, all working flawlessly per deployment.

jsgould, your call on how to proceed.
 

Author Closing Comment

by:jsgould
ID: 37773047
Thanks for all of the input. Much appreciated. We need to get the static IP and some legit SSL certs.
 

Expert Comment

by:mystikiel
ID: 39745745
I realise that this is an old post, but the best option for most users in this situation would be to use Microsoft's free ddns service.

This is highlighted towards the end of this post:

http://titlerequired.com/2011/07/15/setting-up-remote-web-access-on-sbs-2011-essentials-part-2/

The only problem I had with this was that my router supports dyndns natively but not this.