Solved

SBS2011 SSL certificate / DNS resolving

Posted on 2012-03-20
12
1,230 Views
Last Modified: 2013-12-30
Hello,
Here's what's happening. SBS2011 Server. Uses dyndns.org service and client updater app - companyname.dyndns.org to maintain its IP as it is also an in-house email server. To access Remote Workplace it only works if you use companyname.dyndns.org/remote. I believe we need to have https://remote.companyname.com/remote working instead so the self-signed certificate works correctly. Below is some more background:

The problem is that the server's self-signed SSL certificate is for remote.companyname.com, created during the Internet wizard process. I can use OWA, I can log into Remote Workplace but I cannot get past the remote access to the PC (RDP) due to the SSL mismatch: the certificate does not match the site. The URL is companyname.dyndns.org and the certificate is looking for remote.companyname.com. I tried adding a CNAME to my host's DNS to point remote.companyname.com to companyname.dyndns.org. That had zero effect. I tried to import an SSL certificate from the SBS2003 server (from which we migrated) that was set to companyname.dyndns.org but it will not show up in the wizard if I select "choose one from this server"... I added the SSL cert via the MMC certificate snap-in. Hopefully this is being explained correctly. Thank you in advance for any input.
Question by:jsgould
12 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 300 total points
ID: 37745412
Hi,

Fundamentally, long term you're going to need a static IP to link your A record to, which will serve as the prerequisite for obtaining a third-party SSL certificate.

Get a static IP, create an A record 'remote' and point it to your WAN IP. Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too.

Your Exchange will use a proper certificate and you have remote access with no prompts or problems. Done!

Author Comment

by:jsgould
ID: 37745420
Thank you. Unfortunately I was hoping to get it working now and see if I can get to the configuration you mentioned soon. Alternatives, or there are none?
LVL 18

Expert Comment

by:Netflo
ID: 37745432
Well, most of the Microsoft portfolio is moving towards 3rd-party certs for certain services, especially public-facing, so I'm afraid that this is a cost you will have to take into account.

New shiny SBS2011 does require some prerequisites and I'm afraid this is a paid-for UCC SSL certificate.

Let's see what other experts can suggest?

Author Comment

by:jsgould
ID: 37745446
I'm sure they would agree. So you said "...Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too...." Is there a recommended set of DNS settings? SSL cert settings? Just want to make sure it's all done correctly.
LVL 56

Expert Comment

by:Cliff Galiher
ID: 37745597
A static IP is certainly the easiest solution. In rare cases where this is absolutely not possible, you can use DynDNS or another dynamic service, but they must support the updating of a fully custom domain name (in other words, not *.dyndns.org). In the case of DynDNS, that is their paid-for upgrade. It cannot be done with their free service.

And while SBS 2011 Standard can still be used with a self-issued certificate, the cost of an inexpensive cert from GoDaddy (12/year) makes this a relatively avoidable option as well. With SBS, a UCC/SAN cert is not at all necessary, and in fact if you stick to the wizards and use the SBS wizard to generate the CSR you'll submit to cert providers, the CSR does not include additional subject names, so a simple cert works fine in this scenario.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37746610
Perform the certificate request via Exchange:

Creating the certificate: http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

Installing the certificate: http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

When creating your certificate, your CN will be remote.domain.com and your SAN will be autodiscover.domain.com, internalservername.domain.local, internalservername.

You need to ensure that the 'remote' and 'autodiscover' A records are created on your public DNS and ensure it points to your Exchange server WAN IP from the internet. You only need to open up port 443 to get OWA and remote access to your PCs.
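
The name check behind the asker's mismatch and behind Netflo's recommended CN/SAN set, as an added Python example (not code from this thread, Microsoft or DigiCert): it mimics how a TLS client compares the hostname it was asked to connect to against the certificate's dNSName SANs, falling back to the CN only when there are no SANs, which is also why a CNAME in DNS cannot fix the mismatch. All domain names are constructed placeholders.

```python
from typing import Iterable, List, Tuple

# Constructed example values: the CN and SAN list Netflo recommends above,
# using placeholder names rather than any real server.
RECOMMENDED_CN = "remote.domain.com"
RECOMMENDED_SANS = ["remote.domain.com", "autodiscover.domain.com",
                    "internalservername.domain.local", "internalservername"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single '*' may
    only replace the entire left-most label of a name with 3+ labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cn: str, sans: Iterable[str], hostname: str) -> bool:
    """True if a client connecting to `hostname` (the name in the URL, not
    whatever DNS resolves it to) would accept a cert with this CN and SANs.
    When dNSName SANs are present the CN is ignored, as modern clients do."""
    sans = list(sans)
    candidates = sans if sans else [cn]
    return any(_name_matches(name, hostname) for name in candidates)


def report(cn: str, sans: Iterable[str],
           hostnames: Iterable[str]) -> List[Tuple[str, bool]]:
    """Evaluate every hostname users might type; returns (host, accepted)."""
    return [(h, cert_covers(cn, sans, h)) for h in hostnames]


if __name__ == "__main__":
    # The asker's situation: self-signed cert for remote.companyname.com,
    # while users reach the box as companyname.dyndns.org.
    for host, ok in report("remote.companyname.com", [],
                           ["companyname.dyndns.org", "remote.companyname.com"]):
        print(f"{host:32} {'OK' if ok else 'NAME MISMATCH'}")
    # The recommended public cert: every advertised name is accepted.
    for host, ok in report(RECOMMENDED_CN, RECOMMENDED_SANS,
                           ["remote.domain.com", "AutoDiscover.domain.com",
                            "internalservername"]):
        print(f"{host:32} {'OK' if ok else 'NAME MISMATCH'}")
```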
LVL 56

Expert Comment

by:Cliff Galiher
ID: 37747065
As with many things in SBS, it is best to stick to the wizards. If you make the certificate request via Exchange instead of the SBS wizard, you cannot later finish installing the certificate via the SBS wizard. And if you install the certificate via Exchange, several components, most notably the RD Gateway service for RWA, do not get associated with the certificate. And since one of the key points in your question was remote access to PCs via RWA, that is a fairly important place to get the certificate installed properly.

In short, I must disagree with previous advice given here. It is rarely a good idea to generate a CSR through Exchange in SBS. Stick to the wizards.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37747262
You won't be able to add additional host names via the SBS wizard, and you can select the certificate to be used via the wizard, which will create the bindings. I'm providing tried-and-tested information on an SBS 2011 server, not reading off the net.

The Exchange CSR is wizard-driven too. We're talking about 2010 here, not 2007.
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
ID: 37747505
While the SBS wizard does not create a CSR for a UCC/SAN cert, one is not needed for SBS. If it were, the wizard would have been designed as such.

Equally importantly though, neither your method nor your latest reply addresses the fact that the Exchange wizard will NOT associate the certificate with the RD Gateway, which is the service that allows RWA remote desktop to work. That is functionality the question asker specifically calls out, and your solution will NOT fix that problem. The SBS wizard will. So no matter how "tried and tested" your solution is, it does not address the original problem. RWA remote desktop will not work given your solution.

-Cliff
LVL 18

Expert Comment

by:Netflo
ID: 37747679
Okay, well then it appears to be working correctly for our clients who have a mixture of SBS 2008 and 2011 servers. We have one certificate serving RWA and OWA, all working flawlessly per deployment.

jsgould, your call on how to proceed.

Author Closing Comment

by:jsgould
ID: 37773047
Thanks for all of the input. Much appreciated. We need to get the static IP and some legit SSL certs.

Expert Comment

by:mystikiel
ID: 39745745
I realise that this is an old post, but the best option for most users in this situation would be to use Microsoft's free DDNS service.

This is highlighted towards the end of this post:

http://titlerequired.com/2011/07/15/setting-up-remote-web-access-on-sbs-2011-essentials-part-2/

The only problem I had with this was that my router supports dyndns natively but not this.