Solved

SBS2011 SSL certificate / DNS resolving

Posted on 2012-03-20
Last Modified: 2013-12-30
Hello,
Here's what's happening. SBS2011 server. Uses the dyndns.org service and client updater app (companyname.dyndns.org) to maintain its IP, as it is also an in-house email server. To access Remote Workplace, it only works if you use companyname.dyndns.org/remote. I believe we need to have https://remote.companyname.com/remote working instead so the self-signed certificate works correctly. Below is some more background:

The problem is that the server's self-signed SSL certificate is for remote.companyname.com, created during the Internet wizard process. I can use OWA, I can log into Remote Workplace, but I cannot get past the remote access to the PC (RDP) due to the SSL mismatch. The certificate does not match the site: the URL is companyname.dyndns.org and the certificate is looking for remote.companyname.com. I tried adding a CNAME to my host's DNS to point remote.companyname.com to companyname.dyndns.org. That had zero effect. I tried to import an SSL certificate from the SBS2003 server (from which we migrated) that was set to companyname.dyndns.org, but it will not show up in the wizard if I select "choose one from this server"... I added the SSL cert via the MMC certificate snap-in. Hopefully this is being explained correctly. Thank you in advance for any input.
Question by:jsgould
12 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 1200 total points
ID: 37745412
Hi,

Fundamentally, long term you're going to need a static IP to link your A record to. That will serve as the prerequisite for obtaining a third-party SSL certificate.

Get a static IP, create an A record 'remote' and point to your WAN IP. Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too.

Your Exchange will use a proper certificate and you have remote access with no prompts or problems. Done!
0
 

Author Comment

by:jsgould
ID: 37745420
Thank you. Unfortunately I was hoping to get it working now and see if I can get to the configuration you mentioned soon. Are there alternatives, or are there none?
0
 
LVL 18

Expert Comment

by:Netflo
ID: 37745432
Well, most of the Microsoft portfolio is moving towards 3rd-party certs for certain services, especially public facing, so I'm afraid that this is a cost you will have to take into account.

New shiny SBS2011 does require some prerequisites, and I'm afraid this is a paid-for UCC SSL certificate.

Let's see what other experts can suggest?
0
 

Author Comment

by:jsgould
ID: 37745446
I'm sure they would agree. So you said "...Add additional SANs to your certificate to include 'autodiscover' and your SBS internal name too...." Is there a recommended set of DNS settings? SSL cert settings? Just want to make sure it's all done correctly.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 37745597
A static IP is certainly the easiest solution. In rare cases where this is absolutely not possible, you can use DynDNS or another dynamic service, but they must support the updating of a fully custom domain name (in other words, not *.dyndns.org). In the case of DynDNS, that is their paid-for upgrade. Cannot be done with their free service.

And while SBS 2011 Standard can still be used with a self-issued certificate, the cost of an inexpensive cert from GoDaddy (12/year) makes this a relatively avoidable option as well. With SBS, a UCC/SAN cert is not at all necessary, and in fact if you stick to the wizards and use the SBS wizard to generate the CSR you'll submit to cert providers, the CSR does not include additional subject names, so a simple cert works fine in this scenario.

-Cliff
0
 
LVL 18

Expert Comment

by:Netflo
ID: 37746610
Perform the certificate request via Exchange:

Creating the certificate: http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

Installing the certificate: http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

When creating your certificate, your CN will be remote.domain.com and your SAN will be autodiscover.domain.com, internalservername.domain.local, internalservername.

You need to ensure that the 'remote' and 'autodiscover' A records are created on your public DNS and ensure it points to your Exchange server WAN IP from the internet. You only need to open up port 443 to get OWA and remote access to your PCs.
0
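Added illustration, not code from the thread or from Netflo: a stdlib-only Python checker that applies the same host-name matching rule a browser or the RWA remote-desktop client uses (SAN DNS entries first, CN only as a fallback, wildcard limited to the leftmost label) against a constructed certificate laid out as the CN/SAN list in the reply above. The server and domain names are placeholders; the question's dyndns URL fails the check while the remote/autodiscover names pass.

```python
"""Which host names does a certificate validate for?  Same rule a browser
or the RWA/RDP client applies: SAN DNS entries win, CN only as fallback,
'*' allowed only as the whole leftmost label (RFC 6125 style)."""

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns,
# laid out as the reply above describes (CN remote.<domain> plus SANs).
# Public CAs copy the CN into the SAN list, so it is repeated there.
# Server and domain names are placeholders, not taken from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "remote.companyname.com"),),),
    "subjectAltName": (
        ("DNS", "remote.companyname.com"),
        ("DNS", "autodiscover.companyname.com"),
        ("DNS", "sbsserver.companyname.local"),
        ("DNS", "sbsserver"),
    ),
}

def cert_dns_names(cert):
    """Names the cert is valid for: SAN DNS entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive compare; a wildcard covers exactly one label and
    never the registrable domain (so '*.com' matches nothing)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split(".")[1:], h.split(".")
    return (len(p_labels) >= 2 and len(h_labels) == len(p_labels) + 1
            and h_labels[1:] == p_labels)

def cert_matches_host(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def explain(cert, hostname):
    """One-line verdict that can go straight into a ticket."""
    names = ", ".join(cert_dns_names(cert))
    verdict = "OK" if cert_matches_host(cert, hostname) else "MISMATCH"
    return f"{verdict}: {hostname} vs certificate names [{names}]"

if __name__ == "__main__":
    # The URL from the question fails; the CN/SAN names from the reply pass.
    for host in ("companyname.dyndns.org", "remote.companyname.com",
                 "autodiscover.companyname.com"):
        print(explain(SAMPLE_CERT, host))
```

To check a live server, pass the dict returned by `ssl.SSLSocket.getpeercert()` in place of `SAMPLE_CERT`; the CNAME trick from the question cannot help because the client compares the name it was asked to connect to, not whatever that name resolves to.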
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 37747065
As with many things in SBS, it is best to stick to the wizards. If you make the certificate request via Exchange instead of the SBS wizard, you cannot later finish installing the certificate via the SBS wizard. And if you install the certificate via Exchange, several components, most notably the RDGateway service for RWA, do not get associated with the certificate. And since one of the key points in your question was remote access to PCs via RWA, that is a fairly important place to get the certificate installed properly.

In short, I must disagree with previous advice given here. It is rarely a good idea to generate a CSR through exchange in SBS. Stick to the wizards.

-Cliff
0
 
LVL 18

Expert Comment

by:Netflo
ID: 37747262
You won't be able to add additional host names via the SBS wizard, and you can select the certificate to be used via the wizard, which will create the bindings. I'm providing tried and tested information on an SBS 2011 server, not reading off the net.

The Exchange CSR is wizard driven too. We're talking about 2010 here, not 2007.
0
 
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 800 total points
ID: 37747505
While the SBS wizard does not create a CSR for UCC/SAN cert, one is not needed for SBS. If it were, the wizard would have been designed as such.

Equally importantly though, neither your method nor your latest reply addresses the fact that the Exchange wizard will NOT associate the certificate with the RDGateway, which is the service that allows RWA remote desktop to work. That is functionality the question asker specifically calls out, and your solution will NOT fix that problem. The SBS wizard will. So no matter how "tried and tested" your solution is, it does not address the original problem. RWA remote desktop will not work given your solution.

-Cliff
0
 
LVL 18

Expert Comment

by:Netflo
ID: 37747679
Okay, well then it appears to be working correctly for our clients, who have a mixture of SBS 2008 and 2011 servers. We have one certificate serving RWA and OWA, all working flawlessly per deployment.

jsgould, your call on how to proceed.
0
 

Author Closing Comment

by:jsgould
ID: 37773047
Thanks for all of the input. Much appreciated. We need to get the static IP and some legit SSL certs.
0
 

Expert Comment

by:mystikiel
ID: 39745745
I realise that this is an old post, but the best option for most users in this situation would be to use Microsoft's free DDNS service.

This is highlighted towards the end of this post:

http://titlerequired.com/2011/07/15/setting-up-remote-web-access-on-sbs-2011-essentials-part-2/

The only problem I had with this was that my router supports dyndns natively but not this.
0
