SBS 2008: Do I need the remote.company.com server cert?

Andreas200
Hi,
In the certificate MMC I see the files in the attachment; however, if I check the SBS console | Networks | Connectivity | Certificates I see only the trusted cert from Equifax used for pushmail.

How should I renew the remote.company.com cert, for which I get a warning 64?
(We are not using remote Workplace etc.)

Andreas
Neues-Textdokument--3-.txt
You have to install the website certificate from the IIS console.

http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm

Commented:
In SBS, to bind all services correctly (even if you are not using one or more of them), in the Connectivity tab select Add a Trusted Certificate. It will give you the option to renew the cert. Generate the CSR and paste that info into your certificate provider.

The above information is correct in a non-SBS environment, but because SBS relies on wizards, it is not best practice to go through the IIS console.

-Jared

Author

Commented:
Thanks both Anuroopsundd and Jared!

Jared, are you sure I can regenerate the self-signed certificate (remote.company.com) without touching the 3rd party certificate from Equifax (mail.company.com)?

Andreas

Commented:
You should not have multiple certificates. My apologies for not reviewing your request correctly. With SBS they make it so you can accommodate everything into one domain name. Can you explain which is doing what?

If mail.* is your default for OWA, perhaps we can make it so that all services fall under that. In my opinion that would make more sense, so you would not have a self-signed cert for RWW.

My recommendation would be to delete the certificates you have currently in place, minus the one that is used in Exchange for SMTP (this one is not verified). Next, I would go solely through the SBS console, first confirming that your Internet address wizard has been run and you set the prefix to mail.*. This will make it so that you can access mail.company.com/remote as well as mail.company.com/owa under the same cert as well as prefix. Next, I would go to Add a Trusted Certificate and make sure you enter in all the info. Then I would copy the CSR and paste it to your cert provider. Paste the cert info back from the provider, and you should now have all sites successfully under the cert.

This is definitely the cleanest way to do it, and will allow you much more maneuverability in the future if you do in fact begin to use RWW.

-Jared

Author

Commented:
Jared,
I do not completely understand your advice - sorry!
1) I run the Internet address wizard with the domain mail.* (star) instead of mail.company.com or company.com - correct?
2) I run the Add a Trusted Certificate wizard and then I copy the request and paste it into the cert provider (is that the local SBS CA or a 3rd party provider like the Equifax one?)
3) The cert info from the provider: is this after I generated a certificate with the request I made?

Andreas
Top Expert 2013

Commented:
>>"How should I renew the remote.company.com for which I get a warning 64.
(We are not using remote Workplace etc.)"
If you are getting a warning relating to remote.company.com, I suspect that when you originally configured the SBS you did not do so correctly using the SBS wizards, thus that FQDN, which is the default, was created.

I would re-run the "Set up your Internet address" wizard and in step #7 of the following link select Advanced so that you can change from Remote to your prefix of the FQDN. This should not change the public certificate association but should eliminate the error.
http://blogs.technet.com/b/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx
Commented:
My apologies.

1. The * is supposed to represent a variable to show your company name. You will have the option to select your prefix, which I suppose you will want to set to mail.company.com.
2. 3rd party provider. The concept that I am stating to you is to have you get rid of your self-signed cert. It will alleviate many problems that may occur.
3. The wizard will provide you with everything that you need to enter. It will then generate the CSR, which you will paste in to your cert provider. Your cert provider will come back with a response and you will paste that in.

-Jared

Author

Commented:
Rob,
you wrote:
>>"I would re-run the "Set up your Internet address" wizard and in step #7 of the following link select advanced so that you can change from Remote to your prefix of the FQDN. This should not change the public certificate association but should eliminate the error"

Due to the fact that I already have a cert for mail.company.com, can I just go through the wizard and enter company.com without prefix, or should I enter mail.company.com again?

Commented:
That should be the case. However, if you did not run either of those wizards at the beginning it may be to your benefit to start over on those two wizards.

-Jared
Top Expert 2013

Commented:
>>"Due to the fact that I already have a cert for mail.company.com, can I just go through the wizard and enter company.com without prefix"
No, it will default to remote unless you click advanced settings and insert the prefix of your choosing.
That prefix, the public DNS name, and the certificate must all agree.

With SBS it is imperative to use the appropriate wizards and not configure manually as you would on Server standard.
Do what jaredr80 said: get your SBS working with the wizards. I know the first time I did an SBS I tried to do things the enterprise way and messed up the whole thing.

Once you have that done, then set up an SRV record in your DNS and that is all you should need. You do not have to have an SRV record, but it really makes things run better.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/

Author

Commented:
Jared,

I will partly follow your advice:
1) I had to re-enable the IPv6 connectivity
2) I ran the Internet connection wizard
3) I started the Internet address wizard and set the advanced option to mail.company.com
4) I get a warning that I am already using a trusted cert and that I would have to reinstall the 3rd party cert or request a new 3rd party cert and install it - if I continue - which I have not done yet.
5) I checked and I assume that I have the 3rd party cert as .cert and as .pfx ready for reinstallation.
6) I will postpone the work 1 week until the next weekend and let you know how it went.
In case you completely disagree, let me know.
Thanks
Andreas
Top Expert 2013

Commented:
It sounds like you did not follow SBS procedures when configuring the server.
Do not disable IPv6, it will break some networking features.

I would recommend you make sure the server is properly cleaned up:
Leave IPv6 enabled.
Make sure there is ONLY 1 NIC enabled.
Make sure on that NIC the server points ONLY to itself for DNS.
Have the SBS as your DHCP server, not the router.
Run the Connect to the Internet wizard, which will configure networking, DHCP, and more.
Run the Set up your Internet address wizard to configure DNS, SBS services, Exchange and MUCH more.
Repair the certificate if necessary.
Run the SBS BPA (link below) and check for any additional errors.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6231

SBS is not Server Standard. All of us have pretty much destroyed our first SBS by not using the wizards. It always comes back to haunt you, either with errors or problems with updates at a later date.
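An added check for the point made earlier in the thread that the prefix, the public DNS name and the certificate must all agree, and for the "repair the certificate if necessary" step above. This is example code, not from the thread or from the SBS wizards: it lists every certificate with a private key in the local machine store and reports whether it covers the expected FQDN, whether it is self-signed or chains to a trusted root, and how many days remain. It assumes PowerShell 2.0 or later on the SBS, run from an elevated prompt; `mail.company.com` is a placeholder for your own prefix.domain.

```powershell
# Example check, not part of the SBS wizards. $ExpectedFqdn is a placeholder:
# set it to the prefix.domain you chose in the Internet address wizard.
param([string]$ExpectedFqdn = "mail.company.com")

# Collect the DNS names a certificate is valid for: the subject CN plus any
# DNS entries in the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

# Does the expected name resolve at all? No record means the wizard prefix
# and public DNS disagree, whatever the certificate says.
$resolves = $false
try {
    $resolves = ([System.Net.Dns]::GetHostAddresses($ExpectedFqdn)).Count -gt 0
} catch { $resolves = $false }
Write-Host ("DNS lookup for {0}: {1}" -f $ExpectedFqdn, $(if ($resolves) { 'OK' } else { 'FAILED' }))

# One row per certificate that the server could actually present (has a private key).
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $names    = Get-CertDnsNames -Cert $_
    $covers   = $names -contains $ExpectedFqdn
    $daysLeft = ($_.NotAfter - (Get-Date)).Days
    # Building the chain makes a self-signed or untrusted issuer show up as not trusted.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($_)
    New-Object PSObject -Property @{
        Thumbprint   = $_.Thumbprint
        Names        = ($names -join ', ')
        CoversFqdn   = $covers
        SelfSigned   = ($_.Subject -eq $_.Issuer)
        ChainTrusted = $trusted
        DaysLeft     = $daysLeft
    }
} | Format-Table Thumbprint, Names, CoversFqdn, SelfSigned, ChainTrusted, DaysLeft -AutoSize
```

A row with CoversFqdn false or SelfSigned true for the name users connect to is the mismatch the SBS console warns about; the fix is still the Internet address wizard plus Add a Trusted Certificate, as described above, not a manual change in IIS.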
