• Status: Solved

SBS 2011 remote.xyz.com SSL certificate keeps popping up as invalid on clients

We have a migration that was completed from SBS 2003 to 2011 this weekend. In order to keep things completely seamless, we wanted to use the same DNS for external access as mail.xyz.com instead of the standard remote.xyz.com.

We imported a valid SSL from GoDaddy and it's working and validates when you use mail.xyz.com to access.

I have checked all the settings in the Exchange Management Console to point to mail. instead of remote., but the clients are still popping up certificate errors because they are not valid on all 3 points. When I view the cert, it's trying to use the mail. cert but it's using the remote. URL.

Anyway, I think I need to remove the remote. certs because one of them is assigned to SMTP, but it will not let me in the EMC. Any ideas on how to get this working?
Asked:
jhuntin
1 Solution
 
Sushil Sonawane Commented:
Check the Exchange certificate thumbprint and run the following command in Exchange PowerShell.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e

Reference link: http://technet.microsoft.com/en-us/library/aa997569(v=exchg.80).aspx

Manpreet SIngh Khatra, Solutions Architect, Project Lead Commented:
In EMC make sure that the External URL is pointing to Mail ... also make sure that the Cert is imported in IIS.

- Rancy

Rob Williams Commented:
I would recommend running the "Configure your internet address" wizard in the SBS console and in step #7 in the following link select advanced settings and replace remote with mail.  This is the proper way to configure the SBS server when setting it up.
http://blogs.technet.com/b/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx
 
Manpreet SIngh Khatra, Solutions Architect, Project Lead Commented:
I agree with RobWill :) - please try, and if there are any issues we can surely jump in to assist you.

- Rancy

vSolutionsIT Commented:
If you still face the issue after running the "Configure your internet address" wizard, then run the test-outlookwebservices | fl command in Exchange PowerShell and check if it errors anywhere. If it does, then provide the complete output here.

Exchange_Geek Commented:
"Configure your internet address" wizard in the SBS console

Will basically provide you the following details from your SBS console.

=> autodiscover.domain.com
=> mail.domain.com
=> CAS Server
=> CAS FQDN

You'll simply need the above URLs on your cert to have your folks go error free. However, in order to simplify the process - the process is defined above AND mentioned in an earlier post.

Regards,
Exchange_Geek

jhuntin (Author) Commented:
When I run the reconfigure your internet address it will remove the SSL that I have imported via GoDaddy and assign its own self-signed. Will I still be able to then re-import the GoDaddy, or do I need to rekey and reissue it?

Exchange_Geek Commented:
You'll need to re-issue the cert against a new key. I think GoDaddy doesn't charge for re-issuing certs.

Regards,
Exchange_Geek

Exchange_Geek Commented:
@Sushil84: The link doesn't talk about SBS, which is what is being talked about.

Regards,
Exchange_Geek

Rob Williams Commented:
I am not certain you will need to re-key.

Running the wizard will create a new self-signed certificate but I don't believe it will replace the 3rd party cert. Without changing the prefix you can safely run the wizard at any time with no repercussions; I have done so often. To the best of my knowledge changing the prefix and running the wizard will not have any ill effects either, though I have not had the need to try that. Of course the new prefix and certificate must match, but in your case they will.

Normally installing the 3rd party certificate the 'SBS way' (see link) adds a certificate, and does not replace the existing cert.  You might have to re-associate the 3rd party cert with the appropriate sites.
http://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/

Sushil Sonawane Commented:
@Exchange_Geek: On SBS it will also work.

Exchange_Geek Commented:
SBS works differently; natively, Microsoft has provided it with wizards that help configure it - one should stick to what is provided and not mess around.

What you have provided is industry standard for E2007 boxes - but understand this is SBS.

Read the details provided by MS about the wizard.

http://technet.microsoft.com/en-us/library/cc546055(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc546059.aspx

Regards,
Exchange_Geek
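
An added example, not part of the thread or written by any of its participants: a read-only check for the Exchange Management Shell that lists the host names Exchange publishes to clients, shows which services each certificate is bound to, and reports any published name that the IIS-bound certificate does not cover. It assumes `mail.xyz.com` (the placeholder name from the question) as the intended name and changes no settings.

```powershell
# Added example: read-only audit for the Exchange Management Shell (Exchange 2010 on SBS 2011).
# ASSUMPTION: $expected is the external name from the question (the poster's placeholder domain).
$expected = 'mail.xyz.com'

# 1. Collect every URL Exchange publishes to Outlook and mobile clients.
$urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# Reduce the URLs to host names and add the Outlook Anywhere external host name.
$names  = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host.ToLower() })
$names += Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } |
          ForEach-Object { "$($_.ExternalHostname)".ToLower() }
$names  = $names | Where-Object { $_ } | Sort-Object -Unique

# 2. Show every certificate with the services bound to it
#    (this is where a remote. certificate still holding SMTP shows up).
$certs = @(Get-ExchangeCertificate)
$certs | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 3. Names on the certificate(s) that IIS actually serves to clients.
$iisNames = @($certs | Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })

# 4. Flag any published host name the IIS certificate does not cover.
$report = foreach ($n in $names) {
    $wild = $n -replace '^[^.]+', '*'   # mail.xyz.com -> *.xyz.com (single-label wildcard)
    New-Object PSObject -Property @{
        HostName       = $n
        IsExpectedName = ($n -eq $expected)
        OnIisCert      = ($iisNames -contains $n) -or ($iisNames -contains $wild)
    }
}
$report | Format-Table HostName, IsExpectedName, OnIisCert -AutoSize
```

Any row with `OnIisCert` set to `False` is a name that will raise a certificate warning in Outlook when a client connects to it.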