
Changing from Wildcard Certificate to SAN Certificate in Exchange 2010

My wildcard cert is up for renewal soon and I've purchased a SAN certificate this time around to use. Is there anything I should take note of if I swap the certificate from a wildcard to a SAN? Also, would I need to change the certificate principal name from *.domainname.com to the Exchange server name?
Asked by snapmetobits
 
Matt_D_Green commented:
The principal name should be whatever you're using for OWA/ActiveSync (e.g. webmail.domain.com). If you do not publish server names (typically not recommended), you'll want to change the internal URLs for your virtual subdirectories to make sure they don't reference the server name, otherwise you end up with certificate errors on client connections.
You can review this blog for a better idea of what I'm talking about: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
 
snapmetobits (author) commented:
Hi Matt,

Thanks for the prompt reply. I have published my server names and both internal and external URLs for my virtual subdirectories are pointing to https://mail.domainname.com. Is that considered good practice, or should I have separated internal and external services? I have not deployed split-brain DNS though. Is that something I should look at? If my internet link goes down, I keep getting certificate errors; will a SAN cert solve this?
 
Exchange_Geek commented:
We've got this setup at many of our clients with both internal and external URL the same, and haven't faced many issues.

Split brain DNS is normally seen across all the environment, if that was the case - then you'd need to configure a method in DNS to resolve mail.domainname.com to point to your internal CAS Server - for users to resolve it.

If your internet is inaccessible, you would lose connectivity with your Exchange server, as simple as that. However, your cert errors have nothing to do with it.

OL will fail to connect to your Exchange server - so cert or no cert, how does that help?

It wouldn't be the case where you could say "look, my internet doesn't work, but my OL does and so I don't want those stupid cert errors coming all the time".

Regards,
Exchange_Geek

 
snapmetobits (author) commented:
I would still like to be able to maintain email connectivity internally if the internet link was down. If I enable split DNS, would I still be able to maintain OOF, OAB and autodiscover despite the downed link? Or at the very least, basic email communication?
 
Exchange_Geek commented:
You wouldn't require an internet connection for local users, so that cert would help you work internally and externally, considering you're going to have the following SAN names:

autodiscover.domain.com
webmail.domain.com
CAS Server NETBIOS
CAS Server FQDN

AND have internal DNS own a SRV Record _autodiscover._tcp.domain.com to point to your CAS Server FQDN.

That's it.

Regards,
Exchange_Geek
 
Malli Boppe commented:
@Exchange_Geek

I have set up Exchange 2010 servers with just the following names in the SAN certificate:

autodiscover.domain.com
webmail.domain.com
CAS Server FQDN

Also had just a host A record in the internal DNS called autodiscover pointing to the CAS server.
 
Exchange_Geek commented:
I'd recommend an SRV record over an A record; however, that should work. Do you have an OL machine to test with, or access to the Exchange PowerShell?

To test if your cert has the correct data on it, you could use the following link using OL:
Test-EmailAutoConfiguration

Uncheck both Guessmart checkboxes while testing.

To test if your cert has the correct data on it, you could use the following using the shell.
Go to the Scripts folder (located in the installation drive for Exchange) in the shell,
for example D:\exchsrvr\Scripts\>, and search for new-TestCasConnectivityUser.ps1

So, the shell command should look like

D:\exchsrvr\Scripts\>.\new-TestCasConnectivityUser.ps1

Run this command, wait a few minutes, then run the following command:

D:\exchsrvr\Scripts\>Test-WebServicesConnectivity -ClientAccessServer CASServer -MailboxCredential (Get-Credential domain\username)

Regards,
Exchange_Geek
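Putting Exchange_Geek's checklist (the four SAN names) and Matt_D_Green's point about virtual-directory URLs into one check: this is an added example, not code from the thread, written for the Exchange 2010 Management Shell on the CAS, and it assumes the standard Exchange 2010 cmdlets and properties named in the comments. autodiscover.domain.com and webmail.domain.com are placeholders for your own names.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell on the CAS.
# Placeholders: replace autodiscover.domain.com / webmail.domain.com with your own names.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$expected = @('autodiscover.domain.com', 'webmail.domain.com', $env:COMPUTERNAME, $fqdn)
# The certificate currently bound to IIS (OWA, EWS, OAB, ActiveSync, Outlook Anywhere)
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }

$sans      = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$wildcards = @($sans | Where-Object { $_.StartsWith('*.') } | ForEach-Object { $_.Substring(2) })

function Test-NameCovered([string]$Name) {
    $n = $Name.ToLower()
    if ($sans -contains $n) { return $true }
    foreach ($w in $wildcards) {
        # a wildcard matches exactly one label: host.domain.com, not a.b.domain.com
        if ($n.EndsWith(".$w") -and ($n.Substring(0, $n.Length - $w.Length - 1) -notmatch '\.')) {
            return $true
        }
    }
    return $false
}

# 1. Every name clients will be sent to must be on the certificate
foreach ($name in $expected) {
    if (-not (Test-NameCovered $name)) { Write-Warning "Not on certificate: $name" }
}

# 2. Every internal/external URL Exchange publishes must use a covered host name
$vdirs = @(Get-OwaVirtualDirectory         -Server $env:COMPUTERNAME) +
         @(Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME) +
         @(Get-OabVirtualDirectory         -Server $env:COMPUTERNAME) +
         @(Get-ActiveSyncVirtualDirectory  -Server $env:COMPUTERNAME)
$urls  = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-ClientAccessServer $env:COMPUTERNAME).AutoDiscoverServiceInternalUri
foreach ($u in $urls | Where-Object { $_ }) {
    if (-not (Test-NameCovered $u.Host)) { Write-Warning "URL host not on certificate: $u" }
}

# 3. Outlook Anywhere: external host name and the EXPR cert principal name (msstd:...)
$oa  = Get-OutlookAnywhere -Server $env:COMPUTERNAME
if ($oa -and -not (Test-NameCovered ([string]$oa.ExternalHostname))) {
    Write-Warning "Outlook Anywhere host not on certificate: $($oa.ExternalHostname)"
}
$cpn = (Get-OutlookProvider EXPR).CertPrincipalName
if ($cpn -and -not (Test-NameCovered ($cpn -replace '^msstd:', ''))) {
    Write-Warning "EXPR CertPrincipalName does not match the certificate: $cpn"
}
```

Any warning printed is a name that clients will be handed but that the certificate does not cover, which is exactly the situation that produces the certificate prompts discussed above.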
 
snapmetobits (author) commented:
Hmm, I'll give that a shot during the weekend and let you know the results. Thanks to all that responded.
 
Exchange_Geek commented:
You're welcome.

Regards,
Exchange_Geek
 
snapmetobits (author) commented:
Ok, just added in the 4 names for the SAN certificate and pending approval. The SRV record has already been pointing to my CAS server (mail.domain.com.)

Just another quick question: if I enable split DNS and I have an external website of the same domain name, isn't that going to point back to an internal server if I were to access it internally? How would I go about viewing the site then?
 
Exchange_Geek commented:
It wouldn't, since you have an external site (say: Nokia.com) and an internal site (say: Nokia.local).

Your SRV _autodiscover._tcp.nokia.com would point to webmail.nokia.com

webmail.nokia.com would point to the Internet-facing NIC of your firewall, which in turn, using port forwarding, points to your CAS.

Internally, your SRV would point directly to your CAS.

That's the difference.

Regards,
Exchange_Geek
 
snapmetobits (author) commented:
This is probably more of an A host entry than an SRV record. Currently we have domain.internal as our AD domain name. If I enable a new zone in AD DNS with domain.com (for split brain) and I have an externally hosted company website (nothing to do with webmail/autodiscover) that also ends with domain.com, how would I view it internally?

I just tried it with the domain.internal zone with an A record pointed to the hosted website's external IP and I got redirected back to my AD IIS site. I assume if I tried it with domain.com after split brain, my web browser isn't going to direct me to the external hosted site.
 
Exchange_Geek commented:
You'll need to connect to www.domain.com, which is different from a normal A record.

If you create an internal zone for domain.com, all you are going to create is an A record, not a www record.

Your DNS server's root hints will not look at the A record; instead, if it doesn't find www, it would look at other servers hosting www and retrieve the information from them using external DNS recursive queries.

Regards,
Exchange_Geek
 
snapmetobits (author) commented:
When you say I need to connect to www.domain.com, how would I go about doing that? There is no www entry option within AD DNS.
 
Exchange_Geek commented:
Read: http://support.microsoft.com/kb/168322

Regards,
Exchange_Geek
 
snapmetobits (author) commented:
I managed to install the certificate over the weekend and there were a few users having issues recognizing the certificate ("Outlook is unable to connect to the proxy server", Error Code 0). Occasionally, we get a popup from Outlook saying there is a problem with the proxy server's security certificate and a login screen appears where we have to type in the login credentials; it happens to random users, but we get full email connectivity including autodiscovery. I have already changed the certificate principal name to match the common name of the certificate and restarted the server.

What else can I try to completely remove this issue?