
Exchange 2013 SSL and DNS Configuration

Posted on 2013-05-30
Last Modified: 2013-06-14
I am currently working on a migration from Exchange 07 to 2013.  My current DNS setup is as follows:

Internal server name: EXCHANGE
External DNS for OWA and smartphones: webmail.abc.com
MX record: mail.abc.com (Which points to barracuda spam device)

My question is what DNS entries do I need to configure for the new server to work internally and externally.

Also, as a side note I have a mixed environment of Windows XP and Windows 7 workstations ALL running Office 2010.  The reason I mention this is because I am having issues with XP machines connecting to Exchange 13. My research is saying that XP does not know how to "handle" the SAN certs and so it does not autodiscover successfully and configure the Outlook Anywhere settings.  It keeps prompting for username and passwords during setup process and never finishes successfully.

I have purchased a WildCard SSL cert for the production environment, but my lab is failing with the default self signed certs from Exchange.

Any help would be greatly appreciated......
Question by:BSModlin
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 1336 total points
ID: 39209611
Is your Exchange 2013 going to be in coexistence with Exchange 2007? If so, you need the following entries on both internal and external DNS:

webmail.abc.com ..Pointing to exchange 2013
Autodiscover.abc.com ..Pointing to exchange 2013
exchange2013.abc.com
Legacyexchange.abc.com   ..Pointing to exchange 2007

Windows XP with Outlook 2010 should work as well. It shouldn't be a problem.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 664 total points
ID: 39209612
Windows XP doesn't cope well if the host name being used for Outlook Anywhere does not match 100% the common name of the SSL certificate.

So *.example.com doesn't match host.example.com. You have to make changes to the Outlook Anywhere configuration to get it to accept it:
http://technet.microsoft.com/en-us/library/cc535023.aspx (Exchange 2007 but still valid for all later versions).

That is the only issue I am aware of with Windows XP clients (notwithstanding their numerous security flaws and IT pros hanging on to them because they are scared of anything else, but that is another issue for another day).

You cannot put internal names on commercial SSL certificates, so the method here is to use a split DNS system, configure the same host names internally and externally.
You can get away with two:

host.example.com
autodiscover.example.com

However both of those need to be on the SSL certificate.

I don't have an Exchange 2013 version of the changes required, but the 2010 version has the same settings: http://semb.ee/hostnames

Simon
0
 

Author Comment

by:BSModlin
ID: 39209633
No they are NOT going to Co-exist. I am a bit confused regarding the Cert.  To be clear you are saying the wild card cert will NOT work.  I need a SAN cert with specific names:

Autodiscover.abc.com
webmail.abc.com
exchange13.abc.com (Internal Name)

And then in DNS (Internal) I need to configure A records for each of these to point to Exchange Server.... Correct....

My last question is after installing the Exchange 13 server how and where do I go in the EAC to input these URLs above or will they work with the default settings?
0
 
LVL 23

Accepted Solution

by:
Malli Boppe earned 1336 total points
ID: 39209649
As said above, you just need two names in the SAN cert:

Autodiscover.abc.com
webmail.abc.com

Yes you need to create the internal DNS records to point to the exchange


You got the below where computername is exchange 2013 clientaccess server->servers- Virtual directory settings

https://%computername%/ecp/?ExchClientVer=15
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39211088
Wildcard certificates will work, but there are extra steps required and they can cause issues in certain scenarios. If the certificate hasn't been purchased then I will usually try to steer clients towards a UC (aka SAN) certificate.

You do NOT need the internal name on the server, just configure Exchange to use the external name everywhere.

For the changes, some have to be made in the console, some through the Shell. The commands on the page I linked to above still work on Exchange 2013.

Simon.
0
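Added example (not part of any post in this thread, and not taken from the linked pages): one way to point every client-facing URL at the certificate's host name from the Exchange Management Shell, as the answers above describe. The server name `EXCH2013` is a placeholder, the NTLM authentication choice is an assumption, and `webmail.abc.com` / `autodiscover.abc.com` are the names used in the question.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2013 server.
$Server   = 'EXCH2013'           # placeholder server name (assumption)
$HostName = 'webmail.abc.com'    # name on the certificate, resolved by split DNS
$Base     = "https://$HostName"

# Autodiscover service connection point that domain-joined Outlook clients query.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.abc.com/Autodiscover/Autodiscover.xml'

# Use the same public name for the internal and external URL of each service,
# so no client is ever sent to a name that is missing from the certificate.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
        -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
        -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

# Outlook Anywhere: same host name inside and outside, SSL required on both.
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -InternalHostname $HostName -InternalClientsRequireSsl $true `
        -ExternalHostname $HostName -ExternalClientsRequireSsl $true `
        -ExternalClientAuthenticationMethod Ntlm   # assumption: NTLM for this example

# Only if a wildcard certificate is used: tell Outlook which certificate
# principal name to expect, since *.abc.com is not a literal match for the host.
# Skip this line when using a SAN/UC certificate.
Set-OutlookProvider -Identity EXPR -CertPrincipalName 'msstd:*.abc.com'

# Check the result: the names on the installed certificate should cover every
# host name configured above, and the certificate should be bound to IIS.
Get-ExchangeCertificate -Server $Server |
    Format-List Subject, CertificateDomains, Services, NotAfter
Get-ClientAccessServer -Identity $Server |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-OutlookAnywhere -Server $Server |
    Format-List InternalHostname, ExternalHostname, *RequireSsl
```

With a SAN certificate, every host name returned by the three verification commands should appear in `CertificateDomains`; any name that does not is one clients will get a certificate warning or authentication prompt on.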
