macxpres (Denmark) asked:
Intranet ssl problem with exchange server (.local name and cert.)

Hey guys,
I have an exchange server with name mail.server.local
Usually I add the name to the cert., so the local terminal users don't get a cert. warning.
But now after the Certificate Authorities Browser Forum have blacklisted intranet names, I don't know what to do.

I have the name mail.server.com and autodiscover.server.com in the cert. but the server is called mail.server.local when running autodiscover locally on the network or auto-setup on the local domain.

Any ideas?
SOLUTION by Timothy McCartney (United States of America)
Everyone will have this problem soon; you need to set up split DNS.

i.e.

if your cert is called

server.mypublicname.com

then create a DNS forward lookup zone called mypublicname.com
then create an A/Host record in it called server with the INTERNAL ip address of the server itself.
Then tell your users to go to https://server.mypublicname.com and it will work without error.

Yes, I know it's a pain; yes, I know your users will moan.

Gotcha: if you have www.mypublicname.com as your public website, don't forget to create a record called www that points to the PUBLIC IP address of the web server, or your internal hosts will no longer be able to access your public website.

Pete
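The split-DNS steps above, written out for a Windows DNS server as an added example (not Pete's own commands). It assumes the DnsServer PowerShell module, an AD-integrated zone, and placeholder names and addresses (mypublicname.com, dc01.server.local, 10.0.0.25, 203.0.113.5) that you replace with your own; the autodiscover record is included because the asker's cert carries that name too.

```powershell
# Added example: split DNS for the public name on the internal DNS server.
# Inside the LAN, server.mypublicname.com resolves to the INTERNAL address,
# so the name the users type matches the name in the public cert.
# Placeholders (adjust to your environment):
$PublicZone  = 'mypublicname.com'   # domain carried in the cert
$MailHost    = 'server'             # host label in the cert (server.mypublicname.com)
$InternalIP  = '10.0.0.25'          # internal IP of the Exchange server
$WebsiteIP   = '203.0.113.5'        # PUBLIC IP of the www web server
$InternalDns = 'dc01.server.local'  # internal DNS server used for verification

Import-Module DnsServer

# 1. Forward lookup zone for the public name (AD-integrated, replicated to the
#    domain's DNS servers). From now on the internal resolvers are authoritative
#    for this zone, so any public host NOT recreated here stops resolving on the LAN.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain'
}

# 2. A records for the mail server and autodiscover, both pointing at the
#    INTERNAL address of the Exchange server.
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $MailHost     -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'autodiscover' -IPv4Address $InternalIP

# 3. The gotcha: the public website lives outside, so recreate www with its
#    PUBLIC address or internal hosts lose access to it.
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www' -IPv4Address $WebsiteIP

# 4. Verify what an internal client will actually get back.
$mail = Resolve-DnsName -Name "$MailHost.$PublicZone" -Type A -Server $InternalDns
$www  = Resolve-DnsName -Name "www.$PublicZone"       -Type A -Server $InternalDns
"$MailHost.$PublicZone -> $($mail.IPAddress) (expected $InternalIP)"
"www.$PublicZone -> $($www.IPAddress) (expected $WebsiteIP)"
```

If the internal DNS server is not a domain controller, replace `-ReplicationScope 'Domain'` with `-ZoneFile "$PublicZone.dns"` to create a file-backed primary zone instead.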
ASKER CERTIFIED SOLUTION
macxpres (ASKER):
Beautiful guys, thanks so much.
So if I create another cert. using the Certificate Authority role with the .local domain and only assign it to imap, pop and smtp it would work without the users getting an error when opening outlook?
And I'll still have the IIS service attached to the correct cert. from digicert for example to autodiscover and owa.
Yes, that is correct :-)
Thanks so much guys, It's really appreciated :-)
Anytime! :-)