Proper SBS 2011 Third Party Certificate

I was hoping to get some advice on purchasing a proper third party certificate for my SBS 2011 server.  Currently we are using the self-issued certificate but I am going to be purchasing one through GoDaddy to have a proper one installed.  

Right now I have two domain names, for example, office.domain1.com (primary SBS domain), and a second domain used primarily just for email, domain2.com.  I would also like to make sure that all SBS/Exchange services are valid with the new certificate, such as autodiscover and anything else needed for remote clients to properly communicate with my SBS/Exchange server.  

With these details what would need to be on the GoDaddy certificate in order for everything to function correctly?  I just want to make sure I get the settings right when I go to purchase this so I don't forget anything that should be there.  

Any information is appreciated.  

Thanks
ColumbiaMarketing Asked:

Nick Rhode (IT Director) Commented:
I guess just make sure you have your domains down.  GoDaddy UC allows, I believe, 5, so add at least these domains and anything else:

mail.domain.com
autodiscover.domain.com
domain.com

That should cover your mail, outlook anywhere, activesync etc.

It's hard to tell because that is a general guideline, for I am not aware of what you all have in place.

Refer to this as a general rule:

http://www.petri.co.il/forums/showthread.php?t=58277
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
What URL is used for ActiveSync, Outlook Anywhere, Remote Web Access portal, and other externally accessed services?

That is the URL to use.

NOTE: To allow RDGateway to use the certificate properly the GoDaddy certificate chain requires the Intermediates be imported into the Intermediate Certificate Store _before_ running the final step in the Third Party Trusted Certificates Wizard.

http://bit.ly/14Zr481
Install in the following order:
gd_cross_intermediate.crt
gd_intermediate.crt

More details on our SBS 2011 Standard Setup Guide in step 36: http://bit.ly/p3YbXO

Philip
0
ColumbiaMarketing (Author) Commented:
Thank you for the information.  Since I am currently using the self-signed certificate, I have a DNS entry in my public and local DNS for autodiscover.domain.com to work.  Once I install the GoDaddy certificate with the autodiscover.domain.com added should I remove the public and local entries?
0

ColumbiaMarketing (Author) Commented:
The URL I use for ActiveSync, Outlook Anywhere and Remote Web Access is office.domain.com.
0
Nick Rhode (IT Director) Commented:
So your cert would typically look like this:

office.domain.com
autodiscover.domain.com
domain.com
domain


You keep the entries above for autodiscover and make sure office.domain.com is also there.  You will just be assigning services to the certificate with the install certificate manager on SBS.
0

ColumbiaMarketing (Author) Commented:
Oh ok, I was under the impression that the public and local autodiscover DNS entries are not needed with a proper third party certificate.  But if that's not the case then I will keep those entries.
0
ColumbiaMarketing (Author) Commented:
Would it be best to start this process using the SBS certificate wizard request, or should I just contact GoDaddy directly to get the certificate, then install it on the SBS server?
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
Were the Getting Started Tasks Wizards used to set this server up?

A UCC is _not_ required for SBS.

Please use the wizards.

The Internet Address wizard will set up _one_ URL for _all_ services. Splitting them off manually in any way breaks things.

Please do not use autodiscover.domain.com as that also breaks things with the certificates setup since SBS is using one IP/SSL setting for everything.

Use the following to set up AutoDiscover using a TXT file in the public DNS:
_autodiscover._tcp IN SRV 0 0 443 office.contoso.com

Users will need to check the "Don't Ask Me" and ALLOW button on the prompt that comes up the first time they try to hook into Outlook Anywhere.

Philip
0
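The answer above hinges on two checks a practitioner would want to run before buying the certificate: that the single wizard URL (plus the bare domain) is on the certificate's SAN list, and that the public `_autodiscover._tcp` SRV record points at that same covered hostname on port 443 rather than at a separate autodiscover name. The following is an added example, not code from the thread or from SBS; the SAN list and the SRV line are constructed sample values, and `office.contoso.com` is the placeholder name Philip used.

```python
import re

# Constructed sample data (not from the thread): the SANs such a certificate
# might carry, and the SRV line in the form given in the answer above.
SAMPLE_SANS = ["office.contoso.com", "contoso.com"]
SAMPLE_SRV = "_autodiscover._tcp IN SRV 0 0 443 office.contoso.com"

# BIND-style SRV line: name [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$")

def parse_srv(record):
    """Parse one SRV record line; the target is returned without a trailing dot."""
    m = SRV_RE.match(record.strip())
    if not m:
        raise ValueError("not an SRV record: %r" % record)
    return {"name": m.group("name"), "priority": int(m.group("prio")),
            "weight": int(m.group("weight")), "port": int(m.group("port")),
            "target": m.group("target").lower()}

def san_matches(san, host):
    """RFC 6125-style match: exact name, or a single left-most wildcard label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        sl, hl = san.split("."), host.split(".")
        return len(sl) == len(hl) and sl[1:] == hl[1:]
    return False

def missing_names(sans, required):
    """Return the required hostnames that no SAN on the certificate covers."""
    return [h for h in required if not any(san_matches(s, h) for s in sans)]

def check_autodiscover_srv(sans, srv_record):
    """Autodiscover via SRV only works if the record is _autodiscover._tcp,
    points at HTTPS (443) and its target is a name the certificate covers."""
    rec = parse_srv(srv_record)
    labels = rec["name"].split(".")
    if labels[0] != "_autodiscover" or "_tcp" not in labels:
        return False, "record name must be _autodiscover._tcp"
    if rec["port"] != 443:
        return False, "port %d is not 443" % rec["port"]
    if missing_names(sans, [rec["target"]]):
        return False, "SRV target %s is not on the certificate" % rec["target"]
    return True, "ok"

if __name__ == "__main__":
    print(missing_names(SAMPLE_SANS, ["office.contoso.com", "contoso.com"]))
    print(check_autodiscover_srv(SAMPLE_SANS, SAMPLE_SRV))
```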
ColumbiaMarketing (Author) Commented:
Yes, the wizards were used in the initial setup.  But my goal is to have a proper SSL certificate installed instead of using the self-signed certificate.  That way it can be properly authenticated with a paid-for certificate and be as professional as can be.  

So if I understand you correctly, you advise to not use CNAME or HOST (A) records, instead use SRV records with a proper GoDaddy certificate?  

Sorry for all the questions.  I just want to make sure I am doing this properly.
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
For the URL/SSL certificate you will have a DNS A record for office.domain.com pointing the WAN IP on your edge device.

The TXT record would also be set in your public DNS with the noted autodiscover setup and points to your office.domain.com DNS A record.

A DNS A/CNAME for autodiscover.domain.com should _not_ be used at all as this causes problems.

Philip
0
ColumbiaMarketing (Author) Commented:
Currently I have an A record for office.domain.com pointing to the correct WAN IP, so I should be good there.  

I do apologize for the confusion as I was mostly just referring to the autodiscover/activesync entries and the best implementation of them.  Since I am currently using a CNAME record for autodiscover, I will take your advice and once I have a trusted certificate through GoDaddy I will remove those entries and replace them with SRV records instead.  Does this sound like the best approach?  

Thanks again.
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
Autodiscover set up using the TXT file makes things work just fine.

ActiveSync and other such services are configured by the wizards and will use the URL set by the wizards.

The Third Party Trusted Certificates Wizard should be used to generate the CSR (use the 2048 bit option please if it requests) and then again to import the newly generated certificate.

NOTE: The intermediates need to be imported _before_ completing the CSR if using the GoDaddy certificate chain (other is StarField - we don't use this one).

Philip
0
ColumbiaMarketing (Author) Commented:
MPECSInc, in reviewing your recommendations again, are you saying that in a typical SBS 2011 environment you don't really need to purchase a third party certificate?  Instead just use the typical self-signed cert with SRV records for autodiscover/activesync to work properly?  I only ask because I did use the wizards in the initial setup, so do I really have a need to purchase a third party cert?  One of my goals, for example, is to get the certificate warnings to stop when I configure, say, an iPhone for Exchange email.  Is the only way to get those warnings to stop to purchase a certificate?
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
No.

I am giving you the "How-To" get things going with a GoDaddy certificate.

Yes, there is no point in running with self-issued certificates when a GD cert price can be found for $12/Year or less.

Third Party = Less Support Contact + Easier device/Outlook Anywhere setup as outlined above.

Philip
0
ColumbiaMarketing (Author) Commented:
Thank you Philip.  Just to verify, do I also need to add an SRV record in my own internal DNS, or only public DNS?
0
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
There is a Service Connection Point in AD that takes care of internal Outlook connections. No need to change anything/add anything to the internal DNS please.

Philip
0
Nick Rhode (IT Director) Commented:
Best and easiest to use both, in my opinion, for internal and external DNS.

SBS 2011: just run the certificate wizard and add the URLs to it.

Here for step by step:  http://blog.ronnypot.nl/?p=414
0