ColumbiaMarketing asked:
Proper SBS 2011 Third Party Certificate

I was hoping to get some advice on purchasing a proper third party certificate for my SBS 2011 server.  Currently we are using the self-issued certificate but I am going to be purchasing one through GoDaddy to have a proper one installed.  

Right now I have two domain names, for example, office.domain1.com (primary SBS domain), and a second domain used primarily just for email, domain2.com.  I would also like to make sure that all SBS/Exchange services are valid with the new certificate, such as autodiscover and anything else needed for remote clients to properly communicate with my SBS/Exchange server.  

With these details what would need to be on the GoDaddy certificate in order for everything to function correctly?  I just want to make sure I get the settings right when I go to purchase this so I don't forget anything that should be there.  

Any information is appreciated.  

Thanks
Nick Rhode:
I guess just make sure you have your domains down.  GoDaddy UC allows, I believe, 5, so add at least these domains and anything else:

mail.domain.com
autodiscover.domain.com
domain.com

That should cover your mail, outlook anywhere, activesync etc.

It's hard to tell, because that is a general guideline and I am not aware of what you all have in place.

Refer to this as a general rule:

http://www.petri.co.il/forums/showthread.php?t=58277
Philip Elder:
What URL is used for ActiveSync, Outlook Anywhere, Remote Web Access portal, and other externally accessed services?

That is the URL to use.

NOTE: To allow RDGateway to use the certificate properly the GoDaddy certificate chain requires the Intermediates be imported into the Intermediate Certificate Store _before_ running the final step in the Third Party Trusted Certificates Wizard.

http://bit.ly/14Zr481
Install in the following order:
gd_cross_intermediate.crt
gd_intermediate.crt

More details on our SBS 2011 Standard Setup Guide in step 36: http://bit.ly/p3YbXO

Philip
ColumbiaMarketing (asker):
Thank you for the information.  Since I am currently using the self-signed certificate, I have a DNS entry in my public and local DNS for autodiscover.domain.com to work.  Once I install the GoDaddy certificate with the autodiscover.domain.com added should I remove the public and local entries?
The URL I use for activesync, outlook anywhere and remote web access is office.domain.com.
ASKER CERTIFIED SOLUTION
Nick Rhode:
Oh ok, I was under the impression that the public and local autodiscover DNS entries are not needed with a proper third party certificate.  But if that's not the case then I will keep those entries.
Would it be best to start this process using the SBS certificate wizard request, or should I just contact GoDaddy directly to get the certificate, then install it on the SBS server?
SOLUTION
Yes, the wizards were used in the initial setup.  But my goal is to have a proper SSL certificate installed instead of using the self-signed certificate.  That way it can be properly authenticated with a paid for certificate and be professional as can be.  

So if I understand you correctly, you advise to not use CNAME or HOST (A) records, instead use SRV records with a proper GoDaddy certificate?  

Sorry for all the questions.  I just want to make sure I am doing this properly.
For the URL/SSL certificate you will have a DNS A record for office.domain.com pointing to the WAN IP on your edge device.

The TXT record would also be set in your public DNS with the noted autodiscover setup and points to your office.domain.com DNS A record.

A DNS A/CNAME for autodiscover.domain.com should _not_ be used at all as this causes problems.

Philip
Currently I have an A record for office.domain.com pointing to the correct WAN IP, so I should be good there.  

I do apologize for the confusion as I was mostly just referring to the autodiscover/activesync entries and the best implementation of them.  Since I am currently using a CNAME record for autodiscover, I will take your advice and once I have a trusted certificate through GoDaddy I will remove those entries and replace them with SRV records instead.  Does this sound like the best approach?  

Thanks again.
Autodiscover set up using the TXT file makes things work just fine.

ActiveSync and other such services are configured by the wizards and will use the URL set by the wizards.

The Third Party Trusted Certificates Wizard should be used to generate the CSR (use the 2048 bit option please if it requests) and then again to import the newly generated certificate.

NOTE: The intermediates need to be imported _before_ completing the CSR if using the GoDaddy certificate chain (the other is Starfield - we don't use this one).

Philip
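The checks the thread keeps circling back to (Nick's list of names the UC certificate must carry, Philip's A-record/SRV layout for autodiscover, and the note that the GoDaddy intermediates must already be in the Intermediate store before the Third Party Trusted Certificates Wizard finishes) can be verified from the server before and after the wizard is run. The script below is an added example written for this page; it is not from the thread, from Experts Exchange, or from any of the linked guides. It runs in the Exchange Management Shell on the SBS 2011 server and only reports, it changes nothing. Assumptions: `office.domain1.com` and `domain2.com` are placeholders for the asker's two domains, `8.8.8.8` is used as an external resolver so the DNS answers reflect public DNS rather than the server's own zone, and GoDaddy intermediates are recognised by the string `Go Daddy` in their Subject.

```powershell
# Added example (not from the thread or the linked guides). Run inside the
# Exchange Management Shell on the SBS 2011 server as an administrator.
# It reports, without changing anything:
#   1. every host name Exchange publishes to clients vs. the names on the
#      certificate currently bound to IIS (Outlook Anywhere, ActiveSync, OWA/RWA);
#   2. what public DNS says for autodiscover on the e-mail domain (SRV vs A/CNAME);
#   3. whether GoDaddy intermediates are already in the Intermediate store,
#      which must be true before the Third Party Trusted Certificates Wizard
#      imports the issued certificate.
# Assumptions: the two placeholder domains stand in for office.domain1.com /
# domain2.com from the question; 8.8.8.8 is an external resolver so the answer
# reflects public DNS, not the server's own zone; GoDaddy intermediates are
# recognised by 'Go Daddy' appearing in their Subject.

$PublicHost     = 'office.domain1.com'   # URL used for RWA, Outlook Anywhere, ActiveSync
$MailDomain     = 'domain2.com'          # SMTP domain whose autodiscover is being checked
$PublicResolver = '8.8.8.8'              # external resolver for the public-DNS checks

# Extract a lower-cased host name from a URL string; $null for empty values.
function Get-HostFromUrl([string]$Url) {
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    return ([System.Uri]$Url).Host.ToLower()
}

# --- 1. Names Exchange hands out to clients ----------------------------------
$expected = @($PublicHost.ToLower())
$cas = Get-ClientAccessServer | Select-Object -First 1
$expected += Get-HostFromUrl $cas.AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OwaVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-OabVirtualDirectory)
foreach ($vd in $vdirs) {
    $expected += Get-HostFromUrl $vd.InternalUrl
    $expected += Get-HostFromUrl $vd.ExternalUrl
}
foreach ($oa in @(Get-OutlookAnywhere)) { $expected += "$($oa.ExternalHostname)".ToLower() }
$expected = @($expected | Where-Object { $_ } | Sort-Object -Unique)

# --- 2. Certificate bound to IIS ---------------------------------------------
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# --- 3. Public DNS for autodiscover ------------------------------------------
# nslookup is used because Resolve-DnsName does not exist on Server 2008 R2.
$srvOut = nslookup -type=SRV "_autodiscover._tcp.$MailDomain" $PublicResolver 2>&1 | Out-String
$srvTarget = $null
if ($srvOut -match 'svr hostname\s*=\s*(\S+)') { $srvTarget = $matches[1].TrimEnd('.').ToLower() }
$aOut = nslookup "autodiscover.$MailDomain" $PublicResolver 2>&1 | Out-String
# Anything other than an explicit "can't find" answer is treated as a record being present.
$hasHostRecord = -not ($aOut -match "can't find")

# --- 4. Intermediate Certification Authorities store -------------------------
$gdIntermediates = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -match 'Go Daddy' })

# --- Report ------------------------------------------------------------------
"Certificate on IIS: $($cert.Subject)  self-signed=$($cert.IsSelfSigned)  expires=$($cert.NotAfter)"
"`n== Name coverage =="
foreach ($h in $expected) {
    $wild = '*.' + ($h -replace '^[^.]+\.', '')
    if (($certNames -contains $h) -or ($certNames -contains $wild)) { $state = 'on certificate' }
    else { $state = 'MISSING - add to the CSR' }
    "{0,-45} {1}" -f $h, $state
}
"`n== Public DNS: autodiscover.$MailDomain =="
if ($srvTarget) {
    "SRV _autodiscover._tcp.$MailDomain -> $srvTarget"
    if ($certNames -notcontains $srvTarget) { "WARNING: SRV target $srvTarget is not on the certificate" }
} else { "no SRV record" }
if ($hasHostRecord) {
    "A/CNAME present: Outlook tries https://autodiscover.$MailDomain before the SRV lookup, so that name must be on the certificate"
    if ($certNames -notcontains "autodiscover.$MailDomain") { "WARNING: autodiscover.$MailDomain is not on the certificate" }
} else { "no A/CNAME (SRV-only layout)" }
"`n== Intermediate store (Cert:\LocalMachine\CA) =="
if ($gdIntermediates.Count -gt 0) { $gdIntermediates | ForEach-Object { "present: $($_.Subject)" } }
else { "no GoDaddy intermediate found - import gd_cross_intermediate.crt, then gd_intermediate.crt, before finishing the wizard" }
```

Run it once with the self-issued certificate still in place to see the full list of names the CSR needs, and again after the wizard has imported the GoDaddy certificate to confirm nothing is reported as MISSING. Querying an external resolver matters here because the SBS box is usually its own DNS server, so a plain `nslookup` would show the internal zone rather than what a phone or Outlook Anywhere client on the internet will resolve.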
MPECSInc, in reviewing your recommendations again, are you saying that in a typical SBS 2011 environment you don't really need to purchase a third party certificate?  Instead just use the typical self-signed cert with SRV records for autodiscover/activesync to work properly?  I only ask because I did use the wizards in the initial setup, so do I really have a need to purchase a third party cert?  One of my goals, for example, is to get the certificate warnings to stop when I configure, say, an iPhone for Exchange email.  Is the only way to get those warnings to stop to purchase a certificate?
No.

I am giving you the "How-To" get things going with a GoDaddy certificate.

Yes, there is no point in running with self-issued certificates when a GD cert price can be found for $12/Year or less.

Third Party = Less Support Contact + Easier device/Outlook Anywhere setup as outlined above.

Philip
Thank you Philip.  Just to verify, do I also need to add an SRV record in my own internal DNS, or only public DNS?
There is a Service Connection Point in AD that takes care of internal Outlook connections. No need to change anything/add anything to the internal DNS please.

Philip
Best and easiest to use both in my opinion for internal and external DNS.

SBS 2011: just run the certificate wizard and add the URLs to it.

Here for step by step:  http://blog.ronnypot.nl/?p=414