Exchange 2010 SSL Cert

Have Exchange 2010 Server
Have Outlook 2010 Clients

Everything has been working correctly for over 2 years.

Had to renew SSL Cert (via Godaddy)
5 UCC Cert, All Alternative Names were related to external references (i.e. mail.theclient.com, connect.theclient.com, www.theclient.com)

Renewed, Installed, Assigned Services, All External connections and references are working correctly.

When my Outlook users login at the office, they get an SSL Cert warning.
If you view it and try to install it, it won't install, even though it says it's installed. When you open Outlook the next time, the SSL warning presents itself again.

My question is: should I have put the internal name of the mail server on the SSL cert as one of the Alternative Names? Is that why I have this issue?

Need some guidance
tech911Asked:

Nick RhodeIT DirectorCommented:
Depends on how the Outlook client is connecting to it and how it's resolving through DNS. If the internal name was excluded from it and that's how it was working, that is the issue.
0
GawaiCommented:
Did you contact GoDaddy customer care?
0
tech911Author Commented:
Didn't contact anyone yet, wanted to get my arms around the problem before looking for help.

Internally it is referencing the internal server via Autodiscover. So I am guessing that I need the internal name on the cert.

What names are required on the SSL cert for exchange to work correctly?
connect.theclientname.com
internalmailserver
?
?
?

Thoughts?
0

Simon Butler (Sembee)ConsultantCommented:
You cannot put the internal name on the SSL certificate.
Therefore you need to setup a split DNS system and configure Exchange to use the external names internally.

http://semb.ee/hostnames

Simon.
0
tech911Author Commented:
I understand what you are saying.

Read your split DNS and Webservices posts.

Pretty sure I would be replacing single host, but honestly it seems a little confusing as to the particulars.

Your Split DNS Instructions below:

SETTING UP NEW ZONE
    On your primary DNS server, start the DNS administration tool.
    Right click on the server and choose New Zone.
    Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated    
    (you may have to deselect an option).
 
When asked for the domain name, enter the host that you want to replace... ??????

This is where I am confused:

 For example if you want to replace owa.example.com then you would enter owa.example.com

Do I want a public address to be replaced, like mail.theclient.com, or do I want my private theclientmailserver.local to be replaced?

If I have multiple to be replaced, like autodiscover.theclientmailserver.local and theclientmailserver.local:

Do I need to repeat the process for each one that I need to resolve internally?

Help?

    Accept the option about creating a file.
    As this is not an AD integrated zone, disable dynamic updates.


I will comment on my confusion or concerns with the Adding a Host instructions after we get this figured out.
0
Simon Butler (Sembee)ConsultantCommented:
You are only replacing external hosts.
That allows mail.example.com to resolve to an internal IP address.
In the main, most people have two hosts that they replace:

host.example.com (the common name, used for OWA, Outlook Anywhere etc)
autodiscover.example.com

You have to do it for each host name that you want to resolve internally.

You don't have autodiscover.example.local, as Outlook doesn't use it.

Simon.
0
tech911Author Commented:
SIMON SAID:
You are only replacing external hosts.
That allows mail.example.com to resolve to an internal IP address.

CHRIS SAID:
This would only allow mail.example.com to resolve to an internal address from behind our firewall using our internal DNS server.

Is that correct?
0
Nick RhodeIT DirectorCommented:
Basically you have to point your DNS correctly, so for instance:

Internal

ExchangeServer - IP: 192.0.0.10

DNS records to resolve (again this is only to how you have your environment)

Autodiscover.domain.com
Mail.domain.com
Domain.com

All these records point to your Exchange server IP, so these are what you want on your certificate. I used mail.domain.com to simplify my records for easier understanding, but yours might be different for your mail. So if I wanted to get to OWA I would type in mail.domain.com/owa.

What we are trying to say is your naming schema has to match what's on Exchange, so if you check the URLs on the Exchange server you would get a better idea of what to have on the certificate. The above is a general guideline, for I do not know what URLs you specified on the Exchange server.

**If you do not have Split DNS setup and your internal DNS is domain.local you would have to create a 2nd zone in your DNS for domain.com**
0
Simon Butler (Sembee)ConsultantCommented:
That is pretty much correct.
I would advise against creating a zone for the root of the domain though, as that means you have to replace everything in that external zone, such as www and FTP. If you do a single host name, as you have already discovered, it doesn't affect everything else.

Simon.
0
tech911Author Commented:
It took me a while to figure out what you guys were talking about. It is important to note that there are two steps to this process...

Step 1: Set up your split DNS, basically providing users behind your firewall with the ability to use an external URL (the ones on your certificate that you feel are necessary to use) so that they will in actuality route/resolve to the internal IP of your Exchange server if you try to access them behind your firewall.

Step 2: Modify the internal URIs of Autodiscover and web services using the Exchange PowerShell (I can't remember what it's called right now), then make them match the external URLs you have on your certificate; these will be the same ones you set up in your split DNS in step 1.

Thanks again for the help, I am grateful for the assistance.
0
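Putting the two steps from this thread together (Simon's single-host split-DNS zones and Nick's point that the URLs Exchange advertises must match the certificate names), as an added example that is not from any participant in the thread. The server name EX01, the names mail.example.com and autodiscover.example.com and the address 192.0.2.10 are constructed placeholders; Part 1 is run on the internal Windows DNS server, Part 2 in the Exchange Management Shell.

```powershell
# Added example, not from the thread. Placeholders (constructed): EX01, mail.example.com,
# autodiscover.example.com, 192.0.2.10 (RFC 5737 documentation range).
$Server   = "EX01"
$MailHost = "mail.example.com"           # common name used for OWA, EWS, Outlook Anywhere
$AutoHost = "autodiscover.example.com"
$CasIp    = "192.0.2.10"                 # internal address of the Exchange CAS

# --- Part 1 (internal DNS server): one standard primary zone per public host name ---
# Naming the zone after the host overrides only that name; www, ftp etc. in the public
# example.com zone keep resolving to their external addresses.
foreach ($Zone in @($MailHost, $AutoHost)) {
    dnscmd . /ZoneAdd $Zone /Primary /file "$Zone.dns"   # file-backed, not AD-integrated
    dnscmd . /Config $Zone /AllowUpdate 0                 # dynamic updates off (0 = none)
    dnscmd . /RecordAdd $Zone "@" A $CasIp                # "@" = zone apex = the host itself
}

# --- Part 2 (Exchange Management Shell): advertise the same public names internally ---
# The SCP record that domain-joined Outlook queries first for Autodiscover.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoHost/Autodiscover/Autodiscover.xml"

# InternalUrl values are what Autodiscover hands back to Outlook on the LAN;
# every host here has to be a subject alternative name on the IIS certificate.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$MailHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$MailHost/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$MailHost/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$MailHost/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$MailHost/Microsoft-Server-ActiveSync"

# --- Check: flag any advertised host name that is missing from the IIS-bound certificate ---
$CertNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() }
$Advertised = @(
    (Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri.Host
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl.Host
    (Get-OwaVirtualDirectory -Server $Server).InternalUrl.Host
) | Sort-Object -Unique
$Advertised | Where-Object { $CertNames -notcontains $_ } |
    ForEach-Object { Write-Warning "$_ is advertised to clients but is not on the IIS certificate" }
```

Outlook clients need to restart (or run `nslookup mail.example.com` against the internal DNS server) before the cached name resolution and Autodiscover settings pick up the change.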