Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange Certs after Oct 2015

Posted on 2013-11-20
10
Medium Priority
?
394 Views
Last Modified: 2013-11-25
Okay, I seem to be running into this a bit lately, but nobody seems to be able to answer this.  When setting up an Exchange server 2007/2010 I used to get a UCC certificate that has the following names in them:
exchange.company.local
autodiscover.company.com
mail.company.com

These three entries would get me up an running in a single server Exchange setup.  But, now if I request a certificate that is past Oct 2015, I'm being told I can't have the exchange.company.local included.  

So how do I get my internal users to connect with Outlook, if I don't have a certificate with the internal name on it?
0
Comment
Question by:Computech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39664693
For smaller deployments, Exchange does not, never has, and most importantly (for security reasons) SHOULD not have certificates with .local in them. You set your URLs to a public FQDN via powershell and you deploy split DNS if necessary

for very large deployments, you can have internal CAS servers with private FQDN certificates issued by your internal CA but you'd want to prevent any and all public traffic to those CAS servers to prevent any MITM attacks.

so, in short, refer to the exchange deployment guides and pick your URLs accordingly so you can get a legit public cert.
0
 
LVL 9

Expert Comment

by:Mahesh Sharma
ID: 39665429
Have you deployed this certificate on all exchange servers or on your public facing security device.

If exchange servers are using only self signed certs then you can go for internal CA certs
Other thing you may try is to create a CName record for .local pointing to some certificate name
0
 

Author Comment

by:Computech
ID: 39666528
Well, what I have been doing may not be best practice, but it got the job done!  Anyways, so I still don't see a solution here.

Exchange 2010 doesn't support having 2 certificates on a single service, so I can't have an internal cert and a public cert installed, to cover both internal users and external users.

I cannot change my internal domain on my AD to match, or to something real.

How does everyone do this?  I can't be the only guy to run into this?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39666553
As I said, you don't need to use your internal domain name at all. Simply set your various directories (you can do this in the GUI or PowerShell) to use a public FQDN. Those URLs will be what exchange gives to outlook clients (even internal ones) so those are the only names you need on the cert.

And if you want internal clients to hit an internal IP instead of looping out and back in through a router, you can additionally set up split DNS. Does that make more sense?
0
 

Author Comment

by:Computech
ID: 39666879
I think so!?  Let me repeat it back to make sure I'm understanding correctly.

So, I should go into my virtual directories and change the internal URLs to the same thing externally.  Then, go and create a new zone in my DNS for my external domain so I can internally resolve my URLs.

Is this the recommended way to do this?  I don't mind doing this, but I just want to make sure I'm not going to run into anymore issues with these certificates, by doing this.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39667091
Yep
0
 

Author Comment

by:Computech
ID: 39667660
Okay, so I tried what you suggested and I'm still getting a certificate error saying, because its still looking at the internal name.  Anything else that I need to change?  We've opened and closed Outlook a few times to see if it was something that needed to be propagated, but no joy.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39667750
Make sure you'd updated all URLs, including OA, offline address books, EWS, and auto discover. Outlook's connectivity tests are also helpful in troubleshooting
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39668397
There are quite a few bits that need to be changed. I have recorded them all, including a script to change them for you in one go here: http://semb.ee/hostnames

The one most people miss is the Autodiscover URI on set-clientaccessserver

Simon.
0
 

Author Closing Comment

by:Computech
ID: 39676234
Once I followed the prescribed steps, the error in Outlook went away.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This video discusses moving either the default database or any database to a new volume.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question