Solved

Exchange 2010 UCC Certificate - Can't get internal domain name listed in cert so we have issues.

Posted on 2013-12-12
Last Modified: 2016-07-13
I have a customer with a new Exchange 2010 install.  They were ready to turn up OutlookAnywhere and we purchased the appropriate UCC cert for them. We added in owa.domain.com as well as any other FQDNs we thought appropriate. All was well, remote devices could connect.

But now internal users are complaining that every time they launch Outlook they get a security alert. The name on the cert doesn't match the name of the server they are connecting to.

I went to modify the UCC cert to add the internal FQDN of the Exchange server and I can't because the internal FQDN is something they don't own, but is a real domain name: Exchange.RealDomainName.com

There is no way for me to add this FQDN to the cert. How do I get the internal Outlook users to either accept this, or to go back to using the self signed cert they were using before?
Question by:cogenttech
14 Comments
 

Author Comment

by:cogenttech
ID: 39715149
Screen shot attached for reference.
abc.JPG
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39715162
You wouldn't add internal to the certificate and typically I register mail.domain.com and that's how I set up my internal and external.

UCC would look something like this

mail.domain.com
autodiscover.domain.com
domain.com
domain

Setup internal DNS and resolve mail.domain.com to the exchange server
 

Author Comment

by:cogenttech
ID: 39715177
Makes sense. Outlook is currently trying to connect to Exchange via the internal but invalid FQDN.

How would I change the connection for Outlook to use the desired external/public FQDN that the cert is registered for?


Just in case my scenario isn't clear, let's say the customer's public domain name is bigprint.com, so our public mail server name is mail.bigprint.com. The cert has:

mail.bigprint.com
owa.bigprint.com
autodiscover.bigprint.com

All works great externally. But their internal domain name is google.com (obviously not this, but they chose a public domain name for internal domain that wasn't theirs).
The mail server is exchange.google.com. All the clients access it as exchange.google.com which doesn't match the cert.

How do I tell Outlook to go ahead and use mail.bigprint.com instead, so it matches the cert?
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39715227
Create a 2nd DNS zone internally for bigprint.com

Create a DNS record then for mail.bigprint.com and autodiscover.bigprint.com and point them to the exchange server.  Keep in mind if you have a website or such as www.bigprint.com, you will have to create a www record and a blank record so internal users can get to the site.  That record will point to the IP of your website etc.  It's basically split DNS.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39716126
I don't think I would create a full zone for the external domain, as that causes more issues. The best way is to use a single host name replacement, so you are only doing zones for the actual hosts that you want to use.

Then change the configuration within Exchange to match.

I have outlined the full process here: http://semb.ee/hostnames

Simon.
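The split-DNS approach Nick describes and the single-host-name replacement Simon describes, written out as an added example (not from the thread or from Simon's linked article). It assumes the names from the question (mail.bigprint.com, autodiscover.bigprint.com), a Client Access server named EXCH01 at 10.0.0.5, and that it runs in the Exchange Management Shell on a box where dnscmd can reach the internal DNS server.

```powershell
# Added example; server name, IP and host names are assumptions from the thread.
$Cas        = "EXCH01"
$CasIp      = "10.0.0.5"
$PublicName = "mail.bigprint.com"
$AutoDName  = "autodiscover.bigprint.com"

# 1. Pinpoint zones: one internal zone per host name instead of a full
#    bigprint.com zone, so www, MX and everything else still resolve via
#    public DNS. The apex ("@") record of each tiny zone points at the CAS.
foreach ($name in $PublicName, $AutoDName) {
    dnscmd /ZoneAdd $name /DsPrimary
    dnscmd /RecordAdd $name "@" A $CasIp
}

# 2. Make every internal URL that Exchange hands to Outlook use the public
#    name, so the host Outlook connects to is one the certificate SAN covers.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AutoDName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa"
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "https://$PublicName/ecp"

# 3. Check: every host in the internal URLs must be a name on the IIS cert.
#    Anything still pointing at exchange.google.com shows up as a warning.
$sans = (Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }).CertificateDomains
$urls = @(
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl,
    (Get-OABVirtualDirectory -Server $Cas).InternalUrl,
    (Get-OwaVirtualDirectory -Server $Cas).InternalUrl
)
foreach ($u in $urls) {
    $h = ([Uri]$u).Host
    if ($sans -notcontains $h) { Write-Warning "$h is not in the certificate SAN list" }
}
```

Outlook caches the Autodiscover result, so restart the clients after the change before judging whether the prompt is gone.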
 

Author Comment

by:cogenttech
ID: 39720737
Simon

I followed the instructions in the link you said. I can see now that the Outlook clients are trying to connect via the public name. I thought this would do it, but they are still complaining about the certificate, even though in this case, the certificate matches the name.

Screenshots are of Outlook 2007
cert1.JPG
cert2.JPG
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39721240
Both of those errors are problems with the actual certificate itself, not Exchange configuration. Have you installed the intermediate certificate from GoDaddy? You may have to get the certificate rekeyed.

Simon.
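To tell a missing-intermediate problem apart from a name mismatch, an added example (not from the thread) that runs on an affected workstation: it fetches the certificate the server presents, prints the names it is valid for, and builds the chain the same way Windows does for Outlook. It assumes the public name mail.bigprint.com from the question.

```powershell
# Added example; the server name is an assumption taken from the thread.
$server = "mail.bigprint.com"

# Open a TLS session and capture whatever certificate the server sends.
# The callback returns $true only so we can inspect the cert ourselves below.
$tcp = New-Object System.Net.Sockets.TcpClient($server, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Names the certificate covers: subject CN plus the SAN extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
"Subject : $($cert.Subject)"
"SAN     : $(if ($sanExt) { $sanExt.Format($false) } else { '(none)' })"
"Issuer  : $($cert.Issuer)"

# Build the chain with the machine's trust store. A missing intermediate
# shows up here as PartialChain or UntrustedRoot even when the name matches.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
if ($chain.Build($cert)) {
    "Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join " -> ")
} else {
    foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation)" }
}
```

If the chain builds on the client but Outlook still complains, the cert being served is not the one you think it is, which is when a proxy or a second listener on the server becomes the suspect.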
 

Author Comment

by:cogenttech
ID: 39721856
Thanks Simon.
I rekeyed the cert and imported the intermediate. Same error as before.
Any other ideas?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39721861
Is the same error happening on all clients? It isn't something I have seen before, so has to be something in your environment interfering.
Do you have a proxy on your network?

Simon.
 

Author Comment

by:cogenttech
ID: 39721934
It is multiple users.
Server is still on RTM code. Could updating to SP3 solve the problem?
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39729526
If you are on RTM code then you should upgrade to SP3 before you do anything else. Exchange 2010 wasn't even finished until SP1.

Patch it, including the latest rollup.

Simon.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41704133
Object. I have provided multiple solutions to the problems posted.

ID: 39729526
ID: 39721240