Solved

Exchange SSL error for internal users.  Works fine for external

Posted on 2014-01-15
6
304 Views
Last Modified: 2014-01-17
Due to the new rules about SSL for internal domains I have a problem.  We just replaced our SSL on our exchange server and lost the ability to have internal domain on it.  We are now getting SSL errors on everyone using outlook.

Anyone have a solution to this as we have many clients that will run into this issue moving forward.
0
Comment
Question by:sidelogic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39784637
Since your internal hostnames are not in new certifiacte SAN names, you are getting errros

You can use SRV records for client discovery instead of Autodiscover to eliminate cert errors

http://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

Also i suggest you to change your internal URLs to match with external URLs (Split DNS) to avoid cert errors

Mahesh
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39784665
Internal SRV records are NOT required, and a waste of time unless you don't have Autodiscover.example.com on the certificate AND you have clients on your network which are not members of the domain.

The changes required are pretty straight forward - I have outlined them here:

http:/semb.ee/hostnames

Simon.
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39784872
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 
LVL 9

Accepted Solution

by:
dipersp earned 500 total points
ID: 39785362
You just need to update your internal URLs.  Also need to setup mail.domain.com (Or whatever is on your cert) to resolve internally to the Exchange server's internal IP.  Let me know if you need help on doing this in DNS.

On your 2010 server, run these powershell commands from Exchange Shell -

Get-ClientAccessServer | fl *uri
Get-WebServicesVirtualDirectory | fl *lurl
get-OabVirtualDirectory | fl *url

Some or all of these are probably pointing to exchange.domain.local and need to be changed to mail.domain.com.  To fix these, first record the results from above for backup purposes.  Then -

Set-ClientAccessServer -Identity [Exchange Netbios] -AutodiscoverServiceInternalUri https://mail.[DOMAIN].com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "[Exchange Netbios]\EWS (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "[Exchange Netbios]\oab (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/oab

I set ALL of these (Internal and external) to mail.domain.com as mail.domain.com internally should be resolving to the internet IP of your mail server anyway.  Usually this is set correctly already for the externals, so the above commands (For set-web and set-oab) are only setting the internals.  If your externals are wrong, fix those as well.

Also check in Exchange Console that things are set correctly under Server Config\Client Access and then check each of the tabs at the bottom of the screen (OWA, ECP, ActiveSync, etc.) and make sure internal and external point to mail.domain.com (Without altering the rest of the url, such as /owa /ecp, etc.)
0
 

Author Closing Comment

by:sidelogic
ID: 39789327
That worked great!  Sembe your link took me to no article so you may want to check on that...
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39789443
The EE system got in the way as it was missing an extra slash. It should have been http://semb.ee/hostnames

Simon.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question