Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Exchange SSL error for internal users.  Works fine for external

Posted on 2014-01-15
6
303 Views
Last Modified: 2014-01-17
Due to the new rules about SSL for internal domains I have a problem.  We just replaced our SSL on our exchange server and lost the ability to have internal domain on it.  We are now getting SSL errors on everyone using outlook.

Anyone have a solution to this as we have many clients that will run into this issue moving forward.
0
Comment
Question by:sidelogic
6 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39784637
Since your internal hostnames are not in new certifiacte SAN names, you are getting errros

You can use SRV records for client discovery instead of Autodiscover to eliminate cert errors

http://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

Also i suggest you to change your internal URLs to match with external URLs (Split DNS) to avoid cert errors

Mahesh
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39784665
Internal SRV records are NOT required, and a waste of time unless you don't have Autodiscover.example.com on the certificate AND you have clients on your network which are not members of the domain.

The changes required are pretty straight forward - I have outlined them here:

http:/semb.ee/hostnames

Simon.
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39784872
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 9

Accepted Solution

by:
dipersp earned 500 total points
ID: 39785362
You just need to update your internal URLs.  Also need to setup mail.domain.com (Or whatever is on your cert) to resolve internally to the Exchange server's internal IP.  Let me know if you need help on doing this in DNS.

On your 2010 server, run these powershell commands from Exchange Shell -

Get-ClientAccessServer | fl *uri
Get-WebServicesVirtualDirectory | fl *lurl
get-OabVirtualDirectory | fl *url

Some or all of these are probably pointing to exchange.domain.local and need to be changed to mail.domain.com.  To fix these, first record the results from above for backup purposes.  Then -

Set-ClientAccessServer -Identity [Exchange Netbios] -AutodiscoverServiceInternalUri https://mail.[DOMAIN].com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "[Exchange Netbios]\EWS (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "[Exchange Netbios]\oab (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/oab

I set ALL of these (Internal and external) to mail.domain.com as mail.domain.com internally should be resolving to the internet IP of your mail server anyway.  Usually this is set correctly already for the externals, so the above commands (For set-web and set-oab) are only setting the internals.  If your externals are wrong, fix those as well.

Also check in Exchange Console that things are set correctly under Server Config\Client Access and then check each of the tabs at the bottom of the screen (OWA, ECP, ActiveSync, etc.) and make sure internal and external point to mail.domain.com (Without altering the rest of the url, such as /owa /ecp, etc.)
0
 

Author Closing Comment

by:sidelogic
ID: 39789327
That worked great!  Sembe your link took me to no article so you may want to check on that...
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39789443
The EE system got in the way as it was missing an extra slash. It should have been http://semb.ee/hostnames

Simon.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question