• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

Exchange SSL error for internal users. Works fine for external

Due to the new rules about SSL for internal domains I have a problem.  We just replaced our SSL on our exchange server and lost the ability to have internal domain on it.  We are now getting SSL errors on everyone using outlook.

Anyone have a solution to this as we have many clients that will run into this issue moving forward.
0
sidelogic
Asked:
sidelogic
1 Solution
 
MaheshArchitectCommented:
Since your internal hostnames are not in new certifiacte SAN names, you are getting errros

You can use SRV records for client discovery instead of Autodiscover to eliminate cert errors

http://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

Also i suggest you to change your internal URLs to match with external URLs (Split DNS) to avoid cert errors

Mahesh
0
 
Simon Butler (Sembee)ConsultantCommented:
Internal SRV records are NOT required, and a waste of time unless you don't have Autodiscover.example.com on the certificate AND you have clients on your network which are not members of the domain.

The changes required are pretty straight forward - I have outlined them here:

http:/semb.ee/hostnames

Simon.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
diperspCommented:
You just need to update your internal URLs.  Also need to setup mail.domain.com (Or whatever is on your cert) to resolve internally to the Exchange server's internal IP.  Let me know if you need help on doing this in DNS.

On your 2010 server, run these powershell commands from Exchange Shell -

Get-ClientAccessServer | fl *uri
Get-WebServicesVirtualDirectory | fl *lurl
get-OabVirtualDirectory | fl *url

Some or all of these are probably pointing to exchange.domain.local and need to be changed to mail.domain.com.  To fix these, first record the results from above for backup purposes.  Then -

Set-ClientAccessServer -Identity [Exchange Netbios] -AutodiscoverServiceInternalUri https://mail.[DOMAIN].com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "[Exchange Netbios]\EWS (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "[Exchange Netbios]\oab (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/oab

I set ALL of these (Internal and external) to mail.domain.com as mail.domain.com internally should be resolving to the internet IP of your mail server anyway.  Usually this is set correctly already for the externals, so the above commands (For set-web and set-oab) are only setting the internals.  If your externals are wrong, fix those as well.

Also check in Exchange Console that things are set correctly under Server Config\Client Access and then check each of the tabs at the bottom of the screen (OWA, ECP, ActiveSync, etc.) and make sure internal and external point to mail.domain.com (Without altering the rest of the url, such as /owa /ecp, etc.)
0
 
sidelogicIT ManagerAuthor Commented:
That worked great!  Sembe your link took me to no article so you may want to check on that...
0
 
Simon Butler (Sembee)ConsultantCommented:
The EE system got in the way as it was missing an extra slash. It should have been http://semb.ee/hostnames

Simon.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now