Solved

Exchange SSL error for internal users.  Works fine for external

Posted on 2014-01-15
6
301 Views
Last Modified: 2014-01-17
Due to the new rules about SSL for internal domains I have a problem.  We just replaced our SSL on our exchange server and lost the ability to have internal domain on it.  We are now getting SSL errors on everyone using outlook.

Anyone have a solution to this as we have many clients that will run into this issue moving forward.
0
Comment
Question by:sidelogic
6 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39784637
Since your internal hostnames are not in new certifiacte SAN names, you are getting errros

You can use SRV records for client discovery instead of Autodiscover to eliminate cert errors

http://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

Also i suggest you to change your internal URLs to match with external URLs (Split DNS) to avoid cert errors

Mahesh
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39784665
Internal SRV records are NOT required, and a waste of time unless you don't have Autodiscover.example.com on the certificate AND you have clients on your network which are not members of the domain.

The changes required are pretty straight forward - I have outlined them here:

http:/semb.ee/hostnames

Simon.
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39784872
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 9

Accepted Solution

by:
dipersp earned 500 total points
ID: 39785362
You just need to update your internal URLs.  Also need to setup mail.domain.com (Or whatever is on your cert) to resolve internally to the Exchange server's internal IP.  Let me know if you need help on doing this in DNS.

On your 2010 server, run these powershell commands from Exchange Shell -

Get-ClientAccessServer | fl *uri
Get-WebServicesVirtualDirectory | fl *lurl
get-OabVirtualDirectory | fl *url

Some or all of these are probably pointing to exchange.domain.local and need to be changed to mail.domain.com.  To fix these, first record the results from above for backup purposes.  Then -

Set-ClientAccessServer -Identity [Exchange Netbios] -AutodiscoverServiceInternalUri https://mail.[DOMAIN].com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "[Exchange Netbios]\EWS (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "[Exchange Netbios]\oab (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/oab

I set ALL of these (Internal and external) to mail.domain.com as mail.domain.com internally should be resolving to the internet IP of your mail server anyway.  Usually this is set correctly already for the externals, so the above commands (For set-web and set-oab) are only setting the internals.  If your externals are wrong, fix those as well.

Also check in Exchange Console that things are set correctly under Server Config\Client Access and then check each of the tabs at the bottom of the screen (OWA, ECP, ActiveSync, etc.) and make sure internal and external point to mail.domain.com (Without altering the rest of the url, such as /owa /ecp, etc.)
0
 

Author Closing Comment

by:sidelogic
ID: 39789327
That worked great!  Sembe your link took me to no article so you may want to check on that...
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39789443
The EE system got in the way as it was missing an extra slash. It should have been http://semb.ee/hostnames

Simon.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now