Solved

Exchange 2010 SSL Cert

Posted on 2014-02-18
Last Modified: 2014-02-19
What is the best method for getting internal and external SSL certificates working with Exchange 2010? Namely for autodiscover and OWA.

Our FQDN is company.local, so that makes it more difficult since the SSL standards have changed from what I have read.

I do own a GoDaddy UCC cert, which would work for my external pointed mail.company.com, autodiscover.company.com, etc.  

Is there a way to use the GoDaddy cert for external, just IIS services I assume, then use an internal self signed for when users use Outlook, Owa internal address, etc?

We are a company of 10 offices, so re-doing the domain is not really an option at this point.
Question by:DerekFG
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39868861
You can use a SRV record to get rid of the certificate errors. I wrote a blog on the subject here: http://acbrownit.wordpress.com/2012/12/

The key is to create a SRV record in your internal domain that points to autodiscover.company.com. If you don't have split-horizon DNS, this will force your internal clients to query the public IP address, but if you have an internal company.com DNS zone with autodiscover.company.com pointing to the internal IP of the CAS server you can prevent this. The SRV record should be set up in your .local DNS zone and you should not have an autodiscover.company.local record.
0
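The SRV-record approach described above, written out as an added example (these are not Adam Brown's commands nor taken from the linked blog). It assumes the internal Active Directory zone is company.local, the public Autodiscover name on the UCC certificate is autodiscover.company.com, and that it is run from an elevated prompt with rights on the Windows DNS server holding the zone; all three are assumptions for illustration.

```powershell
# Added example, not from the original post: Autodiscover SRV record for a .local AD zone.
# Assumed values (constructed for illustration):
#   internal AD DNS zone                    = company.local
#   public Autodiscover name on the UCC cert = autodiscover.company.com
$InternalZone = 'company.local'
$PublicHost   = 'autodiscover.company.com'

# 1. Remove any leftover autodiscover.company.local A record. Outlook tries
#    https://autodiscover.<domain>/Autodiscover/Autodiscover.xml before it falls back
#    to the SRV lookup, and that host name is not on the certificate, so a stale
#    record is exactly what produces the certificate prompt.
dnscmd /RecordDelete $InternalZone autodiscover A /f

# 2. Add the SRV record Outlook queries when the HTTPS lookups fail:
#    _autodiscover._tcp.company.local  SRV  priority 0, weight 0, port 443,
#    target autodiscover.company.com  (dnscmd order: Priority Weight Port Target)
dnscmd /RecordAdd $InternalZone _autodiscover._tcp SRV 0 0 443 $PublicHost

# 3. Verify from a domain-joined client. The target returned must itself be a name
#    on the certificate, otherwise the warning just moves to a different host name.
nslookup -type=SRV "_autodiscover._tcp.$InternalZone"
```

Note that internal clients will then resolve autodiscover.company.com through whatever zone answers for company.com; without an internal company.com zone (or a pinpoint zone for that one host) the lookup returns the public IP, as the comment above points out.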
 
LVL 2

Author Comment

by:DerekFG
ID: 39868910
Okay, so can I do the same thing for internal OWA?

We are set up so that mail.company.com forwards to the public static ip of our main firewall for smtp, then is sent to our Barracuda unit.

mail.company.com/owa forwards to the exchange server for https

autodiscover.company.com forwards to public ip of main firewall then to exchange server

All of that should work as is...

Do I need to create another SRV record for mail.company.com so if users try to access https://mail.company.com/owa internally they will not get an SSL error?

I do have a company.com DNS zone, current mail. has an A record that points at the exchange server.  I also have an autodiscover.com A record that points to the same.  These should be removed as well since we are creating the SRV records, as well as any A records in the .local zone?

Sorry for all the questions, just need to wrap my head around how this is going to route owa and autodiscover and get rid of those ssl errors.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39869145
For OWA you would need to have an internal DNS zone that had mail.company.com pointing to the internal IP of the CAS server. No SRV record needed. The SRV record tells Outlook where to go for autodiscover. OWA just needs to be accessed using a host name on the certificate.
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 500 total points
ID: 39869266
If you already have a GoDaddy UCC, using a SRV record for autodiscover is definitely not the smartest approach (with all due respect to the Genius advice).

You would like to use a SRV record with a single domain certificate, and it comes with the corresponding redirection popup.

If the UCC is valid and:
1. Contains the minimum required FQDN - "autodiscover.company.com" and ex. "mail.company.com"
2. You have the corresponding records for these FQDN in the external DNS zone

no changes are required in the certificate and external DNS zone. If you have internal FQDN in it, such certificates will be revoked in 2016. You can get fully compliant by generating a new CSR without the internal name and replacing the existing cert.

You need to perform the following changes on the internal network, though:
1. Configure Split-Brain DNS or PinPoint DNS zones (I recommend the latter) for the Public FQDN in certificate on the local network DNS.
2. Modify the internal Exchange URL.

Since we are talking about Exchange 2010, you can change the OAB, OWA, ActiveSync in EMC (just copy the external URL over the internal one).

The SCP (Autodiscover Internal URI) and Web Services (which is often forgotten) should be modified the same way but in EMS.
0
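The two internal-network changes in the accepted solution (pinpoint DNS zones for the public names, then the internal Exchange URLs set to match the external ones), as an added example. These commands are not NetoMeter's or Microsoft's documentation; they assume a single Exchange 2010 CAS named EX01 with internal IP 10.0.0.5, a UCC certificate containing mail.company.com and autodiscover.company.com, Windows DNS hosting the zones, and that they are run in the Exchange Management Shell with Exchange and DNS admin rights. All of those names and addresses are assumptions.

```powershell
# Added example, not from the accepted answer: pinpoint DNS zones for the public
# names, then Exchange 2010 internal URLs pointed at those names, so internal
# Outlook/OWA/ActiveSync clients only ever see host names that are on the UCC cert.
# Assumed values (constructed): CAS server EX01, internal IP 10.0.0.5,
# certificate names mail.company.com and autodiscover.company.com.
$Cas       = 'EX01'
$CasIp     = '10.0.0.5'
$MailHost  = 'mail.company.com'
$AutoDHost = 'autodiscover.company.com'

# --- 1. Pinpoint zones: one AD-integrated zone per public name, holding a single
#        "@" A record. Only these two names resolve internally; everything else
#        under company.com keeps resolving via the public zone, which is what
#        makes this lighter to maintain than a full split-brain copy of the zone.
foreach ($name in $MailHost, $AutoDHost) {
    dnscmd /ZoneAdd $name /DsPrimary
    dnscmd /RecordAdd $name '@' A $CasIp
}

# --- 2. Internal URLs: copy the external URL over the internal one.
#        OWA/ECP/OAB/ActiveSync can also be done in the EMC; the SCP
#        (AutoDiscoverServiceInternalUri) and EWS can only be changed here.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$MailHost/EWS/Exchange.asmx"      # the one that is often forgotten
Set-OabVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$MailHost/OAB"
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "https://$MailHost/owa"
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "https://$MailHost/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$MailHost/Microsoft-Server-ActiveSync"

# --- 3. Check: the host of every internal URL must be a name on the certificate
#        bound to IIS, or that URL will still produce a name-mismatch warning.
#        (Exact-name comparison; a UCC lists hosts explicitly, so no wildcard handling.)
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

$internalUrls = @(
    (Get-ClientAccessServer $Cas).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
    (Get-OabVirtualDirectory -Server $Cas).InternalUrl
    (Get-OwaVirtualDirectory -Server $Cas).InternalUrl
    (Get-EcpVirtualDirectory -Server $Cas).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Cas).InternalUrl
)
foreach ($u in $internalUrls) {
    $h = ([Uri]$u).Host.ToLower()
    if ($certNames -notcontains $h) {
        Write-Warning "$u : host '$h' is not on the IIS certificate"
    } else {
        Write-Host "OK  $u"
    }
}
```

The check in step 3 is also a useful thing to run on its own before touching anything: any internal URL it flags is a name clients are being sent to today that the certificate does not cover, which is where the existing prompts come from.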
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39869437
Srv records are a perfectly valid approach. So is modifying the uris. Srv requires less effort.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39870199
Yes, it is a valid approach and I do recommend it to companies on a tight budget with a small number of remote clients. As I've mentioned, you get a redirection popup warning (Outlook Anywhere) and that is frustrating when you have a lot of remote clients.

In this example, there is already a GoDaddy UCC in place. It supports Subject Alternative names and you can set one of them to be "autodiscover.company.com" (if it's not already set).

If you already have UCC, using a server record for autodiscover is plain stupid.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39871124
The only way I would deploy this is split DNS so the external name resolves internally.
Configure Exchange to use the external host name for internal purposes as well.
Autodiscover DNS - well you can leave that where it is internally, but if you don't have any clients on the internal network that are NOT members of the domain, then you don't even need it.  http://semb.ee/hostnames

Autodiscover SRV records I use only when I am stuck with a single name certificate (usually because someone bought a VeriSign overpriced certificate for five years) or hosting a lot of domains. Otherwise I do not use them.

Simon.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871183
That's exactly what I've said, Sembee.

The only difference is that I recommend PinPoint DNS zones instead of Split Brain DNS zones, and that's the intelligent way to go, especially if you have just one or two zones to create - it's the set it and forget it approach, instead of managing two zones (internal and external one).

#Autodiscover DNS - well you can leave that where it is internally

I don't agree with that either. It doesn't cost you anything to configure it, and leaving it is looking for trouble. The fact is that you do have tablets and mobile devices that use the internal wireless and are not members of the domain.
0
 
LVL 2

Author Comment

by:DerekFG
ID: 39871205
Thank you for all of the answers.  I think NetoMeter has it nailed for my environment, although it seems there are a lot of ways to achieve what I am looking to do.

NetoMeter (love the site by the way) - is there any way to contact you directly on a few questions semi-relevant to this? I don't see a PM feature on this site, and would not wish to fill this thread with back-and-forth chat not fully related.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871211
The contact info or the chat button.
0