Exchange 2010 SSL Cert

Posted on 2014-02-18
Medium Priority
1 Endorsement
Last Modified: 2014-02-19
What is the best method for getting internal and external SSL certificates working with Exchange 2010, namely for Autodiscover and OWA?

Our FQDN is a company.local, so that makes it more difficult since the SSL standards have changed from what I have read.

I do own a GoDaddy UCC cert, which would work for my external pointed mail.company.com, autodiscover.company.com, etc.  

Is there a way to use the GoDaddy cert for external, just IIS services I assume, then use an internal self signed for when users use Outlook, Owa internal address, etc?

We are a company of 10 offices, so re-doing the domain is not really an option at this point.
Question by:DerekFG
LVL 43

Expert Comment

by:Adam Brown
ID: 39868861
You can use a SRV record to get rid of the certificate errors. I wrote a blog on the subject here: http://acbrownit.wordpress.com/2012/12/

The key is to create a SRV record in your internal domain that points to autodiscover.company.com. If you don't have split-horizon DNS, this will force your internal clients to query the public IP address, but if you have an internal company.com DNS zone with autodiscover.company.com pointing to the internal IP of the CAS server you can prevent this. The SRV record should be set up in your .local DNS zone and you should not have an autodiscover.company.local record.

Author Comment

ID: 39868910
Okay, so can I do the same thing for internal OWA?

We are set up so that mail.company.com forwards to the public static ip of our main firewall for smtp, then is sent to our Barracuda unit.

mail.company.com/owa forwards to the exchange server for https

autodiscover.company.com forwards to public ip of main firewall then to exchange server

All of that should work as is...

Do I need to create another SRV record for mail.company.com so if users try to access https://mail.company.com/owa internally they will not get an SSL error?

I do have a company.com DNS zone, current mail. has an A record that points at the exchange server.  I also have an autodiscover.com A record that points to the same.  These should be removed as well since we are creating the SRV records, as well as any A records in the .local zone?

Sorry for all the questions, just need to wrap my head around how this is going to route owa and autodiscover and get rid of those ssl errors.
LVL 43

Expert Comment

by:Adam Brown
ID: 39869145
For OWA you would need to have an internal DNS zone that had mail.company.com pointing to the internal IP of the CAS server. No SRV record needed. The SRV record tells Outlook where to go for Autodiscover. OWA just needs to be accessed using a host name on the certificate.

LVL 11

Accepted Solution

NetoMeter Screencasts earned 2000 total points
ID: 39869266
If you already have a GoDaddy UCC, using a SRV record for autodiscover is definitely not the smartest approach (with all due respect to the Genius advice).

You would like to use a SRV record with a single domain certificate, and it comes with the corresponding redirection popup.

If the UCC is valid and:
1. Contains the minimum required FQDN - "autodiscover.company.com" and ex. "mail.company.com"
2. You have the corresponding records for these FQDN in the external DNS zone

no changes are required in the certificate and external DNS zone. If you have internal FQDNs in it, such certificates will be revoked in 2016. You can get fully compliant by generating a new CSR without the internal name and replacing the existing cert.

You need to perform the following changes on the internal network, though:
1. Configure Split-Brain DNS or PinPoint DNS zones (I recommend the latter) for the Public FQDN in certificate on the local network DNS.
2. Modify the internal Exchange URL.

Since we are talking about Exchange 2010, you can change the OAB, OWA, ActiveSync in EMC (just copy the external URL over the internal one).

The SCP (Autodiscover Internal URI) and Web Services (which is often forgotten) should be modified the same way but in EMS.
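The internal-network changes from the accepted answer (pinpoint zones plus the internal URLs, including the SCP and EWS that the EMC does not expose), written out as an added example that is not from any poster in this thread. Server name CAS01, the address 10.0.0.25 and the mailbox used for the final check are placeholders; it assumes an Exchange 2010 Management Shell on a CAS that is also an AD-integrated DNS server, and it ends with a check that the IIS-bound UCC actually carries the names being configured.

```powershell
# Added example: placeholders CAS01 / 10.0.0.25 / user@company.com must be replaced.
$Cas      = "CAS01"
$CasIp    = "10.0.0.25"
$MailHost = "mail.company.com"
$AdHost   = "autodiscover.company.com"

# 1. Pinpoint zones: one AD-integrated zone per public name, holding only an apex
#    A record. Internal clients then resolve the public names to the internal CAS
#    without maintaining a second copy of the whole company.com zone.
foreach ($name in $MailHost, $AdHost) {
    dnscmd . /ZoneAdd   $name /DsPrimary
    dnscmd . /RecordAdd $name "@" A $CasIp
}
# Alternative from the SRV-record approach discussed above (only one of the two
# Autodiscover methods is needed):
#   dnscmd . /RecordAdd company.local _autodiscover._tcp SRV 0 0 443 $AdHost

# 2. Point every internal URL at a name that is on the UCC. The first two
#    (SCP and EWS) can only be set from EMS; the rest can also be done in EMC.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AdHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$MailHost/EWS/Exchange.asmx"
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "https://$MailHost/owa"
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "https://$MailHost/ecp"
Set-OabVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$MailHost/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$MailHost/Microsoft-Server-ActiveSync"

# 3. Checks. A name missing from the certificate bound to IIS is exactly what
#    produces the SSL warning the question is about, so verify before testing.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$sans    = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = @($MailHost, $AdHost) | Where-Object { $sans -notcontains $_ }
if ($missing) { Write-Warning "UCC bound to IIS lacks: $($missing -join ', ')" }

# Confirm the SCP and the vdirs took effect, then run the built-in end-to-end test.
Get-ClientAccessServer -Identity $Cas | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Cas | Format-List InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity "user@company.com" | Format-List Scenario, Result, Error
```

Run iisreset (or wait for the IIS app pools to recycle) after the URL changes so Outlook picks up the new Autodiscover response; "ipconfig /flushdns" on a test client shows the pinpoint zones resolving to $CasIp.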
LVL 43

Expert Comment

by:Adam Brown
ID: 39869437
Srv records are a perfectly valid approach. So is modifying the uris. Srv requires less effort.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39870199
Yes, it is a valid approach and I do recommend it to companies on a tight budget with a small number of remote clients. As I've mentioned, you get a redirection popup warning (Outlook Anywhere) and that is frustrating when you have a lot of remote clients.

In this example, there is already a GoDaddy UCC in place. It supports Subject Alternative names and you can set one of them to be "autodiscover.company.com" (if it's not already set).

If you already have a UCC, using a SRV record for autodiscover is plain stupid.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39871124
The only way I would deploy this is split DNS so the external name resolves internally.
Configure Exchange to use the external host name for internal purposes as well.
Autodiscover DNS - well you can leave that where it is internally, but if you don't have any clients on the internal network that are NOT members of the domain, then you don't even need it.  http://semb.ee/hostnames

Autodiscover SRV records I use only when I am stuck with a single name certificate (usually because someone bought a VeriSign overpriced certificate for five years) or hosting a lot of domains. Otherwise I do not use them.

LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871183
That's exactly what I've said, Sembee.

The only difference is that I recommend PinPoint DNS zones instead of Split Brain DNS zones, and that's the intelligent way to go, especially if you have just one or two zones to create - it's the set it and forget it approach, instead of managing two zones (internal and external one).

#Autodiscover DNS - well you can leave that where it is internally

I don't agree with that either. It doesn't cost you anything to configure it, and leaving it is looking for trouble. The fact is that you do have tablets and mobile devices that use the internal wireless and are not members of the domain.

Author Comment

ID: 39871205
Thank you for all of the answers.  I think NetoMeter has it nailed for my environment, although it seems there are a lot of ways to achieve what I am looking to do.

NetoMeter (love the site by the way) - is there any way to contact you directly on a few questions semi-relevant to this?  I don't see a PM feature on this site, and would not wish to fill this thread with back-and-forth chat not fully related.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871211
The contact info or the chat button.
