Solved

Exchange 2007 SSL and .LOCAL Domain Name Issue

Posted on 2014-03-03
Last Modified: 2014-03-10
I currently have an Exchange 2007 server.  I was using a UCC SSL cert from GoDaddy.  I had it configured as such:


autodiscover.abc.com
autodiscover.xyz.com
webmail.abc.com
webmail.xyz.com
autodiscover.ABC.LOCAL
mailserver.ABC.LOCAL

The certificate expired and I generated a NEW CSR to renew the Cert.  I purchased a 3 year renewal and when I pasted the CSR info in the box it returned an error stating you can NO LONGER have any .LOCAL names in the certificate.  This is apparently a new regulation.

My question is with all that being said... how do you issue a certificate for your FQDNs AND stop that pesky security box from popping up when internal users launch Outlook?
Question by:BSModlin

15 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39902296
The solution here would be to configure your internal urls to reflect your external urls.
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next, to make these commands take effect, you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.


http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
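The accepted answer above, carried through as a complete Exchange Management Shell session. This is an added example, not becraig's text or anything from the DigiCert page: it sets the three URLs, recycles the Autodiscover pool, and then reads everything back so you can compare the URLs against the subject alternative names on the certificate that is actually bound to IIS. The server name MAILSERVER, the public names webmail.abc.com and autodiscover.abc.com, the mailbox user@abc.com and the Unified Messaging line are assumptions taken from the question; substitute your own. Two points worth knowing before running it: the reason the CA refused the CSR is that a public CA cannot validate control of a name like mailserver.ABC.LOCAL, so no public certificate will ever carry it again, and in Exchange 2007 Outlook Anywhere has only an ExternalHostname, so the domain-joined clients inside the LAN keep connecting over RPC/TCP to the server name and only need the HTTPS URLs handed out by Autodiscover to match the certificate.

```powershell
# Added example (not from the original post): repoint the internal Exchange 2007
# client-access URLs at a public name the renewed UCC certificate covers, recycle
# the Autodiscover app pool, then verify. Run in the Exchange Management Shell on
# the Client Access server. MAILSERVER, webmail.abc.com, autodiscover.abc.com and
# user@abc.com are assumed names; replace them with your own.

$Server     = "MAILSERVER"
$PublicHost = "webmail.abc.com"        # must be a SAN on the certificate

# 1. Autodiscover SCP. Domain-joined Outlook reads this URL from Active Directory,
#    so if it still names a .LOCAL host the certificate prompt comes straight back.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.abc.com/Autodiscover/Autodiscover.xml"

# 2. EWS (free/busy, out-of-office) and OAB. These are the URLs Autodiscover hands
#    to Outlook; set internal and external to the same public name.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$PublicHost/EWS/Exchange.asmx"

Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicHost/OAB" `
    -ExternalUrl "https://$PublicHost/OAB"

# 3. Only if Unified Messaging is deployed; otherwise leave it commented out.
# Set-UMVirtualDirectory -Identity "$Server\UnifiedMessaging (Default Web Site)" `
#     -InternalUrl "https://$PublicHost/UnifiedMessaging/Service.asmx"

# 4. Make IIS pick up the change. appcmd.exe ships with IIS 7 (Windows Server 2008);
#    on IIS 6 (Windows Server 2003) run "iisreset /noforce" instead.
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# 5. Read back every URL Outlook will be given. Each host name must appear in the
#    CertificateDomains of the certificate that has the IIS service enabled.
Get-ClientAccessServer          | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory         | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere             | Format-List ServerName, ExternalHostname

Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter

# 6. End-to-end check as a mailbox user (Exchange 2007 parameter syntax). Every
#    scenario should report Success; a failing Autodiscover or EWS row usually
#    means the URL still resolves to, or is certified for, the wrong name.
Test-OutlookWebServices -Identity "user@abc.com" | Format-List
```

The verification step is the part the accepted answer leaves out: the prompt disappears only when every URL in the Autodiscover response, plus the Outlook Anywhere external host name, is covered by the certificate, and the shell shows you all of them in one place. If a URL still resolves to the public IP from inside the LAN you also need the DNS change discussed further down the thread.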
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39902299
 
LVL 29

Expert Comment

by:becraig
ID: 39902304
More detailed info on this issue:
http://support.microsoft.com/kb/940726


I guess this restriction on SANs for domains you cannot prove ownership of will be a huge issue for all of us who were advised to design our AD architecture with a .local tld.
 
LVL 25

Expert Comment

by:-MAS
ID: 39902400
Check the accepted solution in this.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27630546.html
I have attached a txt file on how to configure external names to use internally in that question. You can completely remove your internal FQDNs from your certificate.

Note: I hope you have the externaldomain.com zone created in your internal DNS server.
If not, please create one zone, externaldomain.com, and create an A record autodiscover.externaldomain.com which points to the Exchange server.
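The DNS side of -MAS's note, as an added example that is not part of the original thread. Once the Exchange URLs carry public names, LAN clients must resolve those names to the internal Exchange address rather than the public one, or Outlook will try to reach the server back through the firewall. Creating a full copy of abc.com internally (as the note suggests) works but shadows every other public record in that zone (www, MX, anything hosted elsewhere) until you duplicate them; the variant below instead creates one "pinpoint" zone per host name, which holds a single A record and affects nothing else. It runs on the internal Windows DNS server with dnscmd.exe, which ships with the DNS Server role; the four host names and the address 192.168.10.25 are assumptions, substitute your own.

```powershell
# Added example (not from the original thread): make the public Exchange names
# resolve to the internal server for LAN clients using one pinpoint zone per name.
# Run as a DNS administrator on the internal Windows DNS server.
# Assumed values: the four names below and the internal Exchange IP 192.168.10.25.

$ExchangeIP = "192.168.10.25"
$Names      = @("autodiscover.abc.com", "webmail.abc.com",
                "autodiscover.xyz.com", "webmail.xyz.com")

foreach ($fqdn in $Names) {
    # A primary zone whose name is the full host name. Only the apex ("@") record
    # exists, so www.abc.com, MX records, etc. continue to resolve publicly.
    # For an AD-integrated zone use "/DsPrimary" instead of "/Primary /file ...".
    dnscmd /ZoneAdd $fqdn /Primary /file "$fqdn.dns"
    dnscmd /RecordAdd $fqdn "@" A $ExchangeIP
}

# Verify from the server (and then from a domain-joined client): the answer for
# each name must be the internal address, not the public one.
foreach ($fqdn in $Names) {
    nslookup $fqdn
}
```

If the firewall supports reflexive (hairpin) NAT you can skip the DNS change and let the public address loop back, but the pinpoint zone is the more predictable option and keeps the certificate, the Exchange URLs and the addresses clients reach all aligned on the same public names.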
 

Author Comment

by:BSModlin
ID: 39905173
Ok, so if I do the following:

"The solution here would be to configure your internal urls to reflect your external urls.
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next, to make these commands take effect, you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle."

My question is will my Outlook users need to change anything?  Server name?
 

Author Comment

by:BSModlin
ID: 39905179
Also.... I found this on the digicert link above:

"Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems."

Does this mean that existing Outlook Anywhere users will stop working?
 
LVL 25

Expert Comment

by:-MAS
ID: 39905498
The only difference is that users will use the external names even within the network.

I have configured this for a customer and so far there have been no issues, even with Outlook Anywhere clients and MAPI clients.

You have to run the commands from the Exchange Management Shell.
 

Author Comment

by:BSModlin
ID: 39906141
Ok.... Do you have a good walk thru link to send me?
 
LVL 25

Expert Comment

by:-MAS
ID: 39906209
First of all:
Do you have "externaldomain.com" in your internal DNS server?
Did you configure it as per the text in the link above?

-->Do you have a good walk thru link to send me?
I am not clear on this.
Do you need a guide to configure the above steps?

Please clarify for me.
 

Author Comment

by:BSModlin
ID: 39906219
Sorry... Lots of information above. Which link are you referring to?
 
LVL 25

Expert Comment

by:-MAS
ID: 39906225
 

Author Comment

by:BSModlin
ID: 39906814
What I see in the attachment is Exchange Shell instructions.

What specific DNS modifications do I need to make?
 
LVL 29

Expert Comment

by:becraig
ID: 39906836
Ok, so I think I outlined the steps earlier for changing the URLs; as for DNS, it depends on how your internal configuration is set.

If you already resolve externally (i.e. DNS forwarding for your domain.com zone) and all your clients are able to reach the public internet, then there is nothing to be done.

However, if you resolve your .com domain internally and want to point to the internal IPs, you need to ensure the host entries match the internal IPs.
 

Author Comment

by:BSModlin
ID: 39907020
Ok, I went through the URLs and have a question:

In the examples it refers to HUB1 and HUB2... That is because they have 2 exchange servers?

Can you please send me a list of the total amount of URLs that need to be changed if I have 1 exchange server and what they are?

I have identified these:

Set-ClientAccessServer -Identity hub1 -AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory -Identity "exchange\oab (default web site)"
set-UMVirtualDirectory -Identity "exchange\UnifiedMessaging (Default Web Site)"
set-WebservicesVirtualDirectory -Identity "exchange\EWS (default web site)"

Are there more?

Sorry for all the questions...
 
LVL 25

Expert Comment

by:-MAS
ID: 39909126
No need for Unified Messaging if you are not using UM. The other three are enough.

Did you create "externaldomain.com" in your internal DNS server?
If yes:
Did you create the A record "Autodiscover.externaldomain.com" in the new zone?