Exchange 2007 SSL and .LOCAL Domain Name Issue

BSModlin
I currently have an Exchange 2007 server. I was using a UCC SSL cert from GoDaddy. I had it configured as such:


autodiscover.abc.com
autodiscover.xyz.com
webmail.abc.com
webmail.xyz.com
autodiscover.ABC.LOCAL
mailserver.ABC.LOCAL

The certificate expired and I generated a NEW CSR to renew the Cert.  I purchased a 3 year renewal and when I pasted the CSR info in the box it returned an error stating you can NO LONGER have any .LOCAL names in the certificate.  This is apparently a new regulation.

My question is with all that being said... how do you issue a certificate for your FQDNs AND stop that pesky security box from popping up when internal users launch Outlook?
The solution here would be to configure your internal URLs to reflect your external URLs.

    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.


http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
More detailed info on this issue:
http://support.microsoft.com/kb/940726
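The three cmdlets above, written out as one Exchange Management Shell script for a single Exchange 2007 CAS, with a verification step and the app-pool recycle done from the shell instead of IIS Manager. This is an added example, not code from the thread or from Microsoft; the server name MAILSERVER, the public name webmail.abc.com and the use of appcmd (IIS 7 on Windows Server 2008; on IIS 6 you would run iisreset instead) are assumptions for the example.

```powershell
# Added example (not from the original post): repoint every HTTPS-facing
# internal URL on one Exchange 2007 Client Access Server at the public name
# that is on the renewed certificate, so domain-joined Outlook is never sent
# to a .LOCAL name. Run in the Exchange Management Shell as an Exchange admin.

$Server       = "MAILSERVER"        # CAS NetBIOS name (assumed placeholder)
$ExternalHost = "webmail.abc.com"   # must be a SAN on the new certificate (assumed placeholder)

# Autodiscover SCP in Active Directory: the first thing domain-joined Outlook queries.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$ExternalHost/Autodiscover/Autodiscover.xml"

# EWS and OAB: the URLs Autodiscover hands back for free/busy, OOF and OAB download.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$ExternalHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$ExternalHost/OAB"

# Only when Unified Messaging is deployed; otherwise leave it alone.
# Set-UMVirtualDirectory -Identity "$Server\UnifiedMessaging (Default Web Site)" `
#     -InternalUrl "https://$ExternalHost/UnifiedMessaging/Service.asmx"

# Verify: each InternalUrl should now carry the external host, not the .LOCAL name.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# Recycle the Autodiscover application pool so IIS serves the new values.
# (IIS 7 appcmd; on IIS 6 / Windows Server 2003 run "iisreset" instead.)
& "$env:windir\System32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool
```

Nothing in the Outlook profile changes: the profile's server name is the MAPI/RPC endpoint and is not validated against the certificate; only the HTTPS services above are, which is why the .LOCAL names can leave the certificate once these URLs point at the public name.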


I guess this restriction on SANs for domains you cannot prove ownership of will be a huge issue for all of us who were advised to design our AD architecture with a .local tld.

MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Check the accepted solution in this.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27630546.html
I have attached a txt file to that question on how to configure the external name for internal use. You can completely remove your internal FQDNs from your certificate.

Note: I hope you have the externaldomainname.com zone created on your internal DNS server.
If not, please create a zone externaldomain.com and create an A record autodiscover.externaldomain.com that points to the Exchange server.

Author

Commented:
Ok, so if I do the following:

"The solution here would be to configure your internal URLs to reflect your external URLs.

    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle."

My question is will my Outlook users need to change anything?  Server name?

Author

Commented:
Also.... I found this on the digicert link above:

"Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems."

Does this mean that existing Outlook Anywhere users will stop working?
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
The only difference is that users will use the external names even within the network.

I have configured this for a customer and so far there have been no issues, even with Outlook Anywhere clients and MAPI clients.

You have to run the commands from the Exchange Management Shell.

Author

Commented:
Ok.... Do you have a good walk thru link to send me?
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
First of all:
Do you have "externaldomain.com" on your internal DNS server?
Did you configure it as per the text in the link above?

--> Do you have a good walk thru link to send me?
I am not clear on this.
Do you need a guide to configure the above steps?

Please clarify.

Author

Commented:
Sorry... Lots of information above. Which link are you referring to?
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:

Author

Commented:
What I see in the attachment is Exchange Shell instructions.

What specific DNS modifications do I need to make?
OK, so I think I outlined the steps earlier for changing the URLs; as for DNS, it depends on how your internal configuration is set.

If you already resolve externally (i.e. DNS forwarding for your domain.com zone) and all your clients are able to reach the public internet, then there is nothing to be done.

However, if you resolve your .com domain internally and want to point to the internal IPs, you need to ensure the host entries match the internal IPs.

Author

Commented:
Ok, I went through the URLs and have a question:

In the examples it refers to HUB1 and HUB2... Is that because they have 2 Exchange servers?

Can you please send me a list of the total amount of URLs that need to be changed if I have 1 exchange server and what they are?

I have identified these:

Set-ClientAccessServer -Identity hub1 -AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory -Identity "exchange\oab (default web site)"
set-UMVirtualDirectory -Identity "exchange\UnifiedMessaging (Default Web Site)"
set-WebservicesVirtualDirectory -Identity "exchange\EWS (default web site)"

Are there more?

Sorry for all the questions...
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
No need for Unified Messaging if you are not using UM. The other three are enough.

Did you create "externaldomain.com" on your internal DNS server?
If yes:
Did you create the A record "Autodiscover.externaldomain.com" in the new zone?
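The DNS side of the procedure asked about here (and in the earlier note about creating the externaldomain.com zone), plus the check a practitioner would want before deleting the .LOCAL names from the certificate: every internal URL the CAS hands out must resolve internally and be covered by a SAN on the certificate bound to IIS. This is an added example, not the txt attachment from the linked question; the zone abc.com, the address 192.168.10.25, the DNS server DC1 and the use of dnscmd (Windows Server DNS) are assumptions for the example.

```powershell
# Added example (not from the original thread). Part 1 creates the split-DNS
# records on an internal Windows DNS server so the public names resolve to the
# LAN address of Exchange. Part 2 checks, from the Exchange Management Shell,
# that every internal URL on the CAS is covered by a SAN on the IIS certificate
# and that none still ends in .LOCAL. All names/addresses below are placeholders.

$PublicZone = "abc.com"         # your external domain (assumed)
$InternalIP = "192.168.10.25"   # LAN address of the Exchange server (assumed)
$DnsServer  = "DC1"             # AD-integrated DNS server (assumed)

# --- Part 1: split DNS ---
# Caveat: an internal copy of the whole public zone shadows every public record
# you do not add (www, the MX target, ...). Either add those too, or create
# single-host "pinpoint" zones named autodiscover.abc.com / webmail.abc.com
# each holding a blank-name A record, which affects nothing else in abc.com.
dnscmd $DnsServer /ZoneAdd $PublicZone /DsPrimary
dnscmd $DnsServer /RecordAdd $PublicZone autodiscover A $InternalIP
dnscmd $DnsServer /RecordAdd $PublicZone webmail A $InternalIP

# --- Part 2: certificate coverage check (single CAS assumed) ---
$Server = (Get-ClientAccessServer | Select-Object -First 1).Name
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl,
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
)

# The certificate enabled for the IIS service is the one Outlook will validate.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$sans = @()
foreach ($d in $cert.CertificateDomains) { $sans += $d.ToString().ToLower() }

foreach ($u in $urls) {
    if (-not $u) { continue }                     # vdir not configured
    $hostName = ([System.Uri]$u).Host.ToLower()
    $covered  = $false
    foreach ($san in $sans) {
        if ($san -eq $hostName) { $covered = $true }
        # A wildcard SAN (*.abc.com) covers exactly one extra label.
        elseif ($san.StartsWith("*.") -and ($hostName -like $san) -and
                ($hostName.Split(".").Count -eq $san.Split(".").Count)) { $covered = $true }
    }
    if ($hostName.EndsWith(".local")) {
        Write-Warning ("{0} still uses a .LOCAL name" -f $u)
    } elseif (-not $covered) {
        Write-Warning ("{0} is not covered by the IIS certificate SANs: {1}" -f $u, [string]::Join(", ", $sans))
    } else {
        Write-Host ("OK  {0}" -f $u)
    }
}
```

After the records exist, confirm from a workstation that nslookup autodiscover.abc.com returns the LAN address, then use Outlook's "Test E-mail AutoConfiguration" (Ctrl + right-click the Outlook tray icon) to see which URLs the client actually receives; Test-OutlookWebServices on the server exercises the same path from the Exchange side.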
