• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 489
  • Last Modified:

Exchange 2007 SSL and .LOCAL Domain Name Issue

I currently have an Exchange 2007 server.  I was using a UCC SSL cert from GoDaddy.  I had it configured as such:


autodiscover.abc.com
autodiscover.xyz.com
webmail.abc.com
webmail.xyz.com
autodiscover.ABC.LOCAL
mailserver.ABC.LOCAL

The certificate expired and I generated a NEW CSR to renew the Cert.  I purchased a 3 year renewal and when I pasted the CSR info in the box it returned an error stating you can NO LONGER have any .LOCAL names in the certificate.  This is apparently a new regulation.

My question is with all that being said... how do you issue a certificate for your FQDNs AND stop that pesky security box from popping up when internal users launch Outlook?
0
BSModlin
Asked:
BSModlin
  • 6
  • 5
  • 3
  • +1
1 Solution
 
becraigCommented:
The solution here would be to configure your internal urls to reflect your external urls.
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.


http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
0
 
becraigCommented:
More detailed info on this issue:
http://support.microsoft.com/kb/940726


I guess this restriction on SANs for domains you cannot prove ownership of will be a huge issue for all of us who were advised to design our AD architecture with a .local tld.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
MASTechnical Department HeadCommented:
Check the accepted solution in this.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27630546.html
I have attached a txt file on how to configure external name to use internally in that question. You can completely remove your internal FQDNs from your certificate.

Note: I hope you have externaldomainname.com zone created in your internal DNS server
if not please create one zone externaldomain.com and please create an A record autodiscover.externaldomain.com which points to exchange server
0
 
BSModlinAuthor Commented:
Ok, so if I do the following:

"The solution here would be to configure your internal urls to reflect your external urls.
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle."

My question is will my Outlook users need to change anything?  Server name?
0
 
BSModlinAuthor Commented:
Also.... I found this on the digicert link above:

"Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems."

Does this mean that existing Outlook Anywhere users will stop working?
0
 
MASTechnical Department HeadCommented:
Only difference is users will use external names even within the network.

I have configured for a customer and till now no issues even outlook anywhere clients and MAPI clients.

You have to run the commands from exchange management shell
0
 
BSModlinAuthor Commented:
Ok.... Do you have a good walk thru link to send me?
0
 
MASTechnical Department HeadCommented:
First of all
Do you have "externaldomain.com" in your internal DNS server?
Did you configure as per the text in link above?

-->Do you have a good walk thru link to send me?
I am not clear on this.
You need guide to configure the above steps?

Please make me clear
0
 
BSModlinAuthor Commented:
Sorry... Lots of information above. Which link are you referring to?
0
 
MASTechnical Department HeadCommented:
0
 
BSModlinAuthor Commented:
What I see in the attachment is Exchange Shell instructions.

What specific DNS modifications do I need to make?
0
 
becraigCommented:
Ok So I think I outlined the steps earlier for changing the URLS, as for DNS it depends on how your internal configuration is set.

If you already resolve externally (i.e. DNS forwarding for you domain.com zone) and all your clients are able to reach the public internet then there is nothing to be done.

However if you resolve your .com domain internally and want to point to the internal IPs you need to ensure the host entries match the internal ips.
0
 
BSModlinAuthor Commented:
Ok, I went through the URLs and have a question:

In the examples it refers to HUB1 and HUB2... That is because they have 2 exchange servers?

Can you please send me a list of the total amount of URLs that need to be changed if I have 1 exchange server and what they are?

I have identified these:

Set-ClientAccessServer -Identity hub1 -AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory -Identity "exchange\oab (default web site)"
set-UMVirtualDirectory -Identity "exchange\UnifiedMessaging (Default Web Site)"
set-WebservicesVirtualDirectory -Identity "exchange\EWS (default web site)"

Are there more?

Sorry for all the questions...
0
 
MASTechnical Department HeadCommented:
No need of unified messaging if you are not using UM. The other three is enough.

Did you create "externaldomain.com" in your internal DNS server?
if yes
Did you create A record"Autodiscover.externaldomain.com" in the new zone?
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 6
  • 5
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now