Exchange 2007 SSL and .LOCAL Domain Name Issue

Posted on 2014-03-03
Last Modified: 2014-03-10
I currently have an Exchange 2007 server.  I was using a UCC SSL cert from GoDaddy.  I had it configured as such:


autodiscover.abc.com
autodiscover.xyz.com
webmail.abc.com
webmail.xyz.com
autodiscover.ABC.LOCAL
mailserver.ABC.LOCAL

The certificate expired and I generated a NEW CSR to renew the Cert.  I purchased a 3 year renewal and when I pasted the CSR info in the box it returned an error stating you can NO LONGER have any .LOCAL names in the certificate.  This is apparently a new regulation.

My question is with all that being said... how do you issue a certificate for your FQDNs AND stop that pesky security box from popping up when internal users launch Outlook?
Question by: BSModlin
 

Accepted Solution

by:
becraig earned 500 total points
ID: 39902296
The solution here would be to configure your internal urls to reflect your external urls.
    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.


http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
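The Outlook prompt in the question is a certificate name mismatch: Outlook is handed the Autodiscover, EWS and OAB URLs by the server, connects to them over HTTPS, and warns when the hostname in the URL is not one of the names on the certificate. Once the CA refuses to put autodiscover.ABC.LOCAL and mailserver.ABC.LOCAL on the certificate, the only clean fix is the one above: hand Outlook public names that are on the certificate. The script below is an added example written for this thread, not becraig's code or anything from the linked DigiCert article. It applies the three commands from the accepted solution to a single server, recycles the Autodiscover application pool, and then checks that every hostname Outlook will be told to use (including the Outlook Anywhere external hostname) is actually a SAN on the certificate bound to IIS. The server name EX01, the hostname webmail.abc.com and the appcmd.exe path are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not code from the original thread. Repoints one Exchange 2007
# server's internal Outlook URLs at the public hostname that is on the
# certificate, recycles the Autodiscover application pool, and then verifies that
# every hostname Outlook will be handed is a SAN on the certificate bound to IIS.
# Run in the Exchange Management Shell. EX01 and webmail.abc.com are placeholders.

$Server     = "EX01"
$PublicHost = "webmail.abc.com"

# Names on the certificate that IIS is currently using
$cert  = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"IIS certificate $($cert.Thumbprint) (expires $($cert.NotAfter)) covers: $($names -join ', ')"
if ($names -notcontains $PublicHost.ToLower()) {
    throw "$PublicHost is not a SAN on the bound certificate; Outlook would still prompt."
}

# The three URLs Outlook consumes internally; UM only if you actually use it
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$PublicHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicHost/OAB"
# Set-UMVirtualDirectory -Identity "$Server\UnifiedMessaging (Default Web Site)" `
#     -InternalUrl "https://$PublicHost/UnifiedMessaging/Service.asmx"

# Same effect as right-click > Recycle in IIS Manager (appcmd ships with IIS 7 on
# Server 2008; on IIS 6 use IIS Manager as described in the accepted solution)
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# Verify: every hostname Outlook is now told to use must match a SAN (or a wildcard SAN)
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OABVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OutlookAnywhere | Where-Object { "$($_.Server)" -eq $Server -and $_.ExternalHostname } |
        ForEach-Object { "https://$($_.ExternalHostname)/rpc" }
) | Where-Object { $_ }

foreach ($u in $urls) {
    $h  = ([System.Uri]"$u").Host.ToLower()
    $ok = ($names -contains $h) -or ($names -contains ("*." + ($h -replace '^[^.]+\.', '')))
    "{0,-4} {1}" -f $(if ($ok) { "OK" } else { "FAIL" }), $u
}
```

Any line reported as FAIL is a name Outlook will still be prompted about. The MAPI server name in existing Outlook profiles (mailserver.ABC.LOCAL in the question) is not on this list because the internal RPC connection does not validate the server by certificate name; only the HTTPS endpoints do. The change only works if webmail.abc.com also resolves to the server's private address from inside the LAN, which is the DNS part discussed further down the thread.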
LVL 29

Expert Comment

by:becraig
ID: 39902304
More detailed info on this issue:
http://support.microsoft.com/kb/940726


I guess this restriction on SANs for domains you cannot prove ownership of will be a huge issue for all of us who were advised to design our AD architecture with a .local tld.
 

Expert Comment

by:-MAS
ID: 39902400
Check the accepted solution in this.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27630546.html
I have attached a txt file on how to configure external name to use internally in that question. You can completely remove your internal FQDNs from your certificate.

Note: I hope you have the externaldomainname.com zone created in your internal DNS server.
If not, please create a zone externaldomain.com and create an A record autodiscover.externaldomain.com which points to the Exchange server.
 

Author Comment

by:BSModlin
ID: 39905173
Ok, so if I do the following:

"The solution here would be to configure your internal urls to reflect your external urls.

    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle."

My question is will my Outlook users need to change anything?  Server name?
 

Author Comment

by:BSModlin
ID: 39905179
Also.... I found this on the digicert link above:

"Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems."

Does this mean that existing Outlook Anywhere users will stop working?
 

Expert Comment

by:-MAS
ID: 39905498
The only difference is that users will use external names even within the network.

I have configured this for a customer and so far there have been no issues, even with Outlook Anywhere clients and MAPI clients.

You have to run the commands from the Exchange Management Shell.
 

Author Comment

by:BSModlin
ID: 39906141
Ok.... Do you have a good walk thru link to send me?
 

Expert Comment

by:-MAS
ID: 39906209
First of all:
Do you have "externaldomain.com" in your internal DNS server?
Did you configure it as per the text in the link above?

--> Do you have a good walk thru link to send me?
I am not clear on this.
Do you need a guide to configure the above steps?

Please clarify.
 

Author Comment

by:BSModlin
ID: 39906219
Sorry... Lots of information above. Which link are you referring to?
 

Expert Comment

by:-MAS
ID: 39906225
 

Author Comment

by:BSModlin
ID: 39906814
What I see in the attachment is Exchange Shell instructions.

What specific DNS modifications do I need to make?
 

Expert Comment

by:becraig
ID: 39906836
Ok, so I think I outlined the steps earlier for changing the URLs. As for DNS, it depends on how your internal configuration is set.

If you already resolve externally (i.e. DNS forwarding for your domain.com zone) and all your clients are able to reach the public internet, then there is nothing to be done.

However, if you resolve your .com domain internally and want to point to the internal IPs, you need to ensure the host entries match the internal IPs.
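The second case becraig describes, resolving the public zone internally with the Exchange server's private address, is the split-brain DNS setup -MAS keeps asking about. Without it, internal clients that are handed https://webmail.abc.com/... resolve the public IP and hairpin through the firewall, or fail outright if the firewall does not allow it. The script below is an added example written for this thread, not code from either expert or from the linked question. It creates the internal copy of the zone and the two A records, then resolves the names from the client it runs on to confirm the private address comes back. It uses dnscmd.exe, which is on Windows Server 2003 and 2008 DNS servers of the Exchange 2007 era; the zone abc.com, the DNS server DC01, the address 10.0.0.25 and the hostnames are assumptions. Run it as a DNS administrator.

```powershell
# Added example, not code from the original thread. Gives the public Exchange
# hostnames an internal answer (the server's private IP) by creating an internal
# copy of the public zone on an AD-integrated DNS server, then checks resolution
# from this client. Uses dnscmd.exe, present on Server 2003/2008 DNS servers.
# Run as a DNS administrator. abc.com, DC01 and 10.0.0.25 are placeholders.

$Zone       = "abc.com"
$DnsServer  = "DC01"
$ExchangeIp = "10.0.0.25"
$Hosts      = @("webmail", "autodiscover")

# Create the zone only if the server does not already host it
$existing = & dnscmd $DnsServer /EnumZones
if (-not ($existing -match ("^\s*" + [regex]::Escape($Zone) + "\s"))) {
    & dnscmd $DnsServer /ZoneAdd $Zone /DsPrimary
}

# A records for the names Outlook will use; they must point at the private IP,
# not at the firewall's public address the Internet sees
foreach ($h in $Hosts) {
    & dnscmd $DnsServer /RecordAdd $Zone $h A $ExchangeIp
}

# Verify from this client: each name should now answer with $ExchangeIp
& ipconfig /flushdns > $null
foreach ($h in $Hosts) {
    $fqdn = "$h.$Zone"
    $ips  = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    $mark = if ($ips -contains $ExchangeIp) { "OK  " } else { "FAIL" }
    "$mark $fqdn -> $($ips -join ', ')"
}
```

One caveat a practitioner should weigh before running this: an internal primary zone for abc.com makes the internal DNS servers authoritative for all of abc.com, so every public record internal clients need (www, any MX or TXT records they query, and so on) has to be re-created inside or it stops resolving. If that is more than you want to maintain, the narrower alternative is one "pinpoint" zone per hostname, that is a zone named webmail.abc.com whose only record is an A record at the zone apex ("@"); the rest of abc.com then keeps resolving through your forwarders. The rest of the script is unchanged apart from the zone name and the record name.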
 

Author Comment

by:BSModlin
ID: 39907020
Ok, I went through the URLs and have a question:

In the examples it refers to HUB1 and HUB2... That is because they have 2 exchange servers?

Can you please send me a list of the total amount of URLs that need to be changed if I have 1 exchange server and what they are?

I have identified these:

Set-ClientAccessServer -Identity hub1 -AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory -Identity "exchange\oab (default web site)"
set-UMVirtualDirectory -Identity "exchange\UnifiedMessaging (Default Web Site)"
set-WebservicesVirtualDirectory -Identity "exchange\EWS (default web site)"

Are there more?

Sorry for all the questions...
 

Expert Comment

by:-MAS
ID: 39909126
No need for Unified Messaging if you are not using UM. The other three are enough.

Did you create "externaldomain.com" in your internal DNS server?
If yes, did you create the A record "Autodiscover.externaldomain.com" in the new zone?