Exchange 2007 SSL and .LOCAL Domain Name Issue

I currently have an Exchange 2007 server.  I was using a UCC SSL cert from GoDaddy.  I had it configured as such:
autodiscover.abc.com
autodiscover.xyz.com
webmail.abc.com
webmail.xyz.com
autodiscover.ABC.LOCAL
mailserver.ABC.LOCAL

The certificate expired and I generated a NEW CSR to renew the Cert.  I purchased a 3 year renewal and when I pasted the CSR info in the box it returned an error stating you can NO LONGER have any .LOCAL names in the certificate.  This is apparently a new regulation.

My question is with all that being said... how do you issue a certificate for your FQDNs AND stop that pesky security box from popping up when internal users launch Outlook?
BSModlinAsked:
becraigCommented:
The solution here would be to configure your internal urls to reflect your external urls.
    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.
http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
0

becraigCommented:
More detailed info on this issue:
http://support.microsoft.com/kb/940726
I guess this restriction on SANs for domains you cannot prove ownership of will be a huge issue for all of us who were advised to design our AD architecture with a .local tld.
0
MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
Check the accepted solution in this.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27630546.html
I have attached a txt file on how to configure external name to use internally in that question. You can completely remove your internal FQDNs from your certificate.

Note: I hope you have the externaldomainname.com zone created in your internal DNS server.
If not, please create one zone, externaldomain.com, and create an A record autodiscover.externaldomain.com which points to the Exchange server.
0
BSModlinAuthor Commented:
Ok, so if I do the following:

"The solution here would be to configure your internal urls to reflect your external urls.
    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

    Open IIS Manager by clicking Start, then enter inetmgr.
    Expand the server and expand Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle."

My question is will my Outlook users need to change anything?  Server name?
0
BSModlinAuthor Commented:
Also.... I found this on the digicert link above:

"Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems."

Does this mean that existing Outlook Anywhere users will stop working?
0
MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
The only difference is that users will use the external names even within the network.

I have configured this for a customer and so far there have been no issues, even with Outlook Anywhere clients and MAPI clients.

You have to run the commands from the Exchange Management Shell.
0
BSModlinAuthor Commented:
Ok.... Do you have a good walk thru link to send me?
0
MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
First of all
Do you have "externaldomain.com" in your internal DNS server?
Did you configure as per the text in link above?

-->Do you have a good walk thru link to send me?
I am not clear on this.
You need guide to configure the above steps?

Please make me clear
0
BSModlinAuthor Commented:
Sorry... Lots of information above. Which link are you referring to?
0
MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
0
BSModlinAuthor Commented:
What I see in the attachment is Exchange Shell instructions.

What specific DNS modifications do I need to make?
0
becraigCommented:
Ok, so I think I outlined the steps earlier for changing the URLs; as for DNS, it depends on how your internal configuration is set.

If you already resolve externally (i.e. DNS forwarding for your domain.com zone) and all your clients are able to reach the public internet, then there is nothing to be done.

However, if you resolve your .com domain internally and want to point to the internal IPs, you need to ensure the host entries match the internal IPs.
0
BSModlinAuthor Commented:
Ok, I went through the URLs and have a question:

In the examples it refers to HUB1 and HUB2... That is because they have 2 exchange servers?

Can you please send me a list of the total amount of URLs that need to be changed if I have 1 exchange server and what they are?

I have identified these:

Set-ClientAccessServer -Identity hub1 -AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory -Identity "exchange\oab (default web site)"
set-UMVirtualDirectory -Identity "exchange\UnifiedMessaging (Default Web Site)"
set-WebservicesVirtualDirectory -Identity "exchange\EWS (default web site)"

Are there more?

Sorry for all the questions...
0
MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
No need for Unified Messaging if you are not using UM. The other three are enough.

Did you create "externaldomain.com" in your internal DNS server?
If yes:
Did you create the A record "Autodiscover.externaldomain.com" in the new zone?
0
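Putting the thread's advice together for a single-server deployment, as an added example that is not from any participant in this thread: the three Exchange Management Shell commands that point the internal URLs at the public name, the Get-* checks to confirm they took, and the split-DNS zone and A records on the internal Windows DNS server. CAS01, externaldomain.com, mail.externaldomain.com and 10.0.0.25 are placeholder values for the example.

```powershell
# Part 1: run in the Exchange Management Shell on the single CAS (placeholder: CAS01).
# After this, Outlook and Autodiscover inside the LAN are handed a name that is on the
# public UCC certificate, so the .LOCAL names no longer need to be in the cert.
$Server       = "CAS01"                     # placeholder Exchange server name
$ExternalFqdn = "mail.externaldomain.com"   # placeholder public name on the cert

Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$ExternalFqdn/autodiscover/autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$ExternalFqdn/ews/exchange.asmx"

Set-OabVirtualDirectory -Identity "$Server\oab (Default Web Site)" `
    -InternalUrl "https://$ExternalFqdn/oab"

# Verify: every InternalUrl should now carry the public name, not the .LOCAL host name.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# Part 2: run on the internal Windows DNS server (dnscmd ships with the DNS role).
# Create the split-DNS zone for the public domain and point the names used above at
# the Exchange server's internal address (placeholder: 10.0.0.25).
dnscmd /ZoneAdd externaldomain.com /DsPrimary
dnscmd /RecordAdd externaldomain.com mail A 10.0.0.25
dnscmd /RecordAdd externaldomain.com autodiscover A 10.0.0.25

# Verify from a domain workstation: both names must resolve to the internal address.
nslookup mail.externaldomain.com
nslookup autodiscover.externaldomain.com
```

Once the internal server hosts the whole externaldomain.com zone it is authoritative for it, so any other public host in that domain that internal users need (for example www) must be added to the internal zone as well, or it will stop resolving inside the LAN.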