Solved

New Exchange Certificate Exchange 2010 & Which Exchange server is sending/receiving mail.

Posted on 2014-03-26
24
725 Views
Last Modified: 2014-03-29
I just purchased a Standard UCC SSL (up to 5) certificate from Godaddy.  I currently have an SSL Certificate installed on an Exchange 2003 server.  I've installed a new Exchange 2010 server, and have them coexisting for the time being.  I have not moved the mailboxes over yet, but will soon.

I want to get the SSL certificate setup and ready on the Exchange 2010 server, and when I initiated the New Exchange Certificate, I selected all items on Exchange Configuration (Share, Outlook WebApp, Exchange ActiveSync, Web Services, OWA, and Autodiscover, POP/IMAP, Hub Transport, and Legacy).  I omitted Unified Messaging.

Anyway, when pasting the CSR I see 7 subject names when there is a limit of 5 as per the certificate that was purchased.  Please note our AD domain uses .local.

I need to enable secure communications for OWA and ActiveSync.

I am not sure if I need Outlook Web App, Hub Transport Server, or Legacy Exchange Server.  I do not believe we use POP/IMAP, so they can be excluded if necessary.  

I contacted Godaddy support about this, and they suggested upgrading the cert to one that supports 8 names.  They also suggested I use the following article to reconfigure MS Exchange to use a FQDN.

http://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

I need to know which exchange configuration options to select when generating the CSR as described above, and then know if I should follow the steps defined in the above link to reconfigure Exchange to use FQDN.

I would like to get this certificate installed on the new Exchange 2010 server, move all the mailboxes, ensure all public folders replicate, and decommission the Exchange 2003 server.

I also had a question as to how to tell whether the new Exchange 2010 server can send and receive mail without the existing Exchange 2010 server.  I can't tell which server actually receives/sends mail.  As of this morning I was able to resolve a troubling issue with the routing group connector/SMTP virtual server that would not allow mail from Exchange 2003 to a test user's mailbox on the Exchange 2010 server.  So, I am curious to know how I can force mail to be sent and received on the Exchange 2010 server once all the mailboxes are moved to it.  

Thank you for any feedback.  I included a screenshot for a quick review.
Question by:cmp119
24 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39956890
You only need 2 names - mail.domain.com (or whatever you want to use) and autodiscover.domain.com.

Anything else is no longer necessary unless you have other requirements for the SSL certificate.

Author Comment

by:cmp119
ID: 39956926
So when I create the CSR the only Exchange Configuration options I need to select are the second option Exchange ActiveSync and the third one Web Services, Outlook Anywhere, and Autodiscover?  

What about following the procedures Godaddy support sent me:

http://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

Or can I simply continue processing the existing CSR  and remove all the .local references along with legacy.domain.com and anywhere.domain.com?
SSL-Cert-Names.jpg
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39956934
You can select the majority of the options but just choose the names you want to use.

mail. for everything except autodiscover and autodiscover. for the autodiscover part.
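The request Alan describes, as an added example that is not part of the thread: an Exchange 2010 Management Shell script that generates a CSR carrying only the two names he recommends, then imports and binds the issued certificate. The host names, the organisation details in the subject and the file paths are placeholders.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010
# Management Shell. mail.domain.com, autodiscover.domain.com, the subject
# details and the C:\certreq paths are placeholders.
$Names   = 'mail.domain.com', 'autodiscover.domain.com'
$Subject = "CN=$($Names[0]), O=Example Org, L=City, S=State, C=US"

# 1. Generate the request. -DomainName becomes the Subject Alternative Name
#    list, which is what a UCC certificate's name limit counts against, so
#    only names that are public DNS names belong here (never the .local AD name).
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $Subject `
    -DomainName $Names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 UCC'
Set-Content -Path 'C:\certreq\mail.domain.com.req' -Value $req

# 2. Once the CA returns the certificate, import the file it issued and
#    enable it for the web (IIS) and SMTP services on this server.
$bytes = Get-Content -Path 'C:\certreq\mail.domain.com.cer' -Encoding Byte -ReadCount 0
$cert  = Import-ExchangeCertificate -FileData ([byte[]]$bytes)
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Confirm what is now bound to IIS and which names it covers. Every name
#    clients will type (OWA, ActiveSync, Autodiscover) must appear in
#    CertificateDomains, or they will get a certificate name mismatch.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, Services, NotAfter, CertificateDomains
```

Step 1 is all that is needed to paste into the CA's order form; steps 2 and 3 run after the certificate arrives. The `.local` names the wizard offered are deliberately absent from `$Names`, which is why the internal URLs then have to be repointed at the public name.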

Author Comment

by:cmp119
ID: 39956951
Okay, what about the .local ones?  Do I follow the steps in the article Godaddy suggested, or is it not necessary?

I will most likely use the following names then:

mail.domain.com
autodiscover.domain.com
anywhere.domain.com
legacy.domain.com

meaning the remaining three .local ones will be removed.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39956954
Ignore those - .local won't be accepted past Nov 2015.  You can point the internal URLs to the external FQDN to match the SSL cert name.

Not sure about the article - I'll check in a sec.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39956977
Use the article after installing the certificate, or just amend then copy / paste the following into the Exchange Management Shell:

Set-AutodiscoverVirtualDirectory -Identity * -internalurl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-webservicesvirtualdirectory -Identity * -internalurl "https://mail.domain.com/EWS/Exchange.asmx"
Set-oabvirtualdirectory -Identity * -internalurl "https://mail.domain.com/oab"
Set-owavirtualdirectory -Identity * -internalurl "https://mail.domain.com/owa"
Set-ecpvirtualdirectory -Identity * -internalurl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"
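The same repointing, as an added example that is not Alan's code or Microsoft's: it sets both the internal and external URLs to the certificate name, scopes the change to one server so the coexisting 2003 box is not touched, and then checks every URL and the Autodiscover SCP against the names on the certificate bound to IIS. `$Fqdn` is a placeholder for the name on the certificate; `$Server` defaults to the local machine.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010
# Management Shell on the new server. $Fqdn is a placeholder for the
# certificate name; $Server defaults to the machine the shell runs on.
$Fqdn   = 'mail.domain.com'
$Server = $env:COMPUTERNAME
$Base   = "https://$Fqdn"

# Point internal and external URLs at the one name the certificate covers.
# Piping from Get-* -Server instead of using -Identity * limits the change
# to this server while 2003 and 2010 coexist.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-AutodiscoverVirtualDirectory -Server $Server |
    Set-AutodiscoverVirtualDirectory -InternalUrl "$Base/Autodiscover/Autodiscover.xml"
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Verification: gather every URL just set plus the Autodiscover SCP and
# compare them with the names on the certificate that IIS presents.
$urls = @(
    Get-OwaVirtualDirectory          -Server $Server
    Get-EcpVirtualDirectory          -Server $Server
    Get-WebServicesVirtualDirectory  -Server $Server
    Get-OabVirtualDirectory          -Server $Server
    Get-ActiveSyncVirtualDirectory   -Server $Server
    Get-AutodiscoverVirtualDirectory -Server $Server
) | Select-Object Name, InternalUrl, ExternalUrl
$scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri

$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() }
"Names on the IIS certificate: $($certNames -join ', ')"
if ($certNames -notcontains $Fqdn) {
    Write-Warning "$Fqdn is not on the certificate bound to IIS; clients will get a name mismatch."
}

$urls | Format-Table -AutoSize
"Autodiscover SCP: $scp"

# Any URL still carrying the AD name cannot be covered by a public-CA
# certificate, so it is flagged here for correction.
$urls | Where-Object { "$($_.InternalUrl) $($_.ExternalUrl)" -match '\.local' } |
    ForEach-Object { Write-Warning "$($_.Name) still references a .local name" }
if ("$scp" -match '\.local') { Write-Warning "Autodiscover SCP still references a .local name" }
```

After the script reports no warnings, run `iisreset` so the new URLs are served. The external URLs are set here as well as the internal ones because Outlook Anywhere and ActiveSync clients read them from Autodiscover, and a blank or stale ExternalUrl is a common reason external clients keep using the wrong host name.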

Author Comment

by:cmp119
ID: 39963937
I initiated all the above commands individually modifying the mail.domain.com with mail.rcsch13.com, and they all completed successfully.  All mailboxes now reside on the Exchange 2010 server.  

OWA works fine internally, in that https://ajax.ch13.local/owa works fine.

However, from an external location, https://mail.rcsch13.com/owa changes to https://ajax.ch13.local/owa and indicates page not found.  

https://mail.rcsch13.com/exchange indicates page not found as well.  

I tried recycling IIS on the Exchange 2010 server, but no joy.

Still looking for a solution!
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39964110
What do you get from the following EMS command?

get-owavirtualdirectory | fl externalurl

Alan

Author Comment

by:cmp119
ID: 39964143
[PS] C:\Windows\system32>get-owavirtualdirectory | fl externalurl


ExternalUrl : https://mail.rcsch13.com/owa
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39964294
Hmmm - that's correct.

Can you run the reset virtual directory wizard and select the OWA virtual directory please.

Exchange Management Console> Server Configuration> Client Access

Then run iisreset and test again.

Alan

Author Comment

by:cmp119
ID: 39964303
Okay hold on.  Thanks.

Author Comment

by:cmp119
ID: 39964311
I selected it, and the Microsoft Management Console is scrolling along.  Not sure how long this should take, but I would think it ought to run fast.

Author Comment

by:cmp119
ID: 39964314
Unable to end the task.  When I selected Reset Virtual Directory, an error with the MMC was displayed, and then the MMC shows a scrolling green bar, but it does not appear to be doing anything since it's been doing that for over 10 minutes now.

Author Comment

by:cmp119
ID: 39964324
I was able to end the task, but when I run Reset Virtual Directory there is an MMC snap-in error that appears briefly, and the same green scrolling bar scrolls along.

I decided to use the command line instead.  I completed the following steps:

[PS] C:\Windows\system32>Remove-OwaVirtualDirectory -Identity 'ajax\owa (Default Web Site)''
>>
[PS] C:\Windows\system32>Remove-OwaVirtualDirectory -Identity 'ajax\owa (Default Web Site)'

Confirm
Are you sure you want to perform this action?
Outlook Web App virtual directory "ajax\owa (Default Web Site)" is being removed.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y
[PS] C:\Windows\system32>New-OwaVirtualDirectory -InternalUrl 'https://ajax.ch13.local/owa' -WebSiteName 'Default Web Site'

Name                                    Server                                  OwaVersion
----                                    ------                                  ----------
owa (Default Web Site)                  AJAX                                    Exchange2010

Author Comment

by:cmp119
ID: 39964327
I ran iisreset /noforce, and I received "the service did not respond to the start or control request in a timely fashion".  I waited for the WWW service to completely stop and then I started it.

When I go https://mail.rcsch13.com/owa, I receive the following error:

The page cannot be found

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Please try the following:

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 404.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Web Site Setup, Common Administrative Tasks, and About Custom Error Messages.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39964350
Where is port 443 pointing to at the moment on your firewall?

It won't find the /owa page if it is pointing to the Exchange 2003 server.

Alan

Author Comment

by:cmp119
ID: 39964360
I have one inbound firewall rule for both Exchange servers that passes traffic on ports 25, 80, and 443.  So the Exchange 2003 server is 172.16.2.6, and the Exchange 2010 server is 172.16.2.7.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39964366
Do you have multiple Public IP's?

Author Comment

by:cmp119
ID: 39964369
No, just one.

Author Comment

by:cmp119
ID: 39964371
What is weird is when I type https://mail.rcsch13.com/owa it changes it to https://ajax.ch13.local/owa.

Author Comment

by:cmp119
ID: 39964374
From within the local network I receive the same error HTTP Error 404 - File or directory not found when entering https://mail.rcsch13.com/owa.  Entering https://ajax/owa works fine.

Author Comment

by:cmp119
ID: 39964375
One more thing, the Godaddy.com certificate info is as follows:

We have received a Certificate Signing Request for the following mail.rcsch13.com domain(s) :

anywhere.rcsch13.com
autodiscover.rcsch13.com
mail.rcsch13.com
LVL 76

Accepted Solution

by:Alan Hardisty (earned 500 total points)
ID: 39964379
If you only have one Public IP Address, you can't forward the same port to multiple internal IP's - you would need a 2nd Public IP Address to be able to do that.

I would just simply move all the mailboxes from the 2003 server to the 2010 server and then change the port forwarding to the 2010 server on the firewall and that should be sufficient.

Alan
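A way to see for yourself which server the single public IP actually delivers to, and also which host accepts inbound mail (the question raised in the original post): an added example, not code from the thread, that connects to the public name on ports 25 and 443 and reports the SMTP greeting and the certificate the HTTPS listener presents. Run it from outside the network (or inside, for comparison). `mail.example.com` is a placeholder.

```powershell
# Added example, not code from the thread. Works from any Windows machine
# with .NET; $Name is a placeholder for the public host name being tested.
function Get-ServiceIdentity {
    param(
        [string]$Name = 'mail.example.com',
        [int]$TimeoutMs = 5000
    )
    $r = @{ Name = $Name; SmtpBanner = $null; TlsSubject = $null
            TlsIssuer = $null; TlsNotAfter = $null; TlsSanList = $null }

    # Port 25: the 220 greeting names the host that accepted the connection,
    # i.e. the server the firewall hands inbound mail to.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Name, 25)
        $tcp.ReceiveTimeout = $TimeoutMs
        $stream = $tcp.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $r.SmtpBanner = $reader.ReadLine()
        $writer.WriteLine('QUIT'); $writer.Flush()
        $tcp.Close()
    } catch { $r.SmtpBanner = "error: $($_.Exception.Message)" }

    # Port 443: the certificate presented identifies which server answers.
    # The validation callback returns $true only so that an untrusted or
    # mismatched certificate is still captured for inspection; this is a
    # diagnostic, never a setting for real clients.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Name, 443)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsSubject  = $cert.Subject
        $r.TlsIssuer   = $cert.Issuer
        $r.TlsNotAfter = $cert.NotAfter
        # OID 2.5.29.17 is the Subject Alternative Name extension, where a
        # UCC certificate keeps its extra names.
        $r.TlsSanList  = ($cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join '; '
        $ssl.Close(); $tcp.Close()
    } catch { $r.TlsSubject = "error: $($_.Exception.Message)" }

    New-Object PSObject -Property $r |
        Select-Object Name, SmtpBanner, TlsSubject, TlsIssuer, TlsNotAfter, TlsSanList
}

Get-ServiceIdentity -Name 'mail.example.com' | Format-List
```

Compare TlsSubject and TlsSanList with the `Get-ExchangeCertificate` output on the 2010 server: if the names or issuer differ, port 443 is reaching the other box, which is the 404 symptom in this thread. The host name in the SMTP banner shows which server receives mail; for outbound mail, the counterpart check on the 2010 server is `Get-SendConnector | Format-List Name, SourceTransportServers`.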

Author Closing Comment

by:cmp119
ID: 39964411
Definitely a firewall issue.  Removed the old Exchange server and replaced it with the new Exchange server, and now OWA works.