• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1309
  • Last Modified:

Exchange 2013 .local internal vs. public domain name SSL cert

Hello all,

After checking and verifying pretty much every solution to the now well known public domain name SSL cert vs. internal .local domain name problem, I'm stumped to find a fix for my client's EX2013 environment.

1. Bought and installed SSL Plus cert from digicert.com: mail.domain.com
2. Internal AD domain was previously configured as domain.local
3. Internal EX2013 server (W2K12R2) host name is ex01.domain.local
4. Changed IIS bindings for Default Site from self-signed cert to the digicert.com cert for 443 * All Unassigned
5. Added DNS zone on DC (W2K12R2) of domain.com (and reverse lookup zone to match)
6. Added host A record of 'mail' to new domain.com zone pointing to internal IP of ex01.domain.local
7. Added host A record of 'autodiscover' to new domain.com zone pointing to internal IP of ex01.domain.local
8. Ran digicert.com's Internal Name Change Tool which basically just runs the following EMS commands and then recycles the app pools:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
-InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
-InternalUrl https://mail.domain.com/oab

9. Verified above using the corresponding Get commands in EMS.
10. Verified mail.domain.com cert is valid and assigned to IMAP, POP, IIS, SMTP services in EX2013 EAC.
11. Restarted the EX2013 server just to be safe.
12. Fired up Outlook on a workstation, got the same 'There is a problem with the proxy server's security certificate. The name of the security certificate is invalid or does not match the name of the target site ex01.domain.local'.

After this I verified Outlook can still sending emails internally to other mailboxes on the same EX2013 server.

So how do I get rid of this error message everytime we start Outlook?

Thanks!
0
tspreston
Asked:
tspreston
  • 4
  • 4
1 Solution
 
Gareth GudgerCommented:
Check out my article here. It doesn't look like it changed all the URLs.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
 
tsprestonAuthor Commented:
Thanks for the reply Gareth.

Actually I saw your Ex2010 article and surmised from the updated post you supplied there may be a couple other directories that might need to be changed. I'll revisit this in the morning and report back.
0
 
tsprestonAuthor Commented:
There were a few things different I found in config. The Powershell vdirectory still needed to be changed, along with the Outlook Anywhere external host name. I changed those and tried again but still the same error when I open an Outlook client on a LAN PC.

Then I noticed the CA signed cert itself - it is a single name cert (not a SAN UCC), with just the mail.domain.com name included. Is it the fact that the autodiscover.domain.com and the root domain.com names are not included that Outlook is complaining?

Please confirm and I'll spend another $300 to get the proper SAN cert from Digicert.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Gareth GudgerCommented:
Definitely. It is possible to do it with a single name certificate. As long as your external DNS provider supports SRV records. I typically recommend a UC / SAN certificate but they are more expensive.

Not sure who you have now for SSL certs, but I personally recommend Digicert for compatibility with any number of client devices.
http://supertekboy.com/certificates-for-microsoft-exchange/
0
 
tsprestonAuthor Commented:
Thanks Gareth.

I have my new Digicert UC cert for mail.domain.com installed in Exchange. It also has autodiscover.domain.com and the root domain.com in the cert. However when I'm assigning services SMTP, POP, IMAP and IIS I get a prompt to overwrite the existing default SMTP certificate which makes me nervous as it was not included in your post's steps.

Is it ok to overwrite the default SMTP self-signed cert that was installed when Exchange was originally set up?

Thanks
Tim
0
 
Gareth GudgerCommented:
It is. You only need to assign it to SMTP if you plan to do encrypted email with someone else. If not, it doesn't matter. IIS is the critical one to assign to the cert.
0
 
tsprestonAuthor Commented:
Awesome, looks like the UC cert did the trick. I opened and closed OL a number of times on a PC and tested sending and receiving internal mail. The error has gone.

Your guide is a great resource. I'll be sending it out to my associates. They will be sure to find it useful, as many have clients in the same .local situation.

Thanks again!
0
 
Gareth GudgerCommented:
Glad to help!
0
 
CFB_SurfgoddessIT ManagerCommented:
Here is an additional problem that I experienced.  Since the clients were set to cache the autodiscover, after I corrected the .local problem I got security warnings on the clients outlook.  I had to basically turn auto discover caching off.

Here is how:

https://support.microsoft.com/en-us/kb/3073002
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now