Solved

Exchange 2013 .local internal vs. public domain name SSL cert

Posted on 2014-10-22
9
892 Views
Last Modified: 2015-10-13
Hello all,

After checking and verifying pretty much every solution to the now well known public domain name SSL cert vs. internal .local domain name problem, I'm stumped to find a fix for my client's EX2013 environment.

1. Bought and installed SSL Plus cert from digicert.com: mail.domain.com
2. Internal AD domain was previously configured as domain.local
3. Internal EX2013 server (W2K12R2) host name is ex01.domain.local
4. Changed IIS bindings for Default Site from self-signed cert to the digicert.com cert for 443 * All Unassigned
5. Added DNS zone on DC (W2K12R2) of domain.com (and reverse lookup zone to match)
6. Added host A record of 'mail' to new domain.com zone pointing to internal IP of ex01.domain.local
7. Added host A record of 'autodiscover' to new domain.com zone pointing to internal IP of ex01.domain.local
8. Ran digicert.com's Internal Name Change Tool which basically just runs the following EMS commands and then recycles the app pools:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
-InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
-InternalUrl https://mail.domain.com/oab

9. Verified above using the corresponding Get commands in EMS.
10. Verified mail.domain.com cert is valid and assigned to IMAP, POP, IIS, SMTP services in EX2013 EAC.
11. Restarted the EX2013 server just to be safe.
12. Fired up Outlook on a workstation, got the same 'There is a problem with the proxy server's security certificate. The name of the security certificate is invalid or does not match the name of the target site ex01.domain.local'.

After this I verified Outlook can still sending emails internally to other mailboxes on the same EX2013 server.

So how do I get rid of this error message everytime we start Outlook?

Thanks!
0
Comment
Question by:tspreston
  • 4
  • 4
9 Comments
 
LVL 30

Expert Comment

by:Gareth Gudger
Comment Utility
Check out my article here. It doesn't look like it changed all the URLs.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
 

Author Comment

by:tspreston
Comment Utility
Thanks for the reply Gareth.

Actually I saw your Ex2010 article and surmised from the updated post you supplied there may be a couple other directories that might need to be changed. I'll revisit this in the morning and report back.
0
 

Author Comment

by:tspreston
Comment Utility
There were a few things different I found in config. The Powershell vdirectory still needed to be changed, along with the Outlook Anywhere external host name. I changed those and tried again but still the same error when I open an Outlook client on a LAN PC.

Then I noticed the CA signed cert itself - it is a single name cert (not a SAN UCC), with just the mail.domain.com name included. Is it the fact that the autodiscover.domain.com and the root domain.com names are not included that Outlook is complaining?

Please confirm and I'll spend another $300 to get the proper SAN cert from Digicert.
0
 
LVL 30

Accepted Solution

by:
Gareth Gudger earned 500 total points
Comment Utility
Definitely. It is possible to do it with a single name certificate. As long as your external DNS provider supports SRV records. I typically recommend a UC / SAN certificate but they are more expensive.

Not sure who you have now for SSL certs, but I personally recommend Digicert for compatibility with any number of client devices.
http://supertekboy.com/certificates-for-microsoft-exchange/
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:tspreston
Comment Utility
Thanks Gareth.

I have my new Digicert UC cert for mail.domain.com installed in Exchange. It also has autodiscover.domain.com and the root domain.com in the cert. However when I'm assigning services SMTP, POP, IMAP and IIS I get a prompt to overwrite the existing default SMTP certificate which makes me nervous as it was not included in your post's steps.

Is it ok to overwrite the default SMTP self-signed cert that was installed when Exchange was originally set up?

Thanks
Tim
0
 
LVL 30

Expert Comment

by:Gareth Gudger
Comment Utility
It is. You only need to assign it to SMTP if you plan to do encrypted email with someone else. If not, it doesn't matter. IIS is the critical one to assign to the cert.
0
 

Author Comment

by:tspreston
Comment Utility
Awesome, looks like the UC cert did the trick. I opened and closed OL a number of times on a PC and tested sending and receiving internal mail. The error has gone.

Your guide is a great resource. I'll be sending it out to my associates. They will be sure to find it useful, as many have clients in the same .local situation.

Thanks again!
0
 
LVL 30

Expert Comment

by:Gareth Gudger
Comment Utility
Glad to help!
0
 
LVL 1

Expert Comment

by:CFB_Surfgoddess
Comment Utility
Here is an additional problem that I experienced.  Since the clients were set to cache the autodiscover, after I corrected the .local problem I got security warnings on the clients outlook.  I had to basically turn auto discover caching off.

Here is how:

https://support.microsoft.com/en-us/kb/3073002
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Synchronize a new Active Directory domain with an existing Office 365 tenant
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now