Solved

Exchange 2013 .local internal vs. public domain name SSL cert

Posted on 2014-10-22
9
982 Views
Last Modified: 2015-10-13
Hello all,

After checking and verifying pretty much every solution to the now well known public domain name SSL cert vs. internal .local domain name problem, I'm stumped to find a fix for my client's EX2013 environment.

1. Bought and installed SSL Plus cert from digicert.com: mail.domain.com
2. Internal AD domain was previously configured as domain.local
3. Internal EX2013 server (W2K12R2) host name is ex01.domain.local
4. Changed IIS bindings for Default Site from self-signed cert to the digicert.com cert for 443 * All Unassigned
5. Added DNS zone on DC (W2K12R2) of domain.com (and reverse lookup zone to match)
6. Added host A record of 'mail' to new domain.com zone pointing to internal IP of ex01.domain.local
7. Added host A record of 'autodiscover' to new domain.com zone pointing to internal IP of ex01.domain.local
8. Ran digicert.com's Internal Name Change Tool which basically just runs the following EMS commands and then recycles the app pools:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
-InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
-InternalUrl https://mail.domain.com/oab

9. Verified above using the corresponding Get commands in EMS.
10. Verified mail.domain.com cert is valid and assigned to IMAP, POP, IIS, SMTP services in EX2013 EAC.
11. Restarted the EX2013 server just to be safe.
12. Fired up Outlook on a workstation, got the same 'There is a problem with the proxy server's security certificate. The name of the security certificate is invalid or does not match the name of the target site ex01.domain.local'.

After this I verified Outlook can still sending emails internally to other mailboxes on the same EX2013 server.

So how do I get rid of this error message everytime we start Outlook?

Thanks!
0
Comment
Question by:tspreston
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40398545
Check out my article here. It doesn't look like it changed all the URLs.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
 

Author Comment

by:tspreston
ID: 40398558
Thanks for the reply Gareth.

Actually I saw your Ex2010 article and surmised from the updated post you supplied there may be a couple other directories that might need to be changed. I'll revisit this in the morning and report back.
0
 

Author Comment

by:tspreston
ID: 40399158
There were a few things different I found in config. The Powershell vdirectory still needed to be changed, along with the Outlook Anywhere external host name. I changed those and tried again but still the same error when I open an Outlook client on a LAN PC.

Then I noticed the CA signed cert itself - it is a single name cert (not a SAN UCC), with just the mail.domain.com name included. Is it the fact that the autodiscover.domain.com and the root domain.com names are not included that Outlook is complaining?

Please confirm and I'll spend another $300 to get the proper SAN cert from Digicert.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40399249
Definitely. It is possible to do it with a single name certificate. As long as your external DNS provider supports SRV records. I typically recommend a UC / SAN certificate but they are more expensive.

Not sure who you have now for SSL certs, but I personally recommend Digicert for compatibility with any number of client devices.
http://supertekboy.com/certificates-for-microsoft-exchange/
0
 

Author Comment

by:tspreston
ID: 40399355
Thanks Gareth.

I have my new Digicert UC cert for mail.domain.com installed in Exchange. It also has autodiscover.domain.com and the root domain.com in the cert. However when I'm assigning services SMTP, POP, IMAP and IIS I get a prompt to overwrite the existing default SMTP certificate which makes me nervous as it was not included in your post's steps.

Is it ok to overwrite the default SMTP self-signed cert that was installed when Exchange was originally set up?

Thanks
Tim
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40399489
It is. You only need to assign it to SMTP if you plan to do encrypted email with someone else. If not, it doesn't matter. IIS is the critical one to assign to the cert.
0
 

Author Comment

by:tspreston
ID: 40399602
Awesome, looks like the UC cert did the trick. I opened and closed OL a number of times on a PC and tested sending and receiving internal mail. The error has gone.

Your guide is a great resource. I'll be sending it out to my associates. They will be sure to find it useful, as many have clients in the same .local situation.

Thanks again!
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40400074
Glad to help!
0
 
LVL 1

Expert Comment

by:CFB_Surfgoddess
ID: 41038340
Here is an additional problem that I experienced.  Since the clients were set to cache the autodiscover, after I corrected the .local problem I got security warnings on the clients outlook.  I had to basically turn auto discover caching off.

Here is how:

https://support.microsoft.com/en-us/kb/3073002
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question