Exchange 2013 .local internal vs. public domain name SSL cert

Hello all,

After checking and verifying pretty much every solution to the now well known public domain name SSL cert vs. internal .local domain name problem, I'm stumped to find a fix for my client's EX2013 environment.

1. Bought and installed SSL Plus cert from digicert.com: mail.domain.com
2. Internal AD domain was previously configured as domain.local
3. Internal EX2013 server (W2K12R2) host name is ex01.domain.local
4. Changed IIS bindings for Default Site from self-signed cert to the digicert.com cert for 443 * All Unassigned
5. Added DNS zone on DC (W2K12R2) of domain.com (and reverse lookup zone to match)
6. Added host A record of 'mail' to new domain.com zone pointing to internal IP of ex01.domain.local
7. Added host A record of 'autodiscover' to new domain.com zone pointing to internal IP of ex01.domain.local
8. Ran digicert.com's Internal Name Change Tool which basically just runs the following EMS commands and then recycles the app pools:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
-InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
-InternalUrl https://mail.domain.com/oab

9. Verified above using the corresponding Get commands in EMS.
10. Verified mail.domain.com cert is valid and assigned to IMAP, POP, IIS, SMTP services in EX2013 EAC.
11. Restarted the EX2013 server just to be safe.
12. Fired up Outlook on a workstation, got the same 'There is a problem with the proxy server's security certificate. The name of the security certificate is invalid or does not match the name of the target site ex01.domain.local'.

After this I verified Outlook can still sending emails internally to other mailboxes on the same EX2013 server.

So how do I get rid of this error message everytime we start Outlook?

Thanks!
tsprestonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gareth GudgerCommented:
Check out my article here. It doesn't look like it changed all the URLs.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
tsprestonAuthor Commented:
Thanks for the reply Gareth.

Actually I saw your Ex2010 article and surmised from the updated post you supplied there may be a couple other directories that might need to be changed. I'll revisit this in the morning and report back.
0
tsprestonAuthor Commented:
There were a few things different I found in config. The Powershell vdirectory still needed to be changed, along with the Outlook Anywhere external host name. I changed those and tried again but still the same error when I open an Outlook client on a LAN PC.

Then I noticed the CA signed cert itself - it is a single name cert (not a SAN UCC), with just the mail.domain.com name included. Is it the fact that the autodiscover.domain.com and the root domain.com names are not included that Outlook is complaining?

Please confirm and I'll spend another $300 to get the proper SAN cert from Digicert.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Gareth GudgerCommented:
Definitely. It is possible to do it with a single name certificate. As long as your external DNS provider supports SRV records. I typically recommend a UC / SAN certificate but they are more expensive.

Not sure who you have now for SSL certs, but I personally recommend Digicert for compatibility with any number of client devices.
http://supertekboy.com/certificates-for-microsoft-exchange/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tsprestonAuthor Commented:
Thanks Gareth.

I have my new Digicert UC cert for mail.domain.com installed in Exchange. It also has autodiscover.domain.com and the root domain.com in the cert. However when I'm assigning services SMTP, POP, IMAP and IIS I get a prompt to overwrite the existing default SMTP certificate which makes me nervous as it was not included in your post's steps.

Is it ok to overwrite the default SMTP self-signed cert that was installed when Exchange was originally set up?

Thanks
Tim
0
Gareth GudgerCommented:
It is. You only need to assign it to SMTP if you plan to do encrypted email with someone else. If not, it doesn't matter. IIS is the critical one to assign to the cert.
0
tsprestonAuthor Commented:
Awesome, looks like the UC cert did the trick. I opened and closed OL a number of times on a PC and tested sending and receiving internal mail. The error has gone.

Your guide is a great resource. I'll be sending it out to my associates. They will be sure to find it useful, as many have clients in the same .local situation.

Thanks again!
0
Gareth GudgerCommented:
Glad to help!
0
CFB_SurfgoddessIT ManagerCommented:
Here is an additional problem that I experienced.  Since the clients were set to cache the autodiscover, after I corrected the .local problem I got security warnings on the clients outlook.  I had to basically turn auto discover caching off.

Here is how:

https://support.microsoft.com/en-us/kb/3073002
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.