Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange 2013 .local internal vs. public domain name SSL cert

Posted on 2014-10-22
9
Medium Priority
?
1,146 Views
Last Modified: 2015-10-13
Hello all,

After checking and verifying pretty much every solution to the now well known public domain name SSL cert vs. internal .local domain name problem, I'm stumped to find a fix for my client's EX2013 environment.

1. Bought and installed SSL Plus cert from digicert.com: mail.domain.com
2. Internal AD domain was previously configured as domain.local
3. Internal EX2013 server (W2K12R2) host name is ex01.domain.local
4. Changed IIS bindings for Default Site from self-signed cert to the digicert.com cert for 443 * All Unassigned
5. Added DNS zone on DC (W2K12R2) of domain.com (and reverse lookup zone to match)
6. Added host A record of 'mail' to new domain.com zone pointing to internal IP of ex01.domain.local
7. Added host A record of 'autodiscover' to new domain.com zone pointing to internal IP of ex01.domain.local
8. Ran digicert.com's Internal Name Change Tool which basically just runs the following EMS commands and then recycles the app pools:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
-InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
-InternalUrl https://mail.domain.com/oab

9. Verified above using the corresponding Get commands in EMS.
10. Verified mail.domain.com cert is valid and assigned to IMAP, POP, IIS, SMTP services in EX2013 EAC.
11. Restarted the EX2013 server just to be safe.
12. Fired up Outlook on a workstation, got the same 'There is a problem with the proxy server's security certificate. The name of the security certificate is invalid or does not match the name of the target site ex01.domain.local'.

After this I verified Outlook can still sending emails internally to other mailboxes on the same EX2013 server.

So how do I get rid of this error message everytime we start Outlook?

Thanks!
0
Comment
Question by:tspreston
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40398545
Check out my article here. It doesn't look like it changed all the URLs.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
 

Author Comment

by:tspreston
ID: 40398558
Thanks for the reply Gareth.

Actually I saw your Ex2010 article and surmised from the updated post you supplied there may be a couple other directories that might need to be changed. I'll revisit this in the morning and report back.
0
 

Author Comment

by:tspreston
ID: 40399158
There were a few things different I found in config. The Powershell vdirectory still needed to be changed, along with the Outlook Anywhere external host name. I changed those and tried again but still the same error when I open an Outlook client on a LAN PC.

Then I noticed the CA signed cert itself - it is a single name cert (not a SAN UCC), with just the mail.domain.com name included. Is it the fact that the autodiscover.domain.com and the root domain.com names are not included that Outlook is complaining?

Please confirm and I'll spend another $300 to get the proper SAN cert from Digicert.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 2000 total points
ID: 40399249
Definitely. It is possible to do it with a single name certificate. As long as your external DNS provider supports SRV records. I typically recommend a UC / SAN certificate but they are more expensive.

Not sure who you have now for SSL certs, but I personally recommend Digicert for compatibility with any number of client devices.
http://supertekboy.com/certificates-for-microsoft-exchange/
0
 

Author Comment

by:tspreston
ID: 40399355
Thanks Gareth.

I have my new Digicert UC cert for mail.domain.com installed in Exchange. It also has autodiscover.domain.com and the root domain.com in the cert. However when I'm assigning services SMTP, POP, IMAP and IIS I get a prompt to overwrite the existing default SMTP certificate which makes me nervous as it was not included in your post's steps.

Is it ok to overwrite the default SMTP self-signed cert that was installed when Exchange was originally set up?

Thanks
Tim
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40399489
It is. You only need to assign it to SMTP if you plan to do encrypted email with someone else. If not, it doesn't matter. IIS is the critical one to assign to the cert.
0
 

Author Comment

by:tspreston
ID: 40399602
Awesome, looks like the UC cert did the trick. I opened and closed OL a number of times on a PC and tested sending and receiving internal mail. The error has gone.

Your guide is a great resource. I'll be sending it out to my associates. They will be sure to find it useful, as many have clients in the same .local situation.

Thanks again!
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40400074
Glad to help!
0
 
LVL 1

Expert Comment

by:CFB_Surfgoddess
ID: 41038340
Here is an additional problem that I experienced.  Since the clients were set to cache the autodiscover, after I corrected the .local problem I got security warnings on the clients outlook.  I had to basically turn auto discover caching off.

Here is how:

https://support.microsoft.com/en-us/kb/3073002
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question