Solved

New SSL certificates with SBS 2011

Posted on 2014-11-24
10
324 Views
Last Modified: 2014-11-27
Hi experts,

The new SSL certificates can no longer include local names. What do we need to take care of to keep all the services working correctly with these new SSL certificates on a SBS 2011 server, please? It is easier on SBS because the internal and external URLs are the same for OWA and ActiveSync. What about the internal autodiscover?

Thanks in advance for your help!
Question by:jet-info
10 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 40461899
For SBS 2011 ideally you should use a SAN cert. Exchange 2010 uses Subject Alternative Names and this is why you require a SAN cert.

Please see the link below.

https://social.technet.microsoft.com/Forums/exchange/en-US/df276ba0-fc50-4ce1-ad9d-13a150a3874c/best-practices-for-subject-alternative-names-on-your-exchange-2010-ssl?forum=exchange2010
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 175 total points
ID: 40461908
Just renew the SSL certificate without the .local names, install the certificate and then modify and run the following Exchange Management Shell commands (replace mail.domain.com with your Public FQDN). This will resolve the internal URLs to the Public FQDN and you won't see any certificate errors:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Alan
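As an added check (not part of Alan's answer or any Microsoft tooling), the script below, run in the Exchange Management Shell on the SBS 2011 server, lists every URL Exchange 2010 hands to clients and compares each hostname with the SANs of the certificate bound to IIS, so a leftover .local name, a missing ExternalUrl or the wizard's self-signed certificate shows up before users see warnings.

```powershell
# Added example: audit Exchange 2010 client URLs against the IIS certificate SANs.
# Assumes the Exchange Management Shell on the SBS 2011 server; no settings are changed.

# Every virtual directory whose URLs Outlook, OWA and ActiveSync clients will use
$vdirs = @(Get-AutodiscoverVirtualDirectory; Get-WebServicesVirtualDirectory;
           Get-OabVirtualDirectory; Get-OwaVirtualDirectory;
           Get-EcpVirtualDirectory; Get-ActiveSyncVirtualDirectory)

# A blank ExternalUrl (the asker found this on OWA, ECP and ActiveSync) breaks
# external clients silently; Autodiscover itself is found via DNS, so it is skipped.
foreach ($v in $vdirs) {
    if (-not $v.ExternalUrl -and "$($v.Identity)" -notmatch 'Autodiscover') {
        "WARN     $($v.Identity) has no ExternalUrl"
    }
}

# Collect the URLs, including the SCP URI that domain-joined Outlook reads from AD
$urls = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# The certificate currently bound to IIS (HTTPS); the SBS wizard's own cert is self-signed
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
        Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

"Certificate $($cert.Thumbprint) self-signed=$($cert.IsSelfSigned)"
"SANs: $($sans -join ', ')"

# A name is covered if it appears as a SAN or is matched by a wildcard SAN (*.domain.com)
foreach ($h in $hosts) {
    $wildcard = '*.' + ($h -replace '^[^.]+\.', '')
    if ($sans -contains $h -or $sans -contains $wildcard) {
        "OK       $h"
    } elseif ($h -match '\.local$') {
        "MISMATCH $h is a .local name; public CAs no longer issue for it, set the URL to the public FQDN"
    } else {
        "MISMATCH $h is not in the certificate; clients will get a certificate warning"
    }
}
```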
 
LVL 24

Expert Comment

by:VB ITS
ID: 40461916
You will need to configure what's called "split brain DNS" and then update the Exchange internal URLs to point to your external domain name. Digicert have a great tool which can do this for you.

Here's a great article which will outline the steps required to reconfigure DNS on your SBS server: http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Here's the link to Digicert's Internal Name Tool which will update your internal Exchange URLs for you: https://www.digicert.com/internal-domain-name-tool.htm
 

Author Comment

by:jet-info
ID: 40462404
I already added the remote.domain.com and mail.domain.com zones, which are working fine for DNS resolution. I created the autodiscover.domain.com zone the same way, but it doesn't resolve the IP of the server.
I found some issues on the server, like the fact that there was no external URL for OWA, ECS and AS, and that the internal URL was the local address of the server. The certificate used is a self-signed one and not the one we created on GoDaddy.

Do you recommend running the "Fix my network" and "Add a trusted certificate" SBS wizards in this situation? If so, I prefer to do it only when I'm on site.

Thanks,
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40462471
Hey Jet,

See if this article helps. It is a good checklist to make sure you have covered all the bases. It discusses split-brain DNS, how to configure all your Exchange URLs and also how to design your certificate.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 100 total points
ID: 40463818
If you have applied Update Rollup 4 to SBS 2011, when you run the Trusted Certificate Wizard it will no longer include any reference to the .local domain in the request. http://support.microsoft.com/kb/2885319
"After the update is installed, the Adding a trusted Certificate wizard in Windows Small Business Server 2011 does not add the internal fully qualified domain name (FQDN) of the server as a subject alternative name in the certificate request."
 

Author Comment

by:jet-info
ID: 40464045
This is good news; we'll update the server with the SP4 before doing anything when we're on site.

I'll come back to you all for some feedback.

Thanks.
 

Author Comment

by:jet-info
ID: 40468714
Dear Gareth,

I followed your great tutorial and I wonder if we can set the autodiscover long URL with mail.domain.com in the SSL certificate request. It could be great, since you set the AutoDiscoverServiceInternalUri also with this name (mail.domain.com); this way we need only one name in the certificate.

Is there any restriction or requirement from Microsoft to set the public autodiscover URL starting with autodiscover.xxx?

Or could we set the internal URI to autodiscover.domain.com and add it in the split-brain DNS config?

Thanks in advance for your help.
 
LVL 31

Accepted Solution

by:Gareth Gudger
Gareth Gudger earned 225 total points
ID: 40469056
Yes. You can set it to mail.domain.com. You would need to make sure your external DNS provider supports SRV records. Check out this TechNet article for more details: http://support.microsoft.com/kb/940881

How it looks at your hosting provider will vary, but these are the key fields:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.domain.com
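To confirm the SRV record is published correctly before relying on it, here is an added check (not part of Gareth's answer) that resolves _autodiscover._tcp for the SMTP domain, verifies the port and target, and reads the certificate the target actually presents on 443; it assumes a workstation with the DnsClient module (Windows 8 / Server 2012 or later), and domain.com and mail.domain.com are placeholders.

```powershell
# Added example: validate the Autodiscover SRV record and the certificate behind it.
# Placeholders: domain.com (SMTP domain) and mail.domain.com (name in the certificate).
param(
    [string]$Domain       = 'domain.com',
    [string]$ExpectedHost = 'mail.domain.com'
)

# Outlook falls back to this SRV lookup after the HTTPS autodiscover lookups fail
$name = "_autodiscover._tcp.$Domain"
$srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV record published for $name" }

foreach ($r in $srv) {
    $target = $r.NameTarget.TrimEnd('.').ToLower()
    "SRV $name -> $target port $($r.Port) priority $($r.Priority) weight $($r.Weight)"
    if ($r.Port -ne 443) { "WARN port is $($r.Port); Outlook expects HTTPS on 443" }
    if ($target -ne $ExpectedHost.ToLower()) {
        "WARN target differs from $ExpectedHost, so $target must also be a certificate SAN"
    }

    # The SRV target must itself resolve; a record pointing at a name with no A record is useless
    $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { "WARN $target has no A record"; continue }
    "    $target resolves to $($a.IPAddress -join ', ')"

    # Open a TLS session and inspect the presented certificate. Validation is disabled
    # only so a mismatched cert can be read and reported; the SAN check below is the test.
    $tcp = New-Object Net.Sockets.TcpClient($target, $r.Port)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
             ({ $true } -as [Net.Security.RemoteCertificateValidationCallback]))
    try {
        $ssl.AuthenticateAsClient($target)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        "    presented certificate: $($cert.Subject), expires $($cert.NotAfter)"
        if ($sanText -match [regex]::Escape($target)) { "OK   $target is in the SAN list" }
        else { "WARN $target is not in the SAN list ($sanText); clients will see a warning" }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}
```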
 

Author Closing Comment

by:jet-info
ID: 40469246
Thank you for your very much appreciated help!
