Solved

New SSL certificates with SBS 2011

Posted on 2014-11-24
10
350 Views
Last Modified: 2014-11-27
Hi experts,

The new SSL certificates cannot include local names. What do we need to take care of to keep all the services working correctly with these new SSL certificates on an SBS 2011 server, please? It is easier on SBS because the internal and external URLs are the same for OWA and ActiveSync. What about the internal autodiscover?

Thanks in advance for your help!
0
Comment
Question by:jet-info
10 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 40461899
For SBS 2011 you should ideally use a SAN cert. Exchange 2010 uses Subject Alternative Names, which is why you require a SAN cert.

Please see the link below.

https://social.technet.microsoft.com/Forums/exchange/en-US/df276ba0-fc50-4ce1-ad9d-13a150a3874c/best-practices-for-subject-alternative-names-on-your-exchange-2010-ssl?forum=exchange2010
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 175 total points
ID: 40461908
Just renew the SSL certificate without the .local names, install the certificate and then modify and run the following Exchange Management Shell commands (replace mail.domain.com with your public FQDN). This will resolve the internal URLs to the public FQDN and you won't see any certificate errors:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Alan
0
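A verification script to run after the commands above, added here and not part of the thread: it collects the hostnames from every Exchange 2010 virtual-directory URL and the Autodiscover SCP URI, then checks each one against the SAN list of the certificate enabled for IIS, so a name the new certificate lacks (such as the .local FQDN) is flagged before clients start seeing certificate errors. The cmdlets are standard Exchange Management Shell cmdlets; the function names are my own and the script assumes a single server, as on SBS.

```powershell
# Added check (not from the thread): confirm every Exchange URL hostname on the
# SBS 2011 server is covered by the certificate bound to IIS. Run from the
# Exchange Management Shell on the SBS server (PowerShell 2.0 compatible).

function Get-ExchangeUrlHostnames {
    $urls = @()
    $urls += Get-OwaVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-EcpVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory   | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-ClientAccessServer           | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    # Drop unset URLs and reduce the System.Uri objects to distinct lower-case hostnames
    $urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique
}

function Test-CertificateCoversUrls {
    # The certificate enabled for IIS is the one OWA, EWS, ActiveSync and Autodiscover present
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw 'No certificate is enabled for the IIS service.' }
    $sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

    $problems = @()
    foreach ($hostname in Get-ExchangeUrlHostnames) {
        $exact    = $sans -contains $hostname
        # A wildcard entry for the hostname's parent domain also covers it
        $wildcard = $sans -contains ('*.' + ($hostname -replace '^[^.]+\.', ''))
        if (-not ($exact -or $wildcard)) { $problems += $hostname }
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ('Certificate {0} expires on {1}' -f $cert.Thumbprint, $cert.NotAfter)
    }
    if ($problems) {
        Write-Warning ('Hostnames NOT in certificate ' + $cert.Thumbprint + ': ' + ($problems -join ', '))
    } else {
        Write-Host 'All configured Exchange URL hostnames are present in the certificate SAN list.'
    }
    return $problems   # empty when every URL hostname is covered
}

Test-CertificateCoversUrls
```

Any hostname the function returns is one clients are still being directed to although the certificate cannot vouch for it, so either the URL or the certificate request still needs changing.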
 
LVL 24

Expert Comment

by:VB ITS
ID: 40461916
You will need to configure what's called "split brain DNS" and then update the Exchange internal URLs to point to your external domain name. Digicert have a great tool which can do this for you.

Here's a great article which will outline the steps required to reconfigure DNS on your SBS server: http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Here's the link to Digicert's Internal Name Tool which will update your internal Exchange URLs for you: https://www.digicert.com/internal-domain-name-tool.htm
0

Author Comment

by:jet-info
ID: 40462404
I already added remote.domain.com and mail.domain.com, which are working fine for DNS resolution. I created the autodiscover.domain.com zone the same way, but it doesn't resolve the IP of the server.
I found some issues on the server, like the fact that there was no external URL for OWA, ECS and AS, and that the internal URL was the local address of the server. The certificate used is a self-signed one and not the one we created on GoDaddy.

Do you recommend running the "Fix my network" and "add new certificate" SBS wizards in this situation? If so, I'd prefer to do it only when I'm on site.

Thanks,
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40462471
Hey Jet,

See if this article helps. It is a good check list to make sure you have covered all the bases. Discusses split-brain DNS, how to configure all your Exchange URLs and also how to design your certificate.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
0
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 100 total points
ID: 40463818
If you have applied Update Rollup 4 to SBS 2011, when you run the Trusted Certificate Wizard it will no longer include any reference to the .local domain in the request. http://support.microsoft.com/kb/2885319
"After the update is installed, the Adding a trusted Certificate wizard in Windows Small Business Server 2011 does not add the internal fully qualified domain name (FQDN) of the server as a subject alternative name in the certificate request."
0
 

Author Comment

by:jet-info
ID: 40464045
This is good news; we'll update the server with SP4 before doing anything when we're on site.

I'll come back to you all for some feedback.

Thanks.
0
 

Author Comment

by:jet-info
ID: 40468714
Dear Gareth,

I followed your great tutorial and I wonder if we can set the autodiscover long URL with mail.domain.com in the SSL certificate request. It would be great, since you also set the AutoDiscoverServiceInternalUri with this name (mail.domain.com); this way we would need only one name in the certificate.

Is there any restriction or requirement from Microsoft to set the public autodiscover URL starting with autodiscover.xxx?

Or could we set the InternalUri to autodiscover.domain.com and add it to the split-brain DNS config?

Thanks in advance for your help.
0
 
LVL 31

Accepted Solution

by:Gareth Gudger
Gareth Gudger earned 225 total points
ID: 40469056
Yes. You can set it to mail.domain.com. You would need to make sure your external DNS provider supports SRV records. Check out this TechNet article for more details: http://support.microsoft.com/kb/940881

How it looks at your hosting provider will vary, but these are the key fields:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.domain.com
0
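An added check for the SRV record described above (not part of the thread): it queries the public _autodiscover._tcp record for the domain with nslookup, because Windows Server 2008 R2, on which SBS 2011 is built, has no Resolve-DnsName cmdlet, and confirms the record points at port 443 on mail.domain.com, the single name kept in the certificate. The domain names are the thread's placeholders, the resolver address is an assumption, and the parsing assumes the Windows nslookup output format for SRV answers.

```powershell
# Added check (not from the thread): verify the public Autodiscover SRV record
# _autodiscover._tcp.<domain> resolves to port 443 on the expected host.
# Queries a public resolver so the external zone is tested, not the split-brain
# internal DNS on the SBS server. PowerShell 2.0 compatible.

function Get-AutodiscoverSrv {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Resolver = '8.8.8.8'   # assumed public resolver; change as needed
    )
    $record = '_autodiscover._tcp.' + $Domain
    $output = & nslookup -type=SRV $record $Resolver 2>&1 | Out-String
    $result = @{ Record = $record; Port = $null; Target = $null; Found = $false }
    # Windows nslookup prints "port = 443" and "svr hostname = mail.domain.com"
    if ($output -match 'port\s*=\s*(\d+)')             { $result.Port   = [int]$Matches[1] }
    if ($output -match 'svr hostname\s*=\s*([\w.-]+)') { $result.Target = $Matches[1].TrimEnd('.').ToLower() }
    $result.Found = ($result.Port -ne $null) -and ($result.Target -ne $null)
    return New-Object PSObject -Property $result
}

function Test-AutodiscoverSrv {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$ExpectedTarget
    )
    $srv = Get-AutodiscoverSrv -Domain $Domain
    if (-not $srv.Found) {
        Write-Warning ('No SRV record found for ' + $srv.Record + '; Outlook cannot locate Autodiscover via SRV.')
        return $false
    }
    $ok = ($srv.Port -eq 443) -and ($srv.Target -eq $ExpectedTarget.ToLower())
    if (-not $ok) {
        Write-Warning ('SRV record points to {0}:{1}, expected {2}:443' -f $srv.Target, $srv.Port, $ExpectedTarget)
    } else {
        Write-Host ('SRV record OK: ' + $srv.Record + ' -> ' + $srv.Target + ':' + $srv.Port)
    }
    return $ok
}

# Placeholder names from the thread; replace with your own domain and public FQDN
Test-AutodiscoverSrv -Domain 'domain.com' -ExpectedTarget 'mail.domain.com'
```

The target name returned by the SRV record is the one Outlook will connect to over HTTPS, so it must be one of the names in the certificate, which is why pointing it at mail.domain.com avoids the extra autodiscover.domain.com entry.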
 

Author Closing Comment

by:jet-info
ID: 40469246
Thank you for your very appreciated help!
0
