New SSL certificates with SBS 2011

Hi experts,

The new SSL certificates cannot include local names. What do we need to take care of to keep all the services working correctly with these new SSL certificates on an SBS 2011 server, please? It is easier on SBS because the internal and external URLs are the same for OWA and ActiveSync. What about the internal autodiscover?

Thanks in advance for your help !
jet-info Asked:
James (Senior Cloud Infrastructure Engineer) Commented:
For SBS 2011 ideally you should use a SAN cert. Exchange 2010 uses Subject Alternative Names, and this is why you require a SAN cert.

Please see the link below.

https://social.technet.microsoft.com/Forums/exchange/en-US/df276ba0-fc50-4ce1-ad9d-13a150a3874c/best-practices-for-subject-alternative-names-on-your-exchange-2010-ssl?forum=exchange2010
Alan Hardisty (Co-Owner) Commented:
Just renew the SSL certificate without the .local names, install the certificate and then modify and run the following Exchange Management Shell commands (replace mail.domain.com with your Public FQDN). This will resolve the internal URLs to the Public FQDN and you won't see any certificate errors:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Alan
VB ITS (Specialist Consultant) Commented:
You will need to configure what's called "split-brain DNS" and then update the Exchange internal URLs to point to your external domain name. Digicert have a great tool which can do this for you.

Here's a great article which will outline the steps required to reconfigure DNS on your SBS server: http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Here's the link to Digicert's Internal Name Tool which will update your internal Exchange URLs for you: https://www.digicert.com/internal-domain-name-tool.htm
jet-info (Author) Commented:
I already added the remote.domain.com and mail.domain.com zones, which are working fine for DNS resolution. I created the autodiscover.domain.com zone the same way, but it doesn't resolve the IP of the server.
I found some issues on the server, like the fact that there was no external URL for OWA, ECS and AS and that the internal URL was the local address of the server. The certificate used is a self-signed one and not the one we created on GoDaddy.

Do you recommend running the "Fix my network" and "Add new certificate" SBS wizards in this situation? If so, I prefer to do it only when I'm on site.

Thanks,
Gareth Gudger Commented:
Hey Jet,

See if this article helps. It is a good checklist to make sure you have covered all the bases. It discusses split-brain DNS, how to configure all your Exchange URLs and also how to design your certificate.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
Cris Hanna Commented:
If you have applied Update Rollup 4 to SBS 2011, when you run the Trusted Certificate Wizard it will no longer include any reference to the .local domain in the request. http://support.microsoft.com/kb/2885319
"After the update is installed, the Adding a trusted Certificate wizard in Windows Small Business Server 2011 does not add the internal fully qualified domain name (FQDN) of the server as a subject alternative name in the certificate request."
jet-info (Author) Commented:
This is good news; we'll update the server with the SP4 before doing anything when we're on site.

I'll come back to you all for some feedback.

Thanks.
jet-info (Author) Commented:
Dear Gareth,

I followed your great tutorial and I wonder if we can set the autodiscover long URL with mail.domain.com in the SSL certificate request. It would be great, since you set the AutoDiscoverServiceInternalUri also with this name (mail.domain.com); this way we need only one name in the certificate.

Is there some restriction or requirement from Microsoft to set the public autodiscover URL starting with autodiscover.xxx?

Or could we set the InternalUri to autodiscover.domain.com and add it to the split-brain DNS config?

Thanks in advance for your help.
Gareth Gudger Commented:
Yes. You can set it to mail.domain.com. You would need to make sure your external DNS provider supports SRV records. Check out this TechNet article for more details: http://support.microsoft.com/kb/940881

How it looks at your hosting provider will vary, but these are the key fields:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.domain.com
jet-info (Author) Commented:
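Once Alan's Set-* commands have been run and the SRV record above is in place, this added check script (not from any of the posters, and not a Microsoft or DigiCert tool) lists every URL Exchange hands out, compares the hostnames against the SANs of the certificate bound to IIS, and looks up the autodiscover SRV record. It assumes you run it in the Exchange Management Shell on the SBS server and replace the placeholder $PublicFqdn with your own name; it only reads configuration and changes nothing.

```powershell
# Added check script, not from the thread. Run in the Exchange Management Shell on SBS 2011.
# Assumption: $PublicFqdn is a placeholder for the name on your public certificate.
$PublicFqdn = "mail.domain.com"

# 1. Collect every internal/external URL that Exchange 2010 gives to Outlook and ActiveSync clients.
$urls = @()
$urls += Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# 2. Subject Alternative Names on the certificate that IIS (OWA, EWS, ECP, ActiveSync, Autodiscover) presents.
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$sans = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# 3. Report any hostname the certificate does not cover, e.g. a leftover server.domain.local entry.
$hosts = $urls | Where-Object { $_ -ne $null } | ForEach-Object { ([Uri]"$_").Host.ToLower() } | Sort-Object -Unique
foreach ($h in $hosts) {
    # A wildcard SAN (*.domain.com) covers one label; a bare NetBIOS name has no dot and never matches.
    $parent = "*." + $h.Substring($h.IndexOf(".") + 1)
    if (($sans -contains $h) -or ($h.Contains(".") -and ($sans -contains $parent))) {
        "OK       $h"
    } else {
        "MISMATCH $h is not on certificate $($iisCert.Thumbprint); clients will see a certificate warning"
    }
}

# 4. Autodiscover SRV record from KB 940881. nslookup is used because Resolve-DnsName is not on Server 2008 R2.
$zone = $PublicFqdn.Substring($PublicFqdn.IndexOf(".") + 1)
nslookup -type=SRV ("_autodiscover._tcp." + $zone) 2>&1 | Select-String "svr hostname|port"
```

Run it once against the internal DNS and once from a machine using public DNS, since with split-brain DNS the two can disagree while both look fine on their own.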
Thank you for your very appreciated help !