Link to home
Start Free TrialLog in
Avatar of jet-info
jet-infoFlag for Switzerland

asked on

New SSL certificates with SBS 2011

Hi experts,

The new SSL certificates could not include local names. What do we need to take care about to keep all the services to work correctly with these new SSL certificates  on a SBS 2011 server please ? It is easier on SBS because internal and extrenal URL are the same for OWA and ActiveSync. What about the internal autodiscover ?

Thanks in advance for your help !
Avatar of James
James
Flag of Ireland image

For SBS2011 ideally you should be a SAN cert. Exchange 2010 uses Subject Alternative Names and this is why you require SAN cert.

Please see the link below.

https://social.technet.microsoft.com/Forums/exchange/en-US/df276ba0-fc50-4ce1-ad9d-13a150a3874c/best-practices-for-subject-alternative-names-on-your-exchange-2010-ssl?forum=exchange2010
SOLUTION
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
You will need to configure what's called "split brain DNS" and then update the Exchange internal URLs to point to your external domain name. Digicert have a great tool which can do this for you.

Here's a great article which will outline the steps required to reconfigure DNS on your SBS server: http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Here's the link to Digicert's Internal Name Tool which will update your internal Exchange URLs for you: https://www.digicert.com/internal-domain-name-tool.htm
Avatar of jet-info

ASKER

I already added the remote.domain.com and mail.domain.com which are working fine  for DNS resolution. I created the same way the autodiscover.domain.com zone but it doesn't resolve the IP of the server.
I found some issues on the server, like the fact that there was no external URL for OWA, ECS and AS and that the internal URL was the local address of the server. The certificate used is a self signed and not the one we created on GoDaddy.

Do you recommend to run the "Fix my network" and "add new certificate" SBS wizard in this situation? If so, I prefer to do it only when I'll on site.

Thanks,
Hey Jet,

See if this article helps. It is a good check list to make sure you have covered all the bases. Discusses split-brain DNS, how to configure all your Exchange URLs and also how to design your certificate.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
This is a good news, we'll update the server with the SP4 before doing anything when we'll be on site.

I'll come back to you all for some feedback.

Thanks.
Dear Gareth,

I followed your great tuto and I wonder if we can set the autodiscover long URL with mail.domain.com in the SSL certificate request. It could be great since you set the AutoDiscoverServiceInternalUri also with this name (mail.domain.com), this way we need only one name in the certificate.

Is there some restriction or needs from Microsoft to set the public autodiscover url starting with autodiscover.xxx ?

or could we set the internaluri to autodiscover.domain.com and add it in the split brain DNS config ?

Thank in advance for your help.
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thank you for your very appreciated help !