Solved

New SSL certificates with SBS 2011

Posted on 2014-11-24
Last Modified: 2014-11-27
Hi experts,

The new SSL certificates cannot include local names. What do we need to take care of to keep all the services working correctly with these new SSL certificates on an SBS 2011 server, please? It is easier on SBS because the internal and external URLs are the same for OWA and ActiveSync. What about the internal autodiscover?

Thanks in advance for your help !
Question by:jet-info
10 Comments
 
Expert Comment

by:JBond2010
ID: 40461899
For SBS 2011 ideally you should use a SAN cert. Exchange 2010 uses Subject Alternative Names and this is why you require a SAN cert.

Please see the link below.

https://social.technet.microsoft.com/Forums/exchange/en-US/df276ba0-fc50-4ce1-ad9d-13a150a3874c/best-practices-for-subject-alternative-names-on-your-exchange-2010-ssl?forum=exchange2010

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 700 total points
ID: 40461908
Just renew the SSL certificate without the .local names, install the certificate and then modify and run the following Exchange Management Shell commands (replace mail.domain.com with your public FQDN). This will resolve the internal URLs to the public FQDN and you won't see any certificate errors:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Alan
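Before running the Set-* commands above it helps to see what the server currently hands out and whether the certificate bound to IIS actually covers those names. The following is an added example, not code from the thread or from Microsoft: it collects the host part of every Exchange 2010 client-access URL plus the AutoDiscoverServiceInternalUri, reads the Subject Alternative Names on the IIS-bound certificate, and flags every URL host the certificate does not cover, including leftover .local names (the point JBond2010 and Alan both make). It assumes the Exchange Management Shell on the SBS 2011 server; the cmdlet and property names are the standard Exchange 2010 ones, the variable and function names are mine, and nothing is changed on the server.

```powershell
# Added example, not from the thread. Read-only audit of Exchange 2010 client-access URLs
# against the SANs on the certificate assigned to IIS. Run in the Exchange Management Shell.

# 1. Collect every InternalUrl / ExternalUrl that Outlook, OWA and ActiveSync clients are given.
$urls = @()
foreach ($vd in @(Get-AutodiscoverVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
                @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory) +
                @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)) {
    $urls += $vd.InternalUrl
    $urls += $vd.ExternalUrl
}
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })

# Unique hostnames referenced by those URLs; empty ExternalUrls (as jet-info found) are skipped.
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([Uri]$_).Host.ToLowerInvariant() } | Sort-Object -Unique

# 2. SANs on the certificate that the IIS service (OWA, EWS, ECP, ActiveSync, Autodiscover) uses.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to the IIS service." }
$sans = $cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() }

# A host is covered by an exact SAN or by a wildcard SAN for its parent domain.
function Test-SanCovers([string]$name, [string[]]$sanList) {
    if ($sanList -contains $name) { return $true }
    $parent = $name -replace '^[^.]+\.', ''
    return ($sanList -contains "*.$parent")
}

# 3. Report. A self-signed certificate shows up here as an issuer equal to the subject.
"Certificate : $($cert.Subject)  issued by $($cert.Issuer)  (expires $($cert.NotAfter))"
"SANs        : $($sans -join ', ')"
foreach ($h in $hosts) {
    $status = if (Test-SanCovers $h $sans) { "ok      " } else { "MISSING " }
    if ($h -like "*.local") { $status = "DOTLOCAL" }   # public CAs will not issue for these at all
    "$status $h"
}
```

Run it once before the certificate swap (expect DOTLOCAL and MISSING lines for the .local URLs) and once after the Set-* commands and the new certificate are in place, when every line should read ok.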

Expert Comment

by:VB ITS
ID: 40461916
You will need to configure what's called "split brain DNS" and then update the Exchange internal URLs to point to your external domain name. Digicert have a great tool which can do this for you.

Here's a great article which will outline the steps required to reconfigure DNS on your SBS server: http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Here's the link to Digicert's Internal Name Tool which will update your internal Exchange URLs for you: https://www.digicert.com/internal-domain-name-tool.htm
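An added example of the split-brain DNS piece, not taken from the linked article, the DigiCert tool or the thread. Rather than creating an internal copy of the whole public zone (which shadows every other public name such as www.domain.com unless each one is re-added by hand), it creates one small AD-integrated zone per public hostname that must resolve to the server's LAN address, with a single A record at the zone apex. That apex record is also what a zone named autodiscover.domain.com needs in order to resolve at all. It uses dnscmd.exe, which ships with Windows Server 2008 R2 (the SBS 2011 base), run from an elevated PowerShell prompt on the domain controller; domain.com and 192.0.2.10 (RFC 5737 test range) are placeholders for your public domain and the server's internal IP.

```powershell
# Added example, not from the thread. Creates "pinpoint" AD-integrated DNS zones so the
# public names on the certificate resolve to the server's LAN address internally, without
# shadowing the rest of the public zone (www, external MX and so on).
# Run elevated on the SBS 2011 DC. Placeholders: domain.com, 192.0.2.10.
$publicNames = "mail.domain.com", "autodiscover.domain.com"
$lanIp       = "192.0.2.10"

foreach ($name in $publicNames) {
    # dnscmd /EnumZones prints one zone per line; skip creation if the zone already exists.
    $exists = dnscmd /EnumZones | Select-String -Pattern ("^\s*" + [regex]::Escape($name) + "\s")
    if (-not $exists) {
        dnscmd /ZoneAdd $name /DsPrimary        # zone named after the hostname itself
    }
    # The A record lives at the zone root ("@"). A zone with no apex record resolves to nothing,
    # which is the symptom reported for autodiscover.domain.com above.
    dnscmd /RecordAdd $name "@" A $lanIp
}

# Verify from the server itself using the resolver (works on .NET 2.0 / PowerShell 2.0).
ipconfig /flushdns | Out-Null
foreach ($name in $publicNames) {
    $answer = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    if ($answer -contains $lanIp) { "ok  $name -> $lanIp" }
    else { Write-Warning "$name resolves to $($answer -join ', ') instead of $lanIp" }
}
```

Because the zones are DsPrimary they replicate to any other internal DNS server through Active Directory; internal clients keep resolving everything else in domain.com from the public DNS, so only the names listed in $publicNames change behaviour.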

Author Comment

by:jet-info
ID: 40462404
I already added remote.domain.com and mail.domain.com, which are working fine for DNS resolution. I created the autodiscover.domain.com zone the same way, but it doesn't resolve the IP of the server.
I found some issues on the server, like the fact that there was no external URL for OWA, ECS and AS and that the internal URL was the local address of the server. The certificate used is a self-signed one and not the one we created on GoDaddy.

Do you recommend running the "Fix my network" and "add new certificate" SBS wizards in this situation? If so, I prefer to do it only when I'll be on site.

Thanks,

Expert Comment

by:Gareth Gudger
ID: 40462471
Hey Jet,

See if this article helps. It is a good checklist to make sure you have covered all the bases. It discusses split-brain DNS, how to configure all your Exchange URLs and also how to design your certificate.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

Assisted Solution

by:Cris Hanna
Cris Hanna earned 400 total points
ID: 40463818
If you have applied Update Rollup 4 to SBS 2011, when you run the Trusted Certificate Wizard, it will no longer include any reference to the .local domain in the request. http://support.microsoft.com/kb/2885319
"After the update is installed, the Adding a trusted Certificate wizard in Windows Small Business Server 2011 does not add the internal fully qualified domain name (FQDN) of the server as a subject alternative name in the certificate request."

Author Comment

by:jet-info
ID: 40464045
This is good news; we'll update the server with the SP4 before doing anything when we're on site.

I'll come back to you all for some feedback.

Thanks.

Author Comment

by:jet-info
ID: 40468714
Dear Gareth,

I followed your great tutorial and I wonder if we can set the autodiscover long URL with mail.domain.com in the SSL certificate request. It would be great, since you set the AutoDiscoverServiceInternalUri with this name (mail.domain.com) as well; this way we would need only one name in the certificate.

Is there some restriction or requirement from Microsoft that the public autodiscover URL start with autodiscover.xxx?

Or could we set the InternalUri to autodiscover.domain.com and add it to the split-brain DNS config?

Thanks in advance for your help.

Accepted Solution

by:Gareth Gudger
Gareth Gudger earned 900 total points
ID: 40469056
Yes. You can set it to mail.domain.com. You would need to make sure your external DNS provider supports SRV records. Check out this TechNet article for more details: http://support.microsoft.com/kb/940881

How it looks at your hosting provider will vary, but these are the key fields:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.domain.com
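An added example (not from the thread or from the KB article) that checks the two things the accepted solution depends on: that _autodiscover._tcp.domain.com has an SRV record, and that the host it points to presents a certificate whose Subject Alternative Names include that host, which is what Outlook verifies after following the SRV redirect to https://mail.domain.com/autodiscover/autodiscover.xml. It uses nslookup.exe and the .NET SslStream class, both available on Windows Server 2008 R2 / PowerShell 2.0, and assumes the English-language nslookup output format ("svr hostname   = ..."); domain.com is a placeholder. Run it from an internet-facing machine to test the public record, or from inside the LAN to test the split-brain view.

```powershell
# Added example, not from the thread. Verifies the Autodiscover SRV record and that the
# target host serves a certificate covering its own name. Placeholder domain: domain.com.
$domain = "domain.com"

# 1. Look up the SRV record with nslookup (present on Server 2008 R2).
$out = nslookup -type=SRV "_autodiscover._tcp.$domain" 2>$null | Out-String
if ($out -match 'svr hostname\s*=\s*(\S+)') { $target = $matches[1].TrimEnd('.') }
else { throw "No SRV record found for _autodiscover._tcp.$domain" }
$port = if ($out -match 'port\s*=\s*(\d+)') { [int]$matches[1] } else { 443 }
"SRV target: ${target}:$port"

# 2. Open a TLS connection and fetch the server certificate. The validation callback
#    returns $true only so that a bad certificate can still be inspected and reported.
$tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
          ([System.Net.Security.RemoteCertificateValidationCallback] { $true }))
$ssl.AuthenticateAsClient($target)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# 3. Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
#    Format($false) yields "DNS Name=mail.domain.com, DNS Name=..." on English Windows.
$sans = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($sanExt) {
    $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}
"Issuer : $($cert.Issuer)"
"Expires: $($cert.NotAfter)"
"SANs   : $($sans -join ', ')"
if ($sans -contains $target.ToLowerInvariant()) { "OK: certificate covers $target" }
else { Write-Warning "Certificate does not list $target; Outlook will warn or fail on Autodiscover." }
```

With only mail.domain.com in the certificate, Outlook's earlier probes of https://domain.com and https://autodiscover.domain.com will fail or warn before it falls back to the SRV record, so an empty or non-HTTPS response for those two names is the expected (and harmless) state; the SRV target itself is the one that must match.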

Author Closing Comment

by:jet-info
ID: 40469246
Thank you for your very appreciated help!