dpcsit
asked on
Exchange 2013 coexistance during phaseout of Exchange 2007 Certificate Problem
I am in the process of moving our email to a new Exchange 2013 server. I am at the coexistence point and have moved owa to point to the new server. The Certificate includes the new server name and internal emails seem to be fine. The one test account I have on the new server is able to send and receive emails from the old server. However my iphone generates a certificate not trusted for the owa server name.
The Certificate was created from a request from the old server while it was the owa ip address. Now I have altered the IP address to the new server making it the owa source. It passes owa to the old server fine however when the mailbox is on the old server.
So what am I missing on the Iphone that would cause this cert error? It also appears to only be on one of the two email accounts I have on the phone. The second generates the error and it is our helpdesk account. But the first does not generate any errors and email flows fine. The helpdesk emails do not however. So my phone does not have any of the emails since the transition to the new IP address for owa.
The IP address is an internal IP, the external IP is of course our public address. I have a Cisco 5505 ASA as the firewall for the private network and it has rules passing email traffic to the old ip address. So should I change those rules to the new IP allowing all emails to flow to the exchange 2013 in the hopes the server sends them on to the old server, or do I need to generate a new certificate request from the new server.
I'm stumped!
The Certificate was created from a request from the old server while it was the owa ip address. Now I have altered the IP address to the new server making it the owa source. It passes owa to the old server fine however when the mailbox is on the old server.
So what am I missing on the Iphone that would cause this cert error? It also appears to only be on one of the two email accounts I have on the phone. The second generates the error and it is our helpdesk account. But the first does not generate any errors and email flows fine. The helpdesk emails do not however. So my phone does not have any of the emails since the transition to the new IP address for owa.
The IP address is an internal IP, the external IP is of course our public address. I have a Cisco 5505 ASA as the firewall for the private network and it has rules passing email traffic to the old ip address. So should I change those rules to the new IP allowing all emails to flow to the exchange 2013 in the hopes the server sends them on to the old server, or do I need to generate a new certificate request from the new server.
I'm stumped!
ASKER
SSL provider godaddy and I installed the intermediate cert in intermediate Certificate Authorities on both servers using MMC.
The ActiveSync was changed to the legacy address as in legacy.xxx.xxx on the 2007 server.
On the 2013 server it points to the name of the new exchange sever. As in https://xxx.xxx.xxx/Microsoft-Server-ActiveSync
The ActiveSync was changed to the legacy address as in legacy.xxx.xxx on the 2007 server.
On the 2013 server it points to the name of the new exchange sever. As in https://xxx.xxx.xxx/Microsoft-Server-ActiveSync
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It isn't a GoDaddy rule that was changed - it is a global thing.
From November 2015 no certificates can have internal only names (so hostname, hostname.domain.local) or IP addresses listed.
Simon.
From November 2015 no certificates can have internal only names (so hostname, hostname.domain.local) or IP addresses listed.
Simon.
ASKER
The actual issue was a change on the godaddy rules that removed a server name without a FQDN. The suggestion by the expert however would be a good starting point for this type of error!
You haven't said who your SSL provider is, but a lot of them require an additional intermediate or root certificate to be installed on the server. You should check if that is the case and install it.
Simon.