Exchange 2010 SAN Certificate "Security Alert" message

I have a question related to generating the CSR code for a new Exchange Certificate.
Let’s say in a migration process (one Exchange2003 and one Exchange2010 scenario) your “Domain name you use to access Outlook Web App internally” in the Client Access server configuration section is servername.child.domain.com while your OWA on the internet is mail.domain.com.

1-What should I put for “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector? I put “mail.domain.com”

I am asking this because, by default, if I were to check “Use Hub Transport server for POP/IMAP client submission”, the FQDN of the connector turns out to be auto-filled as “child.domain.com,domain.com”. Is that how it is also supposed to be for the “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector?

2- Even though I used the following while generating the code (with DigiCert):
a- Outlook Web App as “mail.domain.com”
b- ActiveSync as “mail.domain.com”
c- Autodiscover as “autodiscover.domain.com”
d- legacy as “legacy.motovan.com”

and the names on the certificate are:
www.domain.com
mail.domain.com
autodiscover.domain.com

Note: The server FQDN (servername.child.domain.com) and child.domain.com were not included on the cert.

the “Security Alert” window still managed to pop up for some internal users. I am pretty confused why only some people are receiving it and not everyone. However, when I tried to load my own Outlook profile on a new VM, I received the same “Security Alert” warning, which I never received after the certificate was installed from my original PC, putting a red cross at “The name on the security certificate is invalid or does not match the name of the site”, referring to servername.child.domain.com.

DigiCert wants me to add the FQDN of the server to resolve the issue. Is there any other alternative, since I left the FQDN of the server out intentionally?

3- Should “child.domain.com” also be included on the certificate?

4- Am I missing DNS entries, or must extra configuration be done in IIS?
TCPIPNet asked:
Simon Butler (Sembee), Consultant, commented:
When running the wizard, just skip to the end.
The wizard has no effect on what goes where; it is just there to help you decide what host names you need to include.

You need three in this scenario:

host.example.com (common name)
legacy.example.com
Autodiscover.example.com

Usually you would take the existing host name used by the clients and point that at your new Exchange server. That will ensure that everything is caught, such as ActiveSync clients.
A new host name for legacy.example.com would be used for the old server, configured within Exchange.
If you have used the server's real name, then you will need to get the clients reconfigured to work correctly. More work unfortunately.

As for host names themselves, you cannot include internal server names (server.domain.local) on public SSL certificates. Therefore the best practice is to use split DNS, with the external name being used internally, with Exchange configured as appropriate.
http://semb.ee/hostnames2010

Simon.
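Worked example added here (not from the thread or from Sembee's site): the Exchange 2010 Management Shell steps that request a certificate carrying exactly the three names listed in the reply above, complete the pending request, and set the Internet connector FQDN from question 1 to a name that is actually on the certificate. The server name EX2010, the organisation details, the file paths and the connector names "Internet Mail" and "Internet Send" are assumptions.

```powershell
# Added example, run in the Exchange 2010 Management Shell on the CAS/Hub server.
# Assumed values: server name, organisation, paths and the two connector names.
$server  = 'EX2010'
$cn      = 'mail.example.com'
$sans    = @('mail.example.com', 'autodiscover.example.com', 'legacy.example.com')
$reqPath = 'C:\certs\mail.example.com.req'
$cerPath = 'C:\certs\mail.example.com.cer'   # what the public CA sends back

# 1. Generate the CSR. SubjectName is the common name; DomainName is the SAN list.
#    Deliberately no ex2010.abc.example.com or abc.example.com: a public CA will not
#    issue internal names, so those must never be the names clients connect to.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
           -SubjectName "C=CA, O=Example Corp, CN=$cn" `
           -DomainName $sans -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr
# ... submit $reqPath to the CA and save the issued certificate as $cerPath ...

# 2. Complete the pending request and bind the certificate to IIS and SMTP.
$bytes = [System.IO.File]::ReadAllBytes($cerPath)
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes
# -Force suppresses the "overwrite the default SMTP certificate" confirmation.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
    -Services 'IIS,SMTP' -Force

# 3. Mutual TLS on the Internet connectors (question 1 in the post): the FQDN a
#    connector announces in EHLO/banner must be one of the certificate's names, so
#    use the public name rather than the "child.domain.com" the wizard fills in.
Set-ReceiveConnector -Identity "$server\Internet Mail" -Fqdn $cn
Set-SendConnector    -Identity 'Internet Send'         -Fqdn $cn

# 4. Verify: the enabled certificate must list every name clients will use.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Leave the default receive connector's FQDN alone; it is used for Exchange-to-Exchange authentication and should keep the server's real name, which is why a separate Internet-facing connector gets the public name.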

TCPIPNet (Author) commented:
Simon,

Thanks for your input, and the great article you wrote from the link you provided.

 I did not know "From November 2015, you will no longer be able to get SSL certificates from commercial providers with internal server names on them. Therefore external names will need to be used internally as well as externally. This will require modifications to the configuration of Exchange so that the correct information is issued by Autodiscover and clients are able to connect on the new URLs."

The only config I have done so far on my Exchange 2010 was to generate the CSR code and the completion of the pending request.
I did leave “Domain name you use to access Outlook Web App internally” at the default, which was the FQDN of the server, which happens to be in a child domain like EX2010.abc.example.com, including all computers. However, I plan to use mail.example.com for other services (OWA, ActiveSync, OA).

No other configuration has been done (i.e. Client Access URLs). Would the following still apply to me: "If you have used the server's real name, then you will need to get the clients reconfigured to work correctly. More work unfortunately"?

In sum, regardless of where the Exchange 2010 server is located (as long as it is within the same site), I should use mail.example.com for both “Domain name you use to access Outlook Web App internally” and “Domain name you use to access Outlook Web App”, which is over the internet.

Thanks in advance.
Simon Butler (Sembee), Consultant, commented:
Basically yes.
Move everything internal and external to the same host name.
It will make life a lot easier for you, plus it is easier for the end users to remember.

The unknown bit is the legacy host name. Was it the real server's name that you used for ActiveSync clients? If not, then just add the name to the certificate and point it at the new server. Then when you configure new clients, use the new name.

Simon.
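Worked example added here (not from the thread) of "move everything internal and external to the same host name" as the reply above puts it: the Exchange 2010 Management Shell commands that set every Client Access URL, the Autodiscover SCP and the Exchange 2003 legacy redirect to the public names. Server name EX2010 and the host names are assumptions; whatever name ends up in these URLs is the name Outlook will connect to, so it must be on the certificate.

```powershell
# Added example, Exchange 2010 Management Shell. Assumed: server and host names.
$server   = 'EX2010'
$hostName = 'mail.example.com'                                    # one name, inside and out
$autodisc = 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
$legacy   = 'https://legacy.example.com/exchange'                  # Exchange 2003 OWA URL
$site     = 'Default Web Site'

# Autodiscover SCP: what domain-joined Outlook reads from AD before it tries DNS.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autodisc

# Every virtual directory gets the same InternalUrl and ExternalUrl, so that a client
# on the LAN and a client on the Internet are handed the same certificate name.
Set-OwaVirtualDirectory         -Identity "$server\owa ($site)" `
    -InternalUrl "https://$hostName/owa" -ExternalUrl "https://$hostName/owa" `
    -Exchange2003Url $legacy          # 2003 mailboxes are redirected to the old server
Set-EcpVirtualDirectory         -Identity "$server\ecp ($site)" `
    -InternalUrl "https://$hostName/ecp" -ExternalUrl "https://$hostName/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync ($site)" `
    -InternalUrl "https://$hostName/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$hostName/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS ($site)" `
    -InternalUrl "https://$hostName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$hostName/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "$server\OAB ($site)" `
    -InternalUrl "https://$hostName/OAB" -ExternalUrl "https://$hostName/OAB"

# Outlook Anywhere, if it has been enabled on this server, announces the same name.
if (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue) {
    Set-OutlookAnywhere -Identity "$server\Rpc ($site)" -ExternalHostname $hostName
}

# Check: nothing should still show ex2010.abc.example.com. Outlook learns these URLs
# through Autodiscover, and a leftover server name here is exactly what produces the
# "name on the security certificate is invalid" alert for a freshly created profile.
Get-OwaVirtualDirectory         -Server $server | Format-List InternalUrl, ExternalUrl, Exchange2003Url
Get-WebServicesVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-OABVirtualDirectory         -Server $server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server        | Format-List AutoDiscoverServiceInternalUri
iisreset /noforce
```

Run this only after the internal DNS records for the public names exist; otherwise clients that pick up the new URLs through Autodiscover cannot resolve them.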
TCPIPNet (Author) commented:
For ActiveSync I also used "mail.example.com". As far as legacy is concerned, I used a new public IP for legacy.example.com.

What got me more confused while I was doing this was the default I had for Autodiscover (autodiscover.abc.example.com,autodiscover.example.com). I removed the first one and kept autodiscover.example.com.

Since no other configuration has been done (i.e. Client Access URLs) like in your article, would the following still apply to me: "If you have used the server's real name, then you will need to get the clients reconfigured to work correctly. More work unfortunately"?
Simon Butler (Sembee), Consultant, commented:
I am referring to existing clients.
If you have existing ActiveSync clients, what host name have they used for the server to connect to?

The wizard takes all of the domains that you have configured, and adds Autodiscover to them.
However you only need Autodiscover for domains where users have it as their primary email address.
Autodiscover works by taking everything after the @ sign in the email address, putting autodiscover in front of it and trying to connect to that address.

Simon.
TCPIPNet (Author) commented:
Simon,

Thanks again for your reply.
ActiveSync was never implemented on the Exchange 2003 server. IMAP was used instead. In fact only OWA was implemented.
It is pretty clear the way you explained how Autodiscover works. I believe I did it correctly from your explanation, since only example.com is used after the @ sign as the domain.

Is it then normal that I get the "Security Alert" stating “The name on the security certificate is invalid or does not match the name of the site”, referring to servername.abc.example.com, when I try to load a new Outlook profile, since no other configuration has been done except the completion of the SAN pending request?

The test should be conducted after the co-existence configuration is done, rather than now (i.e. when legacy.example.com points to the Exchange 2003, mail.example.com points to the Exchange 2010, and all internal DNS records are properly configured). Is this correct?
Simon Butler (Sembee), Consultant, commented:
You need to get the DNS and SSL certificates sorted out before you can make any conclusions from testing.
Due to the way that Outlook 2007 and higher works with Autodiscover, the URL configuration is particularly important. Get it wrong and you get errors like you are seeing.

Simon.
TCPIPNet (Author) commented:
Simon,

Thanks a lot for your help.
I will let you know how it goes. Any recommendations on how to go about sorting out the DNS and SSL certificate in my case, where only 3 people out of 100+ users had it?

Thanks once again for your prompt replies.
Simon Butler (Sembee), Consultant, commented:
"Any recommendations on how to go about sorting out the DNS and SSL certificate in my case where only 3 people had it over 100+ users."

I don't understand what you are asking.
TCPIPNet (Author) commented:
Simon,

I have been going through these links from your website:
1-http://exchange.sembee.info/2010/cas/autodiscover.asp  (Exchange 2010 - Autodiscover Troubleshooting)
2-http://exchange.sembee.info/2010/install/ssl.asp (Exchange 2010 - Exchange 2010 SSL Certificates)
3- others..

I wish I had found your site earlier.
I was asking if you can give me any recommendation on troubleshooting regarding the SSL certificate issue I am having. After completing the certificate pending request, only 3 users out of 100+ received the "Security Alert" which states "The name on the security certificate is invalid or does not match the name of the site”. Also, when I try to load any new user's Outlook profile on a new PC, I get the same "Security Alert" warning.

I also found from the above links that:

1- If Autodiscover is not properly configured, one will likely have issues with the Schedule+ Free/Busy folder from the Exchange 2003. (I currently cannot access that folder.)

2- When I try to navigate to https://servername.abc.example.com/autodiscover/autodiscover.xml, I also get the certificate message.

I did double-check the Autodiscover info and it seems fine, but something is definitely wrong.

Any idea what I can further check?

Thanks once again
Simon Butler (Sembee), Consultant, commented:
First thing you need to do is test whether the host name you have put in resolves to the internal IP address of the Exchange server. Test from a client.
If it does, browse to the host name. You shouldn't get any SSL prompts; if you browse to host.example.com/owa then you should get the OWA login prompt.

If you do get an SSL prompt, then you need to look at the certificate. Check it is your certificate, the one you are expecting. If it is, then you need to check why it is failing.

Simon.
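Added example (not from the thread) that scripts the check in the reply above, and at the same time the Autodiscover lookup described earlier in the thread (take everything after the @, put autodiscover in front of it): from a client, resolve the OWA host name and the two DNS-based Autodiscover candidates, open a TLS connection to each, read the certificate that is actually presented, and compare its DNS names against the host name the way Outlook does. The SMTP address and the OWA host name are assumptions; it needs only Windows PowerShell on a domain client, no Exchange cmdlets.

```powershell
# Added example. Assumed inputs: the user's SMTP domain and the OWA host name.
$smtpAddress = 'user@example.com'
$owaHost     = 'mail.example.com'

function Get-AutodiscoverHosts {
    param([Parameter(Mandatory = $true)][string]$SmtpAddress)
    # Outlook takes everything after the @ and, after the AD SCP lookup, tries
    # https://<domain>/autodiscover/autodiscover.xml and then
    # https://autodiscover.<domain>/autodiscover/autodiscover.xml.
    # (The HTTP-redirect and SRV fallbacks come after those and are not covered here.)
    $domain = $SmtpAddress.Split('@')[-1].ToLowerInvariant()
    @($domain, "autodiscover.$domain")
}

function Get-TlsCertificateInfo {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents; the name comparison is done by us below.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @()
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Windows formats the SAN extension as "DNS Name=mail.example.com, DNS Name=..."
            foreach ($entry in ($san.Format($false) -split ',\s*')) {
                if ($entry -match '^DNS Name=(.+)$') { $names += $matches[1].ToLowerInvariant() }
            }
        }
        if (-not $names) {   # no SAN at all: fall back to the CN, as old clients do
            $names = @($cert.GetNameInfo('DnsName', $false).ToLowerInvariant())
        }
        New-Object PSObject -Property @{
            Subject = $cert.Subject; Issuer = $cert.Issuer
            Thumbprint = $cert.Thumbprint; Names = $names
        }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

function Test-CertificateCoversName {
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com
        # but not ex2010.abc.example.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                           # ".example.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$hosts = @($owaHost) + (Get-AutodiscoverHosts -SmtpAddress $smtpAddress)
foreach ($h in $hosts) {
    try   { $ip = [System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1 }
    catch { Write-Output ("{0,-28} does not resolve from this client" -f $h); continue }
    try   { $info = Get-TlsCertificateInfo -HostName $h }
    catch { Write-Output ("{0,-28} {1,-15} TLS handshake failed: {2}" -f $h, $ip, $_.Exception.Message); continue }
    $ok = Test-CertificateCoversName -HostName $h -Names $info.Names
    $verdict = if ($ok) { 'OK' } else { 'NAME MISMATCH: this host will raise the Security Alert' }
    Write-Output ("{0,-28} {1,-15} {2}  cert={3} names=[{4}]" -f $h, $ip, $verdict, $info.Thumbprint, ($info.Names -join ' '))
}
```

Run it from a PC that shows the alert and from one that does not: a host that resolves to the Internet address on one and the private address on the other means the two are using different resolvers, and a thumbprint that is not the one you just enabled means IIS is still serving the old certificate.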
TCPIPNet (Author) commented:
Simon,

The SSL issue I am having is related to the names on the certificate. I will adjust the names accordingly and I will follow the best practice as you pointed out: "Therefore the best practice is to use split DNS, with the external name being used internally, with Exchange configured as appropriate. http://semb.ee/hostnames2010". However, is it true that "this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems"?

Thanks,
Simon Butler (Sembee), Consultant, commented:
Outlook Anywhere would only kick in if a connection over TCP/IP cannot be made.
Therefore if your VPN allows any ports to be used Outlook Anywhere wouldn't be involved.
If you are restricting the ports on the VPN, then you would need to ensure that the DNS being returned to the VPN clients is correct, so that Outlook can connect without getting confused.

Simon.
TCPIPNet (Author) commented:
Thanks for the clarification on Outlook Anywhere.

Based on your article titled "Split DNS" here http://exchange.sembee.info/network/split-dns.asp, are the statements below correct if external names are being used internally with the Zone Replacement Method?

1- mail.example.com and autodiscover.example.com are also added as Internet Based Resources after, of course, being set as public DNS "A" records.

2- legacy.example.com is only set as a public DNS "A" record.

Thanks,
Simon Butler (Sembee), Consultant, commented:
I would include legacy on internal DNS records as well. Simply because a user on the old system could login to OWA and then be redirected.

Simon.
TCPIPNet (Author) commented:
Simon,

I overlooked an important detail about Adding Internet Based Resources:
You wrote "4. Enter the external IP address for the web site."
If there is a firewall, wouldn't the IP be an internal IP which the public IP gets to via NAT?
Simon Butler (Sembee), Consultant, commented:
Most people do not host their public web site internally on the same network - I know I have no clients doing so and never recommend it. Therefore the public web site would be on an external IP address.

Simon.
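Added example (not from the thread or from the Split DNS article) of the zone replacement split DNS the last few replies describe, on the internal Windows DNS server: an internal copy of example.com in which the Exchange names point at private addresses behind the firewall, legacy is present internally as well so an OWA logon on the old server can still be redirected, and www is re-created pointing at the external address of the publicly hosted web site. The DnsServer module (Windows Server 2012 or later; dnscmd /ZoneAdd and /RecordAdd do the same on older servers), the zone name and all addresses are assumptions.

```powershell
# Added example, run on the internal AD-integrated DNS server. Assumed addresses.
$zone      = 'example.com'
$ex2010    = '10.0.0.10'      # private IP of the Exchange 2010 CAS: mail, autodiscover
$ex2003    = '10.0.0.20'      # private IP of the Exchange 2003 front end: legacy
$publicWeb = '198.51.100.80'  # public IP of the externally hosted www site

# 1. The internal zone shadows the public one. Internal resolvers now answer every
#    example.com query from here and never ask the Internet, so each public name that
#    internal users need must be re-created in it (the "Internet based resources" step).
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -DynamicUpdate 'None'

# 2. Exchange names resolve to the private addresses the NAT rules front, not to the
#    public IPs; only www gets its real external address, since it is not hosted inside.
$records = @{
    'mail'         = $ex2010
    'autodiscover' = $ex2010
    'legacy'       = $ex2003
    'www'          = $publicWeb
}
foreach ($name in $records.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name `
        -IPv4Address $records[$name] -TimeToLive '01:00:00'
}

# 3. Check from a domain client: the three Exchange names must come back with private
#    addresses and www with the public one. A name that still resolves to an Internet
#    address, or not at all, means that client is using a resolver without this zone.
foreach ($name in 'mail', 'autodiscover', 'legacy', 'www') {
    $answer = Resolve-DnsName -Name "$name.$zone" -Type A -DnsOnly |
              Where-Object { $_.Type -eq 'A' }
    "{0,-26} -> {1}" -f "$name.$zone", (($answer | ForEach-Object { $_.IPAddress }) -join ', ')
}
```

Any other public record internal users rely on (an FTP host, a partner portal under the same zone) has to be added the same way, because once the zone exists internally a name missing from it simply stops resolving on the LAN.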