Exchange 2010 SSL Cert Only Works In Either LAN or WAN

We have Exchange 2010 running on a single Server 2012 DataCenter machine.

I have an Exchange self-signed cert - exchange01.domain.local
AND
I have a public cert - owa.domain.com

When I assign SMTP and IIS services to the exchange01 cert, WAN access on the OWA site shows an invalid cert error.
When I assign SMTP and IIS services to the owa cert, internal Outlook clients show an error stating that the server name and certificate don't match.

How can I get both of them to work properly?
Paul Wagner (Friend To Robots and Rocks) asked:

Jian An Lim (Solutions Architect) commented:
Fix up your owa.domain.com by adding the right subject alternative names (SAN), like autodiscover.domain.com, etc.

Check:
https://www.digicert.com/ssl-support/exchange-2010-san-names.htm
Simon Butler (Sembee) (Consultant) commented:
Reconfigure Exchange to use the external host name internally as well as externally - via a split DNS system.
http://semb.ee/hostnames2010

You cannot have internal host names on SSL certificates any longer, so you need to move to that model - then tell users to stop using the server's real name.

Simon.
Paul Wagner (Friend To Robots and Rocks), author, commented:
@Simon
The problem is that even when I had the external cert being used, the internal Outlook clients still got a name mismatch issue. When they first set up outlook, it automatically finds their name and sets up the account. When they first open Outlook, it shows the server name mismatch error for the cert. I suppose that means I have to change something in the way the Outlook is auto-configured for clients but am not sure where.

@limjianan
My owa cert already is a 5-domain cert with owa, autodiscover, etc. I didn't want to confuse the issue.
Simon Butler (Sembee) (Consultant) commented:
You haven't changed the host names to match the certificate.
The prompt is almost certainly coming from Autodiscover, and internal Autodiscover needs to be changed with EMS.

It has nothing to do with the name of the server within Outlook - that will always be the real name of the server - which is fine because it doesn't make an SSL connection.

Simon.
Berkson Wein (Tech Freelancer) commented:
We tend to use single-name SSL certificates, but if you already have a SAN SSL cert, that's fine too. You can't use a self-signed cert and a properly issued one concurrently though, unless you're setting up multiple front-end servers or additional virtual IIS servers.

Here's what I would do:

You can use a single certificate, mail.yourdomain.com for example

Then you need to set the names that are used:

-- change owa
Set-OwaVirtualDirectory -Identity "servername\owa (default web site)" -ExternalUrl https://mail.yourdomain.com/owa -InternalUrl https://mail.yourdomain.com/owa
confirm: Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change ecp
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.yourdomain.com/ecp -InternalUrl https://mail.yourdomain.com/ecp
confirm: Get-EcpVirtualDirectory | select server,externalurl,internalurl | fl

-- change activesync
Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-Activesync (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync
confirm: Get-ActiveSyncVirtualDirectory | select server,externalurl,internalurl | fl

-- change exchange web services
Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx
OR FOR ALL: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx
confirm: Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change oab
Set-OabVirtualDirectory -Identity "ServerName\oab (default web site)" -ExternalUrl https://mail.yourdomain.com/OAB -InternalUrl https://mail.yourdomain.com/OAB
confirm: Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change autodiscover
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://mail.yourdomain.com/Autodiscover/Autodiscover.xml
confirm: Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI


Keep in mind that the autodiscover rename requires a workaround. The alternative is to have a multiple-name (SAN) certificate that has autodiscover in it. We use a _SRV record in DNS to tell the client to look to mail.yourdomain.com.

The internal clients will look at the autodiscover record in your public domain's DNS servers and will auto-configure from there.



Hope this helps.
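As an added check that is not part of Berkson's answer or the original thread: after running the Set-* commands above, this Exchange Management Shell script gathers the InternalUrl/ExternalUrl of every client-access virtual directory plus the AutoDiscoverServiceInternalUri and reports any host name that is not covered by the certificate bound to IIS (the cmdlets and properties are standard Exchange 2010 ones; the Test-CertCoversHost helper and the output format are my own).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Reports every client-facing URL whose host name is not on the IIS certificate,
# which is exactly the condition that produces the name-mismatch prompt in Outlook.

# Names (CN plus SANs) on the certificate that is assigned the IIS service.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is assigned the IIS service." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every URL a client can be handed, tagged with where it came from.
$urls = @()
foreach ($vd in (Get-OwaVirtualDirectory), (Get-EcpVirtualDirectory),
                (Get-ActiveSyncVirtualDirectory), (Get-WebServicesVirtualDirectory),
                (Get-OabVirtualDirectory)) {
    foreach ($d in $vd) {
        $urls += [pscustomobject]@{ Source = "$($d.Identity) InternalUrl"; Url = $d.InternalUrl }
        $urls += [pscustomobject]@{ Source = "$($d.Identity) ExternalUrl"; Url = $d.ExternalUrl }
    }
}
foreach ($cas in Get-ClientAccessServer) {
    $urls += [pscustomobject]@{ Source = "$($cas.Name) AutoDiscoverServiceInternalUri"
                                Url    = $cas.AutoDiscoverServiceInternalUri }
}

# A host is covered if it is listed on the cert or matched by a single-label wildcard entry.
function Test-CertCoversHost([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.EndsWith($n.Substring(1)) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($u in $urls) {
    if (-not $u.Url) { Write-Warning "$($u.Source) is empty"; continue }
    $hostName = ([uri]$u.Url).Host.ToLower()
    if (Test-CertCoversHost $hostName $certNames) {
        Write-Output "OK       $($u.Source) -> $hostName"
    } else {
        Write-Output "MISMATCH $($u.Source) -> $hostName (not on cert; clients will get a name-mismatch prompt)"
    }
}
```

Any line that still shows a .local host name is a URL the Set-* commands did not reach; also confirm each OK host resolves in both internal and public DNS, since a correct URL that does not resolve fails just as visibly.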

Paul Wagner (Friend To Robots and Rocks), author, commented:
@weinberk and @Simon
I'll be taking a look at it this morning. Will let you know.
Paul Wagner (Friend To Robots and Rocks), author, commented:
@weinberk

Our cert has autodiscover.domain.com in it as well as owa.domain.com and a few others. Should I then adjust your command to look like this?

-- change autodiscover
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://autodiscover.yourdomain.com/Autodiscover/Autodiscover.xml
Berkson Wein (Tech Freelancer) commented:
Exactly. And the OWA one. The key is that none should have your .local.

Of course you need to make sure that the DNS entries exist for all of the records too.

Being that you have a SAN certificate (multiple names), you do not need (or want) to do the _autodiscover._tcp.domain.com SRV record that I referenced unless you have other domain names that need auto-configuration. If you do have other domain names, you'd need to modify the SAN certificate with another autodiscover record or use the SRV DNS record method.
Paul Wagner (Friend To Robots and Rocks), author, commented:
@weinberk

One caveat - we currently have our "old" Exchange 2010 server responding to autodiscover.domain.com requests. :-(

Without getting into it, we are migrating from one domain/exchange server to another domain/exchange server.
The old one is owa.domain.com
The new one is mail.domain.com
They both use the same multi-cert that has autodiscover.domain.com

My thoughts are that the internal users on the new domain will resolve to the proper "new" server via local DNS, so there shouldn't be a problem there. Until we get everyone moved over and take down the old server, we won't be able to have people authenticate externally on the new server using autodiscover.domain.com, since the public DNS points to the old server. This shouldn't impact users in the new domain from setting up Exchange via ActiveSync on their phones, since that URL has mail.domain.com. (??)

That sound about right?
Berkson Wein (Tech Freelancer) commented:
That does sound about right.  Migrations are always "fun."

I hate split DNS, but that could work for you if your domain.com public domain name doesn't have too many records. Essentially, create a zone in your AD DNS for domain.com and duplicate ALL of the records in your public DNS space. Then change those that should point to something internal instead. So for example:
www.domain.com is the same public IP in the public DNS and AD DNS
mail.domain.com, autodiscover, owa would be the public IP in public DNS (the Exchange 2010 server for autodiscover) and the correct internal IP for the AD DNS
It ain't elegant and can be a maintenance nightmare if you change/add/delete DNS records frequently, but it works.
Paul Wagner (Friend To Robots and Rocks), author, commented:
Sweet. We already point domain.com addresses to local IPs on the AD DNS anyway, so now I get to do that in two domains. Sounds like "fun". Setting everything up now. Will keep you posted.
Paul Wagner (Friend To Robots and Rocks), author, commented:
@weinberk

Ok, everything is working!


I do have another dilemma with autodiscover but that is kind of a separate issue than the original question. You're welcome to help me out with it! ;-)

Some points to Simon since he was helpful as well.
Paul Wagner (Friend To Robots and Rocks), author, commented:
Excellent guidance and instructions! Thanks so much to @weinberk