SSL Certificates install/setup Exchange 2010

Hey Experts! I'm having an issue setting up my Exchange Server 2010 to connect via Outlook Anywhere. Actually, I can't connect to it from outside the building via web browser. I have 2 certificates, one is mail.jflusvi.org and the other is autodiscover.jflusvi.org. The mail.jflusvi.org certificate has the following services assigned to it: IIS, SMTP, POP, IMAP. I only have SMTP on the autodiscover certificate. Can this be the problem? How can I troubleshoot to see where to start? Your help is greatly appreciated.
Zakee Abdurrasheed, Systems Administrator, asked:
Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, commented:
Hi,

Try to use mail.jflusvi.org for the Autodiscover service too. A SAN certificate would be appropriate for such issues; use the link below:

http://exchangeserverpro.com/exchange-2013-assign-ssl-certificate-to-services/

Thanks
Manikandan
tigermatt commented:
I have 2 certificates, one is mail.jflusvi.org and the other is autodiscover.jflusvi.org
The problem is most likely that you have these names bound to two SEPARATE certificates, not a single certificate which covers multiple names.

While there might be various hacks to make this work, the easiest and recommended method is to obtain a single multi-name ("Unified Communications" or "Subject Alternative Name" - UC/SAN) certificate which lists both your mail.jflusvi.org and autodiscover.jflusvi.org names. These can be obtained for very little money from many online vendors.

You CAN get by with just the single-name mail.jflusvi.org certificate, if you make some specific configuration changes. In particular, you must ensure Outlook never attempts to reach the Autodiscover service using the autodiscover.jflusvi.org URL, as that will fail with a certificate error.

This involves setting the internal Outlook Service Connection Point (SCP) to https://mail.jflusvi.org/Autodiscover/Autodiscover.xml -- use the Set-ClientAccessServer cmdlet with the -AutodiscoverServiceInternalUri parameter to do this.

For Outlook clients connecting from outside the domain (and thus cannot contact a domain controller to look up the SCP) you will need to delete the autodiscover.jflusvi.org host record, and configure a SRV record for _autodiscover._tcp.jflusvi.org to redirect traffic for the Autodiscover service to mail.jflusvi.org. See (for example) this support article for details https://support.microsoft.com/en-us/kb/940881 -- but be advised the multi-name certificate is an easier approach, particularly since many popular DNS hosting platforms do not offer SRV record support.
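The single-certificate configuration described in this answer, as an added Exchange Management Shell example (not code from the thread): it shows which certificate is enabled for IIS (OWA and Autodiscover are IIS virtual directories) and which names it lists, then points the internal SCP at that name. It assumes Exchange 2010 EMS and that mail.jflusvi.org is the name on the certificate.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Assumes the single-name certificate approach: $HostName is the name on that certificate.
$HostName = 'mail.jflusvi.org'

# 1. Find the certificate currently enabled for the IIS service and the names it covers.
#    Services is a flag set such as "IMAP, POP, IIS, SMTP"; only one cert can hold IIS per server.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is enabled for the IIS service on this server.' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })
"IIS certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"

# 2. Warn if the IIS certificate does not list the host name clients will connect to.
if ($certNames -notcontains $HostName) {
    Write-Warning "The IIS certificate does not list $HostName; clients will get a certificate error."
}

# 3. Point the internal Autodiscover SCP at the covered name.
#    Note the parameter ends in "Uri" (Uniform Resource Identifier), not "Url".
$scpUri = "https://$HostName/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri $scpUri

# 4. Confirm the change on every Client Access server.
Get-ClientAccessServer | Select-Object Name, AutodiscoverServiceInternalUri
```

The SCP only affects domain-joined clients; external Outlook clients still follow DNS (the SRV record) as described above.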
Zakee Abdurrasheed, Systems Administrator (author), commented:
Hey Tigermatt, I'm trying to follow your instructions in regard to setting the internal Outlook SCP, but I'm getting the following error: A positional parameter cannot be found that accepts argument '-AutodiscoverServiceInternalUrl'
tigermatt commented:
Hey Tigermatt, I'm trying to follow your instructions in regard to setting the internal Outlook SCP, but I'm getting the following error: A positional parameter cannot be found that accepts argument '-AutodiscoverServiceInternalUrl'
Take care -- the parameter name is AutodiscoverServiceInternalUri, i.e. a lowercase I for Identifier on the end (Uniform Resource Identifier) rather than a lowercase "L". The font here on EE doesn't make that easy to distinguish; here it is in a monospaced font:
Get-ClientAccessServer <NAME> | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml

Zakee Abdurrasheed, Systems Administrator (author), commented:
I made the change, but am still not able to connect outside the building via web browser or Outlook Anywhere. I can connect inside via both. When I run the test at testconnectivity.microsoft.com it's again giving certificate errors... I also set up the SRV record (via NetworkSolutions.com). What else should I check, or what information do you need to help troubleshoot this issue? Thanks!
tigermatt commented:
I made the change, but am still not able to connect outside the building via web browser or Outlook anywhere
The -AutodiscoverServiceInternalUri only affects internal traffic, so this is to be expected. At least it now works internally! :-)

via web browser
To be clear: are you totally unable to access https://yourserver.company.com/owa from an external machine, or does the site load and produce a certificate prompt in the browser?

I also setup the SRV record
Did you delete the autodiscover.company.com host (A/AAAA/CNAME) record in the process?
tigermatt commented:
I forgot you gave us your domain higher in the thread; apologies.

I can see the SRV record is correctly present, but you need to delete the autodiscover.jflusvi.org A record too, since that will take precedence over an autodiscover SRV record.

Please verify 208.50.79.103 is the IP address your Exchange server is associated with, and that port 443 has been opened in any packet filters which might sit between the Internet and the machine. If the machine sits on an internal IP on a LAN segment, you need to ensure address translation is provided using a NAT device or similar.
Zakee Abdurrasheed, Systems Administrator (author), commented:
Good Day! 208.50.79.103 is the IP address our Exchange server is associated with. I have removed autodiscover.jflusvi.org from our DNS on networksolutions.com, but I see there's a default wildcard (*) "all others" .jflusvi.org A record. Wouldn't that mean if autodiscover.jflusvi.org is used it'll still point to that one (which is the Network Solutions under-construction page)?

That's correct, I'm unable to access https://mail.jflusvi.org/owa from an external machine. I'm checking the firewall now to make sure access rules are applied. I know we have a NAT for port 443 to the machine from the outside, but not sure about access rules allowing the same.
Zakee Abdurrasheed, Systems Administrator (author), commented:
I just verified that we do have a NAT with ports 443, 80 on our firewall that leads to our Exchange server, but I still can't access https://mail.jflusvi.org/owa externally, but I can access it internally.
tigermatt commented:
Wouldn't that mean if autodiscover.jflusvi.org is used it'll still point to that one? (which is networksolutions under construction page.
Typically, yes, but it looks like (at least at the moment) DNS is correctly returning a negative response for my query for the autodiscover address, which is correct if using a SRV record.

I just verified that we do have a NAT with ports 443, 80 on our firewall that leads to our Exchange server, but I still can't access https://mail.jflusvi.org/owa externally, but I can access it internally.
You have a networking problem in that case, rather than an Exchange problem. Since you can access the Exchange Server internally (via https://mail.jflusvi.org/owa, I presume?) this indicates some problem with a firewall or routing -- either your firewall or upstream at Network Solutions.

Can you plug a device in on the WAN leg of your firewall (i.e. on the "public" side) and attempt to test from there? This might not be possible -- it depends on how your connectivity is delivered and whether you have an Ethernet service on a public address which you can temporarily tap into.
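The external checks discussed in the last few replies (no autodiscover A record, SRV present, port 443 reachable through the NAT, and the certificate actually presented on 443), as an added PowerShell example that is not from the thread. It assumes a Windows 8 / Server 2012 or newer machine on the public side of the firewall (for Resolve-DnsName) and uses the thread's host names.

```powershell
# Added example, not from the thread. Run from a machine OUTSIDE the network.
# Assumes Resolve-DnsName (Windows 8 / Server 2012 or later). Host names are the thread's.
$Domain   = 'jflusvi.org'
$MailHost = "mail.$Domain"

# 1. An A record (including a wildcard hit) for autodiscover.<domain> wins over the SRV record.
$a = Resolve-DnsName "autodiscover.$Domain" -Type A -ErrorAction SilentlyContinue
if ($a) { Write-Warning "autodiscover.$Domain still resolves to $($a.IPAddress -join ', '); remove it (check wildcard records)" }
else    { "OK: no A record for autodiscover.$Domain" }

# 2. The SRV record must point at the name on the certificate, port 443.
$srv = Resolve-DnsName "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv -and $srv.NameTarget -eq $MailHost -and $srv.Port -eq 443) { "OK: SRV -> $($srv.NameTarget):$($srv.Port)" }
else { Write-Warning "SRV record missing or does not point to ${MailHost}:443" }

# 3. Is TCP 443 reachable through the firewall/NAT at all? If not, it is a network problem, not Exchange.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($MailHost, 443); "OK: TCP 443 open on $MailHost" }
catch { Write-Warning "Cannot reach ${MailHost}:443 - check firewall access rules, NAT and routing"; return }

# 4. Pull the certificate the server presents and compare its names with the host name.
#    The callback accepts any certificate so it can be inspected; chain trust is reported separately.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($MailHost)
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$names  = @()
if ($sanExt) { $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
$names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Certificate presented: $($cert.Subject); names: $($names -join ', '); chain trusted: $($cert.Verify())"
if ($names -contains $MailHost) { "OK: certificate covers $MailHost" }
else { Write-Warning "Certificate does not cover $MailHost - clients will see a certificate error" }
$ssl.Dispose(); $tcp.Close()
```

If step 3 fails while the same URL works internally, the problem is in front of the server (firewall rules, NAT or upstream routing), which is the conclusion reached above.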