
Exchange 2010 Server DNS - SSL help

ComexIT asked:
Hi,

I am currently running 1 x MS Exchange 2010 server on Windows 2008 R2. I went to renew the SSL cert today and got a warning explaining that if I carried on, my SSL would expire in Nov 2015 as it contained a .local address etc. I have re-sent the cert request but excluded the .local reference.

I currently have on my DNS a zone for mail.domain.com that points to the Exchange server, and that does seem to work, but I haven't done anything for autodiscover.domain.com internally. I need it to be as smooth a transition as possible to the new cert, as there are quite a few users externally and internally. I have read some reports saying that people have had a popup asking them if it's OK to redirect etc.

Any help would be appreciated.

Regards

Mike, IT Manager

Commented:
What type of SSL Cert did you originally purchase?

Does your Active Directory domain have a .local suffix?

Author

Commented:
It was a UCC SSL, exactly the same as the previous one, just renewed. Yes, .local.

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

If your domain is .local then you need to use split brain DNS, where you create a DNS zone with the external name you're going to have for autodiscover. Please refer to the link below.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

Thanks
Manikandan

Author

Commented:
Thanks, I will have a look shortly. Is this the best way to handle it?

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

Split brain DNS is normally used when the internal and external namespaces are different, as in your case where the internal is .local. Also refer to the link below; it is basically for Exchange 2013 with a subject alternative name certificate, but it will help you understand the concept of split brain DNS and SAN.

http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html

Thanks
Manikandan
Most Valuable Expert 2014

Commented:
If all of your clients are on the domain, then you don't need an internal Autodiscover record. The clients do not use them. Instead they query the domain for the information, which returns the value you can see here:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Therefore as long as the host name in that result is valid, resolves to the Exchange server and is in the SSL certificate, internal clients will continue to work correctly.

Simon.

Author

Commented:
Thanks Simon, the only problem is that the internal name will no longer be in the SSL cert, as from November they are not issuing them any more.

Any ideas?

Author

Commented:
When I run the command the result is:

Identity     AutoDiscoverServiceInternalUri
--------     ------------------------------
EXCHANGE01   https://exchange01.ssmc.local/Autodiscover/Autodiscover.xml

That cert will not be valid shortly and the new cert will not have the .local in it.

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

Yes your understanding is correct.

Thanks
Manikandan

Author

Commented:
I know, but if I install the new certificate without the .local in it, will the local machines stop working? How do I resolve it?

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

As Simon mentioned, if all the clients are inside the domain then you don't need an internal autodiscover record. Instead it queries the domain. Hence the clients won't be affected.

Thanks
Manikandan

Author

Commented:
Hi, yes I understand that bit, but the new SSL will not contain the .local name, only the external.

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

The local name is used by the internal clients anyway; as long as they can query Active Directory and the global catalog, they don't need the .local.

Thanks
Manikandan

Author

Commented:
Ahh OK, so internal clients will be trusted and don't need to be listed in the SSL cert?

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi,

Yes indeed.

Thanks
Manikandan
Most Valuable Expert 2014

Commented:
I don't understand the answers that are being provided above.
As the internal name is not on the SSL certificate, you need to change it. The fact that it is an internal name has nothing to do with trust or anything.

Therefore you need to set up a split DNS system, then change all of the internal URLs to use the external host name. I have outlined the steps here: http://semb.ee/hostnames2010

Changing the host names is not an optional change - if you don't change them then you will get SSL prompts and core functionality of the server will stop working.

Simon.
Manikandan Narayanswamy, Security Specialist & IBM Security Guardium

Commented:
Hi Simon,

So you mean to say that if the internal name is different and is not in the SSL certificate, then we need to use split DNS and change all the internal URLs to the external host, so the internal clients will access Exchange via the external URL.

Thanks for clearing my concern.

Thanks
Manikandan

Author

Commented:
Thanks Simon, I will try this later this evening when users have gone home. The cert is authenticated and installed, so I will just have to move the services onto the new cert first.
Most Valuable Expert 2014

Commented:
"So you mean to say if the internal name is different and is not in the SSL certificate then we need to use the split DNS and change all the internal URL to external host. So the internal clients will access the exchange via the external URL."

Yes.
If you don't do that then the clients will fail to connect because the certificate will fail trust checks.

Simon.

Author

Commented:
Hi,

I'm still getting errors on some internal machines about the cert not containing the .local bit.

I changed all the relevant internal ones to the external.

Thanks

Author

Commented:
I've checked the client account settings and it is still showing the Exchange server address as the .local one.

Most Valuable Expert 2014

Commented:
The Exchange server address will always be the internal real name of the server - that is fine. You cannot change that and it is not the cause of your prompts.

You need to check that all of the URLs are configured correctly, which includes the ones that you cannot see in the console.
I would also do an Autodiscover test in the Outlook client and verify that the information being returned to the client is correct.

Simon.
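The two things Simon asks for, changing every internal URL to the external host name and then checking all of the URLs including the ones the console does not show, can be done from the Exchange Management Shell. The script below is an added example, not code from this thread, from the linked article or from Exchange itself. It assumes the server name EXCHANGE01 from the thread, and uses mail.domain.com and 192.0.2.10 as placeholders for the external name and the server's private IP; it reads the SAN list of the certificate bound to IIS and reports every client URL whose host name that certificate does not cover, which is exactly the condition that produces the SSL prompts. Without -Apply it only reports.

```powershell
<#
  Added example (not from this thread or from Exchange): audit every client-facing
  URL on an Exchange 2010 Client Access Server against the names on the certificate
  bound to IIS, and optionally re-point the internal URLs at the external host name.
  Run in the Exchange Management Shell on the CAS as a member of Organization Management.
  Assumed values: EXCHANGE01 (from the thread); mail.domain.com and 192.0.2.10 are
  placeholders, replace them with your own external name and private IP.
#>
param(
    [string]$Server       = 'EXCHANGE01',
    [string]$ExternalHost = 'mail.domain.com',   # placeholder
    [switch]$Apply                                # without -Apply the script only reports
)

# Split DNS is done once on the Windows 2008 R2 DNS server (dnscmd, as a DNS admin):
#   dnscmd /ZoneAdd mail.domain.com /DsPrimary
#   dnscmd /RecordAdd mail.domain.com @ A 192.0.2.10
# Internal clients then resolve mail.domain.com to the private IP, external clients to the public one.

# 1. Names covered by the certificate that IIS (OWA, EWS, Autodiscover, ActiveSync) serves.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service enabled on $Server" }
$sanNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"Certificate {0} covers: {1}" -f $cert.Thumbprint, ($sanNames -join ', ')

function Test-HostOnCert([string]$HostName) {
    # Exact SAN match, or a wildcard SAN one label up (*.domain.com covers mail.domain.com).
    if ($sanNames -contains $HostName) { return $true }
    foreach ($san in $sanNames) {
        if ($san.StartsWith('*.') -and $HostName -like $san -and
            $HostName.Split('.').Count -eq $san.Split('.').Count) { return $true }
    }
    return $false
}

# 2. Every URL a client can be handed, including those the console does not show.
$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry([string]$Source, $Url) {
    $entries.Add([pscustomobject]@{ Source = $Source; Url = $Url })
}
$cas = Get-ClientAccessServer -Identity $Server
Add-Entry 'AutoDiscoverServiceInternalUri (SCP in AD)' $cas.AutoDiscoverServiceInternalUri
$vdirs = @{
    'EWS'        = Get-WebServicesVirtualDirectory -Server $Server
    'OAB'        = Get-OabVirtualDirectory        -Server $Server
    'OWA'        = Get-OwaVirtualDirectory        -Server $Server
    'ECP'        = Get-EcpVirtualDirectory        -Server $Server
    'ActiveSync' = Get-ActiveSyncVirtualDirectory -Server $Server
}
foreach ($kind in $vdirs.Keys) {
    foreach ($vd in @($vdirs[$kind])) {
        Add-Entry "$kind InternalUrl" $vd.InternalUrl
        Add-Entry "$kind ExternalUrl" $vd.ExternalUrl
    }
}
# Outlook Anywhere on 2010 exposes only an external host name.
foreach ($oa in @(Get-OutlookAnywhere -Server $Server)) {
    if ($oa.ExternalHostname) { Add-Entry 'OutlookAnywhere ExternalHostname' "https://$($oa.ExternalHostname)/rpc" }
}

# 3. Report: any host name not on the certificate is a source of SSL prompts.
$problems = 0
foreach ($e in $entries) {
    if (-not $e.Url) { "{0,-45} (not set)" -f $e.Source; continue }
    $h  = ([uri]$e.Url.ToString()).Host.ToLower()
    $ok = Test-HostOnCert $h
    if (-not $ok) { $problems++ }
    "{0,-45} {1,-40} {2}" -f $e.Source, $h, $(if ($ok) { 'OK' } else { 'NOT ON CERTIFICATE' })
}
"$problems URL(s) point at a name the certificate does not cover."

# 4. Fix: point the internal URLs at the external name, which split DNS resolves internally.
if ($Apply) {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$ExternalHost/Autodiscover/Autodiscover.xml"
    $vdirs['EWS']        | Set-WebServicesVirtualDirectory -InternalUrl "https://$ExternalHost/EWS/Exchange.asmx"
    $vdirs['OAB']        | Set-OabVirtualDirectory        -InternalUrl "https://$ExternalHost/OAB"
    $vdirs['OWA']        | Set-OwaVirtualDirectory        -InternalUrl "https://$ExternalHost/owa"
    $vdirs['ECP']        | Set-EcpVirtualDirectory        -InternalUrl "https://$ExternalHost/ecp"
    $vdirs['ActiveSync'] | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"
    "Internal URLs set to $ExternalHost; run 'iisreset /noforce' and re-run without -Apply to verify."
}
```

Run it once without -Apply to see which names are still .local, then with -Apply, then once more to confirm every line reads OK. The client-side check Simon refers to is Outlook's Test E-mail AutoConfiguration (Ctrl + right-click the Outlook icon in the notification area): the URLs it shows in the XML tab are what the client is actually being handed, and each of them must be on the certificate. Outlook caches Autodiscover results, so a client may need to be restarted before it picks up the changed URLs.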