Exchange 2010 - New rules for SSL certificates. What will happen with the .local SSL?

Hi all,

In a similar scenario as
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27980634.html

I have three Exch2010 servers using mail[1-3].contoso.local as FQDN. They are serving internal and external clients.
Our current SSL cert has several SANs, covering contoso.com and contoso.local, but it's going to expire soon. We now have a new *.contoso.com certificate to cover our external clients + autodiscover, but nothing for local. After setting it up, some internal clients started to receive an SSL warning (of course, they are connecting to contoso.local and the cert is for contoso.com).

1. What could be the impact on the traffic between the three mail[1-3] servers if there is no .local cert available? (They all know each other as .local.)

2. We have a split DNS setup, and we have mail.contoso.com pointing to the internal IP of one of our contoso.local servers. I know most of our internal clients are pointing to mail.contoso.local for the Exchange server. I want to get rid of mail.contoso.local in the Outlook users' profiles and replace it with mail.contoso.com.
2.1 Can this be reconfigured just by setting a proper internal autodiscover?
2.2 Must I go client by client reconfiguring the email account?
2.3 Should I point all InternalURIs to contoso.com (they are now pointing to contoso.local)?

Thanks!
dwavesys asked:

Dave Howe (Software and Hardware Engineer) commented:
Internal users don't need a commercial cert - you can use the MS CA to issue a cert with whatever elements in it you need, and it will be accepted by internal clients after you push the MS CA root out by group policy. For external users, you may need to have a different IP, but normally fronting it with the Microsoft firewall (advised for OWA and ActiveSync over HTTPS) means the cert is hosted there instead of on the Exchange server anyhow.
Ivan (System Engineer) commented:
Hello,

When you switch from .local to a public name, you should reconfigure the URLs and URI on Exchange for the internal zone.
Below are commands that work on both Exchange 2010 and 2013. First, check how they are configured, and if some of them are pointing to .local (and they surely are), switch them to the public name. You already have DNS configured, as I understand, so that the public name is pointing to the internal server.

# Step 1: report the current URLs of each virtual directory (look for .local in InternalUrl)
Get-WebServicesVirtualDirectory | Select InternalUrl,BasicAuthentication,ExternalUrl,Identity | FL
Get-OabVirtualDirectory | Select InternalUrl,ExternalUrl,Identity | FL
Get-ActiveSyncVirtualDirectory | Select InternalUrl,ExternalUrl,Identity | FL

# Step 2: point the internal Autodiscover URI and the internal URLs at the public name
# (replace HostName with the Exchange server name and mail.yourdomain.com with your public name)
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

After this, recycle the IIS application pool (MSExchangeAutodiscoverAppPool).

PS: No need to do anything on client side. After this they just need to restart Outlook and no more errors will appear.

Regards,
Ivan.
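The procedure Ivan describes, carried through as an added example for the Exchange Management Shell (this is not Ivan's code nor Simon's script, and not part of the original thread). It first lists which names the certificate enabled for IIS actually covers, then audits every Client Access virtual directory plus the Autodiscover URI for hosts still under the old suffix, and rewrites only the host part of those URLs, keeping each path intact. The names contoso.local and mail.contoso.com come from the question; running with $WhatIf = $true only reports. The app-pool recycle at the end assumes PowerShell remoting to each CAS is allowed.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management
# Shell with Organization Management rights, split DNS already resolving
# mail.contoso.com internally, and PowerShell remoting to each CAS for the recycle.
$OldSuffix  = 'contoso.local'     # namespace the new certificate does not cover
$PublicHost = 'mail.contoso.com'  # name covered by the new *.contoso.com cert
$WhatIf     = $true               # set to $false once the report looks right

# Names covered by the certificate(s) bound to IIS. A URL host that is not in
# this list (or matched by a wildcard entry) is what triggers the client warning.
$certDomains = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains }

function Test-NameCovered {
    param([string]$Hostname)
    foreach ($d in $certDomains) {
        if ($d.StartsWith('*.')) {
            # a wildcard covers exactly one extra label, so compare label counts too
            if (($Hostname -like $d) -and
                ($Hostname.Split('.').Count -eq $d.Split('.').Count)) { return $true }
        } elseif ($Hostname -ieq $d) { return $true }
    }
    return $false
}

# Virtual directories to audit: the Get/Set cmdlet pair and the URL properties.
$targets = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory' }
)
$props = 'InternalUrl', 'ExternalUrl'

$report = foreach ($t in $targets) {
    foreach ($vdir in (& $t.Get)) {
        foreach ($p in $props) {
            $url = $vdir.$p
            if (-not $url) { continue }
            $needsChange = $url.Host -like "*.$OldSuffix"
            [pscustomobject]@{
                Identity          = $vdir.Identity
                Property          = $p
                Url               = $url.AbsoluteUri
                HostCoveredByCert = Test-NameCovered $url.Host
                NeedsChange       = $needsChange
            }
            if ($needsChange) {
                # swap only the host; the path (/ews/exchange.asmx, /oab, ...) stays as is
                $builder = [System.UriBuilder]$url
                $builder.Host = $PublicHost
                $params = @{ Identity = $vdir.Identity; WhatIf = $WhatIf }
                $params[$p] = $builder.Uri
                & $t.Set @params | Out-Null
            }
        }
    }
}
$report | Format-Table -AutoSize

# Autodiscover is a property of the Client Access Server object, not of a vdir.
foreach ($cas in Get-ClientAccessServer) {
    $uri = $cas.AutoDiscoverServiceInternalUri
    if ($uri -and ($uri.Host -like "*.$OldSuffix")) {
        Set-ClientAccessServer -Identity $cas.Identity `
            -AutoDiscoverServiceInternalUri "https://$PublicHost/autodiscover/autodiscover.xml" `
            -WhatIf:$WhatIf
    }
}

# Recycle the Autodiscover app pool on every CAS so Outlook picks up the new URLs.
if (-not $WhatIf) {
    foreach ($cas in Get-ClientAccessServer) {
        Invoke-Command -ComputerName $cas.Name -ScriptBlock {
            Import-Module WebAdministration
            Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'
        }
    }
}
```

Run it once with $WhatIf = $true and read the HostCoveredByCert column: every row that is False for a host clients actually connect to is a warning waiting to happen, which is exactly the mail.contoso.local case in the question. The ExternalUrl values are reported as well but only rewritten when they also sit under the old suffix.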
Simon Butler (Sembee) (Consultant) commented:
The server address being .local is fine - that doesn't cause a problem because it isn't used by the client for HTTPS traffic. Everything else needs to be reconfigured. I have a script on my web site that will do that for you, here:

http://semb.ee/hostnames2010

If you have multiple servers then ideally each server should have its own address. You can get away with the same address if they are all in the same AD site, but multiple sites need their own addresses.
If you do use the same address across all servers then when troubleshooting, use a hosts file to ensure you know which server you are connecting to.

Of course if you have the same address on all servers for internal traffic, then you are either going to be using round robin DNS or will need to deploy a load balancer.

Simon.

dwavesys (Author) commented:
Thank you all!

I will set up the URI/URLs and check the results.