Avatar of sfsdtc
sfsdtc

asked on

Exchange 2013 Certificate Issue?

I have an Exchange 2007 server that's been running for several years. It has a purchased SSL certificate. I recently installed an Exchange 2013 server and moved one mailbox to it. It was working fine for that one mailbox for both OWA and Outlook 2010.

I tried exporting the SSL certificate from the 2007 server and importing it into the 2013 server. That process failed, as it shows no name with an Invalid status. This probably failed because I don't recall setting the FQDN on the 2013 server when installing, so it probably doesn't match the certificate, so I deleted it.

Now when I open Outlook 2010, I get the error: "There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server InternalServerNameHere (error code 8)."

If I look at my Outlook account settings, for server name it has a very long line of letters and numbers with @MyInternetDomainName. It doesn't have the actual internal server name as it did when the mailbox was on my 2007 server.

Is there some way of fixing this without restoring from a backup? I can access that mailbox from OWA but not Outlook. Also, it will not let me move that mailbox back to my 2007 server. Thanks!
Avatar of Will Szymkowski
Will Szymkowski

You do not need to have the internal server name on the certificate for it to work.

All you need to do is have the following on the cert:
mail.domain.com
autodiscover.domain.com

That's it. From there you would then set your virtual directories to https://mail.domain.com/... for INTERNAL and EXTERNAL.

In order to do this correctly you also need to configure split DNS as well.

I have created a complete HowTo to set this up properly.  Check out the links below on my site.

Certificate/Importing Certificate
http://www.wsit.ca/how-tos/exchange-server-2/exchange-2013-certificate-generation-csr-import-enable-exchange-certificate/

Configure Split DNS and Virtual Directories
http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/

As for your certificate on Exchange 2007, if it has mail.domain.com and autodiscover.domain.com exporting it and importing it into the Exchange 2013 server should be no issue. Make sure that when you export the cert from Exchange 2007 you export the private key along with all properties.

Will.
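The export/import Will describes, with the private-key and name checks a practitioner would want before enabling the certificate on the new server. This is an added example, not Will's code or anything from his HowTo; mail.domain.com, autodiscover.domain.com and C:\Temp\mail-cert.pfx are placeholders, and each part runs in the Exchange Management Shell of the server named in its comment.

```powershell
# Added example, not from the thread or the linked HowTo. Placeholders: mail.domain.com,
# autodiscover.domain.com, C:\Temp\mail-cert.pfx. Run each part in the Exchange
# Management Shell on the server named in the comment.

# --- 1. On the Exchange 2007 server: export the IIS certificate WITH its private key ---
$Cert2007    = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$PfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-ExchangeCertificate -Thumbprint $Cert2007.Thumbprint -BinaryEncoded:$true `
    -Password $PfxPassword -Path 'C:\Temp\mail-cert.pfx'

# --- 2. On the Exchange 2013 server: import the PFX (copied over first) ---
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$PfxBytes    = [System.IO.File]::ReadAllBytes('C:\Temp\mail-cert.pfx')
$Imported    = Import-ExchangeCertificate -FileData $PfxBytes -Password $PfxPassword -PrivateKeyExportable $true

# --- 3. Only enable it if it carries a private key and covers both required names ---
$Required = 'mail.domain.com', 'autodiscover.domain.com'
$Cert2013 = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint
$Missing  = $Required | Where-Object { $Cert2013.CertificateDomains -notcontains $_ }

if ($Missing) {
    Write-Warning "Certificate $($Cert2013.Thumbprint) does not cover: $($Missing -join ', '). Not enabling it."
} elseif (-not $Cert2013.HasPrivateKey) {
    Write-Warning 'Private key missing: re-export from Exchange 2007 as a binary (PFX) file with a password.'
} else {
    Enable-ExchangeCertificate -Thumbprint $Cert2013.Thumbprint -Services IIS,SMTP
    Get-ExchangeCertificate -Thumbprint $Cert2013.Thumbprint |
        Format-List Subject, CertificateDomains, Services, Status, NotAfter
}
```

The "no name / Invalid" symptom from the question is what step 3 is guarding against: a certificate imported without its private key, or one whose names do not include the host Outlook is told to use, will be reported as unusable and should not be bound to IIS.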
Avatar of sfsdtc
sfsdtc

ASKER

Thanks, I'll look into that. Do I need to somehow change my Exchange 2013 server so it also shows mail.domain somewhere? Can I resolve the Outlook 2010 issue without getting another certificate?
You are getting the certificate error because your virtual directories do not match the names on your certificate for Exchange 2013. So you need to configure split DNS so that you can use the external name internally.

Outlined in my HowTo.

Will.
Avatar of sfsdtc

ASKER

If I read that document correctly, I need to have two DNS entries for mail.whatever (one for each server) and two DNS entries for autodiscover.whatever (one for each server), so that both mail.whatever and autodiscover.whatever point to the two Exchange servers?
No... All you need to do is create a new AD-integrated zone for externaldomain.com.

In that new zone you create one A record for mail.domain.com (pointing to the IP of your CAS server or load balancer IP) and one CNAME record for autodiscover.domain.com pointing to mail.domain.com.

You then re-configure your internal virtual directories like the below example...

INTERNAL URLs
before = https://servername.domain.com/owa, /oab, etc.

after = https://mail.domain.com/owa, /oab, etc.

Internal should now be the same as the external URLs.

Will.
Avatar of sfsdtc

ASKER

Sorry, didn't read the document carefully enough. Looks like I should have two DNS entries (one for each server IP) that point to mail.whatever. The Autodiscover is an alias to mail.whatever. If I do this, how does it know which mail.whatever gets associated with the autodiscover alias?
You create ONE mail.domain.com A record and point it to your CAS server. If you only have 1 CAS server, then point mail.domain.com to the internal IP of your CAS server. If you have multiple CAS servers in your AD site, then point mail.domain.com = load balancer IP.

Create another record (CNAME) pointing to mail.domain.com.

That's it.

Will.
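The two posts above (the split-DNS zone with its single A record and CNAME, and the virtual directories re-pointed from the server name to mail.domain.com) as one script. This is an added example, not Will's code or his HowTo; domain.com, EX2013 and 10.0.0.20 are placeholders, the DNS part assumes the DnsServer module (Windows Server 2012 or later) on the DNS server, and the Exchange part runs in the Exchange Management Shell on the 2013 server.

```powershell
# Added example, not from the thread or the linked HowTo. Placeholders: domain.com,
# EX2013 (the 2013 CAS), 10.0.0.20 (its internal IP). Part 1 assumes the DnsServer
# module on a Windows Server 2012+ DNS server; parts 2-3 run in the Exchange
# Management Shell on the Exchange 2013 server.

# --- 1. Split DNS: an AD-integrated zone named after the public domain ---
$Zone  = 'domain.com'
$CasIp = '10.0.0.20'
$Fqdn  = "mail.$Zone"

if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name 'mail'         -IPv4Address $CasIp
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' -HostNameAlias $Fqdn

# Caveat: internal clients now resolve domain.com from this zone only, so any other
# public host in that domain (www, etc.) needs its own record added here too.

# --- 2. Point every Exchange 2013 virtual directory at the certificate name,
#        internal and external alike ---
$Srv = 'EX2013'
Get-OwaVirtualDirectory         -Server $Srv | Set-OwaVirtualDirectory         -InternalUrl "https://$Fqdn/owa" -ExternalUrl "https://$Fqdn/owa"
Get-EcpVirtualDirectory         -Server $Srv | Set-EcpVirtualDirectory         -InternalUrl "https://$Fqdn/ecp" -ExternalUrl "https://$Fqdn/ecp"
Get-OabVirtualDirectory         -Server $Srv | Set-OabVirtualDirectory         -InternalUrl "https://$Fqdn/OAB" -ExternalUrl "https://$Fqdn/OAB"
Get-WebServicesVirtualDirectory -Server $Srv | Set-WebServicesVirtualDirectory -InternalUrl "https://$Fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$Fqdn/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $Srv | Set-ActiveSyncVirtualDirectory  -InternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"

# Outlook Anywhere (what Outlook 2010 uses) takes host names rather than URLs;
# both must match a name on the certificate or Outlook raises the proxy-certificate error.
Get-OutlookAnywhere -Server $Srv | Set-OutlookAnywhere -InternalHostname $Fqdn -ExternalHostname $Fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# Optional (Exchange 2013 SP1 or later). Passing the methods inline avoids the
# interactive IISAuthenticationMethods[0] prompt mentioned later in the thread.
Get-MapiVirtualDirectory -Server $Srv | Set-MapiVirtualDirectory -InternalUrl "https://$Fqdn/mapi" -ExternalUrl "https://$Fqdn/mapi" `
    -IISAuthenticationMethods Ntlm,Negotiate

# --- 3. Verify: report any directory still carrying the old server name ---
$Dirs = @(
    Get-OwaVirtualDirectory -Server $Srv; Get-EcpVirtualDirectory -Server $Srv
    Get-OabVirtualDirectory -Server $Srv; Get-WebServicesVirtualDirectory -Server $Srv
    Get-ActiveSyncVirtualDirectory -Server $Srv; Get-MapiVirtualDirectory -Server $Srv
)
$Dirs | Where-Object { "$($_.InternalUrl)" -notlike "https://$Fqdn/*" -or "$($_.ExternalUrl)" -notlike "https://$Fqdn/*" } |
    Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
```

Run part 1 once per AD forest, not once per Exchange server: with a single CAS the A record points at that server, and the CNAME inherits it, which is the answer to the "which mail.whatever does the alias follow" question above.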
Avatar of sfsdtc

ASKER

Are there mistakes in the document? On the Autodiscover one it says Uri instead of Url. Should it be Url instead?
Avatar of sfsdtc

ASKER

I don't have any load balancers.  I just have the existing 2007 Exchange server and the new 2013 Exchange server.  I want them to coexist while I test the new one before migrating all mailboxes to the 2013 then removing the 2007 one.
ASKER CERTIFIED SOLUTION
Avatar of Will Szymkowski
Will Szymkowski

Avatar of sfsdtc

ASKER

When I tried to do the Set-MapiVirtualDirectory, it came back with prompts for IISAuthenticationMethods[0].
Put in the type of authentication you want to use. You are also not absolutely required to use the last cmdlet.

Will.
Avatar of sfsdtc

ASKER

Should

Set-ClientAccessServer -Identity "Servername" -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml

be -AutoDiscoverServiceInternalUrl instead of Uri?
It should be Uri.

You need to only set this on the Exchange 2013 server. It is not recommended/required to have multiple SCPs (service connection points) for autodiscover. So if you have this set up on your Exchange 2007 server, remove this setting after you have configured it on Exchange 2013.

You can also check that it is correct using the following command...

Get-ClientAccessServer -Identity Servername | fl Auto*

Will.
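Will's Get-ClientAccessServer check, extended to every CAS in the organisation plus the two conditions that make an SCP actually usable: its host resolving in the split zone and being covered by the IIS certificate. This is an added example, not Will's code; EX2013 and mail.domain.com are placeholders, and it runs in the Exchange Management Shell on the 2013 server.

```powershell
# Added example, not from the thread. Placeholders: EX2013, mail.domain.com.
# Run in the Exchange Management Shell on the Exchange 2013 server.

$Uri = 'https://mail.domain.com/Autodiscover/Autodiscover.xml'

# Set the SCP on the 2013 server only; the parameter really is spelled ...InternalUri.
Set-ClientAccessServer -Identity 'EX2013' -AutoDiscoverServiceInternalUri $Uri

# Show what every CAS publishes. Domain-joined Outlook queries all SCPs it finds in AD,
# so a 2007 server still advertising its own server name will keep producing the
# "not from a trusted certifying authority" error for some clients.
$Servers = Get-ClientAccessServer
$Servers | Format-Table Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope -AutoSize
$Servers | Where-Object { "$($_.AutoDiscoverServiceInternalUri)" -ne $Uri } |
    ForEach-Object { Write-Warning "$($_.Name) publishes a different SCP URI: $($_.AutoDiscoverServiceInternalUri)" }

# The SCP host must resolve internally (the split-DNS A record) ...
$ScpHost = ([uri]$Uri).Host
Resolve-DnsName -Name $ScpHost -Type A | Select-Object Name, IPAddress   # Windows 8 / Server 2012 or later

# ... and must be one of the names on the certificate bound to IIS on the 2013 CAS.
$IisCert = Get-ExchangeCertificate -Server 'EX2013' |
    Where-Object { $_.Services -match 'IIS' -and $_.Status -eq 'Valid' }
if (-not $IisCert -or $IisCert.CertificateDomains -notcontains $ScpHost) {
    Write-Warning "No valid IIS-bound certificate on EX2013 covers $ScpHost"
}
```

Outlook's own view of the same information is available from the system-tray Outlook icon ("Test E-mail AutoConfiguration"), which shows the SCP URI it chose and whether the certificate on that host was accepted.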
Avatar of sfsdtc

ASKER

Since I might have to uninstall then install my Exchange 2013 Server, how do I remove the autodiscovery from it so that my Exchange 2007 controls that for now?
Avatar of sfsdtc

ASKER

Thanks so much for the help!