Exchange 2010 new SAN certificate help needed

I am currently using a private CA certificate with my Exchange Server 2010 (on Windows 2008 R2) and it is working perfectly alright.
Now I have been requested to use a third-party certificate so that users do not get an invalid certificate message while using OWA etc.
I am good in terms of adding certificates in Exchange, BUT I need somebody to help me define the entries in my new SAN certificate. Here is my setup.

Local Server Name: MSrv01
Local Domain Name: Pack.local

External Domain Name: mail.myexternaldomain.co.uk
Accepted domain names in Exchange server: accepteddomain1.co.uk
Accepted domain names in Exchange server: accepteddomain2.co.uk
Accepted domain names in Exchange server: accepteddomain3.co.uk

I would like to use the autodiscover feature of Outlook, configuring itself automatically :)
Please ask if you require more info.

Thanks for your help.
Faisal
Fonline asked:

Kash (2nd Line Engineer) commented:
You need to add the following in the multi-SAN certificate

autodiscover.domains.co.uk
msvr01
msvr01.pack.local
domain1.co.uk
domain2.co.uk
domain3.co.uk
0

Fonline (Author) commented:
1.  ? FYI, you cannot add your local FQDN to the certificate anymore.
So how can I get autodiscover working locally with Pack.local when SSL will refuse the connection?

2. Just need the exact domain names I am adding in my cert. I have gone through articles and they are a headache. Please advise. Ask as much as you need to get to the answer, I don't mind :)
Cheers
0

MAS (MVE, EE Solution Guide) commented:
You have to add the SANs below
mail.domain1.com
mail.domain2.com
mail.domain3.com
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

or

If you don't have enough SANs, add the names below and redirect all autodiscover.domain2.com and autodiscover.domain3.com to autodiscover.domain1.com

mail.domain1.com
mail.domain2.com
mail.domain3.com
autodiscover.domain1.com


It is explained in the above article and thread.
0
Fonline (Author) commented:
Where are these domain names coming from?
mail.domain1.com ?
 mail.domain2.com ?
 mail.domain3.com ?
 autodiscover.domain1.com ?
 autodiscover.domain2.com ?
 autodiscover.domain3.com ?

These domain names are nowhere in my question!!! Can someone please read & answer my question specifically and not copy-paste the answers from other posts. I will really appreciate your help.
0
MAS (MVE, EE Solution Guide) commented:
mail.domain1.co.uk
mail.domain2.co.uk
mail.domain3.co.uk
autodiscover.domain1.co.uk
autodiscover.domain2.co.uk
autodiscover.domain3.co.uk
or
redirect autodiscover.domain2.co.uk and autodiscover.domain2.co.uk to autodiscover.domain1.co.uk

If all domain users access mail.myexternaldomain.co.uk then you can ignore mail.domain2.co.uk and mail.domain3.co.uk
0
Fonline (Author) commented:
So you recommend not adding mail.myexternaldomain.co.uk to my cert?
0
MAS (MVE, EE Solution Guide) commented:
No, if you access by mail.myexternaldomain.co.uk you should have that name as well in the certificate.
0
Fonline (Author) commented:
Can someone come back with a complete list of domains I need in the SAN cert and not bits and bobs in various replies.

Q. Which domain names do I need to add in my SAN certificate given the following setup

1. Local Server Name: MSrv01
2. Local Domain Name: Pack.local

3. External Domain Name: mail.myexternaldomain.co.uk

4. Accepted domain name #1 in Exchange server: accepteddomain1.co.uk
5. Accepted domain name #2 in Exchange server: accepteddomain2.co.uk
6. Accepted domain name #3 in Exchange server: accepteddomain3.co.uk

7. Need autodiscovery features
8. OWA access at mail.externalDomain.co.uk

Please answer with the full list of domains I should include in my SAN cert.
0
Kash (2nd Line Engineer) commented:
SAN certificate for

mail.myexternaldomain.co.uk
autodiscover.myexternaldomain.co.uk
accepteddomain1.co.uk
accepteddomain2.co.uk
accepteddomain3.co.uk
1
MAS (MVE, EE Solution Guide) commented:
You do not need to add all of your Accepted domains to a UCC/SAN cert. You can have 1 external SMTP address that is used for connecting to your exchange environment i.e. mail.myexternaldomain.co.uk and autodiscover.accepteddomain1.co.uk are the only DNS SAN Names that are required. This is the preferred method.
So if you have users in your Exchange environment using @accepteddomain2.co.uk as their SMTP domain, this will not matter. They just connect to their mailbox using mail.myexternaldomain.co.uk and they will still be able to send/receive email as @accepteddomain2.co.uk

For Autodiscover to work properly you need to have an autodiscover record for every e-mail address domain as mentioned above. Some find it easier to deploy an SRV record for Autodiscover when you have many e-mail domains.
If you are not familiar with redirection and if you have only one common name, add the names below to the certificate.
mail.myexternaldomain.co.uk
autodiscover.accepteddomain1.co.uk
autodiscover.accepteddomain2.co.uk
autodiscover.accepteddomain3.co.uk

or add the names below if you plan to add one external name for each domain
mail.myexternaldomain1.co.uk
mail.myexternaldomain2.co.uk
mail.myexternaldomain3.co.uk
autodiscover.accepteddomain1.co.uk
autodiscover.accepteddomain2.co.uk
autodiscover.accepteddomain3.co.uk
0
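Generating the request with the SAN list agreed in this thread, as an added example in the Exchange 2010 Management Shell (not code posted by anyone in the thread). The subject's organisation and country are placeholders, and the output path is assumed.

```powershell
# Added example: build the SAN list from the names agreed in this thread,
# then create the CSR in the Exchange 2010 Management Shell.
# Organisation/country in the subject are placeholders, not from the thread.
$primaryName = 'mail.myexternaldomain.co.uk'
$sanNames = @(
    'mail.myexternaldomain.co.uk',
    'autodiscover.myexternaldomain.co.uk',
    'autodiscover.accepteddomain1.co.uk',
    'autodiscover.accepteddomain2.co.uk',
    'autodiscover.accepteddomain3.co.uk'
)

# Internal names (mssrv01.pack.local, pack.local, bare host names) are left
# out on purpose: public CAs no longer issue for them, as noted above.
$nonPublic = $sanNames | Where-Object { $_.ToLower().EndsWith('.local') -or $_ -notmatch '\.' }
if ($nonPublic) { throw "Remove non-public names before requesting: $($nonPublic -join ', ')" }

# -DomainName carries the SAN entries; the first one also becomes the CN.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=GB, o=Example Org (placeholder), cn=$primaryName" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# The cmdlet returns the PEM request text; hand this file to the public CA.
Set-Content -Path 'C:\certreq\mail.myexternaldomain.co.uk.req' -Value $request

# Once the signed certificate is back, import it, bind it to IIS (OWA, EWS,
# Autodiscover, ActiveSync) and SMTP, then confirm which names it covers:
# Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certreq\signed.cer' -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services IIS,SMTP
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint
```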
Fonline (Author) commented:
Hi MAS & Kash,
Excellent, thanks for your replies.
1. I would like to create DNS redirection for autodiscover to work, if you point me to the right article for this.
2. My Exchange server has one SMTP address, mail.myexternaldomain.co.uk. This is the only send connector configured under Hub Transport.
3. What about my local domain, pack.local? I thought autodiscover would work as the "autodiscover.pack.local" domain name. Please confirm.
0
MAS (MVE, EE Solution Guide) commented:
1. I would like to create DNS redirection for autodiscover to work, if you point me to the right article for this.
It is explained here
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

2. My Exchange server has one SMTP address, mail.myexternaldomain.co.uk. This is the only send connector configured under Hub Transport.
I am not clear on this. Are you talking about the send connector or accepted domains?

3. What about my local domain, pack.local? I thought autodiscover would work as the "autodiscover.pack.local" domain name. Please confirm.
No. Autodiscover will be "autodiscover.emaildomain.com", which is hard-coded in Outlook.
0
Kash (2nd Line Engineer) commented:
1. I would like to create DNS redirection for autodiscover to work, if you point me to the right article for this.
All you need to do is log on to where your NAME SERVERS are, e.g. if you bought the domain from GoDaddy, then go to the GoDaddy cPanel, go to DNS and add the following records:

autodiscover.domain.com >>>>>>> your Exchange IP address
Create MX record >>> point to your Exchange IP address (probably your broadband IP at the office).


2. My Exchange server has one SMTP address, mail.myexternaldomain.co.uk. This is the only send connector configured under Hub Transport.
This is where I meant about transport rules.

If you have particular users you want to send using the new domain, then I would go to Exchange Management Console and set the default email address as the NEW DOMAIN. This will make the user send as the new DOMAIN email address.

You don't need to worry about receiving emails; as long as you have MX records set up to your Exchange server and the ACCEPTED DOMAIN set up in EMC, the emails should flow.

3. What about my local domain, pack.local? I thought autodiscover would work as the "autodiscover.pack.local" domain name. Please confirm.
That should work as it is, and the internal Outlook clients will pick it up as it is.
0
Fonline (Author) commented:
Thanks MAS,
Just to clear my points;
1.
"I am not clear on this. Are you talking about the send connector or accepted domains?"
I am trying to explain to you how my Exchange server has been set up. My Exchange server has one SMTP address, mail.myexternaldomain.co.uk. This is the only send connector configured under Hub Transport. But I do have quite a few accepted domains, like I mentioned in my question. Also, "pack.local" is listed there too.
I'm now reading your article.

Thanks Kash,

I am hosting this Exchange on my premises; do I still need to create this autodiscover DNS entry on my ISP's DNS (I buy external domain names from my ISP, btw) or on my local DNS server, pointing it to my local Exchange server's IP address?


MAS, thanks for the
0
Kash (2nd Line Engineer) commented:
If your external domain is provided/bought through the ISP then you should have a DNS cPanel login, or ask the ISP to do it for you.

Get them to add records:

1. autodiscover.newdomain.com ... IP
2. MX ---- external IP address of your Exchange server
1
MAS (MVE, EE Solution Guide) commented:
0
Fonline (Author) commented:
Hi MAS,
On your comment dated 2015-08-27 at 09:41, you said
"You do not need to add all of your Accepted domains to a UCC/SAN cert. You can have 1 external SMTP address that is used for connecting to your exchange environment i.e. mail.myexternaldomain.co.uk and autodiscover.accepteddomain1.co.uk are the only DNS SAN Names that are required. This is the preferred method. "

Do you really mean autodiscover.accepteddomain1.co.uk or did you mean autodiscover.myexternaldomain.co.uk?

Hi Kash,
Just to confirm, you want me to add autodiscover.externaldomain.co.uk in the ISP DNS in order to get them verified by certificate authorities?
BTW I have configured a zone in my internal DNS with my externaldomain.com with mail and autodiscover entries (known as Split DNS entries in Microsoft documentation).

Thanks
0
MAS (MVE, EE Solution Guide) commented:
-->Do you really mean autodiscover.accepteddomain1.co.uk or did you mean autodiscover.myexternaldomain.co.uk?
It is "autodiscover.youremaildomain.com"; it can be any of your email domains, and the rest of the email domains you have to redirect using the link provided above.
0
Fonline (Author) commented:
MAS,
Your very last link was excellent; it taught me exactly what I need to do to set this up, but I have just realized that because of the 2nd public IP requirement I may not be able to set up autodiscover redirection. So, I have concluded the following domain names for my first public cert. Please confirm if I am wrong here.

mail.myExternalDomain.co.uk
autodiscover.myExternalDomain.co.uk

autodiscover.accepteddomain1.co.uk
autodiscover.accepteddomain2.co.uk
autodiscover.accepteddomain3.co.uk

BTW Kash well spotted these soon after my question :)

Also, should I create an autodiscover alias entry for every public domain of mine (the above ones) so that they get verified when the CA checks them before issuing me this certificate?

I think I am getting there now :)
0
Fonline (Author) commented:
Note: for OWA, all my users use the mail.myexternaldomain.co.uk link
0
Fonline (Author) commented:
Here is the autodiscover configuration of my only CAS

Name                                 : MSSrv01
Fqdn                                 : MSSrv01.Pack.local
OutlookAnywhereEnabled               : False
AutoDiscoverServiceCN                : MSSrv01
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://autodiscover.myexternaldomain.co.uk/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=MSSrv01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=LLG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Pack,DC=local
Identity                             : MSSrv01
Guid                                 : 54b67c52-19b2-406e-2f915cf7c664
ObjectCategory                       : Pack.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 20/07/2015 14:43:38
WhenCreated                          : 12/08/2010 15:16:47
WhenChangedUTC                       : 20/07/2015 13:43:38
WhenCreatedUTC                       : 12/08/2010 14:16:47
OrganizationId                       :
OriginatingServer                    : DC1.Pack.local

I have a relevant question, but not relevant to the certificate.
All the above settings are pointing to autodiscover.myexternaldomain.co.uk, so then how are my Outlook users with myAccepteddomain1.co.uk or myAccepteddomain2.co.uk etc. reaching my CAS server currently? Very odd one.
0
MAS (MVE, EE Solution Guide) commented:
-->All the above settings are pointing to autodiscover.myexternaldomain.co.uk, so then how are my Outlook users with myAccepteddomain1.co.uk or myAccepteddomain2.co.uk etc. reaching my CAS server currently? Very odd one.

All domains' emails reach your server through MX records.
Do you have MX records created for the myAccepteddomain1.co.uk, myAccepteddomain2.co.uk etc. domains in the external DNS server?
0
Fonline (Author) commented:
1. In Exchange server I have a smarthost configured as the Symantec security lab server address
2. All of the domains in external DNS have an MX record pointing to some MessageLabs server (cluster-server.messagelabs.com)
3. mail.myExternaldomain.co.uk exists in external DNS for this domain, as an A record pointing to my Exchange server's public IP address
4. All other domains, myAccepteddomain1.co.uk, 2.co.uk and 3.co.uk, do not have any mail A record.
0
MAS (MVE, EE Solution Guide) commented:
You should have MX records for all domains which point to the external address of your Exchange server to receive emails.
0
Fonline (Author) commented:
Well, but it has been working without any issues for ages. MX records for all 4 domains are pointing to xxx.messagelab.com, which means they do exist.

For OWA access, my remote staff use mail.myExternaldomain.co.uk from outside.

As you know, currently I am using a self-signed certificate which I have generated from my DC; this has the following SAN entries at the moment, and it is working without any issue. This can help us in listing cert entries for our public cert.

DNS Name=mssrv01.Pack.local
DNS Name=mail.myExteraldomain.co.uk
DNS Name=autodiscover.Pack.local
DNS Name=autodiscover.myExteraldomain.co.uk
DNS Name=autodiscover.myAccepteddomain1.co.uk
DNS Name=autodiscover.myAccepteddomain2.co.uk
DNS Name=autodiscover.myAccepteddomain3.co.uk
DNS Name=Pack.local

If you want me to take some entries out of this cert and test again, I will certainly try for you.

I have tried to use another cert (self-signed) with the following domain names only, but this produces a security warning on Outlook users' screens while connecting internally within the Pack.local domain.

DNS Name=mail.myExternaldomain.co.uk
DNS Name=autodiscover.myExternaldomain.co.uk
DNS Name=autodiscover.myAccepteddomain1.co.uk
DNS Name=autodiscover.myAccepteddomain2.co.uk
DNS Name=autodiscover.myAccepteddomain3.co.uk

I want these internal security certificate errors to disappear first, then I will be sure that my certificate will certainly work externally because it has mail.myExternaldomain.co.uk, which is the only domain we use from outside.
0
MAS (MVE, EE Solution Guide) commented:
Please post a screenshot of the error
0
Fonline (Author) commented:
OK. I am waiting for the best time to switch my cert and produce this error for your view. I will try tonight.
0
Fonline (Author) commented:
Hi MAS,
No security/certificate errors now, yahooo!!! I had to restart the Exchange server, or its IIS part, after making the changes in Web Services.

So far I have managed to use a private certificate, but it has no local domain names in it anymore!! This means it will be very straightforward for me to get the public certificate now. Correct?

In this drive, I have come across very interesting facts which you would love to know! I did some experiments :)

OVERALL WHAT I DID?
After changing the internal and external URLs for Web Services, OWA, OAB, ECP, Autodiscover, Outlook Anywhere and ActiveSync, I have set up "Split DNS" on my internal DNS as described in one of your links above.

INTERESTING FACTS
I have found that I don't need to include all my accepted domains in the cert! I don't need to configure split DNS for these domains either!

I have 6 accepted domains, out of which we only use 3-4 domains and the rest are just there. When I created my private cert the other day, I did not include them in my certificate and also did not create their local split DNS entries. When I finished testing my cert and found that my cert is absolutely working without any local domain entries, I thought let's try and test one of my accepted domains which I have not included in my cert. So on the Exchange server I changed my email address to that accepted domain and opened up a new laptop which had no Outlook configured on it. Fired up Outlook and guess what! It configured itself with my new email address/domain. This has proved that split DNS and an autodiscover entry for the accepted domain name are not required.

MY Certificate Entries:
mail.myExternalDomain.co.uk
autodiscover.myExternalDomain.co.uk
autodiscover.myAcceptedDomain1.co.uk
autodiscover.myAcceptedDomain2.uk
autodiscover.myAcceptedDomain3.co.uk

WHAT STILL NEEDS DOING?
I still need to create an autodiscover A record for each domain on my public DNS so that when I apply for the public certificate, the public CA is able to confirm it, as explained by Kash.
0
MAS (MVE, EE Solution Guide) commented:
-->autodiscover.myExternalDomain.co.uk
If your email domain is not myexternaldomain.com there is no need for this name in the certificate. Outlook will search for autodiscover.accepteddomains.com only, i.e. if your email address is fonline@contoso.com, Outlook will search for autodiscover.contoso.com.

You need to create the same autodiscover.accepteddomain.com in your external DNS servers as well.
You can configure a CNAME also to redirect.
0
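A check for the condition MAS describes, as an added example (not code from the thread): for every accepted domain it reports whether autodiscover.<domain> resolves and whether the certificate bound to IIS actually covers that name. It is run on the CAS in the Exchange 2010 Management Shell, so it sees internal (split) DNS; the names and cmdlets are real, the risk wording is mine.

```powershell
# Added example: for each accepted domain, check whether autodiscover.<domain>
# resolves and whether the IIS certificate covers it. Outlook clients outside
# the AD domain query autodiscover.<smtp-domain>, so a record that exists
# without a matching SAN is exactly what raises the certificate warning seen
# in this thread. [System.Net.Dns] is used because Resolve-DnsName does not
# exist on Windows Server 2008 R2.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-SanCovers([string]$name) {
    # Exact SAN match, or a wildcard SAN for the parent zone (*.accepteddomain1.co.uk).
    $parent = $name.Substring($name.IndexOf('.'))
    return ($covered -contains $name) -or ($covered -contains "*$parent")
}

$report = foreach ($domain in Get-AcceptedDomain) {
    $zone = $domain.DomainName.ToString().ToLower()
    if ($zone -like '*.local') { continue }   # internal AD zone, never an external email domain
    $adName = "autodiscover.$zone"
    $ips = @()
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($adName) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }                      # NXDOMAIN or no resolver answer
    $inCert = Test-SanCovers $adName
    if ($ips.Count -gt 0 -and -not $inCert) { $risk = 'resolves but NOT in certificate: external Outlook will warn' }
    elseif ($ips.Count -eq 0)              { $risk = 'no record: external Outlook cannot autodiscover this domain' }
    else                                   { $risk = 'ok' }
    New-Object PSObject -Property @{
        AcceptedDomain   = $zone
        AutodiscoverName = $adName
        ResolvesTo       = ($ips -join ', ')
        InCertificate    = $inCert
        Risk             = $risk
    }
}
$report | Format-Table AcceptedDomain, AutodiscoverName, ResolvesTo, InCertificate, Risk -AutoSize
```

Run it once more from a host that uses public DNS to see what remote Outlook Anywhere clients get, since the internal and external zones can differ under split DNS.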
Fonline (Author) commented:
What I have learnt is completely different!
For internal users (like members of Active Directory which are connecting from inside the network), you need only one autodiscover record. This autodiscover record should be linked with the domain name that you have used in the internal and external names of Web Services, OWA, OAB, ECP, Autodiscover, Outlook Anywhere and ActiveSync, i.e. "autodiscover.myExternalDomainName.co.uk". So, I don't need any autodiscover record for any accepted domains. Remember this is only if your users are connecting from inside.

For outside users, the scenario is very different. As you said, Outlook will attempt to connect with AD; since there is no access to AD from outside, it will try the autodiscover record of your email address, i.e. if your email address is abc@myAcceptedDomain1.co.uk, then Outlook will try autodiscover.myAcceptedDomain1.co.uk
0
MAS (MVE, EE Solution Guide) commented:
Outlook will attempt to connect with AD; since there is no access to AD from outside, it will try the autodiscover record of your email address, i.e. if your email address is abc@myAcceptedDomain1.co.uk, then Outlook will try autodiscover.myAcceptedDomain1.co.uk

This is correct.
0
Fonline (Author) commented:
Yes, but if one does not have users who use Outlook from outside via Outlook Anywhere then he doesn't need autodiscover.myAcceptedDomain1.co.uk and instead would be good to go with only autodiscover.myExternalDomain.co.uk. I don't use Outlook Anywhere; instead we have VPN users, and for those I again don't need any autodiscover entries for all accepted domains. Just one autodiscover entry is doing the job well.

Just got the public cert and it's all working.

myExternalDomain.co.uk
autodiscover.myExternalDomain.co.uk
mail.myExternalDomain.co.uk
0
MAS (MVE, EE Solution Guide) commented:
Did you create a CNAME for all the other accepted domains which redirects to mail.myExternalDomain.co.uk?
If not, please create it.
0
Fonline (Author) commented:
No I didn't. On DNS, I did the following only and it's all working like a charm

1a. On internal DNS, created a split DNS entry for myExternalDomain.co.uk so that my internal users get this resolved into my local Exchange server's IP, i.e. 10.0.0.100

2a. Also added an autodiscover A record in it, so that Outlook can resolve autodiscover.myExternalDomain.co.uk into my local Exchange server's IP, i.e. 10.0.0.100

3a. Also added a mail A record, mail.myExternalDomain.co.uk. This address I have used everywhere in the CAS server: internal and external URLs for OWA, OAB, ECP, ActiveSync, Web Services, Autodiscover and Outlook Anywhere etc.

4a. On public DNS, I have created an autodiscover A record for my myExternalDomain.co.uk domain name and pointed it to my Exchange server's public IP address. In the process of my certificate verification, the CA will check and verify this entry because autodiscover.myExternalDomain.co.uk is included in my new cert.

Honestly speaking, you don't need anything for your accepted domain names (1, 2, 3) as long as your users are not connecting from outside via the internet/Outlook Anywhere.

BUT if your users do connect from outside then you need to do the following

1b. On public DNS, create an autodiscover A record for each AcceptedDomain.co.uk
2b. Add all these autodiscover entries into your cert

If you have users which are connecting from inside but are non-domain users (like those using your local DNS but with no DC account), for such users you have to

3b. Create a split DNS entry for each AcceptedDomain.co.uk in your local DNS

If your users connect via VPN dial-in and not via Outlook Anywhere etc., then you just treat them as internal users; only follow steps 1, 2 and 3.

So, this was the whole story :)
The only CNAME entry I did is for www for myExternalDomain.co.uk during the split DNS setup, so that when internal users go to IE and type www.myExternalDomain.co.uk, it goes to the public http://myExternalDomain.co.uk instead of the local server :)
0
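The internal side of the author's steps 1a-3a as commands, as an added example (not from the thread). Assumed from the thread: DNS on DC1.Pack.local, CAS named MSSrv01, internal Exchange address 10.0.0.100; the www CNAME target is a placeholder, and the "Server\vdir (Default Web Site)" identities follow the form Exchange 2010 uses.

```powershell
# Added example: the author's split-DNS records and single-name CAS URLs as
# commands. Server names and IP are taken from the thread; the www CNAME
# target is a placeholder. Run in the Exchange 2010 Management Shell on a box
# with dnscmd (RSAT or the DNS server itself).
$dnsServer = 'DC1.Pack.local'
$zone      = 'myExternalDomain.co.uk'
$exchIp    = '10.0.0.100'
$cas       = 'MSSrv01'
$base      = "https://mail.$zone"

# 1a. Split DNS: an internal, AD-integrated copy of the public zone. Once it
#     exists, any public name not re-created here stops resolving inside.
dnscmd $dnsServer /ZoneAdd $zone /DsPrimary

# 2a/3a. The two names clients actually use point at the internal address.
dnscmd $dnsServer /RecordAdd $zone autodiscover A $exchIp
dnscmd $dnsServer /RecordAdd $zone mail A $exchIp
# The www CNAME must point at a name outside this zone, or it loops back in.
dnscmd $dnsServer /RecordAdd $zone www CNAME 'webhost.hosting-provider.example.'

# 3a. Every internal and external URL uses the one host name the certificate
#     carries, so domain-joined and VPN clients never see a mismatched name.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://autodiscover.$zone/Autodiscover/Autodiscover.xml"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"

# IIS has to be recycled before clients receive the new URLs (the restart the
# author found necessary).
iisreset /noforce

# Confirm from an internal client's point of view: the SCP URL and the two
# names should all lead to the internal Exchange address.
Get-ClientAccessServer -Identity $cas | Format-List Fqdn, AutoDiscoverServiceInternalUri
foreach ($name in "autodiscover.$zone", "mail.$zone") {
    $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    "{0} -> {1}" -f $name, ($ips -join ', ')
}
```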
Fonline (Author) commented:
Correct domain names
0
Fonline (Author) commented:
Thanks MAS and Kash for your input. I reached the solution after discussion on this forum. Thanks
0