Exchange 2007 and domain .local

Hi, I am using Microsoft Exchange 2007 on Windows Server 2008 Standard.
All my clients (basically Outlook) use exchange.domain.local (192.168.100.15) to access.
My SSL certificate is going to expire and I can't renew it with "exchange.domain.local" common name.
I need to reconfigure Exchange to use "exchange.domain.it" instead.
I can manage the DNS issue with split DNS. What else should I do?
Thank you very much
Regards
Armitage318 Asked:

LesterClayton Commented:
Essentially you're going to have to convert Exchange 2007 to use internet Domain names, so that you can obtain certificates.  Usually, people will use split-brain DNS and have internal names (like mail.contoso.com) point to 192.168.100.15, and externally, it would point to your external IP address.

A good guide on changing the directories in Exchange is available here: https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

Now, you can get 1 certificate - "mail.yourdomain.com" for both the internal IP and external IP.
0
dipersp Commented:
Run the PowerShell below:

Get-OwaVirtualDirectory | fl *url*
Get-EcpVirtualDirectory | fl *url*
Get-ActiveSyncVirtualDirectory | fl *url*
Get-OabVirtualDirectory | fl *url*
Get-ClientAccessServer | fl *uri*
Get-WebServicesVirtualDirectory | fl *url*


This PS command is just giving us information and not making any changes to your system.

Send us the output and then I'll give you a PS command to make changes to the necessary domains that are still pointing to .local.  

Get exchange.domain.it set up internally at this point.  And instead of setting up a zone called domain.it, set up a zone called exchange.domain.it and then set up a single A record within that zone that points @ to your Exchange server.

This way you don't have to make changes to that internal domain every time you make a change externally to www.domain.it, for example.
0
Armitage318 (Author) Commented:
[PS] C:\Windows\system32>get-owavirtualdirectory | fl *url*


Url         :
InternalUrl :
ExternalUrl :

Url         :
InternalUrl :
ExternalUrl :

Url         :
InternalUrl :
ExternalUrl :

Url         :
InternalUrl :
ExternalUrl :

Url         : {}
InternalUrl : https://exchange.domain.it/owa
ExternalUrl : https://exchange.domain.it/owa



[PS] C:\Windows\system32>



[PS] C:\Windows\system32>get-activesyncvirtualdirectory | fl *url*


MobileClientCertificateAuthorityURL :
InternalUrl                         : https://exchange.domain.it/Microsoft-Server
                                      -ActiveSync
ExternalUrl                         : https://exchange.domain.it/Microsoft-Server
                                      -ActiveSync



[PS] C:\Windows\system32>get-oabvirtualdirectory | fl *url*


InternalUrl : http://exchange.domain.it/OAB
ExternalUrl : https://exchange.domain.it/OAB

[PS] C:\Windows\system32>get-clientaccessserver | fl *url*


(no output at all)


[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url*


InternalNLBBypassUrl : https://exchange.domain.local/ews/exchange.asmx
InternalUrl          : https://exchange.domain.local/EWS/Exchange.asmx



[PS] C:\Windows\system32>get-ecpvirtualdirectory | fl *url*
Termine 'get-ecpvirtualdirectory' non riconosciuto come nome di cmdlet,  (command not recognized)
0

dipersp Commented:
Sorry, I misread and some of the commands I sent you are for Exchange 2010.   I don't have the exact commands for 2007, I'll have to dig a bit.

Start by going through the Exchange management GUI and change all of the internal URLs to the external URLs.  This is going to be under server config -> client access.  Go through each tab and set the internal to the external info.
0
Armitage318 (Author) Commented:
Hi dipersp,
I changed all my external / internal URLs, they are OK.
On my client I still receive errors about incorrect common name (SSL).
It seems that my client is still looking for "exchange.domain.local".
I also changed "autodiscover.domain.it" to resolve internal IP.
What do you think about these steps (according to 2007 of course)?

https://secure.tkfast.com/faqs_view.php?id=242

Thank you
0
dipersp Commented:
Those commands should do it, but without an Exchange 2007 box in front of me, I can't give you a 100%.  Those definitely look right though.
0
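An added example, not part of the thread or of any participant's post: a read-only Exchange Management Shell check that lists every Url/Uri property still containing the old suffix, including the Autodiscover value on Get-ClientAccessServer that a `*url*` filter does not display. The suffix and the server name EXCH01 are assumptions; the syntax is kept compatible with the older PowerShell that ships with Exchange 2007.

```powershell
# Added example: read-only audit for the Exchange 2007 Management Shell.
# $OldSuffix is an assumption based on the host names used in the thread.
$OldSuffix = '.domain.local'

# Cmdlets that expose client-facing Url/Uri properties.
$Sources = 'Get-ClientAccessServer',
           'Get-WebServicesVirtualDirectory',
           'Get-OabVirtualDirectory',
           'Get-UMVirtualDirectory',
           'Get-OwaVirtualDirectory',
           'Get-ActiveSyncVirtualDirectory'

function Find-StaleUrl {
    param([string]$Suffix, [string[]]$Cmdlets)
    foreach ($cmd in $Cmdlets) {
        # @() keeps the loop from running once on an empty result.
        foreach ($obj in @(& $cmd)) {
            # Match *Url and *Uri: the Autodiscover SCP value lives in
            # AutoDiscoverServiceInternalUri, which "fl *url*" never lists.
            $props = $obj.PSObject.Properties |
                Where-Object { $_.Name -match 'Ur[li]$' }
            foreach ($p in $props) {
                $value = "$($p.Value)"
                if ($value -like "*$Suffix*") {
                    $row = New-Object PSObject
                    $row | Add-Member NoteProperty Source   $cmd
                    $row | Add-Member NoteProperty Identity "$($obj.Identity)"
                    $row | Add-Member NoteProperty Property $p.Name
                    $row | Add-Member NoteProperty Value    $value
                    $row
                }
            }
        }
    }
}

$stale = @(Find-StaleUrl -Suffix $OldSuffix -Cmdlets $Sources)
if ($stale.Count -eq 0) {
    "No Url/Uri property still contains $OldSuffix"
} else {
    $stale | Format-Table -AutoSize -Wrap
}

# Cmdlets that change the Autodiscover and EWS values Outlook reads.
# "EXCH01" is a placeholder server name; run only after reviewing the audit.
# Set-ClientAccessServer -Identity EXCH01 -AutoDiscoverServiceInternalUri https://exchange.domain.it/Autodiscover/Autodiscover.xml
# Set-WebServicesVirtualDirectory -Identity "EXCH01\EWS (Default Web Site)" -InternalUrl https://exchange.domain.it/EWS/Exchange.asmx
```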

Will Szymkowski (Senior Solution Architect) Commented:
The first thing that is required before you start making all of these changes to your VDs is that you need to get your new cert and install/enable it on all of the CAS servers in your domain.

I have created two how-tos for this: Configure Split DNS and Virtual Directories, and also how to properly enable your Exchange certificate.

Please follow the articles below and you should not have any issues.

Configure Certificate and Enable Certificate
http://www.wsit.ca/how-tos/exchange-server-2/exchange-2013-certificate-generation-csr-import-enable-exchange-certificate/

Configure Split DNS and Virtual Directories
http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/

Will.
1
dipersp Commented:
Why the need to get a certificate first?  He already has a cert, and it has to be covering the external domain already.  Why not work all that out, then purchase the cert?   In my eyes, you can purchase it first, or work out the Exchange piece first.  Either way should be just fine.
0
Jody Whitlock (System Administrator) Commented:
Honestly for any internal systems, I would create an Enterprise CA on your domain controller and have the servers auto-enroll that way so you would have .local SSL certificates available to your internal clients and have your traffic secured.
When you create the Enterprise CA, it gets published in AD and added to domain members automagically.

The split domain is also a great idea when using a .local and a public DNS namespace.  If you are not hosting the public DNS namespace, ie .com, then just host the internal namespace and add the hosting server(s) IP as forwarders in your internal DNS servers.
0