Using Private Domain SSL and Public Domain SSL - Exchange 2010

Hi EE peeps!

So, now that we're no longer allowed to get our private domains SSL certified by GoDaddy, I have run into a problem.

My new certificate with GD secures:
mail.domain.com
autodiscover.domain.com

My internal CA secures:
exchange.domain.local

Users are getting errors saying: "The name on the security certificate is invalid or does not match the name of the site."

This is because users are getting the GD cert since that is the cert bound with IIS and SMTP, but the Outlook profile is configured for exchange.domain.local. I am afraid to give IIS and SMTP to the exchange.domain.local cert because that would give errors to external users, mobile devices, etc., right?

How do I certify internal and external users? Am I asking the right question(s)?

Should I just change the internal names to the external?
https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
Paul Wagner (Friend To Robots and Rocks, LVL 5) asked:

Will Szymkowski (Senior Solution Architect) commented:
In order to have both internal and external names the same, you need to configure Split DNS on your internal DNS servers (DCs). At that point you then need to configure your Exchange Virtual Directories as well and set them up so that Internal and External are using the same FQDN.

I have created a HowTo that illustrates all of the steps.

http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/

Will.
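The procedure in the answer above (split DNS plus matching internal and external virtual directory URLs), written out as an Exchange Management Shell script. This is an added example, not code from the thread or from Will's HowTo. It assumes a hypothetical CAS server name `EXCH01`, a constructed internal IP `10.0.0.10`, and the public names from the question (`mail.domain.com`, `autodiscover.domain.com`); the DNS cmdlets need the `DnsServer` module (Windows Server 2012 or later), while the Exchange cmdlets are the standard Exchange 2010 ones.

```powershell
# Added example: align Exchange 2010 client URLs with the public certificate
# and create the internal (split) DNS zone so the same names resolve inside.
# Assumptions, not taken from the thread:
#   EXCH01     - hypothetical CAS server name
#   10.0.0.10  - constructed internal IP of the CAS server
# Run the DNS part on a Windows Server 2012+ DNS server (DnsServer module);
# run the Exchange part in the Exchange Management Shell.

$PublicName = 'mail.domain.com'
$AutoDName  = 'autodiscover.domain.com'
$CasServer  = 'EXCH01'       # hypothetical
$InternalIp = '10.0.0.10'    # constructed

# 1. Split DNS: an internal copy of the public zone. Only the names created
#    here resolve internally, so any other public hosts (www, etc.) must be
#    re-created in this zone too or internal users lose them.
Add-DnsServerPrimaryZone -Name 'domain.com' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName 'domain.com' -Name 'mail' -IPv4Address $InternalIp
Add-DnsServerResourceRecordA -ZoneName 'domain.com' -Name 'autodiscover' -IPv4Address $InternalIp

# 2. Every virtual directory's InternalUrl gets the same FQDN the public
#    certificate covers, so the host name a client connects to is always a
#    SAN on the certificate IIS presents.
$Base = "https://$PublicName"
Get-OwaVirtualDirectory -Server $CasServer |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $CasServer |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $CasServer |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $CasServer |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-ActiveSyncVirtualDirectory -Server $CasServer |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# 3. Domain-joined Outlook finds Autodiscover through the SCP in AD before
#    it tries DNS, so the SCP must also point at a name on the certificate.
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "https://$AutoDName/Autodiscover/Autodiscover.xml"

# 4. Check: the certificate bound to IIS must list every name used above.
$iisCert = Get-ExchangeCertificate -Server $CasServer | Where-Object { $_.Services -match 'IIS' }
$needed  = @($PublicName, $AutoDName)
$missing = $needed | Where-Object { $iisCert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "IIS certificate is missing SAN(s): $($missing -join ', ')" }

# 5. Check from inside the network that the names now resolve to the
#    internal address (works on PowerShell 2.0, which Exchange 2010 ships with).
foreach ($n in $needed) {
    $addr = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
    "$n -> $($addr -join ', ')"
}

# 6. End-to-end check of the Autodiscover/EWS/OAB URLs a mailbox receives.
Test-OutlookWebServices -Identity 'user@domain.com'
```

After the change, internal Outlook clients do not need a new profile: the profile's server name stays the internal mailbox server (or CAS array), which Outlook reaches over RPC without a certificate name check; what changes is the set of HTTPS URLs Outlook receives from Autodiscover, and those now all match a name on the GoDaddy certificate. The certificate warning on a client usually clears after Outlook's next Autodiscover refresh or restart. Leave the internal CA certificate on exchange.domain.local bound to nothing but internal-only services; IIS and SMTP keep the public certificate.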

Paul Wagner (Friend To Robots and Rocks, Author) commented:
My internal DNS is already pointing to the internal IP of Exchange (i.e. OWA and autodiscover point to the internal IP of Exchange).

What are the impacts to users of doing this? Will they have to rebuild their Outlook profiles?

Good article, btw.
Will Szymkowski (Senior Solution Architect) commented:
Did you create a new Forward Lookup Zone which matches mydomain.com? You need to have this in place and then point mail.mydomain.com and autodiscover.mydomain.com to your internal IP address of your CAS server.

Will.
Paul Wagner (Friend To Robots and Rocks, Author) commented:
Yes, that is already happening. From the intranet, when I ping mail and autodiscover, they go to the internal IP of Exchange.