Exchange 2010 Certificate - best practice and issue with .internal domain

I've been looking at Certificates for Exchange 2010.  The server domain is not a FQDN.

The server has a valid 3rd party cert on the main domain (domain.co.uk) which is fine for external people.  However, one client internally is getting cert errors because Outlook is picking up the 3rd party cert which doesn't (and now can't) have the internal server.domain.internal domain.

So, was thinking that I need to put in a self signed cert for server.domain.internal.  But ...
- Not sure how best to do this!  Couldn't do it in EMC, it only seemed to allow creating a request that needed to be authorised.  I need an idiot's guide!
- Even if I managed to create the self cert would I be able to get it to serve for internal services only?

I have done some googling on this, but I am just going round in circles getting myself more confused.
Any help appreciated.

Thanks
Jo
Powerhousecomputing Asked:

themrrobert Commented:
This looks like the solution to your issue.
https://support.microsoft.com/en-us/kb/940726

You may also consider changing internal DNS to map the external FQDN to the internal IP address for internal net users.
0
172pilot Commented:
You should be able to import and use the external cert on the internal machine, and just have the internal client use the external name (pointed with DNS to the internal host).  If you don't have an internal DNS zone for your real domain, and therefore probably don't want to install a DNS zone for the whole domain, you can create a "zone" for just the hostname.  In other words, on your internal DNS, where you would typically have a zone for the whole "domain.com", you can create a zone for "mailserver.domain.com" and then create your record as an "A" record with no name.  This is a trick I've used sometimes for strange situations like this.

I know you were following what was Microsoft's best practice at the time when the .local was created, but they now recommend using the same name inside and out, and just use 2 separate DNS servers..  As Themrrobert mentions, it might be a good goal to switch to that.  It will be better for you long-term.
0
Powerhousecomputing Author Commented:
Thanks both.

Changing the internal domain is not possible at the moment, but yes agree it would be the ideal thing to do.

172pilot thanks for that. I'm not sure what you mean by make the client use the external name?  Outlook is automatically picking up the internal domain?
0
172pilot Commented:
Regarding outlook picking up the internal domain,  it does that based on what the CAS Array FQDN is set to..  If you do a Get-ClientAccessArray you should see for each of your sites a name with a defined FQDN.  That should be the FQDN that your clients are connecting to, right?

If that's making sense, then what I'm meaning is that you can put your EXTERNAL name in that FQDN, but then you'd want to make sure your internal DNS points that FQDN to the internal CAS array, and then use the certificate you already have.

For example, if your CAS Array is showing up as "mail.contoso.local", which is either a CAS server or load balancer at IP address 1.2.3.4, but externally you use mail.contoso.com for which you DO have a certificate, but the DNS points it to a REAL IP address, you'd change the internal CAS array FQDN to match mail.contoso.com, install the external certificate on the CAS server(s) and then somehow (depends on your DNS config) make the internal clients resolve the 1.2.3.4 address when they go to "mail.contoso.com".

Does that make sense?
0
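Putting 172pilot's two comments together (the single-hostname DNS zone and the CAS array FQDN change), here is an added PowerShell walkthrough. It is not code from anyone in this thread: every hostname, IP address, file path and password prompt is a placeholder, the Exchange cmdlets assume an Exchange 2010 Management Shell, and the DNS cmdlets assume the DnsServer module on a Windows Server 2012 or later internal DNS server. The last step checks which certificate the CAS actually presents, which is the thing Outlook is complaining about.

```powershell
# Added example, not from the thread. Placeholders throughout:
#   mail.contoso.local  = current CAS array FQDN (internal-only name, not on the cert)
#   mail.contoso.com    = external name covered by the existing third-party cert
#   10.0.0.25           = internal address of the CAS server / load balancer
#   C:\certs\mail.pfx   = the third-party cert exported with its private key

# --- 1. See which FQDN Outlook is being handed (Exchange Management Shell) ---
Get-ClientAccessArray | Format-List Name, Site, Fqdn, Members

# --- 2. Point the CAS array at the externally certified name ---
Set-ClientAccessArray -Identity "mail.contoso.local" -Fqdn "mail.contoso.com"

# --- 3. Import the existing third-party cert on the CAS and bind it to IIS ---
$pfxPath     = "C:\certs\mail.pfx"                                   # placeholder path
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
# Confirm the binding: the cert with mail.contoso.com in CertificateDomains should list IIS
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, CertificateDomains -AutoSize

# --- 4. Internal DNS: override only the one hostname ---
# A primary zone named after the host itself, holding a nameless (apex) A record,
# so the rest of contoso.com still resolves via the public DNS servers.
Add-DnsServerPrimaryZone -Name "mail.contoso.com" -ReplicationScope "Domain"
Add-DnsServerResourceRecordA -ZoneName "mail.contoso.com" -Name "@" -IPv4Address "10.0.0.25"

# --- 5. Checks from an internal client ---
Resolve-DnsName "mail.contoso.com"     # expect 10.0.0.25, not the public address

# Fetch the certificate the server presents on 443 and compare its names to the
# name the client connects with; a name mismatch is exactly what Outlook warns about.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here: we only want to read the cert, not trust it
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}
$presented = Get-PresentedCertificate -HostName "mail.contoso.com"
$presented | Format-List Subject, Issuer, NotAfter, DnsNameList
if ($presented.DnsNameList.Unicode -notcontains "mail.contoso.com") {
    Write-Warning "Certificate on 443 does not carry mail.contoso.com; Outlook will still warn."
}
```

Step 4 is the part that avoids hosting a full internal copy of contoso.com: only the single host zone exists internally, and only that name is answered with the private address. Step 5's certificate check is worth keeping around, because after a cert renewal it shows immediately whether the new cert was bound to IIS and still lists the name clients use.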

Powerhousecomputing Author Commented:
Very helpful and thank you for taking the time to explain further.
0