Powerhousecomputing

Exchange 2010 Certificate - best practice and issue with .internal domain

I've been looking at Certificates for Exchange 2010.  The server domain is not a FQDN.

The server has a valid 3rd party cert on the main domain (domain.co.uk) which is fine for external people.  However, one client internally is getting cert errors because Outlook is picking up the 3rd party cert which doesn't (and now can't) have the internal server.domain.internal domain.

So, was thinking that I need to put in a self signed cert for server.domain.internal.  But ...
- Not sure how best to do this!  Couldn't do it in EMC, only seemed to allow creating a request that needed to be authorised.  I need an idiots guide!
- Even if I managed to create the self cert would I be able to get it to serve for internal services only?

I have done some googling on this, but I am just going round in circles getting myself more confused.
Any help appreciated.

Thanks
Jo
themrrobert

This looks like the solution to your issue.
https://support.microsoft.com/en-us/kb/940726

You may also consider changing internal DNS to map the external FQDN to the internal IP address for internal net users.
172pilot

You should be able to import and use the external cert on the internal machine, and just have the internal client use the external name (pointed with DNS to the internal host). If you don't have an internal DNS zone for your real domain, and therefore probably don't want to install a DNS zone for the whole domain, you can create a "zone" for just the hostname. In other words, on your internal DNS, where you would typically have a zone for the whole "domain.com", you can create a zone for "mailserver.domain.com" and then create your record as an "A" record with no name. This is a trick I've used sometimes for strange situations like this.

I know you were following what was Microsoft's best practice at the time when the .local was created, but they now recommend using the same name inside and out, and just use 2 separate DNS servers. As Themrrobert mentions, it might be a good goal to switch to that. It will be better for you long-term.
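The two answers above describe one procedure from two ends: the KB article themrrobert links (make Exchange advertise a name that is actually on the certificate) and 172pilot's pinpoint DNS zone (make that name resolve to the internal address for inside clients). The following PowerShell is an added example written for this page, not code from either poster or from Microsoft's article. It assumes the external certificate name is mail.domain.co.uk, the Client Access server is named EXCH01 with the constructed internal address 192.0.2.10, the internal DNS is Windows DNS with the DnsServer module (Server 2012 or later; on 2008 R2 the same two steps are `dnscmd /ZoneAdd` and `dnscmd /RecordAdd`), and the Exchange part is run from the Exchange 2010 Management Shell.

```powershell
# Added example for this thread, not from the original posters.
# Assumed/constructed values: substitute your own.
$ExternalName = 'mail.domain.co.uk'   # name on the third-party certificate
$InternalIP   = '192.0.2.10'          # internal address of the CAS (documentation range)
$Server       = 'EXCH01'              # Exchange 2010 Client Access server

# --- 1. Pinpoint DNS zone for just the hostname (run on the internal DNS server) ---
# Naming the zone after the host itself overrides only that one name;
# everything else under domain.co.uk still resolves through public DNS,
# so no internal copy of the whole external zone is needed.
if (-not (Get-DnsServerZone -Name $ExternalName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalName -ReplicationScope Domain
}
# The "A record with no name": "@" (or ".") is the zone root, i.e. the zone name itself.
Add-DnsServerResourceRecordA -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIP

# Check: an internal client must now get the private address, not the public one.
Resolve-DnsName -Name $ExternalName -Type A | Select-Object Name, IPAddress

# --- 2. Make Exchange hand out the external name to internal clients ---
# Outlook learns its service URLs from Autodiscover. While InternalUrl still says
# server.domain.internal, Outlook connects to a name that is not on the certificate
# and warns. Point every internal URL at the certificate name instead.
$Https = "https://$ExternalName"
Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "$Https/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$Https/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$Https/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$Https/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$Https/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$Https/ecp"
# Only matters if inside clients use Outlook Anywhere; in 2010 there is a single
# host name for it, so it must also be the certificate name.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $ExternalName

# --- 3. Make sure the third-party certificate is the one bound to IIS ---
# Internal clients will now validate against this certificate, so its
# subject or SAN must contain $ExternalName; pick it by that, not by guesswork.
$Cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $ExternalName -and -not $_.IsSelfSigned } |
    Select-Object -First 1
if (-not $Cert) { throw "No CA-issued certificate for $ExternalName is installed on $Server" }
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS

# --- 4. Verify what clients will actually receive ---
# Every URL should now carry $ExternalName, and the name check against the
# certificate should succeed for a test mailbox.
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity 'jo@domain.co.uk' | Format-Table Id, Type, Message -AutoSize
```

Two things to keep in mind when running this. Outlook caches Autodiscover results, so a client that already warned will keep doing so until it is restarted or re-queries. And the pinpoint zone only covers A lookups for that exact host; if the certificate name is a CNAME externally, create the A record with the target's internal address rather than trying to mirror the CNAME.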
Powerhousecomputing (ASKER)

Thanks both.

Changing the internal domain is not possible at the moment, but yes agree it would be the ideal thing to do.

172pilot thanks for that. I'm not sure what you mean by make the client use the external name?  Outlook is automatically picking up the internal domain?
ASKER CERTIFIED SOLUTION
172pilot

Very helpful and thank you for taking the time to explain further.