Exchange Internal Certificate error

Ajoy Rajan
Hi Guys,

We are having a small issue, where internally on the network, when we open outlook, it gives a certificate error. We select yes and all works, but it is annoying.

All the internal URLs are correct and working. Can someone help to resolve the certificate error?

Regards,

Ajoy
RantCan, Sr. Systems Administrator

Commented:
Your SAN certificate does not match where your mail comes from. You are signing, for example:

yourdomain.com (for exchange) with a self-signed certificate (for mailserver01.domain.local).

Install a signing certificate for your mail domain (yourdomain.com) on your Exchange server and assign services to it (SMTP, CAS, etc.).
Ajoy Rajan, Managed Service Consultant

Author

Commented:
We have our domain.com certificate installed and working fine externally. Internally, it has also been assigned the required services.

Please find the attachment for ref.
Capture.JPG
RantCan, Sr. Systems Administrator

Commented:
Set up an internal DNS zone to match the name of your server: Mail.yourdomain.com and set the A record to the internal IP of your mail server. This creates a split brain DNS and should solve the internal resolution issue.
Ajoy Rajan, Managed Service Consultant

Author

Commented:
Hi RantCan,

We cannot have the domain.com.au setup internally, as the people who work on the website, get affected. Their access to our website stops internally and they need to work on this. Is it possible to use a different certificate internally and mail.domain.com.au certificate externally?

Regards,

Ajoy
RantCan, Sr. Systems Administrator
Commented:
You would set up a DNS zone, not for the domain root of domain.com.au, but rather a zone for only mail.domain.com.au on only your internal servers. Your external DNS is still authoritative for domain.com.au, but internal clients will first resolve mail.domain.com.au to your internal DNS. If your internal DNS domain is domain.local as the root, this domain can host a zone that is the same as an external domain, but as long as the A record for that domain points externally, everyone will be able to find it. This is a pretty clear explanation of split-brain (split horizon) DNS. You are using Windows DNS internally, yes?

http://windowsitpro.com/networking/split-brain-dns
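An added check, not from the thread, for the situation discussed above (assumes Exchange 2016 or later and the Exchange Management Shell on the server itself; the cmdlets are real Exchange and DnsClient cmdlets, the `Test-NameCovered` helper and `$server` are mine): it collects the hostnames in the internal URLs Outlook contacts, tests each against the SANs of the certificate bound to IIS, and shows what internal DNS resolves it to. A row with CoveredByCert false is a name that will raise the prompt; either that name goes onto the certificate or the URL moves to a covered name that internal DNS answers, which is the split-brain zone RantCan describes.

```powershell
# Added audit, not from the thread. Assumes Exchange 2016+ and that it is run in the
# Exchange Management Shell on the server itself ($server is an assumption).
$server = $env:COMPUTERNAME

# Internal URLs that Outlook (and Autodiscover) will contact from the LAN.
$urls = @(
    (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $server).InternalUrl,
    (Get-OabVirtualDirectory -Server $server).InternalUrl,
    (Get-MapiVirtualDirectory -Server $server).InternalUrl,
    (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl,
    (Get-OwaVirtualDirectory -Server $server).InternalUrl,
    (Get-EcpVirtualDirectory -Server $server).InternalUrl
)
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# The certificate with the IIS service assigned is the one Outlook sees over HTTPS.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate has the IIS service assigned on $server" }
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Helper (mine): true when a SAN matches the name exactly or via a single-label
# wildcard such as *.domain.com.au (one label only, as browsers and Outlook apply it).
function Test-NameCovered([string]$name, [string[]]$sans) {
    foreach ($san in $sans) {
        if ($san -eq $name) { return $true }
        if ($san.StartsWith('*.') -and ($name -like $san) -and
            ($name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

# One row per hostname: is it on the certificate, and where does internal DNS send clients?
foreach ($h in $hosts) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $ip = if ($a) { $a.IPAddress } else { 'unresolved' }
    [pscustomobject]@{
        Host          = $h
        CoveredByCert = Test-NameCovered $h $sans
        ResolvesTo    = $ip
        Thumbprint    = $cert.Thumbprint
    }
}
```

On Exchange 2013, replace `Get-ClientAccessService` with `Get-ClientAccessServer`; the rest is unchanged.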
