#1

    Installed SSL certificate for OWA, but Outlook is trying to use it internally

    We run an Exchange 2010 SP1 server and mostly Outlook 2007 clients, with a few Outlook 2010. When I initially set it up, I used a self-signed cert for everything; this of course meant a warning on OWA and also a warning the first time with Outlook 2010, which I assume would eventually be solved by installing an internal CA.

    However, I bought a wildcard SSL certificate to use with OWA and installed it. I set the binding in IIS for port 443 to use the new cert, and it works fine externally.
    But now internal Outlook clients (even 2007) bring up a prompt saying the server name does not match the certificate, and when you view the certificate it is the one for mail.schoolname.org, so no wonder it is complaining.

    I still have the self-signed cert on the server, so how do I set it so Outlook uses that rather than the external one? I have read a lot about internal URL paths this afternoon which can apparently produce this error, but when I have checked these settings in the EMC they all seem to reference the internal FQDN, so I'm not sure that is the problem here?

#2 pritchardavid

    As you bought a wildcard cert for your domain, it wouldn't match the internal name of the Exchange server.

    For example:

    The internet address of our Exchange is mail.theockendonacademy.com

    Our server is called, for example, mail or exchange

    Now the certificate you have will only match the outside-world address, so anything for *.theockendonacademy.com

    For the internal address I would find *.theockendonacademy.com either, but the internal domain name is different and it doesn't use the domain address at the end

    So you need *.theockendonacademy.com (outside) and mail (inside)

    This is why I wouldn't get a wildcard for Exchange; I would have got a SAN certificate.

    Or it could be the case that you need to set up your Outlook users to use your outside address instead of the internal address, if possible.

    I think this is your problem, hope that helps.

#3

    <bodgery alert> You could just add an A record to your internal DNS that points mail.schoolname.org to the internal IP address of your Exchange server... </bodgery alert>

    I'd make sure that your exchange server was looking at an external DNS server for name resolution though...

#4

    Thanks, I was thinking that would be the problem. Bought the wildcard cert thinking it would cover this and our SharePoint server. Only found out about SAN certs today... oh well, live and learn.

    I would imagine that setting the external address to resolve internally just to be able to use the same certificate is probably not a great idea?

#5

    Quote Originally Posted by pantscat:
        <bodgery alert> You could just add an A record to your internal DNS that points mail.schoolname.org to the internal IP address of your Exchange server... </bodgery alert>

        I'd make sure that your Exchange server was looking at an external DNS server for name resolution though...

    Makes sense, but yes, it is a bodge; cautious, as it adds a layer of complexity for no reason apart from saving money (and making the most of me buying the wrong cert).

#6

    No - probably not the best idea. A SAN certificate would be a much neater way of doing it.

#7 Domino

    You'll also need to set internal and external names for all these services, mostly in the Exchange shell: Exchange 2007/2010 Web services and Autodiscover Ultimate Troubleshooting Guide

    And in the EMC, set the services attached to each cert by going to 'Server Configuration', clicking the server name for the server you want to manage, then clicking the cert and attaching services.

    Been having this fun with load-balanced CAS roles recently ;-)

#8

    Would this be ok? QuickSSL® Premium For Only £68.00 - Secure Mobile Devices, Issued Within Minutes, Free GeoTrust® Site Seal (UK)
    Or is there something cheaper? TrustICO were who I ordered the wildcard cert from; bit annoying, as that costs about £130 compared to £30 for a single-server cert, but at least I only purchased for a year!

#9 pete

    Quote Originally Posted by sidewinder:
        Would this be ok? QuickSSL® Premium For Only £68.00 - Secure Mobile Devices, Issued Within Minutes, Free GeoTrust® Site Seal (UK)
        Or is there something cheaper? TrustICO were who I ordered the wildcard cert from; bit annoying, as that costs about £130 compared to £30 for a single-server cert, but at least I only purchased for a year!

    Just ensure you've enough SANs (you get 3 with that cert, so realname.fqdn + 3 others).

    Ours is valid for:

    mailserver.internaldomainname.school.region.sch.uk

    With SANs for:

    webmail.school.region.sch.uk
    autodiscover.school.region.sch.uk
    autodiscover.internaldomainname.school.region.sch.uk
    mailserver.school.region.sch.uk

    Autodiscover.* is for Outlook clients.

    Thanks to pete from: sidewinder (31st January 2012)
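Added example (mine, not from any poster in this thread): a PowerShell check that applies the name-matching rule behind pritchardavid's point in #2 and pete's SAN list in #9. A certificate name covers a host either exactly, or, when it begins with *., by standing in for exactly one DNS label; so a wildcard issued for the public domain can never cover the server's internal FQDN, and only a SAN entry for that FQDN does. Every host name in the block is constructed, and Test-NameCoveredByCert is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added example, not from the thread. Evaluates which of the names Outlook and
# OWA connect to are covered by a certificate's names (CN plus SAN dNSName
# entries), using the rule browsers and Outlook apply: exact match, or a
# leading "*." that matches exactly one label. All names below are made up.

function Test-NameCoveredByCert {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertNames
    )
    foreach ($pattern in $CertNames) {
        if ($pattern -ieq $HostName) { return $true }
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)      # e.g. ".theockendonacademy.com"
            # The star stands for one label only: the host must end with the
            # suffix and the remaining prefix must contain no further dots.
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Names that internal and external clients actually connect to (constructed).
$clientNames = @(
    'mail.theockendonacademy.com',           # OWA / Outlook Anywhere from outside
    'autodiscover.theockendonacademy.com',   # Autodiscover from outside
    'mail',                                  # bare server name, as in #2
    'mail.internal.local',                   # internal FQDN of the CAS
    'autodiscover.internal.local'            # internal Autodiscover name
)

# The two certificate shapes discussed in the thread (constructed names).
$wildcardCert = @('*.theockendonacademy.com')
$sanCert      = @('mail.internal.local',
                  'mail.theockendonacademy.com',
                  'autodiscover.theockendonacademy.com',
                  'autodiscover.internal.local')

foreach ($n in $clientNames) {
    New-Object PSObject -Property @{
        Name     = $n
        Wildcard = Test-NameCoveredByCert -HostName $n -CertNames $wildcardCert
        SAN      = Test-NameCoveredByCert -HostName $n -CertNames $sanCert
    }
}
```

Running it in any Windows PowerShell shows the wildcard covering only the two public names, while the SAN certificate also covers the internal FQDNs. The bare name "mail" is covered by neither, which is why the URLs Exchange hands to Outlook need to be FQDNs that appear in the certificate rather than short server names.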

#10 pritchardavid

    Are you working for a school?

    You can get free SAN certs from ipsCA, like I have done.

    2 Thanks to pritchardavid: PiqueABoo (30th January 2012), sidewinder (31st January 2012)

#11

    Quote Originally Posted by pete:
        Just ensure you've enough SANs (you get 3 with that cert, so realname.fqdn + 3 others).

        Ours is valid for:

        mailserver.internaldomainname.school.region.sch.uk

        With SANs for:

        webmail.school.region.sch.uk
        autodiscover.school.region.sch.uk
        autodiscover.internaldomainname.school.region.sch.uk
        mailserver.school.region.sch.uk

        Autodiscover.* is for Outlook clients.

    Our external is mail.schoolname.org and that is the only one we use externally; would 3 not be enough in our case?

#12

    Quote Originally Posted by pritchardavid:
        Are you working for a school?

        You can get free SAN certs from ipsCA, like I have done.

    Yes, but we're an independent school; would they still issue one?

#13

    Also, I'm assuming from the responses there is no way to continue using a self-signed cert for internal Outlook clients and the wildcard cert just for OWA? I have both installed on my Exchange server.

#14

    1. Use an internal CA or a 3rd-party cert.
    2. If using a 3rd-party cert, configure your internal and external URLs to the same namespace.
    3. The easy thing would be to get a SAN cert and include the FQDN of your Exchange server.
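Added example (mine, not from the poster): the Exchange 2010 Management Shell commands that carry out options 2 and 3 above, and Domino's two steps in #7 (set internal and external names per service, then attach the certificate to services). The server name, domain names and file paths are placeholders to be replaced; the cmdlets and parameters are the standard Exchange 2010 ones. It assumes a single Client Access Server and, because the internal URLs are pointed at the external name, that internal DNS resolves that name to the CAS (the split DNS pantscat described in #3). If you instead keep the internal FQDN in the internal URLs, the SAN request below already includes it.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Placeholders (replace with your own): server name, internal FQDN, external
# names, request/certificate file paths, organisation and country.

$casServer    = 'EXCH01'                          # placeholder: CAS NetBIOS name
$internalFqdn = 'exch01.internal.school.local'    # placeholder: internal FQDN
$externalName = 'mail.schoolname.example'         # placeholder: OWA / Outlook Anywhere name
$autodiscover = 'autodiscover.schoolname.example' # placeholder: Autodiscover name

# 1. Generate a request whose SAN list names every host Outlook and OWA use:
#    external name, Autodiscover, and the internal FQDN (so a client that is
#    handed the internal URL also gets a matching name).
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "C=GB, O=School Name, CN=$externalName" `
    -DomainName $externalName, $autodiscover, $internalFqdn
Set-Content -Path "C:\certreq\$externalName.req" -Value $req
# Submit the .req to the CA (public SAN cert, or an internal CA trusted by all
# domain PCs) and save the issued certificate as C:\certreq\<name>.cer.

# 2. Import the issued certificate and bind it to the IIS services
#    (OWA, ECP, EWS, OAB, Autodiscover, ActiveSync, Outlook Anywhere).
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content `
    -Path "C:\certreq\$externalName.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Put the internal and external URLs on the same, certificate-covered name
#    so Outlook never receives a URL whose host the certificate does not list.
Set-ClientAccessServer -Identity $casServer `
    -AutoDiscoverServiceInternalUri "https://$autodiscover/Autodiscover/Autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$casServer\EWS (Default Web Site)" `
    -InternalUrl "https://$externalName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$externalName/EWS/Exchange.asmx"

Set-OABVirtualDirectory -Identity "$casServer\OAB (Default Web Site)" `
    -InternalUrl "https://$externalName/OAB" `
    -ExternalUrl "https://$externalName/OAB"

Set-OwaVirtualDirectory -Identity "$casServer\owa (Default Web Site)" `
    -InternalUrl "https://$externalName/owa" `
    -ExternalUrl "https://$externalName/owa"

Set-EcpVirtualDirectory -Identity "$casServer\ecp (Default Web Site)" `
    -InternalUrl "https://$externalName/ecp" `
    -ExternalUrl "https://$externalName/ecp"

Set-ActiveSyncVirtualDirectory -Identity "$casServer\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$externalName/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$externalName/Microsoft-Server-ActiveSync"

# 4. Verify: every URL handed out should use a name present in the
#    certificate's CertificateDomains, and the cert should show the IIS service.
Get-WebServicesVirtualDirectory -Server $casServer | Select-Object InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $casServer | Select-Object InternalUrl, ExternalUrl
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Select-Object Subject, CertificateDomains, Services
```

After the change, Outlook clients pick up the new URLs on their next Autodiscover refresh (or a restart), and the internal DNS A record for the external name must point at the CAS for the internal URLs to be reachable. The original self-signed certificate can stay installed but no longer needs the IIS service, since a single certificate now covers both sides.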

#15

    Quote Originally Posted by sidewinder:
        Yes, but we're an independent school; would they still issue one?

    Don't see why not, give it a go, just apply for one. They manually check the education certs so it takes a little longer (a few hours), but if you're education, why not.

    Pete


