30th January 2012, 04:45 PM #1
Installed SSL certificate for OWA, but Outlook is trying to use it internally
We run an Exchange 2010 SP1 server and mostly Outlook 2007 clients, with a few Outlook 2010. When I initially set it up, I used a self-signed cert for everything; this of course meant a warning on OWA and also a warning the first time with Outlook 2010, which I assume would eventually be solved by installing an internal CA.
However I bought a wildcard SSL certificate to use with OWA and installed it. I set the binding in IIS for port 443 to use the new cert, and it works fine externally.
But now internal Outlook clients (even 2007) bring up a prompt saying the server name does not match the certificate, and when you view the certificate it is the one for mail.schoolname.org, so no wonder it is complaining.
I still have the self signed cert on the server, so how do I set it so Outlook uses that rather than the external one? I have read a lot about internal URL paths this afternoon which can apparently produce this error, but when I have checked these settings in the EMC they all seem to reference the internal FQDN so I'm not sure that is the problem here?
30th January 2012, 05:14 PM #2
As you've bought a wildcard cert for your domain, it wouldn't match the internal name of the Exchange server.
My internet address for our Exchange is mail.theockendonacademy.com
Our server is called, for example, mail or exchange
Now the certificate you have will only match the outside world address, so anything for *.theockendonacademy.com
For the internal address I would find *.theockendonacademy.com either, but the internal domain name is different and it doesn't use the domain address at the end
So you need *.theockendonacademy.com (outside) and mail (inside)
This is why I wouldn't get a wildcard for Exchange, I would have got a SAN certificate.
Or it could be the case that you need to set up your Outlook users to use your outside address instead of the internal address, if possible.
I think this is your problem, hope that helps
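To make the name-matching point above concrete (and the later advice to get a SAN cert that includes the server's FQDN), here is an added example, not code from the thread: it applies the RFC 6125 style hostname matching that Outlook and browsers use, where a wildcard covers exactly one leftmost label of the same domain. The internal names exchange.school.local and exchange are assumed placeholders for the school's real internal FQDN.

```python
"""Check which host names a certificate's names (CN + SANs) would satisfy.

Implements RFC 6125 style matching as Outlook/browsers apply it:
an exact, case-insensitive match, or a wildcard whose '*' covers exactly
one leftmost label in the same domain. The hostnames and cert names below
are constructed examples built from the names used in the thread.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (possibly '*.example.org') covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # Wildcard: only the leftmost label may vary; the rest must be identical.
    suffix = cert_name[1:]               # ".theockendonacademy.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the part the '*' stands for
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any CN/SAN entry on the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered_hosts(cert_names, hostnames):
    """Hosts Outlook would warn about because no cert name matches them."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


# Constructed examples: the wildcard bought in the thread vs. a SAN cert.
WILDCARD_CERT = ["*.theockendonacademy.com"]
SAN_CERT = ["mail.theockendonacademy.com",
            "autodiscover.theockendonacademy.com",
            "exchange.school.local",   # internal FQDN of the CAS (assumed name)
            "exchange"]                # short name clients may also use (assumed)

# Names Outlook may connect to: the public names plus the internal ones.
CLIENT_HOSTS = ["mail.theockendonacademy.com",
                "autodiscover.theockendonacademy.com",
                "exchange.school.local",
                "exchange"]

if __name__ == "__main__":
    print("Wildcard leaves uncovered:", uncovered_hosts(WILDCARD_CERT, CLIENT_HOSTS))
    print("SAN cert leaves uncovered:", uncovered_hosts(SAN_CERT, CLIENT_HOSTS))
```

Running it shows the wildcard covers only the public names, which is exactly why internal clients get the name-mismatch prompt, while a SAN cert listing the internal FQDN covers everything.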
30th January 2012, 05:23 PM #3
<bodgery alert> You could just add an A record to your internal DNS that points mail.schoolname.org to the internal IP address of your Exchange server... </bodgery alert>
I'd make sure that your exchange server was looking at an external DNS server for name resolution though...
30th January 2012, 05:23 PM #4
Thanks, I was thinking that would be the problem. Bought the wildcard cert thinking it would cover this and our SharePoint server. Only found out about SAN certs today... oh well, live and learn.
I would imagine that setting the external address to resolve internally just to be able to use the same certificate is probably not a great idea?
30th January 2012, 05:25 PM #5
Makes sense, but yes it is a bodge, cautious as it adds a layer of complexity for no reason apart from saving money (and making the most of me buying the wrong cert)
30th January 2012, 05:25 PM #6
No - probably not the best idea. A SAN certificate would be a much neater way of doing it.
30th January 2012, 05:27 PM #7
You'll also need to set internal and external names for all these services, mostly in the Exchange shell: Exchange 2007/2010 Web services and Autodiscover Ultimate Troubleshooting Guide
And in the EMC set the services attached to each cert by going to 'Server Configuration' and clicking the server name for the server you want to manage, then clicking the cert and attaching services.
Been having this fun with load-balanced CAS roles recently ;-)
30th January 2012, 05:29 PM #8
Would this be ok? QuickSSL® Premium For Only £68.00 - Secure Mobile Devices, Issued Within Minutes, Free GeoTrust® Site Seal (UK)
Or is there something cheaper? TrustICO were who I ordered the wildcard cert from, bit annoying as that costs about £130 compared to £30 for a single server cert but at least I only purchased for a year!
30th January 2012, 06:23 PM #9
Just ensure you've enough SANs (you get 3 with that cert - so realname.fqdn + 3 others)
Ours is valid for:
With SANs for:
Autodiscover.* is for Outlook clients
30th January 2012, 08:21 PM #10
Are you working for a school?
You can get free SAN certs from ipsca, like I have done.
31st January 2012, 10:17 AM #11
Our external is mail.schoolname.org and that is the only one we use externally, would 3 not be enough in our case?
31st January 2012, 10:17 AM #12
Yes but we're an independent school, would they still issue one?
31st January 2012, 10:18 AM #13
Also I'm assuming from the responses there is no way to continue using a self-signed cert for internal Outlook clients and the wildcard cert just for OWA? I have both installed on my Exchange server.
3rd February 2012, 02:25 AM #14
1. Use an Internal CA or a 3rd party cert.
2. If using a 3rd party cert, configure your internal and external URL to the same namespace.
3. Easy thing would be to get SAN cert and include the FQDN of your exch server.
3rd February 2012, 09:19 AM #15
Don't see why not, give it a go, just apply for one. They manually check the education certs so it takes a little longer (a few hours), but if you're education, why not.