Wildcard SSL Renewal
We currently have a Comodo wildcard premium SSL certificate due for expiry soon. I have been quoted upwards of £300 per year and was wondering where the best place to obtain a new cert from is.
We will be migrating to Exchange 2010 soon, so do I require a different kind of cert, as our internal domain is different to the external?
We use Go Daddy for our wildcard cert, we also have a separate certificate for Exchange with Subject Alternative Names.
However as of 2014/5 you will not be able to reference internal domains as a SAN, not sure what can be done after that time!
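Because of that deadline, it is worth checking what names a wildcard or SAN certificate actually carries before deciding whether internal clients can keep using it. The script below is an added example and not from any poster in this thread; it reads an exported certificate file (the path is a placeholder) and flags SAN entries that are single-label hosts or use a non-public suffix such as .local, which a public CA will no longer issue.

```powershell
# Added example (not from the thread): list the Subject Alternative Names in a
# certificate file and flag entries that public CAs stop issuing (internal names).
# Assumptions: the certificate is exported as a .cer file at $CertPath (placeholder
# path), and "internal" means a single-label host or a non-public suffix.
param(
    [string]$CertPath = 'C:\certs\mail-wildcard.cer'   # placeholder path
)

$nonPublicSuffixes = @('.local', '.lan', '.internal', '.corp', '.home')

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
# 2.5.29.17 is the OID of the Subject Alternative Name extension
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

if (-not $sanExt) {
    Write-Warning "No SAN extension present; only the subject '$($cert.Subject)' applies."
    return
}

# Format($true) renders one entry per line, e.g. "DNS Name=mail.domain.com"
$names = $sanExt.Format($true) -split "`r?`n" | ForEach-Object {
    if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
}

foreach ($name in $names) {
    $isSingleLabel    = $name -notmatch '\.'
    $hasPrivateSuffix = $nonPublicSuffixes | Where-Object { $name.ToLower().EndsWith($_) }
    if ($isSingleLabel -or $hasPrivateSuffix) {
        Write-Host "INTERNAL  $name  (a public CA will not issue this name)" -ForegroundColor Yellow
    } else {
        Write-Host "public    $name" -ForegroundColor Green
    }
}

Write-Host ("Certificate expires {0:yyyy-MM-dd}" -f $cert.NotAfter)
```

Any name reported as INTERNAL is one you will have to move off the certificate at renewal, which is why the later posts in this thread use the same public name for the internal and external Exchange URLs.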
I use Comodo too and never had any issues. I purchase mine from here: Buy Wildcard Certificate | Comodo Premium Wildcard SSL Certificates. I've only needed the basic one at £99 a year.
You will need to add your wildcard to your Exchange server so external people can access it via HTTPS; you can also add an internal self-published certificate if you wish internal users to connect over HTTPS. What I do is have a copy of DNS internally pointing to the Exchange server, i.e. mail.domain.com goes to the internal IP. That way you can set up Outlook to work internally and externally with the server using mail.domain.com.
We (EduGeek) literally just bought an AlphaSSL wildcard cert from Cheap, low cost AlphaSSL SSL Certificates issued within 15 minutes, who are a UK-based reseller.
AlphaSSL certs have some of the best compatibility as they issue from a really, really old authority.
We got a 5 year one from 123-reg for £300. It has an exportable key as well.
They all come with this inherently though, don't they?
Originally Posted by FN-GM
123-reg is a company we use very, very regularly here and I have never had an issue with them, so they are certainly good.
What company does 123-reg resell?
Alpha, I think.
Originally Posted by ZeroHour
Not sure if they do, just can confirm that that one does.
Originally Posted by grant_girdwood
OT: I've been wondering about that... anyone got any ideas / references for how to deal with this in Exchange 2010? Does it still present a problem in Ex2013?
I did it in both Exchange 2010 and 2013 by using the internal name and external name as the same. Then used this PowerShell to make Outlook play nice.
Originally Posted by psydii
@psydii This PowerShell script will make changing the URLs easy.
# Author: Scott Jaworski
# Website: jaworskiblog.com
# Version: 1.0
# Description: This script sets internal and external URL's on the specified Exchange 2013 Client Access Server
# then displays the results of all the urls that have been set.
# How to Use: Copy the text file to a location on the Exchange server. Change the .txt extension to .ps1,
# Open Exchange Management Shell, Browse to the location of the script in EMS, Run .\Set-Exchange2013Vdirs
$ExServer = Read-Host "Please enter the Exchange 2013 Server Name you'd like to set Vdirs "
$InternalName = Read-Host "Input the internal domain name eg.. IntMail.domain.com "
$ExternalName = Read-Host "Input the external domain name eg. ExtMail.domain.com "
Write-Host "Configuring Directories for $ExServer.." -Foregroundcolor Green
Get-WebservicesVirtualDirectory -Server $ExServer | Set-WebservicesVirtualDirectory -InternalURL https://$InternalName/EWS/Exchange.asmx -ExternalURL https://$externalName/EWS/Exchange.asmx
Get-OwaVirtualDirectory -Server $ExServer | Set-OwaVirtualDirectory -InternalURL https://$InternalName/owa -ExternalURL https://$ExternalName/owa
Get-ecpVirtualDirectory -Server $ExServer | Set-ecpVirtualDirectory -InternalURL https://$InternalName/ecp -ExternalURL https://$ExternalName/ecp
Get-ActiveSyncVirtualDirectory -Server $ExServer | Set-ActiveSyncVirtualDirectory -InternalURL https://$InternalName/Microsoft-Server-ActiveSync -ExternalURL https://$ExternalName/Microsoft-Server-ActiveSync
Get-OABVirtualDirectory -Server $ExServer | Set-OABVirtualDirectory -InternalUrl https://$InternalName/OAB -ExternalURL https://$ExternalName/OAB
Set-ClientAccessServer $ExServer -AutodiscoverServiceInternalUri https://$internalName/Autodiscover/Autodiscover.xml
Set-OutlookAnywhere -Identity "$ExServer\Rpc (Default Web Site)" -InternalHostname $internalName -ExternalHostName $ExternalName -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True
Write-Host "Vdirs have been set to the following.." -Foregroundcolor Green
Write-Host "$ExServer EWS"
Get-WebservicesVirtualDirectory -Server $ExServer |Fl internalURL,ExternalURL
Write-Host "$ExServer OWA"
Get-OWAVirtualDirectory -Server $ExServer | Fl internalUrl,ExternalURL
Write-Host "$ExServer ECP"
Get-ECPVirtualDirectory -Server $ExServer | Fl InternalURL,ExternalURL
Write-Host "$ExServer ActiveSync"
Get-ActiveSyncVirtualDirectory -Server $ExServer | Fl InternalURL,ExternalURL
Write-Host "$ExServer OAB"
Get-OABVirtualDirectory -Server $ExServer | Fl InternalURL,ExternalURL
Write-Host "$ExServer Internal Autodiscover URL"
Get-ClientAccessServer $ExServer | Fl AutodiscoverServiceInternalUri
Write-Host "$Exserver Outlook Anywhere Settings"
Get-OutlookAnywhere -Identity "$ExServer\rpc (Default Web Site)" |fl internalhostname,internalclientauthenticationmethod,internalclientsrequiressl,externalhostname,externalclientauthenticationmethod,externalclientsrequiressl
Write-Host "The Powershell URL have not been set as part of this script. Set it if you choose" -ForegroundColor Yellow
@FN-GM Thanks, so your internal clients now use the public FQDN to access their CAS? If so, does this mean that you internally report an internal IP address for the FQDN, or do your clients have to send the request out through your edge firewall and back in again to access it?
@psydii I have a zone in the DNS for my external domain name. I then have the record in that zone that points to the internal IP of the CAS. The traffic stays internal and doesn't go to the edge firewall and back in again.
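The internal zone described in this post and in the earlier mail.domain.com post can be built on a Windows DNS server with the DnsServer module. The script below is an added example, not something posted by FN-GM or anyone else in the thread; domain.com, 10.0.0.25 and 203.0.113.10 are placeholders for your external domain, the CAS's private address and a public host that must keep working from inside.

```powershell
# Added example (not from the thread): split-brain DNS so that the public name
# mail.domain.com resolves to the CAS's private address on the LAN.
# Assumptions: run in an elevated shell on a Windows DNS server (DnsServer module);
# 'domain.com', 10.0.0.25 and 203.0.113.10 are placeholder values.
$externalZone  = 'domain.com'
$internalCasIp = '10.0.0.25'

# Once the zone exists internally, the internal server is authoritative for ALL of
# domain.com: any public host not listed here will stop resolving on the LAN.
$records = @{
    'mail'         = $internalCasIp   # OWA / EWS / ActiveSync / Outlook Anywhere
    'autodiscover' = $internalCasIp   # Autodiscover for Outlook and mobile clients
    'www'          = '203.0.113.10'   # placeholder: public web site, still external
}

if (-not (Get-DnsServerZone -Name $externalZone -ErrorAction SilentlyContinue)) {
    # AD-integrated zone replicated to every DC in the domain
    Add-DnsServerPrimaryZone -Name $externalZone -ReplicationScope Domain
}

foreach ($name in $records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $externalZone -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        # replace the record rather than adding a duplicate A record
        Remove-DnsServerResourceRecord -ZoneName $externalZone -Name $name -RRType A -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $externalZone -Name $name `
        -IPv4Address $records[$name] -TimeToLive (New-TimeSpan -Hours 1)
}

# Verify from a domain-joined client: mail should now return the private address.
Resolve-DnsName "mail.$externalZone" -Type A | Select-Object Name, IPAddress
```

If you would rather not shadow the whole domain internally, the same effect can be had with a zone named mail.domain.com containing a single A record with an empty host name, so that only that one hostname is overridden and everything else in domain.com keeps resolving from the public DNS.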
Ok. Do you find that clients have any issues as they transition between being inside and outside your networks (e.g. wifi laptops or BYOD phones/tablets)?
Originally Posted by FN-GM
No issues at all.
Originally Posted by psydii