Exchange 2007 default SSL replacement -security warning
Outlook 2007 users are getting the security warning "The name of the security certificate is invalid or does not match the name of the site".

We have an Exchange 2007 CAS server (MSS01), where the new certificate is located, and another Exchange 2007 server where the other roles are installed. We do not have a UM server at this moment.

Our internal domain name (internal.com) is different from our external domain name (external.com), so the current information on the CAS server is https://mss01.internal.com and the FQDN of the new certificate is mail.external.com.

We were trying to follow Microsoft KB 940726, but it only deals with the case where the internal and external domain names are the same. Also, we only have a regular certificate; we do not have a SAN certificate.

My question is: what are the correct commands to modify the URLs for the Exchange 2007 components, since my internal and external domain names are different? Do I need to modify all of these objects?
- The Service Connection Point object for the Autodiscover service
- The InternalUrl attribute of Exchange 2007 Web Services (EWS)
- The InternalUrl attribute of the Offline Address Book Web service
- The InternalUrl attribute of the Exchange Unified Messaging (UM) Web service

Does it matter which Exchange server we execute these commands on?

Your advice is greatly appreciated.
November 12th, 2009 2:54am

Have you seen the posts below?

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Vinod | CCNA | MCSE 2003 + Messaging | MCTS | ITIL V3
November 12th, 2009 1:30pm

Hello Vinod,

Thank you for the information. Both articles do not cover the modification of the objects to stop the security warning messages.

Edmundog9
November 12th, 2009 7:11pm

Basically you should follow the recommendations in KB 940726:
http://support.microsoft.com/kb/940726

You got one important point wrong. The KB does not deal only with cases "where the internal and external domain names are the same." And of course it addresses the issue: "We only have a regular certificate, we do not have a SAN certificate." The crucial point is (as it says in the KB): "In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server." (Agreed, this could have been expressed more clearly.)

Your outside access is mail.external.com, and that's also the Subject Name of your certificate. Accessing this FQDN will give no security warning of the type "the name of the security certificate is invalid or does not match the name of the site". What you should do next is create an entry for mail.external.com on your internal DNS referring to the internal IP address of your CAS server. Externally the IP address for mail.external.com will for instance be 148.72.61.17; internally it might be 10.0.0.17. All your referrals to the Exchange web services, internally and externally, should be to mail.external.com.

This setup is quite common in smaller business scenarios. It is referred to as split-brain DNS. It is also the way Small Business Server (with Exchange 2007) is configured by default. The beauty of this design is:
* You don't need an expensive SAN / UC certificate.
* Take an iPhone. From the outside it will access mail.external.com (referring to an external public IP address); on the inside the iPhone will access mail.external.com (referring to an internal private IP address). The same holds true for Mac OS X Snow Leopard Mail and Microsoft Entourage for Mac.

One possible drawback: you might have heard that the Autodiscover service should be configured with autodiscover.external.com in order to work from the Internet. However, this is not necessary either. You can use an SRV record for this instead. Then Autodiscover will use this URI: https://mail.external.com/autodiscover/autodiscover.xml (Works with Outlook 2007, Mac Mail, Entourage, but not Windows Mobile and the iPhone; these mobile devices have to use Autodiscover on the inside.) And it works with your certificate.

DNS Setup
1. Create a forward lookup zone.
2. Call it mail.external.com and click through the wizard.
3. Right-click on it, select New Host.
4. Leave the host name blank.
5. Type in the IP address for your Exchange 2007 CAS server (MSS01).

The basic commands:

Internal Autodiscover:
Set-ClientAccessServer -Identity MSS01.internal.com -AutodiscoverServiceInternalUri https://mail.external.com/autodiscover/autodiscover.xml

Exchange Web Services:
Set-WebServicesVirtualDirectory -Identity "MSS01\EWS (Default Web Site)" -InternalUrl https://mail.external.com/ews/exchange.asmx

Offline Address Book distribution:
Set-OABVirtualDirectory -Identity "MSS01\oab (Default Web Site)" -InternalUrl https://mail.external.com/oab

InternalUrl attribute of the UM Web service (which you don't use):
Set-UMVirtualDirectory -Identity "MSS01\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.external.com/unifiedmessaging/service.asmx

http://support.microsoft.com/kb/940726

Excellent article here: Autodiscover, DNS, Certificates, and what you need to know
http://www.shudnow.net/?s=Set-ClientAccessServer

A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881

You cannot suppress the Autodiscover redirect warning in Outlook 2007
http://support.microsoft.com/kb/956528

Just for the record: I've implemented this solution several times. It just works.

MCTS: Messaging | MCSE: S+M | Small Business Specialist
November 14th, 2009 12:05am
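The commands in the answer above, gathered into one script with a read-back check, as an added example that is not part of the original thread. It assumes a single CAS named MSS01, an IIS certificate whose only name is mail.external.com, and the Exchange 2007 SP1 Management Shell run on MSS01 itself (the Set-* cmdlets write to Active Directory and can be run from any Exchange server, but Get-ExchangeCertificate reads the local store). Setting ExternalUrl to the same name is an assumption that follows the answer's "all your referrals ... should be to mail.external.com"; the post itself only sets InternalUrl.

```powershell
# Added example for this thread, not code from the original posts.
# Assumes: CAS MSS01, IIS certificate with subject name mail.external.com,
# Exchange 2007 SP1 Management Shell running on MSS01.
$cas      = "MSS01"
$hostName = "mail.external.com"    # the only name on the certificate

# 1. Point every client-facing web service at the certificate name, inside and
#    outside, so Outlook is never handed a URL whose host is not on the cert.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$hostName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$hostName/ews/exchange.asmx" `
    -ExternalUrl "https://$hostName/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\oab (Default Web Site)" `
    -InternalUrl "https://$hostName/oab" `
    -ExternalUrl "https://$hostName/oab"

# 2. Audit: read the URLs back and check that every host is covered by the
#    certificate enabled for IIS. A host that is not covered is exactly what
#    produces the "name on the security certificate is invalid" warning.
$urls = @(
    (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $cas).InternalUrl,
    (Get-WebServicesVirtualDirectory -Server $cas).ExternalUrl,
    (Get-OABVirtualDirectory -Server $cas).InternalUrl,
    (Get-OABVirtualDirectory -Server $cas).ExternalUrl
) | Where-Object { $_ }            # skip URLs that are still unset

$iisCert   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

foreach ($u in $urls) {
    $h  = ([Uri]"$u").Host.ToLower()
    $ok = $false
    foreach ($n in $certNames) {
        if ($n -eq $h) { $ok = $true }
        # a wildcard name covers exactly one label: *.external.com matches
        # mail.external.com but not a.b.external.com
        elseif ($n.StartsWith("*.") -and ($h -like $n) -and ($h.Split(".").Count -eq $n.Split(".").Count)) { $ok = $true }
    }
    if ($ok) { Write-Host "OK       $u" }
    else     { Write-Warning "MISMATCH $u is not covered by certificate '$($iisCert.Subject)'" }
}

# 3. Split-brain DNS check: from inside the network the external name must
#    resolve to the CAS's private address (10.0.0.17 in the answer's example),
#    not the public one, otherwise internal clients go out and back in.
$addrs = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
Write-Host "$hostName resolves here to: $([string]::Join(', ', [string[]]$addrs))"
```

Run the audit part alone after any certificate change; it is the same comparison Outlook makes between the URL it was given and the names on the certificate, so a clean run here means the name-mismatch warning cannot come from these three services. It does not cover the OWA or ActiveSync virtual directories, which the thread does not discuss.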

Hello,

1. Go to the Exchange Management Console; under Servers, go to the CAS server. Go to the OWA directory, then write down your internal and external domain.
2. Remove your Exchange certificate using the Exchange Management Shell.
3. Then restart IIS. Check that you have an autodiscover record in your DNS pointing to the CAS server.
4. Use the command below to create a new Exchange certificate request:

   New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -PrivateKeyExportable:$true -Path c:\cert_myserver.txt

   Note: add your internal and external names to the command, and put in the CAS server's name and its FQDN.
5. Then use your local CA to generate the certificate.
6. Import this certificate on the CAS server using the Exchange shell, then enable it on IIS. Now reset IIS and test.
February 24th, 2010 1:08pm
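The request-and-install procedure from the reply above, carried through end to end as an added example that is not part of the original thread. It assumes CAS MSS01 in internal.com, external names mail.external.com and autodiscover.external.com, an internal enterprise CA reachable as "CA01.internal.com\Internal-CA" with a WebServer template that issues automatically, and the Exchange 2007 SP1 Management Shell on MSS01; every one of those names is an assumption. It differs from the reply in one design choice: the old certificate is left in place until the new one is bound to IIS, so OWA and EWS stay up during the swap.

```powershell
# Added example for this thread, not code from the original posts.
# Assumes: CAS MSS01 (internal.com), external names mail.external.com and
# autodiscover.external.com, internal CA "CA01.internal.com\Internal-CA"
# with a WebServer template, Exchange 2007 SP1 Management Shell on MSS01.
$req = "C:\cert_mss01.txt"
$cer = "C:\cert_mss01.cer"
$ca  = "CA01.internal.com\Internal-CA"     # assumed CA config string

# 1. Request: the CN is the name clients use from outside; the SAN list carries
#    every name that will ever appear in a client URL, internal and external,
#    so no service URL can fall outside the certificate.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso, cn=mail.external.com" `
    -DomainName mail.external.com, autodiscover.external.com, mss01, mss01.internal.com `
    -FriendlyName "mail.external.com" `
    -KeySize 2048 `
    -PrivateKeyExportable:$true `
    -Path $req

# 2. Submit the PKCS#10 request to the internal CA and collect the issued
#    certificate. If the template requires manager approval, certreq returns a
#    request ID instead of a file; retrieve it later with certreq -retrieve.
certreq -submit -config $ca -attrib "CertificateTemplate:WebServer" $req $cer

# 3. Import the issued certificate (it pairs with the private key created in
#    step 1), move the IIS binding to it, and restart IIS so the new binding
#    is picked up. The previous certificate stays in the store until you
#    remove it, which keeps the services reachable during the change.
$new = Import-ExchangeCertificate -Path $cer
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
iisreset /noforce

# 4. Verify: every name from step 1 must be listed, Services must include IIS,
#    and Issuer must be the internal CA that clients trust.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Issuer
```

One caveat for this path: a certificate from an internal CA is only trusted by clients that hold that CA's root. Domain-joined Outlook 2007 machines get it through Group Policy; phones and non-domain machines outside the network will not, and for them the name-mismatch warning is simply replaced by an untrusted-issuer warning until the root is installed on each device.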

