Exchange 2013 with .local Domain and ActiveSync Problem

Hello Ladies and Gentlemen,

First of all, I wish you a nice evening.

To my problem:

the following server setup is running:

1 x server with Active directory and a ".local" domain-name
1 x server with exchange 2013 with all exchange roles

I've done the setup and all is working, only the ActiveSync isn't working from the internet/outside from Outlook with RPC over HTTPS.

The main problem is:

The Exchange proxy is configured to the .local domain inside and outside.

If I change the domain name to our .at domain, I get a certificate error in Outlook.

My opinion is that I have to add the FQDN domain name to the Exchange certificate.

OK, I went to the /ecp site, and under "certificates" I added a new certificate for OWA/ActiveSync and added all domains with "owa.domain.local, owa.domain.at....".

After an iisreset I can't log in to the ECP anymore!?

Is anybody so kind and can give me a detailed description of how I can add my FQDN domain to the certificate so that the following is possible:

Access from the LAN with "exchange.domain.local" and, when I'm outside the LAN, with "exchange.domain.at".

I only want to receive mails in Outlook over RPC with HTTP (ActiveSync) without the Outlook proxy certificate error!?

I'm afraid of destroying my Exchange one more time!

thank you very much!

best regards

michael

August 19th, 2013 4:16pm

Hi,

You will need to get a certificate that has multiple Subject Alternative Names (SANs) that covers your internal domain name and your external domain name.

Follow this guide for creating the Certificate Signing Request (CSR): http://technet.microsoft.com/en-us/library/bb125165(v=exchg.150).aspx. You will need to include exchange.domain.local, exchange.domain.at, and any other domain names that you may be using for Exchange, such as autodiscover.domain.at, etc. The process should automatically add your configured domains if you select the right services you want the certificate for, but verify that they're all listed before having it signed.

You will then need to get the CSR signed by your Certificate Authority. If you are using a third-party CA, you will need a certificate product that supports Subject Alternative Name (SAN) certificates. If in doubt, speak to your third-party CA provider.

August 20th, 2013 12:56am

Thank you for your reply.

Is it possible to use a self-signed certificate with all my domains (.local, .at...) to get the services running?

Simply said, I need external access only for Outlook Anywhere (some notebook users are outside our LAN).

Thank you.

August 20th, 2013 2:02am

Hi,

Yes, you can use self-signed certificates, and yes, you can create a self-signed SAN certificate. The process for performing this depends on what OS you're using.

The issue you have with self-signed certificates, however, is trust. To avoid certificate errors, you will need to distribute the public certificate to workstations.

August 20th, 2013 2:10am

Thanks for the reply.

We use Windows Server 2012 Standard Edition on both servers.

1 Server with Active Directory
1 Server with Exchange 2013

On the AD server the certification service is already running.

Would you please be so kind and give me a description of how I can create a self-signed certificate for our .local and the .at domain!?

August 20th, 2013 4:23am

Hi,

When you say that on the AD server the certification service is already running, is it a certificate authority? You can use that to sign your Exchange certificate, which would remove trust issues from computers that have the CA's certificate in their trusted publishers.

August 20th, 2013 6:25am
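
The steps from the replies above (SAN request, check the names, sign with the internal CA, import and enable), as an added example that is not part of the original thread. It assumes the Exchange Management Shell on the Exchange 2013 server, an enterprise CA offering the standard WebServer template, and working paths under C:\Temp; the host names are the ones used in the thread.

```powershell
# Added example. Host names come from the thread; paths and template are assumptions.
$names   = 'exchange.domain.at', 'exchange.domain.local', 'autodiscover.domain.at'
$reqFile = 'C:\Temp\exchange.req'   # assumed working path
$cerFile = 'C:\Temp\exchange.cer'   # assumed working path

# 1. Generate the request. The private key is created on, and stays on, this server.
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange SAN certificate' `
    -SubjectName "CN=$($names[0])" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $req

# 2. Verify every name is listed in the request before it is signed.
#    "DNS Name=" is the label certutil prints on English-language Windows.
$dump    = certutil -dump $reqFile | Out-String
$missing = $names | Where-Object { $dump -notmatch [regex]::Escape("DNS Name=$_") }
if ($missing) { throw "Request is missing SAN entries: $($missing -join ', ')" }

# 3. Submit to the internal CA (prompts for the CA if more than one is found).
certreq -submit -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile

# 4. Import the issued certificate to complete the pending request.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))

# 5. Re-check the names on the issued certificate, then bind it to IIS
#    (OWA, ECP, ActiveSync and Outlook Anywhere all use the IIS binding).
$have    = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = $names | Where-Object { $have -notcontains $_ }
if ($missing) { throw "Issued certificate is missing: $($missing -join ', ')" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Domain-joined clients receive an enterprise CA's root certificate from Active Directory; notebooks that are not domain members need that root certificate installed before Outlook will accept the new certificate.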

This topic is archived. No further replies will be accepted.
