DIFFERENT EXTERNAL/INTERNAL NAMES AND SSL CERTS


norstarboston (IS-IT--Management) | Nov 20, 2002 | 110 | US
I guess this is a common problem but I am not sure how to handle it. Here is my setup:

Single Exchange 2007 server running on Windows Server 2003 64-bit.
External name: mail.domain.com (I applied a VeriSign cert with this name to IIS)

Internal name: mail2.domain.com (no cert with this name)

OWA/ActiveSync (Windows Mobile 5) all work great externally, but my internal Outlook 2007 clients receive a security alert that they need to click through. What is the best way to handle it? Do the godaddy.com wildcard certs work? I'd hate to pay for it and then have things not work on the external side. (I have heard rumors about Windows Mobile 5 not liking wildcard certs.) Can anyone help? I'd rather not go adding additional IPs to my server and messing with IIS directories if I can.

Thanks
 
Get a GoDaddy UCC/SAN cert and include both the internal and external server names in it. That would be best, since it could cover the FQDNs and non-FQDNs, plus your AutoDiscover name, etc.

Or... create a new A record in your internal DNS that maps mail.domain.com to the internal IP, point your Outlook clients at THAT for the server, and configure the server to use that for both the external AND the internal FQDN.

Dave Shackelford
Shackelford Consulting
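Dave's two options in Exchange Management Shell terms, as an added example that is not part of the original thread. Option A requests one UCC/SAN certificate carrying the external name, the internal name and the Autodiscover name used in this thread, imports the issued certificate, checks its SAN list and binds it to IIS and SMTP. Option B is the split-DNS alternative: once an internal A record resolves mail.domain.com to the internal IP, the internal Outlook endpoints are re-pointed at that name so the existing single-name certificate matches on both sides of the firewall. The subject O=/C= fields, the C:\certs paths, the server name SERVER and the virtual-directory identities are placeholders, not values from the page.

```powershell
# Added example, not from the original thread. Run from the Exchange 2007
# Management Shell on the (single) Client Access/Hub Transport server.
# Placeholders: O=/C= subject fields, C:\certs paths, SERVER identities.

$external = 'mail.domain.com'           # public name, already on the VeriSign cert
$internal = 'mail2.domain.com'          # name internal Outlook 2007 clients connect to
$autodisc = 'autodiscover.domain.com'   # name Outlook 2007 tries for Autodiscover
$names    = @($external, $internal, $autodisc)

# --- Option A: one UCC/SAN certificate that covers every name clients use ---

# 1. Generate the CSR. CN is the external name; -DomainName becomes the SAN list.
#    Exchange 2007's New-ExchangeCertificate writes the request file via -Path.
New-ExchangeCertificate -GenerateRequest -Path 'C:\certs\mail.domain.com.req' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "C=US, O=Placeholder Org, CN=$external" `
    -DomainName $names

# 2. Submit the .req to the CA. Install the CA's intermediate bundle in the
#    computer's Intermediate Certification Authorities store (a missing
#    intermediate is the usual cause of mobile clients rejecting a valid cert),
#    then import the issued certificate. Import-ExchangeCertificate returns it.
$cert = Import-ExchangeCertificate -Path 'C:\certs\mail.domain.com.cer'

# 3. Refuse to bind a certificate that does not list every name we depend on.
$have    = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
$missing = $names | Where-Object { $have -notcontains $_.ToLower() }
if ($missing) { throw "Certificate lacks SAN entries: $missing" }

# 4. Bind it to IIS (OWA, ActiveSync, Autodiscover, EWS) and SMTP (STARTTLS).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 5. Confirm which certificate now backs each service.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# --- Option B: keep the single-name cert. After adding the internal A record
#     mail.domain.com -> internal IP, hand Outlook that name everywhere instead
#     of mail2.domain.com, so the name Outlook checks matches the certificate.
Set-ClientAccessServer -Identity 'SERVER' `
    -AutoDiscoverServiceInternalUri "https://$external/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity 'SERVER\EWS (Default Web Site)' `
    -InternalUrl "https://$external/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity 'SERVER\OAB (Default Web Site)' `
    -InternalUrl "https://$external/OAB"
```

Step 3 is the check worth keeping: Outlook, OWA and ActiveSync all compare the host name they connected to against the certificate's SAN list, so a certificate that is valid but lists the wrong names still produces the click-through alert. With Option B the server never presents mail2.domain.com to clients, which is why a single-name certificate is enough there.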
 
Your question makes me wonder if this error I am seeing in my event log is related to the question you pose (I also receive the security alert pop-up).

This is the error:

Microsoft Exchange couldn't find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

For more information, see Help and Support Center at
 
You don't need a SAN cert if your internal and external names match and you don't have an ISA.

If you have an ISA but different names, you can use a normal cert.

If you are happy with the security pop-up, just make a self-signed cert on your internal CA and publish that to the Internet.
 
Casnev, your error indicates that you are using a self-signed cert on the external SMTP connector, and that one of the consequences of that (besides the basic cert error you get with OWA) is that a couple of types of TLS scenarios won't be available to you because TLS won't be backed up by a public trusted root cert.

Like Zel said, if you could engineer your internal and external server FQDNs to be the same, you could buy a single cert. Since certs are so cheap these days, it's worth having one for any production environment. Even the "pricey" SAN/UCC certs are about $60 at GoDaddy, although I prefer to use DigiCert for my SAN/UCC certs.

Dave Shackelford
Shackelford Consulting
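As an added example that is not part of the original thread: the transport warning casnev quoted is raised when no certificate in the local computer's Personal store lists a connector's Fqdn among its domain names, so transport cannot offer STARTTLS on that connector. The script below lists every Send and Receive connector with an explicit FQDN and whether an SMTP-enabled certificate covers it, then shows the two fixes: bind a CA-issued certificate that carries the name, or set the connector's Fqdn to a name the certificate already has. The connector identities 'Internet' and 'SERVER\Default SERVER' are placeholders for this server.

```powershell
# Added example, not from the original thread. Exchange 2007 Management Shell,
# run on the Hub Transport server that logged the STARTTLS warning.
# Placeholders: mail.domain.com, 'SERVER\Default SERVER', 'Internet'.

function Get-ConnectorFqdnCoverage {
    # Names covered by certificates that are enabled for the SMTP service.
    $smtpCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' }
    $covered = @()
    foreach ($c in $smtpCerts) {
        $covered += @($c.CertificateDomains | ForEach-Object { "$_".ToLower() })
    }

    # Every connector with an explicit Fqdn, and whether some SMTP cert covers it.
    # A row with Covered = False is exactly the case the event log complains about.
    @(Get-ReceiveConnector) + @(Get-SendConnector) |
        Where-Object { "$($_.Fqdn)" -ne '' } |
        Select-Object Identity,
            @{ Name = 'Fqdn';    Expression = { "$($_.Fqdn)".ToLower() } },
            @{ Name = 'Covered'; Expression = { $covered -contains "$($_.Fqdn)".ToLower() } }
}

Get-ConnectorFqdnCoverage | Format-Table -AutoSize

# Fix 1: enable the CA-issued certificate (not the self-signed one) for SMTP.
#        Its SAN list must already include the connector's FQDN.
$trusted = Get-ExchangeCertificate |
    Where-Object {
        -not $_.IsSelfSigned -and
        (($_.CertificateDomains | ForEach-Object { "$_".ToLower() }) -contains 'mail.domain.com')
    } |
    Select-Object -First 1
if ($trusted) { Enable-ExchangeCertificate -Thumbprint $trusted.Thumbprint -Services SMTP }

# Fix 2: point the Internet-facing connectors at a name the certificate carries.
#        Caveat: with more than one Hub Transport server, leave 'Default SERVER'
#        at the server's real FQDN; hub-to-hub authentication depends on it.
Set-SendConnector    -Identity 'Internet'              -Fqdn 'mail.domain.com'
Set-ReceiveConnector -Identity 'SERVER\Default SERVER' -Fqdn 'mail.domain.com'
```

To confirm the result from outside, `openssl s_client -starttls smtp -connect mail.domain.com:25` shows whether STARTTLS is now offered and which certificate chain the connector presents; a chain that ends in the self-signed Exchange certificate is what remote servers will refuse to trust for opportunistic or Domain Security TLS.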
 
$60? I was quoted $400 for a SAN cert by Comodo in September!!!

Yikes.
 
thanks for the pointers...I have a cert renewal due next month...guess we will re-look at how we are setup.

Happy New Year!

casnev
 
Yeah, GoDaddy's trying to destroy the competition... Players like Comodo and Digicert don't even want to know what GoDaddy's prices are, since competing at those levels is unsustainable, but the service I've had at Digicert has been terrific, while GoDaddy's isn't bad, but it's impersonal and always with your potential as a target for additional products in mind.

Dave Shackelford
Shackelford Consulting
 
Hmm.. So I still am not clear. Will the godaddy wildcard cert work? Will my windows mobile 5 devices scream at it? This needs to be seamless.
 
well...IT DIDN'T WORK! I bought the wildcard cert today and the windows mobile devices don't work with it. Ohh well.... only cost $160 with coupon code....
 
I have never used wildcard certs with WM5 devices, only single name certs and SAN certs.

That being said, was there an intermediate cert that you failed to load on your server? That would explain the failure.

Dave Shackelford
Shackelford Consulting
 
Zel, are you SURE that wildcards are supported? I know they are supported on Exchange 2007, but the issue here is not the server version, but the WM version. I thought that they didn't work for EAS on WM5.

Dave Shackelford
Shackelford Consulting
 
I thought they worked on WM5, but on WM6 you had to load them manually onto the device first?

If I've got that the wrong way round then I'll gladly apologise. I would say you can load the cert onto the device, but in fact I'm hesitant about saying anything now.
 
Ok ok. I have tried it and determined that Windows Mobile won't use the wildcard cert. BUT. GoDaddy also offers a Multiple Domain (UCC) cert. I only need to secure 2 names (mail.mydomain.com & mail2.mydomain.com). Perhaps this will do it? Does anyone know for sure? Please let me know. Anyone have this setup with Windows Mobile? I want to put this issue to bed. Thanks!
 