exchange 2007 ucc certs

Status
Not open for further replies.

snb123

Programmer
Jun 12, 2003
6
US
I purchased a ucc certificate from godaddy for my exchange 2007.

I followed their documentation; however, I tested OWA internally, getting a certificate error: navigation blocked.

These are the steps I took:

I went to the MMC, selected Certificates, then Intermediate Certification, and imported the gd-iis intermediate file from GoDaddy.

I then went to the exchange management shell and ran Import-ExchangeCertificate - path of mycert.com.crt file piped to Enable-ExchangeCertificate -Services "SMTP, IIS, POP, IMAP"
I received no errors.

I stopped and started my IIS.

I do not believe my cert is working. What am I missing?
 
When you check your IIS security page, do you see that the new GoDaddy cert is being used?

Also, when you set up the names for the UCC cert, did you include the internal name of your server? If you didn't, then you'd get these errors. Typically if I'm going to buy a UCC cert, I put the following names on the cert:

mail.domain.com
autodiscover.domain.com
domain.com (optional)
domain.local (optional)
e2007.domain.local
e2007

Assumes that the external host name is "mail" and the internal host name is "e2007".

Dave Shackelford
ThirdTier.net
 
Dave and I differ on this. I always use split brain DNS internally. So my UC certs ONLY ever include the OWA address and the autodiscover address. Something like

email.domain.com
autodiscover.domain.com

That way, internal domain names and server names aren't exposed.

I adjust the URLs accordingly in Exchange.

A warning about certs, though. If you're going to use Edge Transport servers, you must have the certs installed on both the hub transport and the edge transport BEFORE creating your edgesync. Otherwise, you'll break the sync and have to recreate it.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
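
An added example (not part of either post, and not Exchange or GoDaddy code): a Python check of whether every hostname in the URLs clients use is covered by a certificate's name list, run against the two name sets proposed above. The URL lists and function names are constructed for illustration, and the wildcard rule goes beyond the thread, which only uses exact names.

```python
from urllib.parse import urlsplit

def san_matches(host, san):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    h, s = host.split("."), san.split(".")
    # A wildcard covers exactly one label and never a bare single-label name.
    if s[0] != "*" or "*" in "".join(s[1:]) or len(s) < 3:
        return False
    return len(h) == len(s) and h[1:] == s[1:]

def hosts_of(urls):
    """Unique hostnames from a list of service URLs, in first-seen order."""
    seen = []
    for u in urls:
        name = urlsplit(u).hostname
        if name and name not in seen:
            seen.append(name)
    return seen

def uncovered(urls, cert_names):
    """Hostnames clients will connect to that no name on the cert covers."""
    return [h for h in hosts_of(urls)
            if not any(san_matches(h, s) for s in cert_names)]

# Name lists exactly as proposed in the two posts above.
SANS_WITH_INTERNAL = ["mail.domain.com", "autodiscover.domain.com", "domain.com",
                      "domain.local", "e2007.domain.local", "e2007"]
SANS_SPLIT_DNS = ["email.domain.com", "autodiscover.domain.com"]

# Constructed sample URLs: internal URLs left on the server's own names...
URLS_SERVER_NAMES = ["https://mail.domain.com/owa",
                     "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml",
                     "https://e2007.domain.local/owa",
                     "https://e2007/EWS/Exchange.asmx"]
# ...and the same services after the URLs are adjusted for split-brain DNS.
URLS_ADJUSTED = ["https://email.domain.com/owa",
                 "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml",
                 "https://email.domain.com/EWS/Exchange.asmx"]

if __name__ == "__main__":
    for label, urls, names in [
            ("server names, long cert", URLS_SERVER_NAMES, SANS_WITH_INTERNAL),
            ("server names, short cert", URLS_SERVER_NAMES, SANS_SPLIT_DNS),
            ("adjusted URLs, short cert", URLS_ADJUSTED, SANS_SPLIT_DNS)]:
        print(label, "->", uncovered(urls, names) or "all covered")
```

The short name list only works once every URL Exchange hands to clients points at a name on the cert; any URL still using the server's own name produces a name-mismatch warning.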
 
Actually, we don't differ on that. I prefer to use the same domain name on the inside and outside too, but so many people are already working with different domain names internally and externally that I usually gear my examples to accommodate that.

So OP, what are you using, same domain, or different?

Dave Shackelford
ThirdTier.net
 
Thanks for the replies,

I'm using just the hub transport; inside I'm using server.domain.local and also the server name.

I checked my IIS default web site OWA and I'm still using the default SSL cert that was installed on Exchange install. What step did I miss?

I plan on using Outlook Anywhere and ActiveSync and OWA. I do have a Cisco firewall.

Do I have to install the certs in the root certificate also? The steps from GoDaddy did not mention this.

Thanks again.
 
Just change the cert on the default web site. When you configure the services to use the specific cert, you aren't actually configuring the IIS default web site to use a certain cert. You'll need to do that manually. If you go into the cert config in IIS, you'll have the option to switch which cert you are using, and you can specify the GoDaddy one.

Don't worry about loading a new root cert package on the clients. That's a goose chase in this case. Your problem is that you aren't using your new cert yet.

Dave Shackelford
ThirdTier.net
 
Thank you, it worked. Now I will try my Outlook Anywhere from outside the office to see if everything works.

Again thanks,
 