Certificates - public and internal CA

Hello,

We have an Exchange 2010 server with a public certificate that includes private server names. It has mail.domain.com and mail.domain.local.

I cannot create another certificate with the private server FQDN. How should I modify our Exchange?

Right now all of my virtual directories' internal FQDNs use .local names.

The public certificate is assigned to all services on the Exchange server: IMAP, POP, IIS, SMTP. If I replace this certificate with another one that does not have the private server name, I will have an issue.

What should I do? Does anyone know?

Thanks

April 17th, 2013 9:57pm

Hi there, why are you trying to replace your public certificate in the first place? Has it expired, or are you trying to access the Exchange virtual directories with the public name?

If you simply want to replace the existing certificate, just create a new certificate request from Exchange and submit the CSR to the certificate authority, whether the CA is public or private. Once you get the certificate, just assign it to the Exchange 2010 services.

Regards,

Surj

April 18th, 2013 4:04am

My certificate will expire shortly. I know that when I renew the certificate, I will have to drop the internal FQDN and stay only with the external name. This will create a problem. I want to know how to deal with this problem.

Thank you.

April 18th, 2013 4:13am

First, create a new certificate request from Exchange 2010 and don't include your internal names.

Then assess whether you are using split-brain DNS. If not, create a secondary DNS zone internally (with your public name, i.e. yourcompany.com) and add DNS records for all Exchange-related components, i.e. Autodiscover, OWA, Mail etc., pointing to your internal Exchange server IP address. Then update all the Exchange-related virtual directories' Internal and External URLs with the public name, i.e. mail.yourcompany.com. Once you have done that you can assign the new certificate.

Some help can be found here:

http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

http://www.digicert.com/internal-domain-name-tool.htm


April 18th, 2013 4:30am

Thank you for the information. One of the articles that you sent me says that you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service, so users connecting over a VPN would have connection problems.

Our organization has VPN users, and they have to be able to use Outlook Anywhere when they are connected using VPN.

Is there anything else I could do?

Thank you.

April 18th, 2013 4:36am

If you update your Exchange virtual directories with the public name and ensure that the Outlook Anywhere URL is a public name as well, you should be fine.
April 18th, 2013 4:51am

Basically, all virtual directories and Outlook Anywhere should point to the public name. Is this correct?

Right now we have split DNS and the public name points to the public IP address, but the document that you gave me says that it should point to the private IP address of the mail server. Should I change it in my DNS?

Thank you.

April 18th, 2013 4:56am

Basically, all virtual directories and Outlook Anywhere should point to the public name. Is this correct? - Yes.

Right now we have split DNS and the public name points to the public IP address, but the document that you gave me says that it should point to the private IP address of the mail server. Should I change it in my DNS? - Do you have anything in the DMZ like a TMG/proxy server? If you don't, I think you are simply NAT'ing the connection from your firewall to the Exchange server. The simple logic is that if you don't want your client connections to leave the internal network, then create internal DNS records that point to the Exchange server locally, as I mentioned earlier; otherwise your client connections will leave your network, hit the external DNS and return to your internal server again, which is the longest route and not a best practice.

April 18th, 2013 5:16am
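The procedure laid out in the replies above (a new CSR with only public names, an internal copy of the public DNS zone pointing at the server's private address, every virtual directory and Outlook Anywhere moved to the public name, then the new certificate bound to the services), as an added Exchange Management Shell example. It is not from any poster in this thread or from Microsoft; the server name EXCH01, yourcompany.com, 10.0.0.10 and the file paths are placeholders, and dnscmd is used for the DNS side because the DnsServer PowerShell module only ships with Windows Server 2012 and later.

```powershell
# Added example (not from the thread): re-issue the Exchange 2010 certificate
# without .local names and move the client namespaces to the public name.
# Run in the Exchange Management Shell on the Client Access server as an org admin.
# All names, addresses and paths below are placeholders.
$server       = 'EXCH01'                                  # Client Access server
$publicZone   = 'yourcompany.com'
$publicHost   = "mail.$publicZone"
$autodiscover = "autodiscover.$publicZone"
$internalIp   = '10.0.0.10'                               # CAS internal address
$reqPath      = 'C:\certs\mail.yourcompany.com.req'
$cerPath      = 'C:\certs\mail.yourcompany.com.cer'       # file returned by the CA

# 1. CSR that carries only public names. The CN must also be listed in -DomainName.
Set-Content -Path $reqPath -Value (New-ExchangeCertificate -GenerateRequest `
    -Server $server -FriendlyName 'Exchange public certificate' `
    -SubjectName "CN=$publicHost,O=Your Company,C=US" `
    -DomainName $publicHost,$autodiscover -PrivateKeyExportable $true)
# ... submit $reqPath to the public CA and save the issued certificate as $cerPath ...

# 2. Split-brain DNS: an internal zone for the public name whose Exchange records
#    resolve to the internal address, so LAN and VPN clients never go out and back
#    through the firewall. Any other public host (www, ftp ...) must be re-created
#    here as well or it stops resolving for internal clients.
dnscmd /ZoneAdd $publicZone /DsPrimary
dnscmd /RecordAdd $publicZone mail A $internalIp
dnscmd /RecordAdd $publicZone autodiscover A $internalIp

# 3. Point every client namespace at the public name, internally and externally.
$base = "https://$publicHost"
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$autodiscover/Autodiscover/Autodiscover.xml"
# Outlook Anywhere (RPC over HTTP) is what VPN and remote Outlook clients use;
# Exchange 2010 only has an external host name for it, so it must be the public name.
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $publicHost

# 4. Import the issued certificate and check its names before binding it:
#    no .local names left, and both public names present.
$thumb = (Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))).Thumbprint
$cert  = Get-ExchangeCertificate -Thumbprint $thumb
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
if ($names -match '\.local$') { throw "Issued certificate still contains internal names: $($names -join ', ')" }
foreach ($n in $publicHost, $autodiscover) {
    if ($names -notcontains $n) { throw "Issued certificate is missing $n" }
}
Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS,SMTP,POP,IMAP' -Confirm:$false

# 5. Verify from the server before removing the old certificate.
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Subject,CertificateDomains,NotAfter,Services
Test-OutlookWebServices -ClientAccessServer $server | Format-List
```

Two things worth knowing before running this. Internal Outlook clients on the LAN still connect over RPC/TCP to the server or CAS array name, and that path does not use the IIS certificate, so dropping the .local names does not break them; it is only the HTTPS namespaces (OWA, EWS, OAB, ActiveSync, Autodiscover, Outlook Anywhere) that must match the certificate, which is why step 3 and the split DNS in step 2 together are what keep VPN users on Outlook Anywhere working. And the name check in step 4 is the point of the exercise: a CA that silently strips the .local entry leaves you with exactly the certificate the thread is planning for, but one that re-adds a name you did not expect should be caught before it is bound.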

Thank you for your reply. What if I have a TMG/proxy server in the DMZ? What should I do in this case?

Thank you.

April 18th, 2013 5:19am

Nothing special. You will need to update the certificate in the rules you have published.

Mark this thread as an answer if it helped you.

Cheers,

Surj

April 18th, 2013 5:22am

Hi Eric,

Thanks for your update and confirmation, I am glad to know the issue is resolved.

Just for your reference, here are the detailed steps described in the Microsoft articles below:

http://technet.microsoft.com/en-us/library/dd351057(v=exchg.141).aspx

http://support.microsoft.com/kb/940726

Have a nice day :)

April 19th, 2013 6:03am

Hello Guys,

I have recently upgraded our Exchange 2007 to 2013. I had done everything you mentioned, as the new certificate has no internal names, and everything worked just fine; only ActiveSync failed. When I run Test-ActiveSyncConnectivity I get the following message:

===============================================

Scenario                    : Options
ScenarioDescription         : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version.
PerformanceCounterName      : DirectPush Latency
Result                      : Failure
Error                       : [System.Net.WebException]: The underlying connection was closed: Could not establish
                              trust relationship for the SSL/TLS secure channel. Inner error
                              [System.Security.Authentication.AuthenticationException]: The remote certificate is
                              invalid according to the validation procedure.
UserName                    : extest_ce1feefc0b5f4
StartTime                   : 10/5/2013 9:31:13 PM
Latency                     : -00:00:01
EventType                   : Error

=========================================

Any help is highly appreciated.

October 5th, 2013 2:34pm
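The error in the post above, "The remote certificate is invalid according to the validation procedure", is .NET's generic verdict and covers three different faults: the name the test connects to is not on the certificate, the chain does not build on the machine doing the validating, or the certificate is outside its validity period. The following is an added example, not from any poster in this thread, that performs the same three checks by hand against whatever name an Exchange HTTPS endpoint is reached on, so the failing one can be named. Run it on the Exchange server itself, since the Test-* cmdlets validate against that server's own certificate store; the host name is a placeholder.

```powershell
# Added example (not from the thread): fetch the certificate an Exchange HTTPS
# endpoint presents and report name match, chain trust and validity separately,
# the three things .NET folds into "invalid according to the validation procedure".
function Get-ExchangeTlsDiagnosis {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # name the client or test connects to
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept everything at the TLS layer so the handshake completes; we validate below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Names the certificate is valid for: subject CN plus every DNS entry in the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    # Exact match, or a wildcard that covers exactly one label (what .NET accepts).
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameOk = $true; break }
        if ($n.StartsWith('*.') -and
            $HostName -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { $nameOk = $true; break }
    }

    # Chain trust as seen from this machine's store; revocation is skipped so an
    # offline server still gets a verdict on the trust anchor and intermediates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        ValidNames   = $names -join ', '
        NameMatches  = $nameOk
        ChainTrusted = $chainOk
        ChainErrors  = $chainErrors
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        InValidity   = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -ge (Get-Date))
    }
}

# The name to test is whatever the ActiveSync virtual directory advertises, e.g.
#   (Get-ActiveSyncVirtualDirectory -Server EXCH01).InternalUrl.Host
Get-ExchangeTlsDiagnosis -HostName 'mail.yourcompany.com' | Format-List
```

Read the output in this order. NameMatches false means a virtual directory or the test is still using a name (typically the server's .local FQDN) that the new public certificate does not carry, which is the case this thread is about. ChainTrusted false with a ChainErrors value such as PartialChain or UntrustedRoot means the CA's intermediate or root is missing from the server's own store, which a client with a fuller store would never show you. Test-ActiveSyncConnectivity accepts a -URL parameter and a -TrustAnySSLCertificate switch, so running it once against the public URL with that switch separates a pure trust failure from a broken ActiveSync endpoint.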
