Certificate issues.. we do not own the domain that our internal domain is named.

  • Question

  • Internal Domain: somedomain.ca  (some other organization owns this domain...)

    External Domain: external.ca

    We are currently using Exchange 2003 and using ActiveSync/Webmail and Outlook 2010.  We currently have a certificate for mail.external.ca

    I have been advised that since we do not own our internal domain name, we will run into issues because we won't be able to get a certificate for somedomain.ca and we will get warnings within Outlook.

    Is there any workaround for this, or are we possibly doing something wrong in the setup where this shouldn't be an issue to begin with?

    Monday, April 8, 2013 8:50 PM

Answers

  • Internal Domain: somedomain.ca  (some other organization owns this domain...)

    External Domain: external.ca

    We are currently using Exchange 2003 and using ActiveSync/Webmail and Outlook 2010.  We currently have a certificate for mail.external.ca

    I have been advised that since we do not own our internal domain name, we will run into issues because we won't be able to get a certificate for somedomain.ca and we will get warnings within Outlook.

    Is there any workaround for this, or are we possibly doing something wrong in the setup where this shouldn't be an issue to begin with?

    Unless you use Transport Layer Security for SMTP communication, I don't think you will encounter a certificate issue. This is because Outlook 2010 in an Exchange 2003 system does not use Web services.

    Are you trying to deploy an Exchange 2003 environment, or do you encounter a specific error with a certificate?

    I'd suggest you upgrade to Exchange 2010 or a higher version. Please note that Exchange 2003 is out of support.

    Refer to: http://support.microsoft.com/lifecycle/search/?alpha=Exchange+Server


    Fiona Liao
    TechNet Community Support

    • Proposed as answer by Fiona_Liao Wednesday, April 10, 2013 6:22 AM
    • Marked as answer by Fiona_Liao Tuesday, April 16, 2013 7:58 AM
    Wednesday, April 10, 2013 6:21 AM

All replies

  • Can you describe your problem with the certificates in detail?
    • Proposed as answer by Belashov Evgeniy Tuesday, April 9, 2013 5:16 AM
    • Unproposed as answer by Fiona_Liao Wednesday, April 10, 2013 6:16 AM
    Tuesday, April 9, 2013 5:15 AM
  • Sorry I guess my explanation wasn't very good.

    Our internal domain name is an external name (i.e. internal.ca instead of internal.local), and we do not own the domain internal.ca; we inherited this wonderful setup from a previous admin.

    Same issue as: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/fe2e259c-b025-4a61-878c-47cb55e384fb  Which I guess also answers my question.

    So if we can't get a certificate for our internal domain, our only option will be to set up an internal CA and have to micromanage mobile devices, or change our internal domain name?

    Tuesday, April 9, 2013 10:07 AM
  • Look at Sembee's post in the link you provided.

    You do own the external domain name at least, correct?

    This will take some planning but I think you can resolve this:

    1. Change all the URLs used by Exchange so they use the external domain name that you do own (right?).

    --- so for OWA:

    webmail.externaldomainname.ca

    Users would enter:

    https://webmail.externaldomainname.ca/owa

    2. Change the default email address policy to the domain name that you do use. I don't think you want to use email addresses with a domain name that belongs to someone else.

    3. You can even change the "UPN" in Active Directory Domains and Trusts so users can use that domain as the default domain to login.

    4. Of course, you will want to adjust DNS where needed.

    Externally, you could have never used the other domain name, since it would be pointing to the other organization.

    *

    I had set up a practice domain once with a domain name that was not necessarily someone else's but that I could not use or did not want to use on the (public) Internet, and proceeded as above so I could use another domain name even though the internal Active Directory domain name was something else.


    Tuesday, April 9, 2013 10:42 AM
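
Steps 1 and 4 of the post above, written out as an added example that is not part of the original thread. It assumes the Exchange 2010 Management Shell (the version the poster is moving to, not Exchange 2003) and a hypothetical Client Access server named CAS01; it sets every client-facing URL to the owned namespace, then checks that no URL and no IIS certificate still depends on the domain you do not own.

```powershell
# Added example. Assumptions (not from the thread): Exchange 2010 Management
# Shell, a Client Access server named CAS01, and the post's sample host name.
$Server    = 'CAS01'                      # hypothetical server name
$Owned     = 'externaldomainname.ca'      # the domain you do own
$Namespace = "webmail.$Owned"             # host name on the public certificate
$Base      = "https://$Namespace"

# Step 1: publish every client-facing URL under the owned namespace.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
        -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
        -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Check 1: no configured URL may still use a host outside the owned domain.
$getters = 'Owa','Ecp','ActiveSync','WebServices','Oab' |
    ForEach-Object { "Get-${_}VirtualDirectory" }
$urls = @(foreach ($g in $getters) {
    & $g -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
})
$urls += (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
$stray = $urls | Where-Object { $_ } | Where-Object {
    $h = ([uri]"$_").Host
    $h -ne $Owned -and $h -notlike "*.$Owned"
}

# Check 2: an IIS-bound certificate must list the namespace by exact name
# (a wildcard certificate would need a separate comparison).
$covered = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Where-Object { ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Namespace }

# Step 4: from an internal client this should return the CAS internal address.
$resolved = [System.Net.Dns]::GetHostAddresses($Namespace)

if ($stray)        { Write-Warning "URLs outside ${Owned}: $($stray -join ', ')" }
if (-not $covered) { Write-Warning "No IIS certificate lists $Namespace" }
"$Namespace resolves to: $($resolved -join ', ')"
```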
  • Thanks for the explanation.  We are currently using 2003 and are going to 2010, then 2013.

    I think I understand now, funny thing is when we were new to 2007 and wanted to make our life easier we would actually change all the web services to use the external domain name for both internal and external, then created a DNS forwarder for our external domain.


    I will be doing some testing tomorrow and will mark answers if it works
    Wednesday, April 10, 2013 9:58 AM
  • For internal access, we may change the internal DNS, pointing the external URL to the CAS server's internal IP address.

    Fiona Liao
    TechNet Community Support

    Tuesday, April 16, 2013 8:00 AM