Do we need both external and internal FQDN certificate for our Exchange 2010?

  • Question

  •  One of our clients is running Exchange 2010 on Windows 2008 with Outlook 2007 or 2010. Some users (not all) keep getting this message whenever they open Outlook: “The name on the security certificate is invalid or does not match the name of the site”. Get-ClientAccessServer | FL looks good.

    I posted this issue on the Microsoft Partner forum. One Microsoft engineer said: "Microsoft recommends that all the internal FQDNs of the Exchange CAS server need to be added into the certificate. This will make sure all the internal clients can securely and stably access the Exchange server without receiving a certificate warning" and "I suggest you apply for a new Exchange certificate for mail.mydomain.local".

    We have some clients who are using Windows 2008 SBS with Exchange without any certificate because they don't use OWA. The internal Outlook always works fine. We have many clients who are running Exchange 2007 or 2010 with only an Internet FQDN certificate. They don't have this issue.

    Do we really need both external and internal FQDN certificates for Exchange 2010?


    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com

    Friday, March 30, 2012 12:40 AM

Answers

  • Exchange 2007 and higher uses SSL for more than just OWA. If you haven't been configuring SSL certificates and haven't seen issues, then you have been lucky, possibly because of other things that you are configuring in the domain and possibly not knowing how it all interacts.

    If you are using SBS 2008, then you are using an SSL certificate - as Exchange 2007 has the same issue. It is all about the trust.

    With SBS, if you follow the wizards to set up everything, then it will put in the required DNS entries so that a single name SSL certificate for remote.example.com works for both internal and external traffic.
    The wizards in SBS, though, presume that the external DNS provider supports SRV records, which most do not, so in those cases you have to use a Unified Communications certificate so that you can include autodiscover.example.com. When I go that route I will then include the internal FQDN of the server, plus "Sites".

    http://exchange.sembee.info/2007/install/sbs2008ssl.asp

    With the full product, you don't get the wizards. The internal FQDN is used by default on Exchange for the internal autodiscover process.
    Therefore you either need to use a Unified Communications certificate or you need to configure all of the internal names to use the external name, and run a split DNS system.

    http://exchange.sembee.info/2007/install/singlenamessl.asp

    However, using a single name SSL certificate has the same issues as with SBS: it requires the use of SRV records for autodiscover.

    The recommendation you will find, therefore, is to use a Unified Communications certificate with the internal name included as one of the additional names. One of the cheapest sources of those is here: https://certificatesforexchange.com/

    If you are using the Unified Messaging role in Exchange 2007 or higher then you must use a certificate with the server's FQDN included, otherwise Exchange will not use it.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    • Marked as answer by chicagotech Saturday, March 31, 2012 2:15 AM
    Friday, March 30, 2012 7:52 AM
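    As an added example (not from the thread, and not Exchange's own tooling), this Exchange Management Shell script performs the check the answer above implies: it collects every hostname the 2010 CAS hands to clients (Autodiscover SCP, the virtual-directory URLs, Outlook Anywhere, the server FQDN) and reports which of them are not covered by the SANs on the certificate bound to IIS. Running it on the CAS itself and the one-label wildcard rule are assumptions.

```powershell
# Added example: list the names Exchange 2010 advertises and flag any not
# present as a SAN on the IIS-bound certificate. Any MISSING name is one
# Outlook can warn about ("The name on the security certificate is invalid").
# Assumption: run on the CAS itself.
$server = $env:COMPUTERNAME

function Get-HostFromUrl([string]$url) {
    if ([string]::IsNullOrEmpty($url)) { return $null }
    return ([System.Uri]$url).Host.ToLower()
}

# Collect every hostname a client could be told to connect to.
$names = @()
$cas = Get-ClientAccessServer $server
$names += Get-HostFromUrl $cas.AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $server) +
                @(Get-OabVirtualDirectory -Server $server) +
                @(Get-ActiveSyncVirtualDirectory -Server $server) +
                @(Get-OwaVirtualDirectory -Server $server) +
                @(Get-EcpVirtualDirectory -Server $server)) {
    $names += Get-HostFromUrl $vd.InternalUrl
    $names += Get-HostFromUrl $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue
if ($oa) { $names += $oa.ExternalHostname.ToString().ToLower() }
$names += $cas.Fqdn.ToLower()   # internal Outlook also uses the server FQDN
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# SANs of the certificate currently enabled for IIS (the one Outlook/OWA see).
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

function Test-NameCovered([string]$name, [string[]]$sans) {
    foreach ($s in $sans) {
        if ($s -eq $name) { return $true }
        # A wildcard entry *.example.com covers exactly one extra label.
        if ($s.StartsWith('*.') -and $name -like $s -and
            ($name.Split('.').Count -eq $s.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($n in $names) {
    $status = if (Test-NameCovered $n $sans) { 'OK     ' } else { 'MISSING' }
    "{0} {1}" -f $status, $n
}
```

    Names reported as MISSING are the ones to either add to a Unified Communications (SAN) certificate or to repoint at the external name with split DNS, as the answer describes.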

All replies

  • Thank you.

    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com

    Saturday, March 31, 2012 2:15 AM