No internal server names on SAN certificates after 2015 - where are the procedures?


All replies

  • In addition to that guide you would also need to change the paths exposed in the Exchange Management Console, like OWA, ActiveSync, ECP etc.

    You would also need to see if you need to implement a split-DNS strategy, and if you need to ensure that the external name is excluded from authenticated proxies (and ideally any proxies) within the environment.

    In particular if you use TMG at the moment, a split DNS strategy will be useful to ensure clients do not unnecessarily have to traverse TMG to access Exchange.

    If you prefer to continue with different internal/external names for HTTPS services, then you could have mail-internal.contoso.com for Internal URLs.

    Finally if you think you will need to use split-DNS and use Active Directory DNS internally for your contoso.local domain, and your ISP for the DNS for your external contoso.com domain and don't want to replicate *every* record, you can create a couple of zones with the FQDN (e.g. mail.contoso.com, autodiscover.contoso.com) and create an A record in each of those zones using that parent domain. That will mean that requests for other records within contoso.com still use the existing DNS infrastructure, thus avoiding needing to perform a full split DNS and duplicate ongoing management of both internal and external zones.

    Steve


    Steve Goodman
    Check out my Blog for more Exchange info or find me on Twitter

    • Proposed as answer by Steve Goodman MVP Wednesday, July 4, 2012 12:33 PM
    • Marked as answer by wendy_liu Tuesday, July 10, 2012 1:19 AM
    Monday, July 2, 2012 4:23 PM
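The "pinpoint zone" approach Steve describes, as an added example that was not posted in this thread: one AD-integrated zone per FQDN with an A record at the zone apex, so only those names are answered internally and the rest of contoso.com keeps resolving through the existing DNS path. The CAS address and hostnames are placeholders.

```powershell
# Added example (not from the thread): create "pinpoint" DNS zones in Active Directory DNS
# so that only mail.contoso.com and autodiscover.contoso.com resolve internally to the CAS,
# while every other contoso.com record still resolves through the ISP's DNS.
# Assumptions: run as a DNS admin on a server hosting AD-integrated DNS; the internal
# CAS address and the names below are placeholders for your own values.

$casInternalIp = '10.0.0.10'                                   # placeholder: internal CAS / load balancer address
$pinpointNames = @('mail.contoso.com', 'autodiscover.contoso.com')

foreach ($name in $pinpointNames) {
    # The zone name IS the FQDN; /DsPrimary makes it AD-integrated like the contoso.local zone
    & dnscmd.exe /ZoneAdd $name /DsPrimary
    # An A record at the zone apex ("@") answers queries for the FQDN itself
    & dnscmd.exe /RecordAdd $name '@' A $casInternalIp
}

# Verify from a domain-joined client: the pinpoint names must answer with the internal
# CAS address, while an unrelated name in the parent domain (constructed here) must still
# resolve to its public address, proving no empty internal contoso.com zone was created.
foreach ($name in ($pinpointNames + 'www.contoso.com')) {
    $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0,-30} -> {1}" -f $name, ($resolved -join ', '))
}
```

If a pinpoint zone is later removed, clients fall back to the external address for that name, so keep the zone list under change control together with the certificate's SAN list.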
  • Looking through my IIS:

    Should I change the internalURL for the following virtual directories:

    • Powershell
    • RPC
    • RPCwithCert

    So far I have done these so the internal URL matches the external URL (and the SAN cert which will last beyond 2015)

    • Set-WebServicesVirtualDirectory
    • Set-AutodiscoverVirtualDirectory
    • Set-OabVirtualDirectory
    • Set-ActiveSyncVirtualDirectory
    • Set-WebServicesVirtualDirectory
    • Set-EcpVirtualDirectory
    • Set-OwaVirtualDirectory

    http://forums.msexchange.org/m_1800529476/mpage_1/key_/tm.htm#1800529705
    http://madoxr.blogspot.ch/2012_06_01_archive.html


    CarolChi

    • Proposed as answer by Steve Goodman MVP Wednesday, July 4, 2012 12:33 PM
    • Marked as answer by wendy_liu Tuesday, July 10, 2012 1:19 AM
    Monday, July 2, 2012 5:52 PM
  • Hi,

    We don’t need to configure an external URL for all the virtual directories, except where we need to manage Exchange externally.

    In general, we need to configure the following External URL for Outlook Anywhere.

    OWA

    OAB

    WebServices

    ActiveSync

    ECP

    Autodiscover

    As for the others, you can set according to individual demand.

    And as Steve said, the certificate’s SAN just has a couple of FQDN, such as “mail.contoso.com and autodiscover.contoso.com”

    Exchange Autodiscover:

    http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

    Understanding the Autodiscover Service:

    http://technet.microsoft.com/en-us/library/bb124251.aspx

    By the way, do you have an internal certificate?


    Wendy Liu

    TechNet Community Support




    • Edited by wendy_liu Wednesday, July 4, 2012 8:45 AM
    • Proposed as answer by Steve Goodman MVP Wednesday, July 4, 2012 12:34 PM
    • Marked as answer by wendy_liu Tuesday, July 10, 2012 1:19 AM
    Wednesday, July 4, 2012 8:33 AM
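Putting CarolChi's list of Set-*VirtualDirectory cmdlets and Wendy's list of URLs together, as an added example not posted by anyone in this thread: copy each ExternalUrl over the matching InternalUrl, point the Autodiscover SCP at the public name, and then check that every hostname clients will now see is actually on the SAN certificate. Server name, hostnames and thumbprint are placeholders.

```powershell
# Added example (not from the thread): align InternalUrl with ExternalUrl on the Client Access
# virtual directories the thread lists, update the Autodiscover SCP, and verify SAN coverage.
# Assumptions: run in the Exchange 2010 Management Shell with Organization Management rights;
# $server, $scp and $thumbprint are placeholders for your own values.

$server     = 'CAS01'                                          # placeholder CAS server
$thumbprint = '<thumbprint of the SAN certificate>'            # placeholder
$scp        = 'https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml'   # placeholder

# Get/Set pairs for the directories named in the thread (Autodiscover is handled via the SCP)
$vdirs = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' }
)

$hostsInUse = @()
foreach ($vd in $vdirs) {
    & $vd.Get -Server $server | ForEach-Object {
        if (-not $_.ExternalUrl) { Write-Warning "$($_.Identity): no ExternalUrl set, skipping"; return }
        # Internal clients will now be sent to the same public name the certificate was issued for
        & $vd.Set -Identity $_.Identity -InternalUrl $_.ExternalUrl
        $hostsInUse += $_.ExternalUrl.Host
    }
}

# Domain-joined Outlook locates Autodiscover through the SCP in AD, not through the vdir URLs
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $scp
$hostsInUse += ([Uri]$scp).Host

# Every hostname now in use must appear on the certificate, or clients get name-mismatch prompts.
# CertificateDomains holds domain objects, so compare as lower-case strings; this is an exact
# match and does not evaluate wildcard entries, which would need a separate check.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint -Server $server
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = $hostsInUse | ForEach-Object { $_.ToLower() } | Sort-Object -Unique |
           Where-Object { $sans -notcontains $_ }
if ($missing) { Write-Warning "Not on certificate SAN: $($missing -join ', ')" }
else          { Write-Host "All hostnames in use are covered by the certificate SANs." }
```

Run the Set-* calls with -WhatIf first if you want to preview the changes, and re-run the SAN check whenever the certificate is renewed, since that is the point at which the internal names would silently drop off.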
  • Thanks

    What I had done was to have one certificate for both internal and external. So the certificate had the internal AND external URLs. I know this is not great security practice but it was very simple and worked well.

    I don't want to have to manage two certificates so I am looking to make the internal URLs the same as the external ones. I changed them all as in my post above except three:

    • Powershell
    • RPC
    • RPCwithCert

    My question is do I need to change these three internal URLs and how do I do so?


    CarolChi

    Wednesday, July 4, 2012 8:57 AM
  • Don't worry about those three.

    Steve


    Steve Goodman
    Check out my Blog for more Exchange info or find me on Twitter

    Wednesday, July 4, 2012 12:33 PM