We have inherited a configuration that we cannot back out of. Here is what we have:

internal domain is contoso.com. we do not own contoso.com and the current owner will not sell.

the internal name of the mail server is exchange2007.contoso.com

email domain is contosointernational.com

OWA access is through another shortened domain ctsi.com, i.e. exchange.csti.com/owa

We want to purchase a commercial cert that will allow activesync to work, secure owa access, and still allow email to work internally. How can we make this work?

Thanks.

UPDATE:

we bought a single name cert (mail.ctsi.com), created an internal zone for ctsi, created an A record for mail.ctsi.com to point to our exchange server, and then updated the connection point for autodiscover, the internal url for ews, oab, and UM Web service to mail.ctsi.com (per KB940726), and our issue is resolved.

user76365
  • 13
  • 3

5 Answers

1

You can buy a contosointernational.com certificate and a csti.com certificate, which can be a SAN (having several names in it) or only one. Technically it doesn't matter. What you will end up doing is to create an INTERNAL DNS zone for any domain/s you wish to implement in your external certificate and simply indicate that the internal names of the resources such as mail.csti.com or mail.contosointernational.com use the INTERNAL IPs. However, in order to make sure you'll be able to resolve the actual external names of the server, which say host your www.contosointernational.com, you would need to add an IP to that INTERNAL zone pointing to the external IP. As well, you'll be required to alter, using PowerShell or the Exchange Console, the OWA, Client Access server and a couple of other settings to allow your Outlook to connect properly to the Exchange. I have done it dozens of times. It works 100%. Just make sure that the A record for the INTERNAL/EXTERNAL mail server exists in your INTERNAL ZONE.

Which exact services you need to configure is easily visible in every guide on the internet explaining how to implement an SSL certificate in a 2007/2010 Exchange environment.

Vick Vega
  • 2,398
  • 16
  • 22
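The split-DNS plus internal-URL procedure from the question's UPDATE and from the answer above, written out as an added example (not code from the question, the answers or KB940726). It assumes a CAS server named EXCHANGE2007, a public name mail.ctsi.com, a LAN address 10.0.0.25 and a public web server at 203.0.113.10; all of these are placeholders.

```powershell
# Added example: split-brain DNS zone plus Exchange 2007 internal URL fix-up.
# dnscmd lines run on a Windows DNS server; Set-*/Get-* cmdlets run in the
# Exchange Management Shell (EMS). All host names and IPs below are assumed.
$PublicName  = 'mail.ctsi.com'
$Zone        = 'ctsi.com'
$InternalIp  = '10.0.0.25'      # assumed LAN address of the Exchange CAS
$ExternalWww = '203.0.113.10'   # assumed public web server for www.ctsi.com
$CasServer   = 'EXCHANGE2007'   # assumed CAS server name

# 1. Internal zone so LAN clients resolve the certificate name to the LAN address.
dnscmd /ZoneAdd $Zone /DsPrimary
dnscmd /RecordAdd $Zone mail A $InternalIp
# Every other public host in that zone must be re-created here, or it stops
# resolving from inside the network (the "external IP in the internal zone" point).
dnscmd /RecordAdd $Zone www A $ExternalWww

# 2. Point the internal URLs and the Autodiscover SCP at the certificate name.
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB"
Set-UMVirtualDirectory -Identity "$CasServer\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "https://$PublicName/UnifiedMessaging/Service.asmx"

# 3. Verify: any internal URL still using a host name the certificate does not
#    cover will keep producing certificate warnings in Outlook.
$urls = @(
    (Get-ClientAccessServer $CasServer).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $CasServer).InternalUrl,
    (Get-OABVirtualDirectory -Server $CasServer).InternalUrl,
    (Get-UMVirtualDirectory -Server $CasServer).InternalUrl
)
$bad = $urls | Where-Object { $_ -and $_.Host -ne $PublicName }
if ($bad) { Write-Warning "Still pointing at an uncovered name: $($bad -join ', ')" }
else      { Write-Output "All internal URLs use $PublicName" }

# 4. From a domain-joined client, confirm the name now resolves to the LAN address.
nslookup $PublicName
```

The OWA and ActiveSync virtual directories are reached by the name users type (exchange.csti.com/owa in the question), so that name must also be on the certificate or be changed to mail.ctsi.com.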
0

contoso.com is Microsoft's example domain for their test questions. If at all possible, it might be prudent to first migrate off of that domain on to something more unique.

Lemb
  • 209
  • 1
  • 3
0

Because the domain is owned elsewhere you can't put that as a domain in the certificate. There's nothing you can do about that.

You may be able to have users use an internally generated certificate when inside the network, and an external one for the domain you own outside.

As most will suggest, I would recommend starting a long term project to change the domain name. It can be done, I inherited an ugly situation similar to that, and it took a long time, but we finally did it.

Brian
  • 621
  • 6
  • 12
0

You likely want to use a SAN certificate. With 2010 you can generate a cert request file using the EMC, although I believe this is not an available function in Exchange 2007.

You can however use the EMS for Exchange 2007 to generate a certificate request file.

https://www.digicert.com/easy-csr/exchange2007.htm allows you to plug in the information for your configuration to generate a shell command that you can paste into the EMS.

HostBits
  • 11,796
  • 1
  • 25
  • 39
0

Brian is correct. You will have to run with 2 Certs.

The internal cert should be signed by your internal Certificate Authority for your AD domain. The external cert will use your mail domain. Yes, this means you will have to run TWO separate websites for the OWA/ActiveSync.

You should also make it a priority to migrate to a new domain name. Check out What Is Domain Rename?. I haven't tried it myself, but it looks reasonable. It will take a lot of work to make sure everything works correctly.

Edit: Actually... I think you could just do with one cert if you add your external domain as the Internal URL. That may work. Look at the OWA properties for your server in the Client Access section of the Server Configuration.

Justin
  • 159
  • 3