Recently got an SSL certificate for our external domain and added it to Exchange. External clients are working fine, but internal clients are getting the Security Warning when opening Outlook, naming our internal server.domain.local and stating "the name on the security certificate is invalid"; viewing the certificate shows our external domain.

How do I get this resolved? Both internal and external hostnames are set for external url for autodiscover.

John

2 Answers

The certificate seems to be issued to your external domain, I'll call it server.domain.com for now. This doesn't match server.domain.local, so you get the security warning.

You have a couple of options:

  1. Get a new certificate that contains server.domain.local as an alternative name. This will be valid for external and internal access, but not every CA will allow you to create such a certificate.
  2. Configure your local DNS to resolve server.domain.com for your Exchange server instead of .local. This is most probably the easiest way to fix the problem.
  3. Change your complete internal network to use the .com domain. This is the solution that requires the most work, but it will prevent similar problems in the future with other servers that should be accessible from inside and outside.
  4. Set up a proxy server for your Exchange that handles the SSL. You can either place the proxy in the DMZ and have it provide the external certificate, or place it inside and have it provide a certificate issued by your internal CA; that doesn't really matter.
Gerald Schneider
  • You are advocating a completely fresh domain just to resolve an SSL prompt? You cannot change the name of a domain with Exchange installed, that isn't supported. There is no need to introduce new services or make wholesale changes to the configuration of the domain - Exchange just needs to be configured correctly. – Sembee Jan 04 '17 at 09:21
You cannot get an SSL certificate for internal names from any trusted SSL provider. That isn't allowed - hasn't been since November 2014.

"How do I get this resolved? Both internal and external hostnames are set for external url for autodiscover."

How exactly have you done that? If you have changed the URL values on the Autodiscover virtual directory, then that isn't the correct way to do it. Put that back to the default. The correct way is to use Set-ClientAccessServer:

Set-ClientAccessServer servername -AutodiscoverServiceInternalUri https://host.example.com/Autodiscover/Autodiscover.xml

That will stop the SSL prompts. http://semb.ee/hostnames2013 has the full details of what you need to change.

Sembee
  • Woo! That's what I ran but I expected it to happen automatically. I checked again hours later and it is now working properly! Is there something I could have done to make this change instant? – John Jan 05 '17 at 00:51
  • The information is published to the domain automatically by Exchange. I don't believe there is any way to force it to publish. Although I have never had to wait hours for it to work - a few minutes at most. If you had to wait for it to work that would suggest an issue with replication within your domain. – Sembee Jan 05 '17 at 07:58
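The procedure from the accepted answer, carried through all of the internal URLs Autodiscover hands out and with a verification pass, as an added example that is not part of either answer. It assumes the Exchange Management Shell on Exchange 2013, that the public certificate bound to IIS carries host.example.com (the name used in the answer), that the server name EXCH01 is a placeholder for your own, and that internal DNS already resolves host.example.com to the internal Exchange IP, as option 2 of the first answer describes.

```powershell
# Added example, not code from the answers above. Assumptions: Exchange 2013 EMS,
# certificate name host.example.com, server name EXCH01 (placeholder), split-brain DNS in place.
$server = 'EXCH01'            # placeholder: your Exchange server's host name
$fqdn   = 'host.example.com'  # the name that is actually on the certificate

# 1. Check that the certificate bound to IIS really contains $fqdn (exact or wildcard match)
#    before pointing internal clients at it; otherwise the prompt just changes its wording.
$names = Get-ExchangeCertificate -Server $server |
         Where-Object { $_.Services -match 'IIS' } |
         ForEach-Object { $_.CertificateDomains } |
         ForEach-Object { $_.ToString() }
$covered = ($names -contains $fqdn) -or ($names | Where-Object { $_ -like '*.*' -and $fqdn -like $_ })
if (-not $covered) { throw "No IIS-bound certificate on $server covers $fqdn; fix the certificate first." }

# 2. The Autodiscover SCP in Active Directory. Domain-joined Outlook reads this first, so a
#    .local name here is the usual source of "the name on the security certificate is invalid".
Set-ClientAccessServer -Identity $server -AutodiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# 3. The internal URLs Autodiscover returns to clients; each must match the certificate too.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "https://$fqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -InternalUrl "https://$fqdn/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$fqdn/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" -InternalUrl "https://$fqdn/ecp"
# Outlook Anywhere: InternalHostname must be set together with InternalClientsRequireSsl.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" -InternalHostname $fqdn -InternalClientsRequireSsl $true

# 4. Verify: every internal URL should now carry $fqdn and none should still mention .local.
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutodiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
    (Get-OabVirtualDirectory -Server $server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl
    (Get-OwaVirtualDirectory -Server $server).InternalUrl
    (Get-EcpVirtualDirectory -Server $server).InternalUrl
) | ForEach-Object { "$_" }
$urls
$stale = $urls | Where-Object { $_ -match '\.local' -or $_ -notmatch [regex]::Escape($fqdn) }
if ($stale) { Write-Warning "Still pointing at a name not on the certificate: $($stale -join ', ')" }

# 5. Internal DNS must hand out the internal address for the public name (split-brain DNS);
#    if this returns the public IP, internal clients will leave the network to reach Exchange.
Resolve-DnsName -Name $fqdn -Type A
```

The SCP change in step 2 is stored in Active Directory, so Outlook only sees it once that object has replicated to the domain controller the client is using, which is the delay the comments above discuss.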