
I am going around in circles trying to configure Exchange / The Domain to accept an SSL certificate without showing a security warning when launching outlook.

**Configuration:**

2012 Domain Controller
2013 Exchange server (one)
Outlook 2010

External FQDN to exchange : exchange.n****e.com
Internal FQDN to exchange : exchangevault.lincoln.n****e.limited

SSL Cert purchased which covers: 
DNS Name=exchange.n****e.com
DNS Name=www.exchange.n****e.com
DNS Name=AutoDiscover.n****e.com
DNS Name=n****e.com

I added the cert to the Trusted Root via GP. I have altered the internal and external URLs in 2012 ECP to point to the external FQDN, exchange.n****e.com.

On my test Outlook client, Outlook configures itself without issue. On launch following configuration I get a security warning advising me that the certificate has an issue:

"the name on the security certificate is invalid or does not match the name of the site"

Indeed it doesn't: internally, Outlook is referencing the internal FQDN but using the cert of the external FQDN.

I would like to just have the OS trust the cert (it is installed locally on the client via GP), but this security alert appears every time Outlook runs. Or use the external FQDN and, for internal users, redirect to the internal IP of the Exchange server; however, doing this causes the mail server field to switch to the internal address, which then fails to allow me to open Outlook (Cannot open your default e-mail folders).

How can I operate Exchange internally and externally when the FQDNs are different without security warnings?

Damo
  • Is the name of the site autodiscover.n****e.com? Do you have autodiscover.n****e.com in your internal and external DNS zone? Did you check which website the certificate Outlook complains about was issued for? – lsmooth Dec 03 '13 at 16:42
  • The security alert references "exchangevault.lincoln.n****e.limited" and the cert used is "exchange.n****e.com". I have an auto discover A record on both the internal and external DNS. The internal DNS references the internal IP while the external DNS references the external IP. – Damo Dec 03 '13 at 16:49
  • You don't have the internal fqdn in the certificate. Trusting the certificate is not the problem. The problem is that the certificate was not issued for the site that Outlook is connecting to. – lsmooth Dec 03 '13 at 16:58
  • Ah, this is true. GoDaddy wouldn't let me set the internal FQDN as part of the cert. I had no choice but to omit them. – Damo Dec 03 '13 at 17:05
  • So, it seems that when I changed the autodiscover URLs via PS (Set-ClientAccessServer -Identity Your_Server_Name -AutodiscoverServiceInternalUri) the change didn't take effect until I recycled the WP. Doing this changed the autodiscover details to use the correct FQDN. – Damo Dec 03 '13 at 17:12
  • If your problem is solved you should answer the question yourself. So if someone has the same problem, they will find an answer and not just a question here ;) – lsmooth Dec 03 '13 at 20:14

1 Answer


In this scenario, when changing the external and internal URLs from the ECP, you must restart the IIS worker process for ECP or the virtual directory you are changing; otherwise the change will not take effect.

Or just do an iisreset from PS

Damo
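Added here as an example (not part of the question or answer): a script for the Exchange Management Shell that lists every hostname Autodiscover can hand to Outlook, checks each one against the SAN list of the installed certificate, and then recycles the Autodiscover app pool so that a corrected URL takes effect. The server name, thumbprint and app pool name are assumptions to replace with your own.

```powershell
# Added example, not code from the original post. Assumes Exchange 2013 with the
# Exchange Management Shell and the WebAdministration module on the CAS server.
$Server     = 'EXCHANGEVAULT'        # placeholder: your Client Access server
$Thumbprint = '<CERT-THUMBPRINT>'    # placeholder: thumbprint of the purchased cert

# 1. The names the certificate is actually valid for (its SAN entries).
$cert       = Get-ExchangeCertificate -Thumbprint $Thumbprint
$validNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# 2. Every URL/hostname Outlook may be given by Autodiscover. Any hostname here
#    that is missing from $validNames produces the "name on the security
#    certificate is invalid or does not match" alert in Outlook.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $Server) +
                @(Get-OabVirtualDirectory        -Server $Server) +
                @(Get-EcpVirtualDirectory        -Server $Server) +
                @(Get-OwaVirtualDirectory        -Server $Server) +
                @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$hosts = @(Get-OutlookAnywhere -Server $Server |
           ForEach-Object { "$($_.InternalHostname)", "$($_.ExternalHostname)" })
$hosts += $urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host }
$hosts  = $hosts | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 3. A SAN covers a hostname if it matches exactly, or is a wildcard for
#    exactly one label (*.example.com covers mail.example.com only).
function Test-NameCovered([string]$Name, [string[]]$San) {
    foreach ($s in $San) {
        if ($s -eq $Name) { return $true }
        if ($s.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Split('.', 2)[1] -eq $s.Substring(2)) { return $true }
    }
    return $false
}
foreach ($h in $hosts) {
    $state = if (Test-NameCovered $h $validNames) { 'OK' } else { 'NOT IN CERT' }
    '{0,-55} {1}' -f $h, $state
}

# 4. URL changes only reach clients once the worker process is recycled
#    (the answer's iisreset does the same for every pool at once).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'   # assumed pool name
```

Any line reported as NOT IN CERT must be changed to a name that is in the certificate (as the question did for the internal Autodiscover URI), since trusting the certificate's issuer cannot fix a name mismatch.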