Exchange Cert Setup Help!



As some of you may know, I had one SSL cert being shared amongst a variety of different servers/services, which is a no-no.

I have decided to purchase a separate SSL cert from GoDaddy with the wildcard of *.ZZZ.com  and place it on my Exchange Server.

 

I am looking for some input on how I can make the change below without re-configuring the email of all my 200 work stations.

 

We own:

ZZZ.net (GoDaddy)

ZZZ.com (BlueHost)

 

Our network domain:

ZZZ.local

 

Current Exchange Configuration

Internal URL: https://Exchange1.ZZZ.local/owa/

External URL: https://remote.ZZZ.net/owa/

 

With this setup, I am running a GoDaddy SSL cert with the CN=remote.ZZZ.net

After a remote session with my friend SC302 (thanks for your help BTW), we attempted a few things in order to eliminate the security popups for my internal users.

Everything public facing, was working ok, but internally we came up shorthanded with security popups.

 

If I remember correctly, the GoDaddy SSL cert was trying to pass remote.ZZZ.net to my Internal users via the SMTP service. We tried turning off the GoDaddy SSL's SMTP but it just ticked back on after disabling it. We figured that we could just use the Internal Self-Signed SMTP cert to get my internal users working normally. Nope! SMTP service kept re-enabling itself on the GoDaddy SSL cert and the security prompt internally continues to show its ugly face.

 

So this is where I am at right now. I'm planning to purchase a separate SSL cert with the wildcard *.ZZZ.com and reconfigure my Exchange to this.

 

Here are the steps I am taking:

1) Set Forward Lookup Zone in DNS Manager for ZZZ.com

2) Set (A)Record of email.ZZZ.com and point it to the internal IP of my mailserver within this Forward Lookup Zone.

3) Set CName of email.ZZZ.com and point it to the FQDN of my mailserver within this Forward Lookup Zone.

4) Set SRV for _autodiscover within this Forward Lookup Zone. (is it autodiscover or _autodiscover? LOL)

5) Delete old certs

6) Rekey & install the new cert. Only 1 cert will be there.

7) Intranet URL = email.ZZZ.com | Internet = email.ZZZ.com

8) Do I need to do all steps 2,3,4 to get this working or can I eliminate one of the steps?

9) BlueHost End - Setting an (A)Record for email.ZZZ.com & pointing it to my businesses public IP is the only change needed to be done on the BlueHost end?

 

10) Once this is all configured properly, will I need to re-create all my end-user profiles on all 200 of my workstations?

 

Please let me know what steps I can eliminate, what steps I am missing, and it would be sweet if you can answer my other questions marked in red :)

 

Thanks so much!


Just trying to work through the OG hot-mess configurations.

& Hey! You like the challenge + are a great teacher!


My director is obtaining it. Not sure if he already has it or he's doing it later. He wants to do this configuration together on Friday as "bonding time". Our offices are closed, but I guess our schedules are free to work on it. Meh.

He wanted the "action plan" as a guide. Hence I wrote the whole wall of text out asking for a line by line dissection :) He's really concerned about the reconfiguration of 200 workstations. I do appreciate you offering your service of doing it for me, but I must decline and get some type of guide worked out :)


Can you share with me what was in my "action" plan that I don't need? Any additional information would be much appreciated!

 

Yeah you are doing a crap ton of stuff with DNS that you shouldn't even have to touch, also take a look at this for basics of changing out the cert - https://support.godaddy.com/help/category/752/ssl-certificates-certificate-renewal-instructions


But this will require that forward lookup zone you created on my DC earlier, no?

So what records will need to be placed in it? Otherwise, why would you have created that lookup zone?

 

 

Won't have to do 200 workstations. Just the one.

Follow the instructions
https://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010


They don't know your network, so don't include any part of DNS. Just worry about the cert here. Your DNS is fine the way you have outlined. You have an internal .local address. You cannot get an SSL cert from GoDaddy for .local. You can get one for .com; to utilize the .com you will have to have your internal IP resolve for the .com address by adding in a forward zone for the .com and putting in the hosts there. This way your internal and external users will use the GoDaddy cert.

 

Sometimes you do have to do extra work to make things operate properly, this is one of those times.


So all I need is to create 1 single (A) record for "email" pointing at my Exchange internal IP under the ZZZ.com Forward Lookup Zone in DNS Manager.

I can skip the autodiscover, CNAME, & SRV record?

And I also need to make an (A) record for "email" on BlueHost still to point @ my public IP for external users, right?


Now I am confused, because you just said set this up in your internal DNS. Did you mean in my Forward Lookup Zone of ZZZ.com?

 

According to this snippet of a Microsoft article, it said "external DNS"

 

How to use the new DNS SRV lookup method to locate the Exchange 2007 Autodiscover service

To use the new DNS SRV lookup method in order to locate the Exchange 2007 Autodiscover service, follow these steps.

Note You must create the Autodiscover SRV record in the external DNS zone that matches the right side of your user's SMTP addresses. For example, if a user's primary SMTP address is user@contoso.com, the record must be created in the contoso.com external DNS zone. If you have multiple primary SMTP address domains in your organization, you must create an Autodiscover SRV record in each zone.

  1. In your external DNS zone, remove any HOST (A) or CNAME records for the Autodiscover service.
  2. Use the following parameters to create a new SRV record:
    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: mail.contoso.com

You need to set up both... like I started to when I remoted in. Stick with one problem at a time. Take care of your cert and external DNS. We will come back to internal DNS later. Follow the GoDaddy docs for the cert. You will need to change those TTLs today on your external DNS host; get them as low as they can be.


Right, but I do not know what type of record entries I am supposed to be creating in "external BlueHost DNS?".

I'm reading CNAME in one place, remove A records + CNAME and replace with SRV in another.

I've been trying to get a clarification on this for the last 5 posts or so lol


I don't know what is so difficult about this. BlueHost or BlueRidge or blue whatever hosting your external DNS may not support SRV records (not all DNS providers do).

 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Blue-whatever needs the following, assuming your external address is 1.2.3.4:

xxx.com

mail (A) 1.2.3.4

webmail (A) 1.2.3.4

autodiscover (A) 1.2.3.4

(MX) mail.xxx.com

 

If your DNS provider supports SRV records you can remove the autodiscover A record and make an SRV record for autodiscover.

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Your internal DNS server needs the following, assuming that your internal mail server is at 192.168.1.25:

 

Forward zone

xxx.com

mail (A) 192.168.1.25

webmail (A) 192.168.1.25

_autodiscover (SRV) 192.168.1.25

 

 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

 

I don't know why it is so confusing to you when it is this simple...

 

You may need to add more to the forward zone for other entries on your internal DNS, but this is only for Exchange to get up and running properly. The internal is done due to him having domain.local as his internal DNS and the cert not having domain.local as one of the domains listed (can't happen; GoDaddy and other SSL cert providers are no longer allowing companies to register .local in their certs. If they did, there would be no reason for the forward zone in the local AD DNS servers).
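The internal zone SC302 lists above, plus the Exchange-side change the OP's step 7 describes (pointing the URLs at the name the new cert covers), as an added PowerShell example. This is not code from the thread or from SC302; it assumes the same constructed values (zone xxx.com, mail server at 192.168.1.25, host name mail.xxx.com), a domain controller with the DnsServer module (Windows Server 2012 or later), the Exchange Management Shell for the Exchange cmdlets, and a placeholder thumbprint that you replace with the one Get-ExchangeCertificate shows after importing the GoDaddy cert.

```powershell
# Added example, not from the thread. Split-brain DNS for xxx.com on the
# internal AD DNS server, then Exchange pointed at the name on the new cert.
# Values below are constructed to match SC302's post; adjust to your own.
$Zone     = "xxx.com"        # public domain the GoDaddy cert is issued for
$MailIP   = "192.168.1.25"   # internal address of the Exchange server
$MailFqdn = "mail.$Zone"

# 1. Internal forward lookup zone, AD-integrated so every DC answers for it.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}

# 2. A records: the same names external users resolve, but to the internal IP.
foreach ($name in "mail", "webmail") {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $MailIP
}

# 3. SRV record for Autodiscover. An SRV target is a host name, not an IP,
#    so it points at mail.xxx.com, which the A record above resolves.
Add-DnsServerResourceRecord -ZoneName $Zone -Srv -Name "_autodiscover._tcp" `
    -DomainName $MailFqdn -Priority 0 -Weight 0 -Port 443

# 4. Verify from a domain-joined client.
Resolve-DnsName -Name $MailFqdn -Type A
Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV

# 5. Exchange Management Shell: bind the new cert to IIS/SMTP and move the
#    client-facing URLs to the covered name. Thumbprint is a placeholder.
$Thumb = "<THUMBPRINT-FROM-Get-ExchangeCertificate>"
Enable-ExchangeCertificate -Thumbprint $Thumb -Services IIS,SMTP
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -InternalUrl "https://$MailFqdn/owa" -ExternalUrl "https://$MailFqdn/owa"
# Domain-joined Outlook finds Autodiscover through this URI, which is why
# the change is made once on the server rather than on every workstation.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$MailFqdn/Autodiscover/Autodiscover.xml"

# 6. Confirm the name the server presents matches what clients will ask for.
#    The { $true } callback only disables validation for this inspection.
$tcp = New-Object Net.Sockets.TcpClient($MailFqdn, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($MailFqdn)
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$cert.Subject
$cert.DnsNameList      # SAN entries as PowerShell exposes them
$ssl.Dispose(); $tcp.Close()
```

Step 6 is the check that would have caught the original problem: internal clients were offered a cert whose names (remote.ZZZ.net) did not match the name they connected to (Exchange1.ZZZ.local), and that mismatch is exactly what the security popup reports. After the zone and URL changes, every name a client uses should appear in the DnsNameList output.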


There you go! That is what I was looking for!

 

I almost had an autodiscover (A), autodiscover (CNAME), and autodiscover (SRV) all listed under the same external zone.

With your post you cleared it up that I should only have the autodiscover (A) in the BlueWhaleBrige zone.

 

Anyway, I am excited. All of the entries are in place. All that's left to do now is to remove the old cert and import the new :) :) :)

 

Thanks again. :)
