
Exchange 2007 and Outlook 2007 using SSL


  • Exchange 2007 and Outlook 2007 using SSL

    I'm in the midst of migrating from Exchange 2003 to Exchange 2007. Everything was working until I discovered today that Outlook 07 uses an SSL path to talk to Exchange 07.

    The reason that's a problem is this:

    Externally I contact my Exchange 07 box (via ISA) as "mail.nei-ky.com" for Outlook Web Access and iPhone/Smartphone Exchange Active Sync. Internally I refer to this machine as "shale.nei.local".

    With Exchange 2003, this wasn't a problem. But now it is. You see I purchased a GoDaddy EV SSL cert for the external communication and got that path working first. I have that certificate installed on the ISA box and the Exchange server's IIS default web site. This path is working fine.

    When I moved my mailbox to the Exchange 07 server today and fired up Outlook for the first time afterwards, the problem smacked me in the face - Outlook established an SSL connection to the Exchange 07 machine and screamed about the common name being different than the DNS name.

    For me this isn't a major problem, because I can simply say "go away" and Outlook goes on and works. But my users will not tolerate that for long.

    So, good people, what can I do now?

    I didn't know about UCC certs until today and I'm not sure that I can convert to one now. Is that really my only salvation? Can I get by with another cert for the internal stuff (Outlook to Exchange and ISA to Exchange)?

    Anyone have another, easy/quicker, solution?
    --

    ScatterBrain

    "I reject your reality and substitute my own!"
    -- The Mythbusters

  • #2
    Re: Exchange 2007 and Outlook 2007 using SSL

    Create an appropriately named certificate and bind it to the internal server instead of the GoDaddy one, if that makes sense?

    We're about to do something similar.

    Internal: uses exchange.company.LAN. This certificate is bound to the secure site on the Exchange client access server.

    External: uses exchange.company.com. This certificate is bound to the secure listener on the ISA server. The ISA server then talks _in clear text_ to the Exchange server. I'm sure someone could tell me that this is a bad idea and why, but for us, it works OK.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Exchange 2007 and Outlook 2007 using SSL

      Exchange is designed to be used with a SAN/UC certificate, not a standard SSL certificate. The UC certificate then contains the various names that Exchange and Outlook will use - that includes the server's real name, FQDN, autodiscover.example.com and your preferred common name.

      While it is possible to use a single name SSL certificate, Exchange has to be reconfigured. You will also need a split DNS system so that the external name on the certificate resolves internally.

      On Exchange 2003 SSL was really only used for OWA and RPC over HTTPS, and worked with standard certificates. Exchange 2007 uses SSL throughout the product, you cannot avoid it, but to ensure everything works internally and externally it uses multiple names.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: Exchange 2007 and Outlook 2007 using SSL

        Originally posted by Sembee
        Exchange 2007 uses SSL throughout the product, you cannot avoid it, but to ensure everything works internally and externally it uses multiple names.

        Simon.

        This is what I've discovered. I actually purchased a UC certificate from GoDaddy this morning and have everything working now.

        Thanks for the help guys.
        --

        ScatterBrain

        "I reject your reality and substitute my own!"
        -- The Mythbusters
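
The name coverage described in reply #3, as an added example that is not part of the original thread: it checks which names clients use are missing from a certificate's name list, the condition that triggers Outlook's mismatch warning. All host names and the helper functions are constructed placeholders.

```python
# Added example: every host name below is a constructed placeholder.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name the way a TLS client does."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # wildcard must be the whole left-most label and needs two fixed labels after it
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(cert_names, client_names):
    """Return the client-used names that no name on the certificate covers."""
    return [h for h in client_names
            if not any(name_matches(c, h) for c in cert_names)]


# Names clients use to reach the same Exchange server (constructed):
CLIENT_NAMES = [
    "mail.example.com",          # external OWA / ActiveSync name
    "autodiscover.example.com",  # Autodiscover name
    "exch01.example.local",      # internal FQDN
    "exch01",                    # server's short name
]

SINGLE_NAME_CERT = ["mail.example.com"]
WILDCARD_CERT = ["*.example.com"]
UC_CERT = ["mail.example.com", "autodiscover.example.com",
           "exch01.example.local", "exch01"]

if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT),
                         ("UC/SAN", UC_CERT)):
        missing = uncovered(names, CLIENT_NAMES)
        status = "all names covered" if not missing else "mismatch: " + ", ".join(missing)
        print(f"{label:12} {status}")
```
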
