Hello experts

I've been asked to get involved with a client's Exchange server in a bit of an unusual setup. The client has Outlook Web Access from outside the network on SSL from a static IP. Their domain name and mail are actually hosted by an external provider, and their Exchange server downloads the mail via POP only, which works effectively for them, and they have no interest in changing. My issue is that I'm trying to set up email on devices like Win7 phones or iPhones across the SSL port using ActiveSync and getting certificate errors. I can install the certificate manually, but the self-signed one was issued during the installation of the server (SBS 2003) and has the company's actual domain name in the certificate, which is controlled by an external hosting company. So when accessing via https://x.x.x.x/exchange, even when I install the certificate it's unrecognised due to the IP over the domain name being used. My question is: how can I update or change the self-issued certificate so it includes the fixed IP the client uses from the outside? Any help is greatly appreciated.

asked 07/30/2011 09:01

Porka ♦♦

3 Answers:
Short answer: certificates don't support IP addresses and the server was set up incorrectly. The proper way to set up the scenario you desire (SBS or otherwise) is to pick a new servername.

So, for example, the company's domain name is "" can point to an external server. can point to an external server. An MX record can exist that points to so that mail gets delivered to the hosted server. Exchange will pop mail from that server. All of this works well, and is your current setup.

Now, all you need to do is create a new A record with your hosted DNS...let's call it (for SBS, the default is actually, but I digress.)  You can set up the A record so points to the external IP address of the ISP where SBS sits. Since the MX record is still using and that is unchanged, this doesn't break mail flow *at all.*

Then you can issue a self-signed cert that will work as expected. Or, even better, for about the cost of a pint of good beer in most cities, you can purchase an inexpensive SSL cert and install it on the SBS server. Then you don't even have to import the self-signed cert into any devices, computers or anything else, and no warnings pop up for users. The cost of the cert will pay for itself after about 2 to 3 phones or computers.

cgaliher


Thanks for the quick response, Cliff. So if I were to organise a new A record that was say and pointed it to the static IP for the webserver at the office we are using now, with the certificate being recreated, how do I tell it the server is also known as and not its internal server and domain name?
Porka


If you rerun the "configure email and internet connection wizard" (CEICW), it allows you to specify the name on the certificate.
cgaliher
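
The name mismatch discussed in this thread, as an added example that is not part of the original posts: a Python version of the check a TLS client makes between the host in the URL and the names in the certificate, run over two constructed certificates shaped like the dict returned by `ssl.getpeercert()`. The names `example.com` and `remote.example.com` and the address `203.0.113.10` are placeholders, and the common-name fallback is an assumption that models older clients.

```python
import ipaddress

# Constructed samples, shaped like ssl.getpeercert() output (placeholder names).
OLD_CERT = {"subject": ((("commonName", "example.com"),),)}   # company domain only
NEW_CERT = {"subject": ((("commonName", "remote.example.com"),),),
            "subjectAltName": (("DNS", "remote.example.com"),)}

def names_in_cert(cert):
    """Return (dns_names, ip_addresses) that the certificate vouches for."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # Assumption: legacy fallback to the subject CN when no SAN is present.
        for rdn in cert.get("subject", ()):
            dns += [v.lower() for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or one leftmost '*' label standing for exactly one label."""
    p = pattern.split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_target(cert, target):
    """Return (ok, names): does the URL host `target` match the certificate?"""
    dns, ips = names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is only compared with IP entries, never with DNS names.
        ok = addr in ips
    else:
        ok = any(dns_match(p, target) for p in dns)
    return ok, dns + [str(i) for i in ips]

if __name__ == "__main__":
    for cert, label in ((OLD_CERT, "old"), (NEW_CERT, "new")):
        for target in ("203.0.113.10", "remote.example.com"):
            print(label, target, check_target(cert, target))
```

Importing a self-signed certificate into a device only makes the issuer trusted; the host comparison above still runs, so the URL must use a name the certificate lists.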


Seen: 295 times

Last updated: 08/06/2011 03:12