Hello experts

I've been asked to get involved with a client's Exchange server in a bit of an unusual setup. The client has Outlook Web Access from outside the network on SSL from a static IP. Their domain name and mail are actually hosted by an external provider and their Exchange server downloads the mail via POP only, which works effectively for them and they have no interest in changing. My issue is that I'm trying to set up email on devices like Win7 phones or iPhones across the SSL port using ActiveSync and getting certificate errors. I can install the certificate manually, but the self-signed one was issued during the installation of the server (SBS 2003) and has the company's actual domain name in the certificate, which is controlled by an external hosting company. So when accessing via https://x.x.x.x/exchange, even when I install the certificate it's unrecognised due to the IP over the domain name being used. My question is: how can I update or change the self-issued certificate so it includes the fixed IP the client uses from the outside? Any help is greatly appreciated.

asked 07/30/2011 09:01

Porka ♦♦


3 Answers:
Short answer: certificates don't support IP addresses and the server was set up incorrectly. The proper way to set up the scenario you desire (SBS or otherwise) is to pick a new servername.

So, for example, the company's domain name is "mydomain.com."  www.mydomain.com can point to an external server. mail.mydomain.com can point to an external server. An MX record can exist that points to mail.mydomain.com so that mail gets delivered to the hosted server. Exchange will pop mail from that server. All of this works well, and is your current setup.

Now, all you need to do is create a new A record with your hosted DNS...let's call it office.mydomain.com (for SBS, the default is actually remote.mydomain.com, but I digress.)  You can set up the A record so office.mydomain.com points to the external IP address of the ISP where SBS sits. Since the MX record is still using mail.mydomain.com and that is unchanged, this doesn't break mail flow *at all.*

Then you can issue a self-signed cert that will work as expected. Or, even better, for about the cost of a pint of good beer in most cities, you can purchase an inexpensive SSL cert and install it on the SBS server. Then you don't even have to import the self-signed cert into any devices, computers or anything else, and no warnings pop up for users. The cost of the cert will pay for itself after about 2 to 3 phones or computers.

-Cliff
cgaliher

Thanks for the quick response, Cliff. So if I were to organise a new A record that was, say, webmail.mycompany.com and pointed it to the static IP for the webserver at the office we are using now, with the certificate being recreated, how do I tell it the server is also known as webmail.mycompany.com and not its internal server and domain name?
Porka

If you reopen the "Configure Email and Internet Connection Wizard" (CEICW), it allows you to specify the name on the certificate.
cgaliher

Asked: 07/30/2011 09:01

Seen: 279 times

Last updated: 08/06/2011 03:12