Exchange Server Compatibility Information

  Exchange Server Version   Compatibility
  5.5                       No
  2000                      No
  2003                      No
  2007                      Yes

Exchange 2007 Single Name SSL Certificate

Author: Simon Butler, Exchange MVP, MCSE
Last Page Review: 02/02/2010

Exchange 2007 relies heavily on web services, and it uses SSL certificates to secure them. By default, the Exchange 2007 installation generates a self-signed SSL certificate for you. However, that certificate is not trusted outside of the network, so it will generate certificate prompts when used with OWA and similar services from outside.
Therefore, to ensure that you do not get any certificate prompts, you need to replace the SSL certificate with a commercially trusted SSL certificate.

Ideally, you should be deploying a SAN (Subject Alternative Name) or UC (Unified Communications) certificate. These contain the additional names that you need to use with Exchange 2007, including the server's real internal name, the name used for OWA and autodiscover.example.com. The process to deploy the preferred certificate type can be found on the author's blog: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

However for various reasons, including the cost or investment in an existing SSL certificate, you may not wish to purchase an additional certificate.
Therefore using a single name certificate is an attractive option, particularly when you can get a new certificate from sources such as GoDaddy (https://CertificatesForExchange.com) for US$30/year.
However until a change introduced by Microsoft with Outlook 2007 SP1, using a single name certificate involved multiple certificates and multiple sites. The author wrote a blog posting on this method (http://blog.sembee.co.uk/archive/2007/01/21/34.aspx). With the introduction of Windows 2008, and Microsoft stating that Outlook Anywhere outside of the Default Web Site is not a supported configuration, this method became redundant.

However configuring Exchange to use a single name certificate can be complicated, and this guide will show you what you need to do.

Unified Messaging

If you are using Unified Messaging then you cannot use this process for the UM role. UM requires that the server's real name is located in the SAN certificate. With a single name certificate you will find that you are unable to enable the certificate for the UM role. Therefore you will have to change the certificate to a UC/SAN type certificate with the required names in it.

Requirements

  • Exchange 2007 SP1
  • Outlook 2007 SP1 - This is a HARD requirement, as the settings used were introduced in the Service Pack.
  • SRV record support at your external DNS host - again this is a HARD requirement and you should not start on these changes unless you can set these types of records.
    If you do not have SRV support at your external DNS host then you should not make these changes. It does rely on the SRV records to work correctly.
    You have two options.
    1. Transfer to another domain name service provider that supports SRV records, such as GoDaddy (https://CertificatesForExchange.com).
    2. Purchase a SAN certificate, which contains the additional names required.

  • Commercial SSL certificate
    If you need to purchase a single name SSL certificate then you can do so from https://CertificatesForExchange.com. However, if you already have a regular SSL certificate - perhaps from an Exchange 2003 deployment - then that certificate can be used; that is who this article is aimed at.

Initial Configuration - for Internal Operation

The first thing to do is get it working internally. There are a number of reasons for this, the main one being that the entire environment is under your control and can be checked thoroughly as you go along.

  1. Set up Split DNS
    You need to set up a split DNS system so that the external name on the certificate resolves internally to the internal IP address of the Exchange server.
    For example, if your certificate was issued to mail.example.net and your Exchange server is on 192.168.11.2, then you need to ensure that mail.example.net resolves internally to 192.168.11.2. To ensure that DNS works correctly for the whole zone, you may have to add further entries - for example "www" so that www.example.net still resolves. Refer to our split DNS instructions: Split DNS (see References).
     
  2. Autodiscover DNS settings.
    You need to make some additional settings in the internal DNS zone.
    1. Remove any existing entries for autodiscover from the DNS zone.
    2. In the DNS zone, right click on the Zone and choose "Other New Records". Choose "Service Location (SRV)".
       Fig 1: Select Resource Record Type

    3. Remove the field that comes up by default (_finger) and replace it with _autodiscover. For the protocol choose _tcp (which should be the default). Leave priority and weight as the default (0) and set the port as 443.
       Finally set the host as mail.example.net

       Fig 2: New Resource Record

       Do not think that you can use another port. As with Outlook Anywhere, Outlook is hard coded to use port 443 for this. Using another port does not enhance your network security, as you do not get security by obscurity.

  3. Certificate Settings in Exchange 2007.
    You need to ensure that your external certificate is imported in to Exchange correctly, so that it is used for all services.
    This section will impact on the users and could also impact on email delivery, therefore it should be done out of hours.

    If you haven't already, get your certificate from your preferred supplier and import it in to IIS. Ensure that it works using OWA without any prompts for certificate errors.
    If you are going to use Windows Mobile devices for Exchange ActiveSync then test against those as well, using the Windows Mobile emulator.

    While you can use EMS for the changes, we recommend (and these instructions use) the open source tool PowerGui (http://www.powergui.org/), as it makes things much easier for you: certificate work in EMS requires the certificate thumbprint, which is a pain to work with.

    After installing PowerGui, open it up and expand Exchange 2007 and then Certificates. You will probably see two certificates - the self-generated certificate that was created during the installation and the certificate that you have imported through IIS.

    Right click on the new certificate and choose Actions, then Enable. In the next window, leave everything as it is, but find "Services". Select SMTP and then choose Ok. You will get a prompt about overwriting the certificate. Choose Yes.
    Repeat for the other services.
     
  4. URL Adjustment
    After setting the certificate in Exchange, you need to adjust the URLs to match. These are in a number of places.
     
    • Client Receive Connector
      Adjust the CLIENT Receive Connector in Server Configuration, Hub Transport. Change the FQDN to match your external certificate - using the example above, mail.example.net. DO NOT change the Default Receive Connector.

      Fig 3: Client Receive Connector Properties
    • Client Access URLs

      The next thing to change is the client access URLs. These are what autodiscover gives to the clients, and also what is sent to the client web browser when access is made through the wrong server.

      On servers where you have a single server holding all of the roles, set both the internal and external name to the external SSL certificate name - so replace host.domain.local with mail.example.net. Do take care to leave the rest of the URL as shown.

      Fig 4: Properties of the OWA Virtual Directory
      Fig 5: Properties of the Microsoft Server ActiveSync Virtual Directory
      Fig 6: Properties of the OAB Virtual Directory

      If you look at POP3 and IMAP in the Client Access area, you should find that the certificate has already been set to your external certificate name - courtesy of the certificate settings above that you changed in PowerGui.

      Fig 7: IMAP 4 Properties (Identical to POP3 Properties)

       
    • Autodiscover URL
      If you are using a single server, then the following commands can be used:



      However if you are using multiple servers, then you need to set the commands as follows:
      Replace "CAS-Server" with the real name of the server that holds the CAS role.


       
    • Web Services URL
      As with Autodiscover, if you are using a single server then the following commands can be used:



      However if you are using multiple servers, then you need to set the commands as follows:
      Replace "CAS-Server" with the real name of the server that holds the CAS role.


       
    • Outlook Anywhere URL.
      Right click on the Client Access Server and choose Properties. Click on the tab Outlook Anywhere and adjust the URL to match the external name on the SSL certificate.
       
  5. Cycle the Exchange Services
    After making the changes, cycle the Exchange services to ensure that the changes are live.

Script for the Above

Using the power of PowerShell, the above changes can be easily scripted.
Copy the text below into a new Notepad document and modify the two lines at the top - remember to leave the " in place. Then save it with a file name ending in .ps1 - for example URLs.ps1 - on the Exchange server itself.
Then use PowerShell to run it. The easiest way is to CD to the directory and then type the start of the file name followed by Tab; PowerShell will recognise the script.
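The page's own script is not reproduced here, so the following is an added example (not the author's URLs.ps1) of what a script for steps 3 to 5 looks like in the Exchange Management Shell; "CAS-Server" and mail.example.net are placeholders to edit, and the Set-OutlookProvider line also covers the MSSTD URL section further down.

```powershell
# Added example, not the page's own script. Run in the Exchange Management
# Shell on the Exchange server. Edit the two lines below; leave the quotes.
$Server = "CAS-Server"          # real name of the server holding the CAS role
$Name   = "mail.example.net"    # the single name on the commercial certificate

# Step 3: enable the commercial certificate for every service, finding it by
# its subject so the thumbprint never has to be typed by hand. Answer Yes to
# the prompt about overwriting the default SMTP certificate.
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*CN=$Name*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Name is installed on this server" }
"Enabling " + $cert.Thumbprint + " (expires " + $cert.NotAfter + ")"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# Step 4: FQDN on the CLIENT receive connector only; the Default connector is left alone.
Set-ReceiveConnector -Identity "$Server\Client $Server" -Fqdn $Name

# Step 4: internal and external URLs of the virtual directories. Only the host
# part changes; the path of each URL stays as Exchange set it.
$base = "https://$Name"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $Name
# The MSSTD value Outlook Anywhere checks the certificate principal name against.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$Name"

# Step 5: cycle the services so the changes are live. POP3 and IMAP4 are only
# restarted if they are actually running (they are disabled by default).
Restart-Service MSExchangeTransport
Get-Service MSExchangePOP3, MSExchangeIMAP4 | Where-Object { $_.Status -eq "Running" } | Restart-Service
iisreset
```

If you have separate CAS and Hub Transport servers, run the Set-ReceiveConnector line with the Hub Transport server's name and the rest with the CAS server's name.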

Testing

To test the configuration, use Outlook 2007 on a workstation.
Start Outlook 2007 and wait for it to connect.

Then hold down CTRL and right click on the Outlook icon in the system tray next to your clock. Choose "Test Email AutoConfiguration…" Then select the option to test the configuration.
Should you have everything configured correctly, then all of the URLs should appear as your external certificate name and you do not get any certificate prompts.

MSSTD URL

If the URL for Outlook Anywhere under MSSTD is not correct, then you may have to set that manually.
To do that, use the following command in EMS:


 

External Configuration

For this method to work externally, you need to make the following changes:

  • Open port 443 on the firewall.
    This is the only port that is required for Exchange web based services. You do not need to open any other ports - certainly not 80 or anything in the 6xxx range that you may have read elsewhere.
    For Exchange to operate fully it only requires two, at most three ports to be open - 443 (https), 25 (SMTP), 587 (legacy TLS/SSL port).
    You only need to open port 110 (POP3) and 143 (IMAP) if you are supporting those protocols.
  • Add SRV DNS records to the external DNS configuration.
    You should have already confirmed that this is a supported configuration from your domain name management service. If it is not, then you will be unable to use this method until you transfer to a domain name management service that does. 
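To confirm the external side before pointing Outlook 2007 at it, the following added check script (not from the page) can be run from a workstation outside the network; it verifies the external SRV record, that port 443 reaches the server, and that the certificate presented carries the single name rather than the installer's self-generated one. example.net and mail.example.net are the page's placeholder names.

```powershell
# Added example, not from the page: run OUTSIDE the network to check the three
# things the single name method depends on externally. $Domain and $Name are
# placeholders; replace them with your own values.
$Domain = "example.net"
$Name   = "mail.example.net"
$ok = $true

# 1. External SRV record (nslookup is used because Resolve-DnsName is not in PowerShell 2.0).
$srv = nslookup -type=SRV "_autodiscover._tcp.$Domain" 2>&1 | Out-String
if ($srv -match "port\s*=\s*443" -and $srv -match "svr hostname\s*=\s*$([regex]::Escape($Name))") {
    "SRV record OK: _autodiscover._tcp.$Domain -> $Name port 443"
} else { $ok = $false; Write-Warning "SRV record missing or wrong:`n$srv" }

# 2. Port 443 open on the firewall and forwarded to the Exchange server.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($Name, 443); "TCP 443 OK" }
catch { Write-Warning "Cannot reach $Name on port 443: $($_.Exception.Message)"; return }

# 3. The certificate presented must carry the single name. The validation
#    callback accepts anything so a mismatch is reported instead of thrown.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($Name)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Presented certificate: $cn, issued by $($cert.Issuer), expires $($cert.NotAfter)"
if ($cn -ne $Name) { $ok = $false; Write-Warning "Name mismatch: Outlook will show a certificate prompt" }
if ($cert.Subject -eq $cert.Issuer) { $ok = $false; Write-Warning "Self-signed: the commercial certificate is not enabled for IIS" }
if ($cert.NotAfter -lt (Get-Date)) { $ok = $false; Write-Warning "Certificate has expired" }
$ssl.Close(); $tcp.Close()

# 4. Autodiscover endpoint: an unauthenticated GET should come back as HTTP 401,
#    which is the challenge Outlook expects before it sends credentials.
try { $status = [int][System.Net.WebRequest]::Create("https://$Name/Autodiscover/Autodiscover.xml").GetResponse().StatusCode }
catch [System.Net.WebException] { $status = [int]$_.Exception.Response.StatusCode }
"Autodiscover URL returned HTTP $status"
if ($ok -and $status -eq 401) { "External configuration looks correct" }
```

A status of 0 in the last step means the HTTPS request itself failed, which usually points back to a name mismatch or an untrusted certificate reported in step 3.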

References

Elsewhere on this site

Split DNS: http://www.amset.info/netadmin/split-dns.asp

Author's Blog

Deploying a Unified Communications Certificate: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
Unified Messaging Requires the Server Name in the SSL Certificate: http://blog.sembee.co.uk/archive/2008/06/02/79.aspx

Third Party Sites

Certificate Supplier: https://CertificatesForExchange.com

PowerGui: http://www.powergui.org/

Microsoft Knowledgebase

Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726

A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881

Requires Outlook 2007 SP1 or higher, or this rollup: http://support.microsoft.com/kb/939184/ (June 27th 2007)
