exchange.sembee.info
from Sembee Ltd.
UK MS Exchange Consultants
Exchange 2007 - SSL Certificate Installation on SBS 2008

SSL Certificates on SBS 2008 can be very frustrating. This is due to some design decisions made by Microsoft.

A version of this article originally appeared on our director's blog.

The major issue is that Microsoft presumes that your external DNS provider supports SRV records, which many don't. The intention is to save SBS owners money by letting them use a single name certificate, but unless you want to change your external DNS provider, you have to use the multiple name method.

SRV records are one of the methods that Outlook 2007 and higher can use for autodiscover. Autodiscover is also connected to the availability service. This means that if you are using Outlook Anywhere without autodiscover working correctly, the client doesn't work as it should.

However, SBS 2008 is designed to be managed with the wizards, and there are a lot of other changes to the Exchange and IIS configuration. Doing a standard Exchange 2007 type SSL certificate installation will almost certainly break things and mean they don't work correctly. Therefore you have to work with the wizard so that everything is put in place as it should be.

Preparation Work

To ensure that you work with the common configuration for SBS 2008, some DNS entries need to be made on the internet facing DNS services (usually your domain name registrar).
Specifically these are

where example.com is your domain after the @ in your email address and the domain entered into SBS during setup.

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to set up a host. Then create a CNAME for each of the above hosts and point them to the dynamic DNS host name. More information on using Exchange with a dynamic IP address is here.

While you can use another host name instead of remote.example.com, everything in SBS seems to be orientated towards that name. Using the preferred name will ensure that everything matches, particularly if you are reading other technical articles from Microsoft. As that name will be the common name on the SSL certificate, use it for the MX records for the domain, and get the ISP to set up the reverse DNS (aka PTR) record to match.

Certificate Request Generation and Response Installation

To generate the request, follow the main Exchange 2007 multiple SSL certificate guide.
However, add the name "Sites" to the list of domains that you include. That makes the full list:

When you get the response back from your provider, continue to follow the guide up to the point about installing the response. DO NOT use the enable-exchangecertificate command.

By using the Exchange Management Shell to do the certificate request, you do not put the current self generated certificate at risk, because the request and response don't touch it. The certificate is only changed later on in the process. Therefore there is no chance of existing users being interrupted.
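
A read-only check that can be run in the Exchange Management Shell once the response is installed and before the wizard is started. This is an added example, not part of the original article or of Microsoft's guide. The $required list and the helper Get-MissingName are assumptions for illustration: only remote.example.com and Sites are names stated in this article, so replace the list with the names from your own request.

```powershell
# Added example: lists every non-self-signed certificate Exchange can see and
# reports which of the requested names it does not carry. It changes nothing.

# Assumption: replace with the full list of names used in the certificate request.
# 'remote.example.com' and 'Sites' are the two names this article states explicitly.
$required = 'remote.example.com', 'Sites'

# Hypothetical helper: returns the entries of $Required that are absent
# from the certificate's domain list.
function Get-MissingName {
    param($Domains, $Required)
    # Stringify the domain entries; -notcontains compares strings
    # case-insensitively by default.
    $have = @($Domains | ForEach-Object { $_.ToString() })
    @($Required | Where-Object { $have -notcontains $_ })
}

Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned } |
    Select-Object Thumbprint, NotAfter, HasPrivateKey, Services,
        @{ Name = 'MissingNames'
           Expression = {
               # @() keeps an empty result as an empty array so Join returns ''.
               [string]::Join(', ',
                   [string[]]@(Get-MissingName $_.CertificateDomains $required))
           } } |
    Format-List
```

The certificate to select in the wizard is the one that shows HasPrivateKey as True and an empty MissingNames value. A name listed under MissingNames means the request has to be reissued with that name included.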

Activating the Certificate

Now this is where things are different to an Exchange 2007 full product installation.

In the SBS Management Console, start the SSL certificate wizard. Select the option to use an existing certificate. Your new multiple name (UC) certificate with the additional names should be listed. Select it and then complete the wizard. SBS will install the certificate into the web sites correctly for you.
You should then be able to browse to https://remote.example.com/remote and use the full feature set.

You can verify the certificate is installed correctly by using the Fix my Network wizard, which shouldn't touch the certificate installation, or by running the SBS Best Practices tool. The link to the current version can be found on the Exchange Resources site at http://exbpa.com/

You can also test it with a test account on the Microsoft test site at https://testexchangeconnectivity.com/


Last Page Update: 15/09/2011



© Sembee Ltd. 1998 - 2011.