Problem SBS2008 and SSL Certificates

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Issue:

I bought a Verisign SSL (30 day free trial) with a single name. I put it into the wizard and confirmed that all Web Applications worked fine via SSL, as did outlook anywhere (via autodiscover and manually). All is well so far.

Problem was that internal users connecting to exchange via servername.domain.local then got a certificate error every time they started outlook.

The work around for that was to use EMS to change the internal URLs to the External. This removed the certificate error but then internal users got the Password prompt on starting outlook just like Outlook Anywhere users do.

My question is this:

The certificate wizard created the request and therefore only included the external address, to my knowledge I would have to create a SAN certificate with both Internal and External addresses but if I did this, I wouldn't be able to use the wizard to import it and as any users of SBS 2008 know, it's always best to try and use the wizards.

So what do I need to do? use the wizard, generate the request, send to Verisign (for example) and ask them to create a SAN certificate with the internal name as well? or am I being completely stupid and missing something.

Either way, it is completely unacceptable for a certificate error or a password prompt for internal users.

Also, has any one noticed that when you do import using the wizard, it adds the 443 binding to the Default Web Site which means it cannot start because Web Applications is using the ports? is this an oversight by Microsoft or are you supposed to install any internal web sites into the Web Applications section?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

The wonders off SBS mate.

Use EMS to create the SAN certificate and you will be golden, the easy way is to use Digi Cert URL hear https://www.digicert.com/easy-csr/exchange2007.htm

 

It all depends on the certificate vendor as well, ours for instance allows us to manually add SANs during the certificate creation process. With SBS2008 and ergo Exchange 2007 you'll want the common name for external access, default is remote.externaldomainname and for the SANs we use the following additional four: Internal and External Autodiscover records, Internal DNS FQDN of server and to fill the fourth the netbios name for legacy stuff.

As an example, say our external domain is shadow.com, our internal domain is shadow.local and our server is called SBS, you'd want

CN: remote.shadow.com (if you are using the default)
SAN: autodiscover.shadow.com
SAN: autodiscover.shadow.local
SAN: sbs.shadow.local
SAN: sbs