Small Business Susan

SMBKitchen: Getting more confused

Next up are the certs…


http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-EQBEAgAAQACACAEAAQAAAA%7e%7e


(bear with me, this is a work in progress)


I am right now confused as to how to set the autodiscover values to get this to work nicely.  Bear with me while I work through this process.




  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.  In my case it’s https://Exchange/ecp
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New Add Icon.
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
  5. Specify a name for this certificate and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

Click Browse and specify an Exchange 2013 server to store the certificate on. The server you select should be the Internet-facing Exchange 2013 Client Access server.



Click Next. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:


  • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com.
  • If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.

At this point you pick the external URLs from the listing inside the cert wizard… so far so good…



(if you’ve been following along, I’ve switched my domain name to sbs2exchange.com so I can actually have a true domain and purchase an actual SSL cert)


But right here is when I once again scratch my head.



The autodiscover URL value includes both the internal AND the external URL, which in SBS-migrated domains includes .local. SSL cert vendors are phasing out the ability to include .local in an SSL cert request, so I'm not sure how this is going to work with cert vendors.


(right about here, the one I'm getting stuck on is the autodiscover.domain.com entry, which also wants to include autodiscover.internaldomain.local in the SSL cert request)
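An added check (not from the post, and not Microsoft's own tooling) that lists every hostname Exchange 2013 currently advertises to clients, which is what the certificate wizard pulls into the request, and flags any .local or single-label names that a public CA will not sign. It assumes the Exchange Management Shell; the server name EXCHANGE is taken from this post and is the only value to change.

```powershell
# Added example: enumerate the internal/external hostnames Exchange advertises
# and flag the ones a public CA will refuse before the cert request is built.
# Assumes the Exchange Management Shell on an Exchange 2013 server.
$Server = 'EXCHANGE'   # server name from the post; change to yours

$urls = @()
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-OabVirtualDirectory') {
    foreach ($vd in (& $cmd -Server $Server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) {
                $urls += [pscustomobject]@{ Source = "$cmd $prop"; Host = $vd.$prop.Host }
            }
        }
    }
}

# Outlook Anywhere and Autodiscover are not virtual-directory URLs, so read them separately
$oa = Get-OutlookAnywhere -Server $Server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    if ($oa.$prop) {
        $urls += [pscustomobject]@{ Source = "OutlookAnywhere $prop"; Host = "$($oa.$prop)" }
    }
}
$cas = Get-ClientAccessServer -Identity $Server
if ($cas.AutoDiscoverServiceInternalUri) {
    $urls += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'
                                Host   = $cas.AutoDiscoverServiceInternalUri.Host }
}

$urls | Sort-Object Host | Format-Table -AutoSize

# Names a public CA will not put on a certificate: .local suffixes and
# single-label (bare) hostnames. Anything listed here has to be changed to a
# public name (Set-*VirtualDirectory / Set-ClientAccessServer) before requesting.
$bad = $urls | Where-Object { $_.Host -match '\.local$' -or $_.Host -notmatch '\.' }
if ($bad) {
    Write-Warning 'These names must be replaced before requesting a public certificate:'
    $bad | Format-Table -AutoSize
} else {
    'All advertised hostnames are public names.'
}
```

Run it again after changing the URLs; the list is what the New Exchange certificate wizard will offer, so it should contain only names on the public domain.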


We know that up at our DNS provider we need to do this:


http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/


Remember we went up to our DNS provider and added an SRV record



And we add this to the SRV section



As an aside, if you are going to do this over and over again, I highly recommend automating this for the future.


http://jaworskiblog.com/2013/04/13/setting-internal-and-external-urls-in-exchange-2013/ (that's a script to borrow for the future).



I think I need to do Set-ClientAccessServer -Identity NAMEOFMYEXCHANGESERVER -AutoDiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml


In my case it's Set-ClientAccessServer -Identity EXCHANGE -AutoDiscoverServiceInternalUri https://mail.sbs2essentials.com/autodiscover/autodiscover.xml



And if you run this command to see if it worked right: Get-AutoDiscoverVirtualDirectory


The result is blank for the 2013 version while showcasing your old Exchange 2007 entry (geeze, Microsoft, can you make this PowerShell stuff more complicated?)



Instead you need to do Get-ClientAccessServer NAMEOFYOUREXCHANGESERVER | fl *InternalUri*


In my case:


Get-ClientAccessServer EXCHANGE | fl *InternalUri*
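An added verification script (mine, not from the post or from Microsoft) for after the Set-ClientAccessServer change: it checks that the URI Exchange advertises, the public _autodiscover._tcp SRV record from the DNS step above, and the certificate bound to IIS all agree on one public hostname. It assumes the Exchange Management Shell on Windows Server 2012 or later (for Resolve-DnsName); EXCHANGE and sbs2exchange.com are the names from this post, and 8.8.8.8 is just a public resolver used so the internal zone cannot mask the external record.

```powershell
# Added example: confirm the advertised Autodiscover URI, the public SRV record
# and the IIS certificate agree. Assumes Exchange Management Shell + Resolve-DnsName.
$Server = 'EXCHANGE'            # server name from the post
$Domain = 'sbs2exchange.com'    # public domain from the post

$cas = Get-ClientAccessServer -Identity $Server
$uri = $cas.AutoDiscoverServiceInternalUri
if (-not $uri) { throw "AutoDiscoverServiceInternalUri is not set on $Server" }
"Exchange advertises: $uri"

# 1. The published URI must be https on a public name, never a .local name
if ($uri.Scheme -ne 'https' -or $uri.Host -match '\.local$') {
    Write-Warning 'AutoDiscoverServiceInternalUri is not https or is still a .local name'
}

# 2. The external SRV record _autodiscover._tcp.<domain> should target the same
#    host on port 443. Query a public resolver (8.8.8.8, example choice) so the
#    internal DNS zone does not hide what Internet clients actually see.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -Server 8.8.8.8 `
           -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV record found for _autodiscover._tcp.$Domain"
} elseif ($srv.NameTarget.TrimEnd('.') -ne $uri.Host -or $srv.Port -ne 443) {
    Write-Warning "SRV points at $($srv.NameTarget):$($srv.Port) but Exchange advertises $($uri.Host)"
} else {
    "SRV record matches: $($srv.NameTarget):$($srv.Port)"
}

# 3. The certificate assigned to IIS on this server must carry that hostname,
#    otherwise Outlook shows a name-mismatch warning on every connect.
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCerts) {
    Write-Warning "No certificate is assigned to the IIS service on $Server"
} else {
    $match = $iisCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $uri.Host
    }
    if ($match) {
        "Certificate $($match.Thumbprint) covers $($uri.Host), expires $($match.NotAfter)"
    } else {
        Write-Warning "No IIS certificate on $Server includes $($uri.Host)"
    }
}
```

A wildcard certificate (*.sbs2exchange.com) will show as not matching in step 3 because the comparison is exact; treat that as a prompt to check the wildcard covers the host, not as a failure.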



Okay I think that worked…


Okay now let’s go back to where I was and see if what I think should be in the cert IS in the cert request.


Hmm, still isn't. I think this external value shouldn't be what it is… but instead should be my other value.


And I’m not sure if I can just edit that value or what?



And based on this command:


http://exchangeserverpro.com/exchange-2013-test-outlook-web-service/


My autodiscover is failing.


Remember, I'm doing two certs in this process: one will be my RWA remote.domain.com, the other all my Exchange stuff on mail.domain.com.


Okay, so I'm going to post in the partner forum, as I'm really confused right now as to what (and how) I should set this autodiscover value to get it to work right.


Hang loose and bear with me.



2 comments

  • Justin on 02.11.14 at 2:38 am

    Hey Susan

    I’ve been keeping an eye on your progress. Keep it up.

    Have you thought about a single, but multi-name certificate (SAN/UCC)?

    These days I pretty much do two names really.

    remote.domain.com (or whatever you wish to be the primary)
    autodiscover.domain.com

    Then I configure Exchange to basically what is listed here. Not sure how it will work in 2013 though. http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

    Just means you don’t have to worry about 2 separate certificates and 2 separate expiries/renewals.


  • James Feldman on 02.11.14 at 3:43 am

    Hi Susan,

    I think it’s supposed to be AutoDiscover.mail.sbs2exchange.com

    Hope that helps,

    James.