Monday, 20 July 2015 00:00

Reconfigure Internal URLs with Registered Domain - New 3rd Party SSL Certificates Standards


As you are aware, by November 2015 the 3rd party SSL providers will stop supporting internal domain names that you do not own publicly. For example, if you use domain.local as your internal domain, be aware that the 3rd party CAs will stop issuing certificates containing such internal names with effect from November 2015. In simple words, you can only get SSL certificates for domains you own publicly, as each domain name included in the SSL certificate has to be validated against domain ownership.

Ref: https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf

To avoid a service breakdown, you must either reconfigure the internal service URLs to use a publicly trusted domain, or use an Enterprise CA SSL certificate for the internal service URLs.

The latter configuration, in my opinion, is a bit more complicated because it leads you to create separate traffic rules for internal and external messaging clients. So I suggest you create a split DNS internally and reconfigure the Exchange internal URLs with the publicly trusted domain, to ensure a smooth transition during this phase-out period. Reconfiguring the internal URLs with a publicly trusted domain can also reduce the number of SANs used in your SSL certificate.

This article focuses specifically on the areas you need to keep an eye on when reconfiguring the internal service URLs of Exchange 2010; the same steps can also be used to reconfigure Exchange Server 2007 and 2013.

The following services are to be reconfigured to bring them in line with the new SSL standards:

  1. Autodiscover
  2. EWS (Exchange Web Services)
  3. OAB (Offline AddressBook)
  4. OWA and ECP (Exchange Control Panel and Outlook Web Access)
  5. Outlook Anywhere
  6. Exchange ActiveSync

Before you proceed, please ensure that you have completed all prerequisites for the split DNS configuration, because once you reconfigure the URLs the traffic will be directed to the publicly trusted domain. Without split DNS, clients will fall back to external lookups to find the services.

The commands to reconfigure the above services, in the same order:

Note: My external domain for this exercise is exchangedictionary.com. Please replace it with your externally trusted domain. I assume that you already have the external URLs set with the externally trusted domain.

# 1. Autodiscover (published per Client Access Server, not per virtual directory)
Set-ClientAccessServer -Identity EXH1 -AutoDiscoverServiceInternalUri "https://autodiscover.exchangedictionary.com/Autodiscover/Autodiscover.xml"

# 2. EWS (Exchange Web Services)
Set-WebServicesVirtualDirectory -Identity "EXH1\EWS (Default Web Site)" -InternalUrl "https://email.exchangedictionary.com/ews/exchange.asmx"

# 3. OAB (Offline Address Book)
Set-OabVirtualDirectory -Identity "EXH1\OAB (Default Web Site)" -InternalUrl "http://email.exchangedictionary.com/OAB"

# 4. OWA and ECP
Set-OwaVirtualDirectory -Identity "EXH1\owa (Default Web Site)" -InternalUrl "https://email.exchangedictionary.com/owa"

Set-EcpVirtualDirectory -Identity "EXH1\ecp (Default Web Site)" -InternalUrl "https://email.exchangedictionary.com/ecp"

# 6. Exchange ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "EXH1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://email.exchangedictionary.com/Microsoft-Server-ActiveSync"

Additional information:

  • Usually an IIS reset would apply these changes to the infrastructure; however, I had to restart a few servers (not all) to replicate the changes to clients.
  • You may use Fiddler to inspect the client traffic and ensure that no host-name-specific URLs are being requested.
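As an added example (not part of the original post), the following Exchange Management Shell script audits the result of the reconfiguration: it reads back each internal URL set above, checks that its host name is under the public domain, and checks that the host name is covered by a name on the certificate assigned to IIS. It assumes the server name EXH1 and the domain exchangedictionary.com used above; adjust both for your environment.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010 cmdlets). Assumed values: server EXH1, public domain
# exchangedictionary.com, both taken from the commands above.
$Server       = 'EXH1'
$PublicDomain = 'exchangedictionary.com'

# Service name / internal URL pairs, read back from the same objects the post reconfigures
$checks = @(
    @('Autodiscover', (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri),
    @('EWS',  (Get-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)").InternalUrl),
    @('OAB',  (Get-OabVirtualDirectory        -Identity "$Server\OAB (Default Web Site)").InternalUrl),
    @('OWA',  (Get-OwaVirtualDirectory        -Identity "$Server\owa (Default Web Site)").InternalUrl),
    @('ECP',  (Get-EcpVirtualDirectory        -Identity "$Server\ecp (Default Web Site)").InternalUrl),
    @('ActiveSync', (Get-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl)
)

# Subject/SAN names on the certificate that is actually bound to the IIS service
$certNames = @()
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    ForEach-Object { foreach ($d in $_.CertificateDomains) { $certNames += $d.ToString().ToLower() } }

function Test-NameOnCertificate([string]$Name) {
    # Exact SAN match, or a wildcard (*.example.com) covering exactly one extra label
    foreach ($n in $certNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and ($Name -like $n) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($c in $checks) {
    $svc = $c[0]; $url = $c[1]
    if (-not $url) { Write-Warning "$svc : no internal URL set"; continue }
    $hostName = ([uri]$url).Host.ToLower()
    $problems = @()
    # Host must sit under the registered domain, otherwise a public CA will not issue for it
    if (-not $hostName.EndsWith(".$PublicDomain")) { $problems += 'host not under public domain' }
    # Host must be present on the IIS certificate, or clients will see a name mismatch
    if (-not (Test-NameOnCertificate $hostName))  { $problems += 'host not on IIS certificate' }
    # Plain HTTP URLs are not protected by the certificate at all
    if ($url.ToString() -like 'http://*')          { $problems += 'plain HTTP (certificate unused)' }
    if ($problems.Count -eq 0) { $status = 'OK' } else { $status = $problems -join '; ' }
    '{0,-12} {1,-70} {2}' -f $svc, $url, $status
}
```

Any line that is not OK points at a URL that will still break, or still rely on an internal name, once the CA stops issuing for them.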

Reference URLs:

https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf

https://www.digicert.com/internal-names.htm

https://www.digicert.com/internal-domain-name-tool.htm

-Praveen
