SBS 2008 Outlook Anywhere SSL certificate

Greglsh

Senior Member
Joined
Dec 27, 2009
Messages
840
Hi

Please can somebody throw some light on this. I need to set up an SBS 2008 server and set up 5 laptops to run Outlook Anywhere (HTTPS over RPC in SBS 2003). What I have read is that you now have to buy an SSL certificate for this to work? What we have set up is a dyndns.biz account for the remote guys to get to the dynamic IP, e.g. companyname.dyndns.biz. When you try this the certificate says it does not match bla bla bla. A few people have said to get a GoDaddy SSL certificate. If this is the route you have to take, what name do you put on the certificate: companyname.dyndns.biz, or remote.companyname.co.za, or server.domain.local or server.companyname.co.za? I know this is a lot to ask but I thought maybe somebody has done this and could point me in the right direction.

Many Thanks
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,401
I don't know exactly about RPC over HTTPS, but we recently put in an SSL certificate for Outlook Web Access for my school. Since the server has 2 names, the internal and the external DNS alias in our domain, we bought a Unified Communications SSL cert from Comodo. Basically, it is an SSL cert with multiple domain names in a certain field, that will let you connect to the server inside and out. It is also trusted by browsers and mail clients, whereas the self-signed cert Exchange creates during install is not.

You may want to use Comodo, I've had a good experience with them. Your cert will need servername.localnetwork for internal access, and companyname.dyndns.biz for the other account. There may be an issue though, since in order to issue the SSL cert, Comodo checks your whois record, and if your company doesn't have a domain, it could cause a problem.

The other thing is that the cert must be generated from within the Exchange Command Shell, which I am sure exists on SBS 2008? The commands needed are not too tough, and there are plenty of examples on the internet.
 

Greglsh

Senior Member
Joined
Dec 27, 2009
Messages
840
Hi Asha'man X

Thanks for the reply. When you say we might have a problem because of the whois check, what do they check? From what I have read so far, we will need a certificate with remote.companyname.co.za and companyname.dyndns.biz. Where I have typed the company name, this is an actual registered domain, e.g. if our company name was "labs" we have registered a domain labs.co.za. We would then need labs.dyndns.biz and remote.labs.co.za. Would this work?

Sorry all very confusing at the moment.

Thanks for the help :)
 

TheGuy

Expert Member
Joined
Sep 14, 2009
Messages
2,971
I run Outlook Anywhere on our 2003 domain and all you do is install the Certificate Authority and then generate a self-signed certificate. The only difference is I have to install the certificate on all the PCs that connect with Outlook Anywhere, but it doesn't cost anything. Just google "generate self signed cert sbs 2008".
 

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,401
I run Outlook Anywhere on our 2003 domain and all you do is install the Certificate Authority and then generate a self-signed certificate. The only difference is I have to install the certificate on all the PCs that connect with Outlook Anywhere, but it doesn't cost anything. Just google "generate self signed cert sbs 2008".

Outlook Anywhere won't work with a self-signed cert; I came across that when I was doing the research into Exchange 2007. It's one of the security precautions, I think.

@Greglsh

If you go with Comodo for example, they will check the whois of "labs.co.za" since it is your public domain. When you get a UC cert from them, you can put 3 names in; to get more costs extra. We put in our public domain name (i.e. labs.co.za), the alias for the Exchange server (i.e. remote.labs.co.za) and the internal server name. If I'm reading your post right, then you appear to be going down the right path; you would use the dyndns account instead of the internal server name.

With the whois record, all they are really doing is making sure that the details are up to date and that you really own the domain before they issue a cert. AFAIK, it's far easier to update .co.za domains than .org.za ones for example.
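
The request-and-verify steps discussed in this thread, as an added example that was not posted by any participant: it uses the Exchange 2007 certificate cmdlets from the Exchange Management Shell to build a multi-name request and then confirm the issued certificate covers every name clients connect to. The host names are the thread's examples; the file paths, the organisation string and the two function names are assumptions.

```powershell
# Run in the Exchange Management Shell on the SBS 2008 server (Exchange 2007).
# Host names are the thread's examples; substitute the names clients really use.
$names = 'remote.labs.co.za',    # external alias Outlook Anywhere is pointed at
         'labs.dyndns.biz',      # dynamic-DNS name the laptops use today
         'server.domain.local'   # internal server name (placeholder from the thread)

# 1. Create the key pair and a certificate request listing every name.
#    The first name becomes the subject CN; all of them go into the
#    subject alternative name field of the request.
#    The private key stays on this server and is marked non-exportable.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=ZA, o=Labs, cn=$($names[0])" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $false `
    -Path 'C:\certs\labs-uc.req'      # assumed path; send this file to the CA

# 2. When the CA returns the signed certificate, import it on the same server
#    (it is paired with the pending private key) and bind it to IIS, which
#    serves both Outlook Anywhere and Outlook Web Access.
function Install-IssuedCert([string]$Path) {
    $cert = Import-ExchangeCertificate -Path $Path
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    return $cert.Thumbprint
}

# 3. Confirm the certificate carries every required name. A name missing here
#    is what produces the "name does not match" error on the client.
function Test-CertNames([string]$Thumbprint, [string[]]$Required) {
    $cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $onCert  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($Required | Where-Object { $onCert -notcontains $_.ToLower() })

    if ($cert.IsSelfSigned) { Write-Warning 'Certificate is self-signed.' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires $($cert.NotAfter)."
    }
    foreach ($m in $missing) { Write-Warning "Name not on certificate: $m" }
    return ($missing.Count -eq 0)
}

# Usage once the CA's reply has been saved (assumed file name):
#   $tp = Install-IssuedCert 'C:\certs\labs-uc.cer'
#   Test-CertNames $tp $names
```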
 