SSL Certificate and DynDNS

Greglsh

Hi

I have a client who is running SBS 2008, which has Exchange 2007. He wants to be able to run Outlook Anywhere. What I have found out (could be wrong here) is that I need a 3rd party SSL certificate. They are running a dynamic ADSL account, so no fixed IP. Will this setup work, or how do I go about getting the SSL to work with the DynDNS account which they already have, e.g. ******.dyndns.biz?

Any help would be appreciated.
 
1. Buy a domain name, any one.
2. Create a CNAME record on the new domain and point it to the DynDNS host name.
3. Get yourself an SSL cert for the new domain.

You can get a free SSL cert from startssl.com.

That would be my recommendation with what you have.
 
Hi DrJohn

Thanks for the quick reply. I'm a bit new to this, so I hope you don't mind me asking you a few questions.

1) When you say buy a domain name, do you mean another one besides the domain they already have for emails, which is vi***uip.co.za?
2) Where do you create this CNAME record? Is this done on the server itself or by the DNS guys who do the domain registrations?

Sorry, might be some dumb questions.
 
Ah okay, then they can just use their existing domain name. You can usually create DNS records through the control panel of the hosting provider or whatever company the domain was purchased through.

I would create a CNAME record like exchange.thedomain.co.za that points to their ddns host.

Then create an SSL cert for exchange.thedomain.co.za.

I've done this for our Exchange OWA access, but for the life of me cannot remember how I actually set it up in Exchange. I believe it was through IIS; I'm more of an Apache guy, so I always have to Google this stuff when I need to work with MS stuff.
 
Okay DrJohn

Thanks, I will definitely give this a bash. For the SSL certificate, does it just have to have exchange.thedomain.co.za, or must it have autodiscover.thedomain.co.za plus others? I have been reading and they say it should have a few names when it comes to Exchange.
 
I'm not that clued up with Exchange stuff (I normally just hold thumbs that it doesn't crash) :D

There are some very seasoned gurus on here; when you have questions I'm sure somebody will be around to help.
 
The type of SSL certificate you need for this is called a UCC (Unified Communications Certificate). Yes, you will need a couple of names in the SAN (Subject Alternative Name) of the certificate. On the main name (Subject) of the certificate you'd put in e.g. exchange.domain.co.za / mail.domain.co.za, and for the SAN you then add autodiscover.domain.co.za and ExchangeServerInternalName.domain.local (this is the internal name for your mail server).

You need to create a CSR (Certificate Signing Request) from within the Exchange control panel, which you will then hand over to the certification authority, and they will use it to generate your cert. You might also want to create a record on your internal DNS server for exchange.domain.co.za / domain.dyndns.biz and point it to the local IP of the Exchange server, so that when the users are at the office those DNS queries are resolved internally.
 
Hi Kianm

Thank you very much for your info. I think that was what I was looking for with regards to the SSL certificate, so if I follow DrJohn's and your advice all should be fine. What do people suggest: a 2 year or 3 year SSL certificate?
 
Sorry, just another question: where should I go for the best price and UCC SSL certificate? I see most of them only offer 3 names, then you have to pay extra to add more. From the above I will need 3 names, is that correct: exchange.domain.co.za, autodiscover.domain.co.za, exchangeserverinternalname.domain.local? So the standard UCC SSL certificate will suffice. I looked at UC Certificates and GETUCC; which is the best/cheapest (sometimes cheap is not the way to go)? Thanks again.
 
Choosing between a 2 or 3 year certificate is based on your personal preference. I personally go for the shorter renewal cycle (1 year) because if there are any infrastructural changes that require changes to the certificate, I can implement those changes during the renewal period (e.g. the other time I had to add a DAG for redundancy and needed to protect/add some new names to the cert). So basically, if you think your Exchange environment is going to be static for a while, you can go for the longer cycles. This does not mean, though, that you cannot make changes to the certificate before it expires; you can make changes to the domain names anytime (see this), but I just find it less cumbersome to do it during the renewal cycle.

Source: I get my certificates from GoDaddy and I have managed to put in about 6 SANs in one certificate on the standard pricing. They will need to verify that you own the domain you are trying to protect, so I'm not sure how that would work with a DynDNS domain, as I've only worked with the usual purchased domains / static IPs scenario.
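
As an added example (not part of any post in this thread), this sketch checks a planned SAN list against the names users will actually type and labels each name by who controls its DNS zone, which is what a CA's domain validation turns on. All hostnames, the `sbs01` server name and the function names are constructed, and the internal-suffix list is an assumption.

```python
# Added example; every hostname below is a constructed placeholder.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")

def classify(name, owned_zones):
    """Label a planned certificate name by who controls its DNS zone."""
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    if "." not in n or n.endswith(INTERNAL_SUFFIXES):
        return "internal-only"   # publicly trusted CAs no longer issue for these
    if any(n == z or n.endswith("." + z) for z in owned_zones):
        return "owned"           # client can prove control via DNS or e-mail
    return "third-party"         # e.g. the DDNS provider's zone

def san_matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def review_plan(planned_sans, client_hosts, owned_zones):
    """Return (label per SAN, client hostnames that no SAN covers)."""
    labels = {san: classify(san, owned_zones) for san in planned_sans}
    uncovered = [h for h in client_hosts
                 if not any(san_matches(s, h) for s in planned_sans)]
    return labels, uncovered

# Constructed plan following the thread: a CNAME in the client's own zone
# fronts the DDNS host, so users type exchange.thedomain.co.za and the
# certificate is matched against that name, not against the CNAME target.
PLANNED = ["exchange.thedomain.co.za", "autodiscover.thedomain.co.za",
           "sbs01.thedomain.local"]
CLIENT_HOSTS = ["exchange.thedomain.co.za", "autodiscover.thedomain.co.za",
                "client.dyndns.biz"]

if __name__ == "__main__":
    labels, uncovered = review_plan(PLANNED, CLIENT_HOSTS, {"thedomain.co.za"})
    for san, label in labels.items():
        print(f"{san:32} {label}")
    print("not covered by any SAN:", uncovered)
```

Anyone still connecting with the raw DDNS hostname shows up as uncovered and would get a name-mismatch warning, so clients should be pointed at the CNAME in the owned zone.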
 
CAs have very strict auditing processes, but in terms of cheapness it also depends on which reseller you choose.

We advertise our SSL certs here through one of our hosting brands at insane prices ($4.09 p/yr for a normal Comodo PositiveSSL cert).
http://www.webhostingtalk.com/showthread.php?t=1431437
 