Exchange SSL and .local issue Vipre Email Security

I am trying to get Vipre Email Security working on an Exchange 2010 server.
[Let it be noted that their support has been very unhelpful in resolving this matter]

So here is the issue I am having:
http://support.threattracksecurity....ors-causing-spam-to-be-delivered-to-the-inbox

I run a test: test-outlookwebservices -identity:[email protected] | fl
And everything comes back as a success except one thing:

The certificate for the URL https://exchange.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of exchange.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

As you all know, you can no longer add a .local subject alternate to an SSL certificate.

I have changed all of the internal URLs to point to the external address, such as in the example below:
https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

I have added an autodiscover srv record into internal DNS:
https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

What am I missing here? How can I make it simply stop searching for exchange.domain.local?
 
I ran across similar issues when buying a long-term cert a year and a half ago and I made a note of what I did to resolve my .local/certificate issues in case I came across it again - this is what was in my notes for what resolved my issue. Unsure if it helps your situation.

Code:
Set-ClientAccessServer -Identity server.domain.local -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "server.domain.local\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "server.domain.local\oab (Default Web Site)" -InternalUrl https://mail.domain.com/oab

# To confirm the settings applied correctly
get-owaVirtualDirectory | fl name,internalURL,externalURL

Replace server.domain.local with FQDN of CAS server – put in external access link in place of https://mail.domain.com/

Go into DNS server
Create forward lookup zone for domain (Example: domain.com ), create new host (A) record that resolves subdomain (Example: mail.domain.com) to LAN IP of CAS server. (Example: mail to 10.0.0.1)
 
Create Key
Export Key
buy Cert
Import Key
Generate Private and Public Cert
Install Cert
Create forwarding DNS zone internally
Create A record under new zone that points to internal server for mail.domain.com
Don't add your local domain to a cert; it's not needed if you set up DNS properly inside and out :D
 
I think I have done all of this. I would word it differently:

Generate CSR
Buy Certificate
Install Certificate
Assign exchange services to new cert
Create internal DNS zone for externaldomain.com
Create A record for mail.externaldomain.com pointing to the internal address of the mailserver
Create SRV autodiscover record on internal DNS that points to mail.externaldomain.com

I even took the default internal cert for exchangeserver.domain.local and added it to trusted root certificates on the server.

You said one thing about "generate public and private cert". What do you mean by private cert?
 
Easius has the correct solution.
EDIT:
From here.
Code:
Set-ClientAccessServer -Identity "CAS-01" -AutoDiscoverServiceInternalUri "https://cas01.contoso.com/autodiscover/autodiscover.xml" -AutoDiscoverSiteScope "Mail"
There is an autodiscover SCP buried in Active Directory that is still going to point to .local until you run the above command.
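Tying together the URL settings in the earlier Code block and the SCP point in this post, here is an added read-only audit script (not from this thread, and not from Vipre or Microsoft) that lists every URL Exchange 2010 hands out to clients, flags any still carrying a .local hostname, and checks that the remaining names resolve in internal DNS and sit on the SAN list of the certificate bound to IIS. It assumes it runs in the Exchange Management Shell on a CAS; the cmdlet and property names are the standard Exchange 2010 ones, written in PowerShell 2.0 syntax.

```powershell
# Added example, not from this thread: audit every client-access URL Exchange 2010
# hands out (the AutoDiscover SCP plus each virtual directory) for a .local name,
# confirm the hostname resolves in internal DNS, and confirm it is on the SAN list
# of the certificate assigned to IIS. Read-only; run in the Exchange Management Shell.
# Cmdlet and property names are the standard Exchange 2010 ones; PowerShell 2.0 syntax.

$urls = @()
foreach ($cas in Get-ClientAccessServer) {
    $urls += New-Object PSObject -Property @{ Source = "$($cas.Name) (SCP)";
        Setting = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri }
}
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory', 'Get-AutodiscoverVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    foreach ($vd in (& $cmd)) {
        foreach ($setting in 'InternalUrl', 'ExternalUrl') {
            $urls += New-Object PSObject -Property @{ Source = $vd.Identity; Setting = $setting; Url = $vd.$setting }
        }
    }
}

# Hostnames covered by the certificate(s) assigned to the IIS service, lower-cased.
$certDomains = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString().ToLower() })

function Test-CertCoversHost([string]$hostname) {
    foreach ($d in $certDomains) {
        if ($d -eq $hostname) { return $true }
        # A wildcard entry (*.domain.com) covers exactly one extra label.
        if ($d.StartsWith('*.') -and $hostname -match ('^[^.]+' + [regex]::Escape($d.Substring(1)) + '$')) { return $true }
    }
    return $false
}

$report = foreach ($u in $urls) {
    if (-not $u.Url) { continue }                      # unset URL: nothing is handed out
    $hostname = ([System.Uri]$u.Url).Host.ToLower()
    $problems = @()
    if ($hostname -like '*.local') {
        $problems += 'uses .local (cannot appear on a public certificate)'
    } else {
        try { [void][System.Net.Dns]::GetHostAddresses($hostname) }
        catch { $problems += 'does not resolve in internal DNS' }
        if (-not (Test-CertCoversHost $hostname)) { $problems += 'not on the IIS certificate SAN list' }
    }
    New-Object PSObject -Property @{ Source = $u.Source; Setting = $u.Setting; Host = $hostname; Problems = ($problems -join '; ') }
}
$report | Format-Table Source, Setting, Host, Problems -AutoSize
```

Any row whose Problems column mentions .local is a setting still pointing at the internal name, and the SCP row is the one the Set-ClientAccessServer command in this post fixes.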
 