This article discusses how to deal with the fact that you can no longer get a 3rd party SSL Certificate for an internal domain.
The issue is that 3rd party Certs will not allow non-verifiable Certs after Oct 2016. Essentially, that means that you should now configure your Exchange environment (2007/2010/2013) to not depend on Certs for internal names.
The solution is too simple. Just configure your DNS server to implement a "Split-DNS-Horizon".
Note that this also works perfectly for auto-configuring your Outlook clients, regardless of whether they are connected internally or externally.
For this example, lets assume that your internal domain is domain.local, and that your email domain is domain.com
The easiest and simplest trick is to configure an entry in your internal DNS servers, to point autodiscover.domain.com to the internal IP address of your CAS server.
The best way to do this is to create a new DNS Zone with the name "autodiscover.domain.com", and then create an unnamed entry ("@") pointing to your internal CAS server(s).
This way, it does not interfere with all of your existing DNS records for the "domain.com" zone, such as www, etc.
So now, with this configuration, all that you need for a 3rd party SSL Cert is the "domain.com" name.
Additional Reference:
The issue is that 3rd party Certs will not allow non-verifiable Certs after Oct 2016. Essentially, that means that you should now configure your Exchange environment (2007/2010/2013) to not depend on Certs for internal names.
The solution is too simple. Just configure your DNS server to implement a "Split-DNS-Horizon".
Note that this also works perfectly for auto-configuring your Outlook clients, regardless of whether they are connected internally or externally.
For this example, lets assume that your internal domain is domain.local, and that your email domain is domain.com
The easiest and simplest trick is to configure an entry in your internal DNS servers, to point autodiscover.domain.com to the internal IP address of your CAS server.
The best way to do this is to create a new DNS Zone with the name "autodiscover.domain.com", and then create an unnamed entry ("@") pointing to your internal CAS server(s).
This way, it does not interfere with all of your existing DNS records for the "domain.com" zone, such as www, etc.
So now, with this configuration, all that you need for a 3rd party SSL Cert is the "domain.com" name.
Additional Reference:
- Internal DNS and Exchange Autodiscoverhttp://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
Comments
Post a Comment