broken ssl and dns in exchange 2k3
From: chris (awry.ws_at_gmail.com)
Date: 06/04/04
- Next message: Kirill S. Palagin: "Re: Error getting value for attribute 'legacyExchangeDN' from exmerge"
- Previous message: Kirill S. Palagin: "Re: Creating Groups in Exchange 2003"
- Next in thread: chris: "Re: broken ssl and dns in exchange 2k3"
- Reply: chris: "Re: broken ssl and dns in exchange 2k3"
- Reply: chris: "Re: broken ssl and dns in exchange 2k3"
- Messages sorted by: [ date ] [ thread ]
Date: 4 Jun 2004 01:31:38 -0700
I work in an organization which includes many entities, one of which
is using Exchange 2003. The others use sendmail on linux. The linux
infrastructure was in place first, so our active directory domain is a
subdomain of the original linux domain. So our internal namespace is
basically:
company.org - linux firewall, dns, mail, dhcp, etc.
ad.company.org - single win2k3 SBS server w/ Exchange 2003
So inside of our firewall, the FQDN name of the Exchange server is
servername.ad.company.org. Externally, however, it answers mail on a
couple of domains, but primarily on mail.anothercompany.com (one of
our other entities).
When I installed Exchange 2003, I used some self-signed certs Windows
provided me with. OWA worked fine, but of course accessing
mail.anothercompany.com generated a security alert due to the
mismatched common name (server.ad.company.org) and untrusted CA status
of the cert. A major reason for updating to 2003 was also to leverage
RPC over HTTP, which requires perfect certs all the way around. So I
got a new SSL cert from our linux CA, issued correctly to
mail.anothercompany.com, and signed by the corporate CA.
Installed the new cert on Exchange, and installed the root cert on my
clients, and - voila! - no more security alerts in OWA, and RPC over
HTTP works. Cool!
BUT NO...
Now, I can't manage public folders in Exchange Admin (get the error
mentioned in this kb article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324345), and
Public Folders in OWA are inaccessible (rest of OWA is fine, public
folders appear in Outlook).
The cause of this problem, according to the above MS KB doc, is
apparently that the FQDN of the Exchange Server doesn't match the FQDN
of my new cert. Funny thing is, there doesn't seem to be a way to
actually fix this.
My understanding is that Exchange takes its FQDN from Active
Directory, and I don't think I can easily change my AD domain at this
point (can I?). I can't make my internal FQDN be the same as my
external FQDN, yet this seems to be the only configuration possible if
I want to use valid certificates and RPC over HTTP. I believe
Microsoft even recommends as a best practice that you keep your 2k3
server on an internal ".local" domain for improved security, so I hope
I'm just missing something...
It seems like my only option is to install an ISA server as my RPC/OWA
proxy... Is this for real?! I hope I'm wrong.
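An added example, not part of the original post: the hostname-matching rule (RFC 6125 style) that produces the "mismatched common name" alert described above, applied to the two names from the post. It assumes the names servername.ad.company.org and mail.anothercompany.com as given, and a hypothetical certificate that lists both in its Subject Alternative Name extension to show which names a client would accept.

```python
# Added example (not from the original post): RFC 6125-style hostname
# matching against a certificate's identities. Shows why a cert issued only
# to mail.anothercompany.com cannot also satisfy servername.ad.company.org,
# while one listing both names can.
from dataclasses import dataclass, field


@dataclass
class CertIdentities:
    """Names a certificate presents: subject CN plus SAN dNSName entries."""
    common_name: str
    san_dns: list = field(default_factory=list)

    def presented_names(self):
        # RFC 6125: use SAN dNSName entries when present; fall back to the
        # CN only when the certificate carries no dNSName entries.
        return list(self.san_dns) if self.san_dns else [self.common_name]


def name_matches(pattern, hostname):
    """Match one presented identifier against a reference hostname."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if "*" in p_labels and (p_labels[0] != "*" or p_labels.count("*") > 1
                            or len(p_labels) < 3):
        return False  # one wildcard, leftmost label only, never "*.com"
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert, hostname):
    return any(name_matches(n, hostname) for n in cert.presented_names())


def unmatched_hosts(cert, hostnames):
    """Hostnames for which clients would raise a name-mismatch alert."""
    return [h for h in hostnames if not cert_matches_host(cert, h)]


# Constructed sample names taken from the post.
INTERNAL_FQDN = "servername.ad.company.org"
EXTERNAL_NAME = "mail.anothercompany.com"
REQUIRED = [INTERNAL_FQDN, EXTERNAL_NAME]
# The cert the poster installed: issued to the external name only.
SINGLE_NAME_CERT = CertIdentities(common_name=EXTERNAL_NAME)
# Hypothetical cert whose SAN extension lists both names.
DUAL_NAME_CERT = CertIdentities(EXTERNAL_NAME, [EXTERNAL_NAME, INTERNAL_FQDN])

if __name__ == "__main__":
    print(unmatched_hosts(SINGLE_NAME_CERT, REQUIRED))  # ['servername.ad.company.org']
    print(unmatched_hosts(DUAL_NAME_CERT, REQUIRED))    # []
```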