SAN certificate

hi,

after the new SAN certificate authority rules,

we couldn't add local names to the SAN.

for example, we couldn't add company.domain.local. (we can just add company.domain.com)

so we will have a problem on port 443 in external OWA.

what are your ideas for this?

thanks...

Accepted Solution

updating the computer entry to domain.com in SQL, then adding the internal IP of the DNS alias to the hosts file on the EV server, solves the problem.

thanks... 


7 Replies

Also, when the old SAN certificates expire, they will cause problems...


Not sure if this is the right forum for this, but yes, it does affect EV, and also all internal web services using an external CA.

SSL/security forum: https://www-secure.symantec.com/connect/security/forums/authentication-services

And a post about the subject: https://www-secure.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know

Googled and found this:

Alternatives: A possible alternative for this change is by using an additional external name. This can be a subdomain of your main domain (e.g. server01.cabforum.com) or by using a .net domain name (.net = network) like server01.cabforum.net. Until now, the amended legislation applies only for domain validated (DV) SAN certificates. Certificates for which the organization has been validated (OV) do not have to deal with this change. Upgrading your DV certificate to an OV certificate is another alternative.
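A pre-flight check for the rule discussed above, added here as an example and not code from the original thread: it classifies the SAN entries of a planned CSR the way a public CA would, so internal names are caught before the request goes out. The suffix list is a constructed, partial list of names that are not delegated TLDs; the authoritative test is whether the TLD appears in the IANA root zone.

```python
import ipaddress

# Constructed, partial list of suffixes that are not delegated TLDs in the
# IANA root zone (mDNS .local, RFC 2606 names, ICANN-withheld strings).
# The authoritative test is "is the TLD in the IANA root zone?".
RESERVED_SUFFIXES = (
    ".local", ".localhost", ".test", ".example", ".invalid",
    ".internal", ".corp", ".home", ".mail", ".lan",
)

def classify_san(name):
    """Classify one SAN entry as ('ok', why) or ('internal', why)."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return ("internal", "empty name")
    # IP-address SANs: only globally routable addresses are allowed;
    # RFC 1918, loopback, link-local and documentation ranges are not.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return ("internal", "non-public IP address")
        return ("ok", "public IP address")
    host = n[2:] if n.startswith("*.") else n
    # A single-label host name (e.g. "evserver") cannot be globally unique.
    if "." not in host:
        return ("internal", "single-label host name")
    for suffix in RESERVED_SUFFIXES:
        if host.endswith(suffix):
            return ("internal", "suffix %s is not a public TLD" % suffix)
    return ("ok", "public DNS name")

def check_csr_sans(names):
    """Return [(name, reason)] for the entries a public CA will refuse."""
    rejected = []
    for name in names:
        status, why = classify_san(name)
        if status == "internal":
            rejected.append((name, why))
    return rejected

if __name__ == "__main__":
    # Constructed sample built from the kinds of names in this thread.
    sample = ["mail.domain.com", "evserver.domain.local", "evserver", "10.0.0.5"]
    for name, why in check_csr_sans(sample):
        print("%-25s %s" % (name, why))
```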

Yes, this is a certificate issue, but Enterprise Vault is directly affected by this issue. Also, Enterprise Vault has a white paper for 10.0.3 on using SSL certificates. This may be updated..


KG, yes, come to think of it - it does have a technote of best practice somewhere regarding Exchange 2013 OMA.

Enterprise Vault 10.0.3 and later: Requesting and Applying an SSL Certificate

http://www.symantec.com/business/support/index?page=content&id=HOWTO83452

Ideas to work around this? Here are a few:

- Well, you can use internal certs for your internal server and use an application firewall/proxy/gateway (TMG/F5) to do the link translation to your internal domain.

i.e. https://mail.externaldomain.com/enterprisevault (using ext cert) -> https://evserver.domain.local/enterprisevault (using int cert)

Obviously, internally you will have to ensure the internal certs are automatically enrolled via AD GPOs.

- Split-brain DNS - i.e. you create a DNS record for your external domain internally

i.e. mail.externaldomain.com -> private ip and evserver.externaldomain.com -> private ip

It's a bit tricky, but this will allow your external certs to resolve and work internally.

http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html

Yes, the DNS hack/solution is the hosts file.. and you might just change the DNS alias too... That may break all shortcuts unless it is a greenfield implementation: http://www.symantec.com/business/support/index?page=content&id=TECH179428

Once you do that, all users' links will point to ev.domain.com and their systems need a way to resolve the external name internally too.. so you are back to split-brain DNS.

yes, EV may create a new whitepaper for this issue; most people will face this problem in the future...