
SAN certificate

K_G
Level 6
Partner Accredited

hi,

after the new SAN certificate authority rules;

we couldn't add local names to SAN

for example; we couldn't add company.domain.local (we can just add company.domain.com)

so we will have a problem on port 443 in external OWA.

what are your ideas for this?

thanks...


7 REPLIES

K_G
Level 6
Partner Accredited

Also when the old SAN certificates expire, they will cause problems...

Merv
Level 6
Partner
Not sure if this is the right forum for this, but yes, it does affect EV, but also all internal web services using an external CA.

SSL/security forum: https://www-secure.symantec.com/connect/security/forums/authentication-services

And a post about the subject: https://www-secure.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know

Googled and found this:

Alternatives: A possible alternative for this change is by using an additional external name. This can be a sub domain of your main domain (eg server01.cabforum.com) or by using a .net domain name (.net = network) like server01.cabforum.net. Until now, the amended legislation applies only for domain validated (DV) SAN certificates. Certificates for which the organization has been validated (OV) do not have to deal with this change. Upgrading your DV certificate to an OV certificate is another alternative.
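As an added example (not code from this thread, from Symantec or from the CA/Browser Forum), the following Python script audits a certificate request's SAN list before it is sent to a public CA, flagging the names the new rules reject: reserved or private IP addresses, single-label hostnames, and names under non-public suffixes such as .local. The suffix list and the sample SAN entries are constructed assumptions; the suffix list is not authoritative.

```python
import ipaddress
import re

# Constructed sample of suffixes that public DNS does not delegate; extend as needed.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".lan", ".internal", ".corp",
                       ".home", ".intranet", ".private", ".test", ".example")

# RFC 1123 style hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _strip_prefix(entry: str) -> str:
    """Remove the 'DNS:' / 'IP:' / 'IP Address:' prefix that openssl x509 -text prints."""
    value = entry.strip()
    head, sep, tail = value.partition(":")
    if sep and head.strip().lower() in ("dns", "ip", "ip address"):
        return tail.strip()
    return value


def classify_san_entry(entry: str) -> str:
    """Return 'public', 'internal' or 'invalid' for one SAN entry."""
    value = _strip_prefix(entry).lower().rstrip(".")
    if not value:
        return "invalid"
    # IP address entries: only globally routable addresses are acceptable to a public CA.
    try:
        ip = ipaddress.ip_address(value)
        return "public" if ip.is_global else "internal"
    except ValueError:
        pass
    labels = value.split(".")
    if labels[0] == "*":           # wildcard is allowed only as the leftmost label
        labels = labels[1:]
        if not labels:
            return "invalid"
    if any(not _LABEL.match(label) for label in labels):
        return "invalid"
    # A single label such as "evserver" cannot be verified in public DNS.
    if len(labels) < 2:
        return "internal"
    if value.endswith(NON_PUBLIC_SUFFIXES):
        return "internal"
    return "public"


def audit_san(entries):
    """Group SAN entries by class so the request can be corrected before submission."""
    report = {"public": [], "internal": [], "invalid": []}
    for entry in entries:
        report[classify_san_entry(entry)].append(entry)
    return report


if __name__ == "__main__":
    # Constructed sample SAN list in the form openssl prints it.
    sample = ["DNS:company.domain.com", "DNS:company.domain.local", "DNS:evserver",
              "DNS:*.domain.com", "IP Address:10.0.0.5", "IP Address:fe80::1"]
    for kind, names in audit_san(sample).items():
        print(f"{kind:8s} {names}")
```

Anything reported under "internal" is exactly what the thread is about: those names have to come from an internal CA (or be replaced by an externally resolvable name) rather than appear on the public certificate.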

K_G
Level 6
Partner Accredited

Yes, this is a certificate issue, but Enterprise Vault is directly affected by it. Also, Enterprise Vault has a white paper for 10.03 on using an SSL certificate; this may be updated..

Merv
Level 6
Partner

KG, yes, come to think of it - it does have a technote of best practice somewhere regarding Exchange 2013 OMA.

Enterprise Vault 10.0.3 and later: Requesting and Applying an SSL Certificate

http://www.symantec.com/business/support/index?page=content&id=HOWTO83452

Ideas to work around this? Here are a few:

- Well, you can use internal certs for your internal server and use an application firewall/proxy/gateway (TMG/F5) to do the link translation to your internal domain.

i.e. https://mail.externaldomain.com/enterprisevault (using ext cert) -> https://evserver.domain.local/enterprisevault (using int cert)

Obviously internally you will have to ensure the internal certs are automatically enrolled via AD GPOs

- Split Brain DNS - i.e. you create a DNS record for your external domain internally

i.e. mail.externaldomain.com -> private ip and evserver.externaldomain.com -> private ip

It's a bit tricky but this will allow your external certs to resolve and work internally.

http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html
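To show why the split-brain DNS workaround (and the hosts-file variant) makes the external certificate usable from inside, here is an added Python illustration that is not code from this thread or from the Enterprise Vault documentation. It simulates a resolver that answers internal clients from a split-brain zone or hosts file and then applies browser-style SAN hostname matching to the URL the user actually opened. The certificate names, IP addresses and zone data are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample data (not real infrastructure).
EXTERNAL_CERT_SAN = ["mail.externaldomain.com", "evserver.externaldomain.com"]
PUBLIC_DNS = {"mail.externaldomain.com": "198.51.100.10"}   # public IP of the gateway
INTERNAL_OVERRIDES = {                                       # split-brain zone / hosts file
    "mail.externaldomain.com": "10.1.2.3",
    "evserver.externaldomain.com": "10.1.2.3",
    "evserver.domain.local": "10.1.2.3",
}


def hostname_matches_san(hostname: str, san_dns_names) -> bool:
    """Match a hostname against SAN dNSName entries the way a browser does:
    exact match, or a wildcard only in the leftmost label covering exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.")
                and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False


def resolve(hostname: str, inside_network: bool) -> Optional[str]:
    """Simulated resolver: internal clients get the split-brain answer, others public DNS."""
    if inside_network and hostname in INTERNAL_OVERRIDES:
        return INTERNAL_OVERRIDES[hostname]
    return PUBLIC_DNS.get(hostname)


def check_url(url: str, san_dns_names, inside_network: bool) -> dict:
    """Report whether the URL's host resolves and whether the external cert's names cover it."""
    host = urlsplit(url).hostname or ""
    ip = resolve(host, inside_network)
    return {
        "host": host,
        "ip": ip,
        "resolves": ip is not None,
        "cert_name_ok": hostname_matches_san(host, san_dns_names),
    }


if __name__ == "__main__":
    # The .local URL reaches the server but the public cert does not cover its name;
    # the external name resolves to the same private IP and the cert name is accepted.
    for url in ("https://evserver.domain.local/enterprisevault",
                "https://evserver.externaldomain.com/enterprisevault"):
        print(url, check_url(url, EXTERNAL_CERT_SAN, inside_network=True))
```

The point the simulation makes is that the hosts file or split-brain zone does not change the certificate at all; it only makes internal clients open the URL under a name that the public certificate already lists, which is why the shortcuts and DNS alias also have to point at the external name.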


K_G
Level 6
Partner Accredited

Updating the computer entry to domain.com in SQL, then adding the internal IP of the DNS alias to the hosts file on the EV server, solves the problem.

thanks... 

Merv
Level 6
Partner
Yes, the DNS hack/solution is the hosts file... and you might just change the DNS alias too. That may break all shortcuts unless it is a greenfield implementation:

http://www.symantec.com/business/support/index?page=content&id=TECH179428

Once you do that, all users' links will point to ev.domain.com and their systems need a way to resolve the external name internally too... so you are back to split brain DNS.

K_G
Level 6
Partner Accredited

Yes, EV may create a new whitepaper for this issue; most people will face this problem in the future...