Exchange 2007 SSL Administration
Selecting DNS names for an Exchange SAN SSL certificate
Exchange uses multiple DNS names that all need to be protected with an SSL certificate. Microsoft therefore suggests using a Subject Alternative Name (SAN) / Unified Communication (UC) compatible SSL certificate. These certificates can protect multiple DNS names simultaneously.
Exchange is designed to use a single SSL certificate containing all the DNS names the server uses both internally and externally. Even though it is possible to get Exchange to work with a wildcard or single-name certificate, it will be at the expense of some functionality and require extra configuration.
When using a wildcard certificate, even if it has been activated on the server, Exchange cannot use it for SMTP, POP3 and IMAP because the exact server name isn't present in the certificate as a SAN entry, and the server will therefore automatically revert to the internal (self-signed) certificate for those services.
To get the server to work optimally you need all DNS names used to communicate with the server, both from the internet and locally, in the certificate. Furthermore you need to add an autodiscover name (e.g. autodiscover.fairssl.dk) for every domain a user uses in their outgoing email.
i.e.:
- The DNS names pointing at the server from the internet. E.g. mail.fairssl.dk
- The DNS names pointing at the server from the local network. E.g. exch01.fairssl.dk or mail.fairssl.dk
- autodiscover.fairssl.dk for every domain used by a user for their primary (outgoing) email address
The autodiscover address allows the clients to automatically get the configuration for Exchange, making the configuration of clients easier both internally and externally. There needs to be an autodiscover address for every email domain the user uses to send mails from, i.e. their primary email address.
It is important to keep renewing the internal (self-signed) Exchange certificate, as the server will continue to use it, among other things for internal SMTP, even after an external certificate has been activated on the server.
Standard - 1 Email domain
This is the typical configuration, with a single domain for outgoing email and one DNS name that is used both internally and externally to communicate with the server.
The following addresses should be added to the certificate:
- mail.fairssl.dk
- autodiscover.fairssl.dk
Because there is only one public domain used in the certificate, a domain validated SSL certificate can be used.
Extended - Multiple Email domains or server names
For an organisation with multiple outgoing email domains, e.g. ..@fairssl.dk and ..@fairssl.net, you need to add an autodiscover DNS name for each outgoing domain.
Further the server might be reached internally at exch01.fairssl.dk and externally at webmail.fairssl.dk
The following addresses need to be added to the SSL certificate:
- webmail.fairssl.dk
- exch01.fairssl.dk
- autodiscover.fairssl.dk
- autodiscover.fairssl.net
Because there are multiple different domains (fairssl.dk and fairssl.net) in the certificate, the SAN certificate has to support this.
Switch from internal to Internet valid server names
When the Exchange server is installed, the standard configuration is to use an internal DNS name for internal communication. It is however no longer possible to use internal DNS names in publicly issued SSL certificates. As Exchange can only use one certificate for each service, it's required to use externally valid DNS names in the certificate.
Examples of internal DNS names:
- server01
- exch01.fairssl.local
- srv01.fairssl.lan
- localhost
- 192.168.100.10
- 10.0.0.10
It is a requirement that it's possible to reach the Exchange server both internally and externally on one or more DNS names, and that the Exchange server is aware of these names.
We suggest one of the following two popular solutions:
Split DNS
A DNS name, e.g. webmail.fairssl.dk, will on the internal network give an internal IP address for the Exchange server, while giving the external IP address from the internet.
If you don't want the entire domain as a split DNS zone, we suggest that you create the DNS name as a sub-zone, and thereby contain the split DNS to that name.
See Configuration of Split DNS
Afterwards follow the Configuration of internal and external Exchange service URL addresses
Two DNS names
Create one DNS name for internal access and one for external access. This is common for organisations that have created a sub-domain of their public domain, e.g. internal.fairssl.dk
They could then have webmail.fairssl.dk pointing at the external IP address, and exch01.internal.fairssl.dk pointing at the internal address.
Afterwards follow the Configuration of internal and external Exchange service URL addresses
Configuration of Split DNS
- Log in to the domain controller with an administrator account.
- Press windowskey + r and type in the following command to open the DNS manager:
dnsmgmt.msc
- Right click Forward Lookup Zone.
Click New Zone.
- Click Next.
Select Primary zone and Store the zone in Active Directory if this option is available.
Click Next.
- Select To all DNS servers running on domain controllers in this forest.
Click Next.
- Type in the DNS name the internal DNS should point at (e.g.: mail.fairssl.dk).
You can also choose to use the domain (e.g.: fairssl.dk), but then you need to make a host for every DNS name (see step 10).
Click Next.
- Select Allow only secure dynamic updates.
Click Next.
Click Finish.
- Right click on the new forward zone and click New Host (A or AAAA).
- Leave Name blank.
Type in the internal IP address for the Exchange server.
If you have made, or are planning to make, a reverse lookup zone, check Create associated pointer (PTR) record; otherwise leave it blank.
Click Add Host.
- If you have chosen to create a zone for the entire domain you need to do the following; remember that you need to create a host for every DNS name you use (e.g.: www.fairssl.dk, vpn.fairssl.dk, login.fairssl.dk).
Type in the DNS name in Name (e.g.: mail).
Type in the internal IP address for the Exchange server.
If you have made, or are planning to make, a reverse lookup zone, check Create associated pointer (PTR) record; otherwise leave it blank.
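The same zone and host record as the steps above, created from a command prompt on the domain controller and then checked from the inside. This is an added example, not part of the original article; it assumes dnscmd is present (it ships with the DNS Server role), and the name and address are the article's example values.

```powershell
# Added example, not from the original article. Split DNS for one name:
# an AD-integrated primary zone named after the host, with an A record at
# the zone root (the blank Name field in the GUI). Placeholder values.
$zone       = "mail.fairssl.dk"
$internalIp = "192.168.100.10"

# Primary zone stored in Active Directory, holding only this one name
dnscmd /ZoneAdd $zone /DsPrimary
# A record at the zone root ("@") pointing at the internal address
dnscmd /RecordAdd $zone "@" A $internalIp

# Check: from the internal network the name must resolve to the internal
# address. The public zone is untouched, so the internet still gets the
# external address.
$answers = [System.Net.Dns]::GetHostAddresses($zone) |
           ForEach-Object { $_.IPAddressToString }
if ($answers -contains $internalIp) {
    "split DNS OK: $zone -> $internalIp"
} else {
    "unexpected answer for $zone : $answers (stale cache? run ipconfig /flushdns and retry)"
}
```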
Configuration of internal and external Exchange service URL addresses
Execute the following to change the internal and external DNS name for all exchange services.
- Log in to the Exchange server with an administrator account.
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Run the following command:
Get-ExchangeServer | fl name
- Run the following command:
SERVERNAME is the name you found in step 3, INTERNALURL is the internal DNS name for the Exchange server, e.g. exch01.fairssl.dk or mail.fairssl.dk, and EXTERNALURL is the external DNS name for the Exchange server without https://, e.g. mail.fairssl.dk. Remember the double quotes around the server name, internal URL and external URL:
$CASserver = "SERVERNAME" ; $internalURL = "INTERNALURL" ; $externalURL = "EXTERNALURL"
- Run the following commands to change the DNS names to the internet valid ones (for full script containing all the commands, see step 6):
Get-AutodiscoverVirtualDirectory -Server $CASserver | Set-AutodiscoverVirtualDirectory -InternalUrl "https://$internalURL/Autodiscover/Autodiscover.xml" -ExternalUrl "https://$externalURL/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer -Identity $CASserver | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$internalURL/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $CASserver | Set-WebServicesVirtualDirectory -InternalUrl "https://$internalURL/Ews/Exchange.asmx" -ExternalUrl "https://$externalURL/Ews/Exchange.asmx"
Get-OabVirtualDirectory -Server $CASserver | Set-OabVirtualDirectory -InternalUrl "https://$internalURL/Oab" -ExternalUrl "https://$externalURL/Oab"
Get-OwaVirtualDirectory -Server $CASserver | Set-OwaVirtualDirectory -InternalUrl "https://$internalURL/Owa" -ExternalUrl "https://$externalURL/Owa"
Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$internalURL/Microsoft-Server-ActiveSync" -ExternalUrl "https://$externalURL/Microsoft-Server-ActiveSync"
- The following is the above commands collected into a single script for easy copy/paste. If you have followed step 5 there is no reason to use this:
Get-AutodiscoverVirtualDirectory -Server $CASserver | Set-AutodiscoverVirtualDirectory -InternalUrl "https://$internalURL/Autodiscover/Autodiscover.xml" -ExternalUrl "https://$externalURL/Autodiscover/Autodiscover.xml" ; Get-ClientAccessServer -Identity $CASserver | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$internalURL/Autodiscover/Autodiscover.xml" ; Get-WebServicesVirtualDirectory -Server $CASserver | Set-WebServicesVirtualDirectory -InternalUrl "https://$internalURL/Ews/Exchange.asmx" -ExternalUrl "https://$externalURL/Ews/Exchange.asmx" ; Get-OabVirtualDirectory -Server $CASserver | Set-OabVirtualDirectory -InternalUrl "https://$internalURL/Oab" -ExternalUrl "https://$externalURL/Oab" ; Get-OwaVirtualDirectory -Server $CASserver | Set-OwaVirtualDirectory -InternalUrl "https://$internalURL/Owa" -ExternalUrl "https://$externalURL/Owa" ; Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$internalURL/Microsoft-Server-ActiveSync" -ExternalUrl "https://$externalURL/Microsoft-Server-ActiveSync"
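A check that ties the first section (which names belong in the certificate) to the URLs just configured: collect every host name Exchange will present to clients and compare it with the names in the activated certificate. This is an added example, not part of the original article; SERVERNAME and THUMBPRINT are placeholders, and it assumes the CertificateDomains property of Get-ExchangeCertificate holds the certificate's name list.

```powershell
# Added example, not from the original article: list the host names Exchange
# hands to clients and report which ones the certificate does not cover.
$CASserver  = "SERVERNAME"   # placeholder, from Get-ExchangeServer
$thumbprint = "THUMBPRINT"   # placeholder, from Get-ExchangeCertificate

$required = @()

# One autodiscover name per accepted e-mail domain (see the first section)
foreach ($d in Get-AcceptedDomain) {
    $required += "autodiscover." + $d.DomainName.ToString()
}

# Host part of every internal and external service URL configured above
$vdirs = @(Get-AutodiscoverVirtualDirectory -Server $CASserver) +
         @(Get-WebServicesVirtualDirectory -Server $CASserver) +
         @(Get-OabVirtualDirectory -Server $CASserver) +
         @(Get-OwaVirtualDirectory -Server $CASserver) +
         @(Get-ActiveSyncVirtualDirectory -Server $CASserver)
foreach ($v in $vdirs) {
    foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($u -ne $null) { $required += $u.Host }
    }
}
$scp = (Get-ClientAccessServer -Identity $CASserver).AutoDiscoverServiceInternalUri
if ($scp -ne $null) { $required += $scp.Host }

$required = $required | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Names actually in the certificate. Exact match only: a wildcard entry such
# as *.fairssl.dk is reported as missing on purpose, since Exchange cannot use
# it for SMTP, POP3 and IMAP (see the first section).
$certNames = (Get-ExchangeCertificate -Thumbprint $thumbprint).CertificateDomains |
             ForEach-Object { $_.ToString().ToLower() }

foreach ($name in $required) {
    if ($certNames -contains $name) { "OK       $name" } else { "MISSING  $name" }
}
```

Any MISSING line is a name clients will be sent to that will produce a certificate warning; add it to the SAN list before ordering or reissuing the certificate.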
Generating a CSR for certificate order
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command with these parameters:
- SubjectName:
- Common Name (CN): The primary DNS name. E.g.: mail.fairssl.dk
- Organization (O): The full valid company name, exactly as it's written in CVR. E.g.: FairSSL A/S
- Organizational Unit (OU): The department that is to use the certificate. It's important it cannot be confused with a different company. We recommend you leave it blank or write your company name. E.g.: FairSSL A/S
- Locality (L): City name. E.g.: Oerum Djurs
- State (S): State or municipality; in Denmark the municipality is used. E.g.: Norddjurs
- Country (C): ISO-standard two-letter country code, has to be capitalized. E.g.: DK
- KeySize: The length of the RSA key in bits (use 2048).
- PrivateKeyExportable: Whether the certificate can later be exported to a backup file.
$CSR = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=mail.fairssl.dk, O=FairSSL A/S, OU=FairSSL A/S, L=Oerum Djurs, S=Norddjurs, C=DK" -KeySize 2048 -PrivateKeyExportable $true
- You can either copy the generated text and paste it directly in the order, or you can execute the following command to save it to a file:
- Path: The path to where you want to save the CSR file
Set-Content -Path "c:\mail.fairssl.dk.csr" -value $CSR
- Open the CSR file in notepad:
notepad c:\mail.fairssl.dk.csr
- Copy the entire text including all dashes before and after and paste it into the order.
Here is an example of a complete CSR text:
A CSR does not contain any confidential information, and there is no security risk by sending it through an unencrypted mail or similar.
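The command above puts only the Common Name into the request, so the SAN names from the first section have to be added when ordering. As an added example (not from the original article), the same cmdlet with its -DomainName parameter carries the SAN list in the CSR itself, followed by a certutil dump that shows what the CA will see; the names and path are the article's example values.

```powershell
# Added example, not from the original article: CSR with the SAN names
# embedded, then a decode of the request to verify subject, SANs and key size
# before it is pasted into the order.
$subject  = "CN=mail.fairssl.dk, O=FairSSL A/S, OU=FairSSL A/S, L=Oerum Djurs, S=Norddjurs, C=DK"
$sanNames = "mail.fairssl.dk", "autodiscover.fairssl.dk", "exch01.fairssl.dk"
$csrPath  = "c:\mail.fairssl.dk.csr"

# -DomainName lists every name the certificate must cover; the CN must be
# among them. The private key stays in this server's machine store, so the
# issued certificate has to be imported on this same server.
$CSR = New-ExchangeCertificate -GenerateRequest -SubjectName $subject -DomainName $sanNames -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $csrPath -Value $CSR

# Decode the PKCS#10 request and show only the lines that matter for the order:
# the subject components, each "DNS Name=" SAN entry and the key length.
certutil -dump $csrPath | Select-String -Pattern "Subject:|^\s+(CN|O|OU|L|S|C)=|DNS Name=|Public Key Length"
```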
Import of Intermediate Certificate
The following illustrates how to import an Intermediate Certificate on a Microsoft Windows based machine, and thereby also on an Exchange server. The Intermediate Certificate needs to be installed on the Exchange server so that the server can send the full chain and clients can verify the path from the server certificate through the intermediate Certificate Authorities (CAs) up to a trusted root.
Note that Windows will sometimes install the Intermediate Certificate automatically when the server certificate is being installed, however there is no problem installing it multiple times, you will just get a warning that it's already installed.
- Log in to the Exchange Server with an administrator account.
Copy the Intermediate Certificate text from the email with your new certificate and paste it into a text editor (e.g. Notepad). Save the file on the Desktop as intermediate.cer
- Press windowskey + r
Write mmc.exe
Click OK
- Click File
Click Add/Remove Snap-in
- Select Certificates
Click Add
- Select Computer account
Click Next
- Select Local computer
Click Finish
Click OK
- Expand Certificates (Local Computer) and Intermediate Certificate Authorities
Right click on Certificates
Select All Tasks
Click Import
- Click Browse and select the file you saved on the Desktop
Click Next
- Select Automatically select the certificate store based on the type of certificate
Click Next
Click Finish
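A check that the import worked as intended: build the certificate chain for the server certificate the way a client would and confirm the intermediate is found. This is an added example, not part of the original article; THUMBPRINT is a placeholder taken from Get-ExchangeCertificate.

```powershell
# Added example, not from the original article: verify that the installed
# server certificate chains through the imported intermediate to a trusted
# root. A chain of a single element means no intermediate was found.
$thumbprint = "THUMBPRINT"   # placeholder, from Get-ExchangeCertificate

# Exchange keeps its certificates in the local machine's Personal store
$store = New-Object Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if ($cert -eq $null) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
# Skip online revocation checks here; the question is whether the chain
# builds at all, not whether CRL/OCSP endpoints are reachable from the server.
$chain.ChainPolicy.RevocationMode = "NoCheck"
$ok = $chain.Build($cert)

"Chain builds: $ok"
$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
if (-not $ok) {
    $chain.ChainStatus | ForEach-Object { "  problem: " + $_.StatusInformation.Trim() }
}
```

Expect at least three elements (server, intermediate, root); if only the server certificate is listed, repeat the import above and check that the file really contains the intermediate and not the server certificate.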
Import and activation from certificate backup file (.PFX/PKCS12)
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command:
- Path: The path to the PFX file.
- Services The services you wish to activate the certificate for.
Import-ExchangeCertificate -Path c:\mail.fairssl.dk.pfx -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP,None"
Add UM to the services if Unified Messaging is installed.
If you try activating for services that aren't installed the command will fail, so only select the services you want the certificate activated for.
This command will first import the certificate, and then activate the selected services.
If the file is protected with a password you will get a password prompt (see step 4)
Finally you will be asked if you want to overwrite the default SMTP certificate, answer y to this.
- You will be shown a prompt for user name and password. The user name is not actually used, but you still have to write something.
Write none in the user name, and the password used to protect the file in password.
We recommend that you test the installation at: https://www.fairssl.net/en/ssltest
Import a certificate backup file (.PFX/PCKS12)
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command:
- Path: The path to the PFX file.
Import-ExchangeCertificate -Path c:\mail.fairssl.dk.pfx -Password:(Get-Credential).password
- You will be shown a prompt for user name and password. The user name is not actually used, but you still have to write something.
Write none in the user name, and the password used to protect the file in password.
List all certificates installed on the Exchange Server
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command:
Get-ExchangeCertificate
All certificates installed on the Exchange server will be listed with their Thumbprint, Services and Subject
You can execute the following command to get more information about the certificates:
Get-ExchangeCertificate | fl
Activate certificate for specific services
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command:
- Thumbprint: The certificate's ID. (Can be found using the command: Get-ExchangeCertificate).
- Services The services you wish to activate the certificate for.
Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services "IIS,POP,IMAP,SMTP"
Add UM to the services if Unified Messaging is installed.
If you try activating for services that aren't installed the command will fail, so only select the services you want the certificate activated for.
You will be asked if you want to overwrite the default SMTP certificate, answer y to this.
We recommend that you test the installation at: https://www.fairssl.net/en/ssltest
Export certificate to backup file (.PFX/PKCS12)
- Press windowskey and write exch to search for the Exchange Management Shell.
Right click Exchange Management Shell and select Run as administrator.
- Execute the following command:
- Thumbprint: The certificate's ID. (Can be found using the command: Get-ExchangeCertificate).
$file = Export-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Password (Get-Credential).password
- You will be shown a prompt for user name and password.
The user name is not actually used, but you still have to write something.
Write none in the user name, and the password used to protect the file in password.
Click OK.
- Execute the following command to save the certificate to a file:
- Path: The path to where you want to save the PFX file
Set-Content -Path "c:\mail.fairssl.dk.pfx" -Value $file.FileData -Encoding Byte