Exchange 2016-2019 SSL administration


Selection of DNS names to be included in an Exchange SAN SSL

 

Exchange uses several DNS names, and every one of them must be covered by the SSL certificate that clients connect to. Microsoft therefore recommends a Subject Alternative Name (SAN) certificate, also sold as a Unified Communications (UC) certificate, which covers multiple DNS names in a single certificate.

Exchange is designed to use a single SSL certificate containing all the DNS names the server uses, both internally and externally. It is possible to get Exchange working with a wildcard or single-name certificate, but only at the expense of some functionality and with extra configuration.

Even when a wildcard certificate has been activated on the server, Exchange cannot use it for SMTP, POP3 and IMAP4: for those services it selects a certificate by matching the service's configured name against the names in the certificate, the exact name is not present in a wildcard certificate, and the server therefore falls back to the self-signed certificate it created during installation.

For the server to work optimally, the certificate must contain every DNS name used to reach the server, from the internet as well as from the local network. In addition it must contain autodiscover.<domain> for every domain users send email from.

That is:

  • The DNS names pointing at the server from the internet. E.g. mail.fairssl.dk
  • The DNS names pointing at the server from the local network. E.g. exch01.fairssl.dk or mail.fairssl.dk
  • autodiscover.<domain> for every domain used in users' primary (outgoing) email addresses, e.g. autodiscover.fairssl.dk

The autodiscover name lets clients fetch their Exchange configuration automatically, which simplifies client setup both internally and externally. There must be an autodiscover name for every email domain users send from, i.e. the domain of their primary email address.

Keep renewing the internal (self-signed) Exchange certificate as well. The server continues to use it, for example for internal SMTP between Exchange servers, even after an external certificate has been activated.

 

Standard - 1 email domain

 

This is the typical configuration: a single domain for outgoing email and one DNS name that is used both internally and externally to reach the server.

The following names should be added to the certificate:

  • mail.fairssl.dk
  • autodiscover.fairssl.dk

Because only one public domain (fairssl.dk) appears in the certificate, a domain validated (DV) SAN certificate can be used.

 

Extended - Several email domains or server names

 

An organisation with several outgoing email domains, e.g. user@fairssl.dk and user@fairssl.net, needs an autodiscover DNS name for each outgoing domain.

In addition, the server might be reached internally as exch01.fairssl.dk and externally as webmail.fairssl.dk.

The following names need to be added to the SSL certificate:

  • webmail.fairssl.dk
  • exch01.fairssl.dk
  • autodiscover.fairssl.dk
  • autodiscover.fairssl.net

Because names from two different domains (fairssl.dk and fairssl.net) appear in the certificate, the SAN certificate must support multiple domains, not just multiple host names under one domain.

 

Change from internal to internet valid server names

 

When Exchange is installed, the default configuration uses the server's internal DNS name for internal communication. Publicly trusted certificate authorities are, however, no longer allowed to issue certificates containing internal names or private IP addresses. Since Exchange can bind only one certificate to each service, the certificate must contain externally valid DNS names, and Exchange must be configured to use those names internally as well.

Examples of internal DNS names that cannot appear in a public certificate:

  • server01
  • exch01.fairssl.local
  • srv01.fairssl.lan
  • localhost
  • 192.168.100.10
  • 10.0.0.10

It is a requirement that the Exchange server can be reached both internally and externally on one or more DNS names, and that Exchange is configured with these names in its service URLs.

 

We suggest one of the following two popular solutions:

 

Split DNS

A single DNS name, e.g. webmail.fairssl.dk, resolves to the internal IP address of the Exchange server on the internal network and to the external IP address from the internet.

If you do not want to maintain the whole domain as a split zone, create a zone named after the single host (webmail.fairssl.dk) on the internal DNS servers. The split is then limited to that one name, while all other names in fairssl.dk continue to resolve via the public DNS.

See Configuration of Split DNS

Afterwards follow the Configuration of internal and external Exchange service URL addresses

Two DNS names

Create one DNS name for internal access and another for external access. This is common for organisations that have a subdomain of their public domain for internal use, e.g. internal.fairssl.dk.

They could then have webmail.fairssl.dk pointing at the external IP address and exch01.internal.fairssl.dk pointing at the internal address. Both names must be included in the certificate.

 

Afterwards follow the Configuration of internal and external Exchange service URL addresses

 

Configuration of Split DNS

 

  1. Log in to a domain controller with an administrator account.

  2. Press the Windows key + R and type the following command to open DNS Manager:

dnsmgmt.msc

  3. Right click Forward Lookup Zones.

Click New Zone.

  4. Click Next.

Select Primary zone and Store the zone in Active Directory if this option is available.

Click Next.

  5. Select To all DNS servers running on domain controllers in this forest.

Click Next.

  6. Type in the DNS name the internal DNS should answer for (e.g. mail.fairssl.dk).

You can also use the whole domain (e.g. fairssl.dk) as the zone name, but then you must create a host record for every DNS name in that domain (see step 10), because the internal DNS servers will no longer forward queries for the domain to the public DNS.

Click Next.

  7. Select Allow only secure dynamic updates.

Click Next.

Click Finish.

  8. Right click the new forward lookup zone and click New Host (A or AAAA).

  9. Leave Name blank (the record then applies to the zone name itself, e.g. mail.fairssl.dk).

Type in the internal IP address of the Exchange server.

If you have created, or plan to create, a reverse lookup zone, check Create associated pointer (PTR) record; otherwise leave it unchecked.

Click Add Host.

  10. If you chose to create a zone for the entire domain, you must also create a host record for every other DNS name you use in the domain (e.g. www.fairssl.dk, vpn.fairssl.dk, login.fairssl.dk), pointing at their normal addresses. For the Exchange name:

Type the host part of the DNS name in Name (e.g. mail).

Type in the internal IP address of the Exchange server.

If you have created, or plan to create, a reverse lookup zone, check Create associated pointer (PTR) record; otherwise leave it unchecked.

Click Add Host.
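The same single-host split zone can be created and, more importantly, verified from PowerShell on the domain controller. The following is an added example, not part of the original guide; it uses the DnsServer module that ships with the DNS Server role. The host name, internal address and the public resolver used for comparison are placeholders taken from the guide's examples.

```powershell
# Added example: create the single-host split DNS zone from PowerShell and confirm that the name
# resolves to the internal address inside and to the public address outside. Placeholders below.
$SplitName  = "webmail.fairssl.dk"   # the one public name that must resolve differently internally
$InternalIP = "192.168.100.10"       # internal IP of the Exchange server (placeholder)
$PublicDns  = "8.8.8.8"              # any resolver outside your network, used only for comparison

# One zone per host name keeps the rest of fairssl.dk resolving via the public DNS (the guide's
# "sub-zone" approach). Equivalent to steps 3-7 above: AD-integrated, forest-wide, secure updates only.
if (-not (Get-DnsServerZone -Name $SplitName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $SplitName -ReplicationScope Forest -DynamicUpdate Secure
}

# A blank Name in the GUI corresponds to "@" here: the A record sits on the zone apex.
# Add -CreatePtr if you maintain a reverse lookup zone.
if (-not (Get-DnsServerResourceRecord -ZoneName $SplitName -Name "@" -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $SplitName -Name "@" -IPv4Address $InternalIP
}

# Verification: the internal resolver must return the internal address, the public one must not.
$inside  = @((Resolve-DnsName -Name $SplitName -Type A -Server $env:COMPUTERNAME).IPAddress)
$outside = @((Resolve-DnsName -Name $SplitName -Type A -Server $PublicDns).IPAddress)
"{0}: internal={1} external={2}" -f $SplitName, ($inside -join ","), ($outside -join ",")

if ($inside -notcontains $InternalIP) {
    Write-Warning "Internal lookup did not return $InternalIP; check the zone and AD replication."
}
if ($outside -contains $InternalIP) {
    Write-Warning "Public lookup returned the internal address; the private IP has leaked into public DNS."
}
```

Run it on a domain controller; other internal clients will see the new answer once their DNS cache expires, so allow for the old TTL before testing from a workstation.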

 

 

Configuration of internal and external Exchange service URL addresses

 

  1. Log in to the Exchange server with an administrator account.

  2. Right click Exchange Management Shell.

Click Run as Administrator.

  3. Run the following command to list the Exchange server names:

Get-ExchangeServer | fl name

  4. Run the following command to set the variables used in the remaining steps.

SERVERNAME is the name you found in step 3. INTERNALURL is the internal DNS name of the Exchange server, e.g. exch01.fairssl.dk or mail.fairssl.dk. EXTERNALURL is the external DNS name of the Exchange server, e.g. mail.fairssl.dk. Both are bare host names without https://. Keep the double quotes around all three values:

$CASserver = "SERVERNAME" ; $internalURL = "INTERNALURL" ; $externalURL = "EXTERNALURL"

  5. Run the following commands to change the service URLs to the internet-valid names (step 6 has the same commands collected into a single line):

Get-AutodiscoverVirtualDirectory -Server $CASserver | Set-AutodiscoverVirtualDirectory -InternalUrl "https://$internalURL/Autodiscover/Autodiscover.xml" -ExternalUrl "https://$externalURL/Autodiscover/Autodiscover.xml"

Get-ClientAccessService -Identity $CASserver | Set-ClientAccessService -AutodiscoverServiceInternalUri "https://$internalURL/Autodiscover/Autodiscover.xml"

Get-WebServicesVirtualDirectory -Server $CASserver | Set-WebServicesVirtualDirectory -InternalUrl "https://$internalURL/Ews/Exchange.asmx" -ExternalUrl "https://$externalURL/Ews/Exchange.asmx"

Get-OabVirtualDirectory -Server $CASserver | Set-OabVirtualDirectory -InternalUrl "https://$internalURL/Oab" -ExternalUrl "https://$externalURL/Oab"

Get-OwaVirtualDirectory -Server $CASserver | Set-OwaVirtualDirectory -InternalUrl "https://$internalURL/Owa" -ExternalUrl "https://$externalURL/Owa"

Get-EcpVirtualDirectory -Server $CASserver | Set-EcpVirtualDirectory -InternalUrl "https://$internalURL/Ecp" -ExternalUrl "https://$externalURL/Ecp"

Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$internalURL/Microsoft-Server-ActiveSync" -ExternalUrl "https://$externalURL/Microsoft-Server-ActiveSync"

  6. The following is the commands from step 5 collected into a single line for easy copy/paste. If you have already run step 5 there is no need to run this:

Get-AutodiscoverVirtualDirectory -Server $CASserver | Set-AutodiscoverVirtualDirectory -InternalUrl "https://$internalURL/Autodiscover/Autodiscover.xml" -ExternalUrl "https://$externalURL/Autodiscover/Autodiscover.xml" ; Get-ClientAccessService -Identity $CASserver | Set-ClientAccessService -AutodiscoverServiceInternalUri "https://$internalURL/Autodiscover/Autodiscover.xml" ; Get-WebServicesVirtualDirectory -Server $CASserver | Set-WebServicesVirtualDirectory -InternalUrl "https://$internalURL/Ews/Exchange.asmx" -ExternalUrl "https://$externalURL/Ews/Exchange.asmx" ; Get-OabVirtualDirectory -Server $CASserver | Set-OabVirtualDirectory -InternalUrl "https://$internalURL/Oab" -ExternalUrl "https://$externalURL/Oab" ; Get-OwaVirtualDirectory -Server $CASserver | Set-OwaVirtualDirectory -InternalUrl "https://$internalURL/Owa" -ExternalUrl "https://$externalURL/Owa" ; Get-EcpVirtualDirectory -Server $CASserver | Set-EcpVirtualDirectory -InternalUrl "https://$internalURL/Ecp" -ExternalUrl "https://$externalURL/Ecp" ; Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$internalURL/Microsoft-Server-ActiveSync" -ExternalUrl "https://$externalURL/Microsoft-Server-ActiveSync"
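Once the URLs are set, the useful check is whether every host name Exchange now advertises is actually present in the certificate you intend to activate; a name that is missing produces a certificate warning in Outlook or on a phone. The following is an added example, not part of the original guide, to be run in the Exchange Management Shell. $CASserver and $Thumbprint are placeholders. It goes slightly beyond the steps above by also reading the MAPI/HTTP and Outlook Anywhere host names, which the guide does not set but which clients validate against the same certificate.

```powershell
# Added example: compare the host names in all Exchange service URLs with the names in a certificate.
# $CASserver and $Thumbprint are placeholders; the thumbprint comes from Get-ExchangeCertificate.
$CASserver  = "SERVERNAME"
$Thumbprint = "THUMBPRINT"

function Test-NameCovered {
    # True if $HostName is listed in $Names exactly, or matched by a single-label wildcard (*.example).
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($name in $Names) {
        $n = $name.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)                                           # ".fairssl.dk"
            $label  = $h.Substring(0, [Math]::Max(0, $h.Length - $suffix.Length))
            if ($h.EndsWith($suffix) -and $label -and $label -notmatch "\.") { return $true }
        }
    }
    return $false
}

function Get-ExchangeServiceHostNames {
    # Host part of every internal/external URL set above, plus MAPI/HTTP and Outlook Anywhere.
    param([string]$Server)
    $uris = @()
    foreach ($v in @(Get-AutodiscoverVirtualDirectory -Server $Server
                     Get-WebServicesVirtualDirectory  -Server $Server
                     Get-OabVirtualDirectory          -Server $Server
                     Get-OwaVirtualDirectory          -Server $Server
                     Get-EcpVirtualDirectory          -Server $Server
                     Get-ActiveSyncVirtualDirectory   -Server $Server
                     Get-MapiVirtualDirectory         -Server $Server)) {
        $uris += $v.InternalUrl, $v.ExternalUrl
    }
    $uris += (Get-ClientAccessService -Identity $Server).AutodiscoverServiceInternalUri
    $hosts = @($uris | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host })
    $oa = Get-OutlookAnywhere -Server $Server
    $hosts += "$($oa.InternalHostname)", "$($oa.ExternalHostname)"
    $hosts | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

$cert    = Get-ExchangeCertificate -Server $CASserver -Thumbprint $Thumbprint
$covered = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @()
foreach ($h in Get-ExchangeServiceHostNames -Server $CASserver) {
    if (Test-NameCovered -HostName $h -Names $covered) { "OK       $h" }
    else { "MISSING  $h"; $missing += $h }
}
if ($missing) {
    Write-Warning ("Clients will get certificate name errors for: {0}. Add these names to the SAN list or change the service URL." -f ($missing -join ", "))
}
if (-not $cert.HasPrivateKey) { Write-Warning "No private key for this certificate on $CASserver; complete the request on the server that created the CSR." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)." }
```

Run it before activating the certificate and again after every change to the service URLs; any .local or .lan name that survived the steps above shows up as MISSING, since no public certificate can contain it.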

 

Generating CSR for certificate order

 

  1. Log in to the Exchange server with an administrator account.

  2. Press the Windows key.

Type Exchange ad in the search box.

Start Exchange Administrative Center.

  3. Type in your administrator user name and password.

Click sign in.

  4. Click servers on the left.

Click certificates in the top right corner.

Select the server where you want to create the CSR if there are multiple servers.

Click the + icon in the middle.

  5. Select Create a request for a certificate from a certification authority.

Click Next.

  6. Give the certificate a friendly name so you can recognise it later, e.g. the DNS name.

Click Next.

  7. Make sure Request a wildcard certificate is not checked.

Click Next.

  8. Click Browse and select the server that should store the request (and the private key that is generated together with it).

Click Next.

  9. This page lists the DNS names the different services are accessed on, internally and externally, as currently configured.

If any of them is a .local name or similar, change them as described in Configuration of internal and external Exchange service URL addresses. It is fine to finish creating the CSR first and change them afterwards.

Click Next.

  10. Remove the DNS names you do not use and add any that are missing, so that the list matches the selection of DNS names described at the top of this page. These names become the SAN entries of the certificate.

Click Next.

  11. Fill out the organisation details:

    • Organization name (O): The full legal name of the organisation, exactly as registered in CVR. E.g.: FairSSL A/S
    • Department name (OU): The department that will use the certificate. It must not be a name that could be mistaken for another organisation. We suggest leaving it blank or repeating the organisation name, e.g. FairSSL A/S. Publicly trusted CAs no longer include the OU field in issued certificates, so whatever you enter here may be dropped.
    • City/Locality (L): City name. E.g.: Ørum Djurs
    • State/Province (S): State or region; in Denmark the municipality is used. E.g.: Norddjurs
    • Country/Region name (C): The country where the organisation is registered. E.g.: Denmark

Click Next.

  12. Type in the network path (UNC) where the CSR file should be saved; the wizard does not accept a local path. E.g. \\EX2016\c$\www.fairssl.dk.csr saves the file as c:\www.fairssl.dk.csr on the Exchange server.

Click Finish.

  13. Open the CSR file with a text editor (e.g. Notepad) and copy the entire text, including the dashed BEGIN and END lines.

During the certificate ordering process you paste this text into the CSR field.

The following is an example of a complete CSR text:

A CSR contains only the public key, the requested names and the organisation details, signed with the private key, which never leaves the server. It holds nothing confidential, so there is no security risk in sending it by unencrypted email or similar.
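The same request can be produced from the Exchange Management Shell, which is easier to repeat and to audit than the wizard. The following is an added example, not part of the original guide. The server name, friendly name, subject values, SAN list and UNC path are placeholders taken from the examples on this page; adjust them to your own names. After writing the file it dumps the request with certutil so you can confirm the SAN list before you paste it into the order form.

```powershell
# Added example: create the CSR (and its private key) from the Exchange Management Shell, then
# inspect the request before sending it to the CA. All values below are placeholders.
$Server   = "EX2016"
$Friendly = "mail.fairssl.dk"
$SanNames = "mail.fairssl.dk", "autodiscover.fairssl.dk"   # every name from the selection above
$Subject  = "c=DK, s=Norddjurs, l=Ørum Djurs, o=FairSSL A/S, cn=mail.fairssl.dk"
$ReqPath  = "\\EX2016\c$\mail.fairssl.dk.csr"             # UNC path, like the wizard requires

# The private key is generated on $Server and never leaves it. -PrivateKeyExportable $true is what
# later allows the certificate to be backed up as a .PFX (see the export section).
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -FriendlyName $Friendly `
           -SubjectName $Subject -DomainName $SanNames -KeySize 2048 -PrivateKeyExportable $true

# New-ExchangeCertificate returns the PEM text of the request; PEM is pure ASCII.
[System.IO.File]::WriteAllText($ReqPath, $csr, [System.Text.Encoding]::ASCII)

# Confirm exactly what you are about to send: subject, key length and the Subject Alternative Names.
$dump = certutil.exe -dump $ReqPath
$dump | Select-String -Pattern "Subject:", "Public Key Length", "Subject Alternative Name", "DNS Name="

# The request now also shows as a pending request on the server, waiting for the issued certificate.
Get-ExchangeCertificate -Server $Server | Where-Object { $_.Status -eq "PendingRequest" } |
    Format-Table Thumbprint, FriendlyName, CertificateDomains -AutoSize
```

Keep the pending request on the server until the certificate arrives: deleting it discards the private key, and the issued certificate can then never be completed.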

 

Import of intermediate certificate (Intermediate Certificate Authority)

 

The following shows how to import an intermediate certificate on a Windows machine, and therefore also on an Exchange server. The intermediate certificate must be installed on the Exchange server so that the server sends the complete chain and clients can build a path from your server certificate, through the intermediate CA, to a root they trust.

Windows sometimes installs the intermediate certificate automatically when the server certificate is installed. Installing it again does no harm; you will just get a message that it is already present.

If you install the certificate from a .PFX/PKCS12 file you do not need to install the intermediate certificate separately, as it is included in the .PFX file, provided the file was exported together with the chain (which the Exchange export does).

  1. Log in to the Exchange server with an administrator account.

Copy the intermediate certificate text from the email with your new certificate and paste it into a text editor (e.g. Notepad). Save the file on the Desktop as intermediate.cer.

  2. Press the Windows key + R.

Type mmc.exe.

Click OK.

  3. Click File and then Add/Remove Snap-in.

  4. Select Certificates.

Click Add.

  5. Select Computer account.

Click Next.

  6. Select Local computer.

Click Finish.

Click OK.

  7. Expand Certificates (Local Computer) and then Intermediate Certification Authorities.

Right click Certificates.

Select All Tasks.

Click Import.

  8. Click Browse and select the file you saved on the Desktop.

Click Next.

  9. Select Automatically select the certificate store based on the type of certificate (or Place all certificates in the following store with Intermediate Certification Authorities selected).

Click Next.

Click Finish.

Here you can find the intermediate certificates from different Certificate Authorities.

We recommend that you use the intermediate certificate delivered together with your server certificate, and only download one from here if you have lost it; the one in the email is always the correct one for your server certificate.

Intermediate certificates

 

Intermediate certificates

 

Installation of certificate from CSR

 

It is important to install the certificate on the server where the CSR (Certificate Signing Request) was created, because that is where the private key is.

The private key was generated as part of creating the CSR, and completing the pending request is what ties the issued certificate to that private key. A certificate installed on any other server will have no private key and cannot be activated for services.

  1. Save the certificate as a file in a location the server can reach via a network path.

     E.g. \\EX2016\c$\mail.fairssl.dk.cer

  2. Press the Windows key.

Type Exchange ad in the search box.

Start Exchange Administrative Center.

  3. Type in your administrator user name and password.

Click sign in.

  4. Click servers on the left.

Click certificates in the top right corner.

  5. Select the server where you wish to install the certificate if there are multiple servers.

Click the friendly name you gave the request when you created the CSR; its status shows Pending request.

Click Complete on the right.

  6. Type in the network path to the certificate file.

You must use a network path (UNC), even if the file is on a local disk.

Click OK.

  7. The certificate is now installed on the Exchange server, and its status changes from Pending request to Valid in the overview.

 

We recommend that you test the installation with our server tester at: https://www.fairssl.net/en/ssltest

 

Import of certificate from backup file (.PFX/PCKS12)

 

  1. Log in to the Exchange server with an administrator account.

  2. Press the Windows key.

Type Exchange ad in the search box.

Start Exchange Administrative Center.

  3. Type in your administrator user name and password.

Click sign in.

  4. Click servers on the left.

Click certificates in the top right corner.

  5. Select the server where you wish to install the certificate if there are multiple servers.

Click the three dots under the server name.

Click Import Exchange certificate.

  6. Type in the network path to the .PFX file.

You must use a network path (UNC), even if the file is on a local disk.

If the file is password protected, enter the password now. If you used the CSR service, you received the password by SMS.

  7. Click the + icon.

Select the server(s) you want to import the certificate to.

Click Finish.

 

 

Activate the certificate for selected services

 

  1. Log in to the Exchange server with an administrator account.

  2. Press the Windows key.

Type Exchange ad in the search box.

Start Exchange Administrative Center.

  3. Type in your administrator user name and password.

Click sign in.

  4. Click servers on the left.

Click certificates in the top right corner.

  5. Select the server where the certificate is installed if there are multiple servers.

  6. Select the certificate you want to activate services for.

Click the edit (pencil) icon.

  7. Click services on the left.

Select the services the certificate should be used for: IIS covers Outlook on the web, EAC, Autodiscover, EWS, ActiveSync and Outlook connectivity; SMTP covers TLS on mail connections; select POP and IMAP only if those services are in use.

Click Save.

  8. If you selected SMTP, a prompt asks whether you want to overwrite the current SMTP certificate.

Click Yes.

 

 

We recommend that you test the installation with our server tester at: https://www.fairssl.net/en/ssltest
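The three procedures above (importing the intermediate certificate, completing the pending request and activating services) can be done in one pass from an elevated Exchange Management Shell on the server that created the CSR, and the result can be checked locally without an external tester. The following is an added example, not part of the original guide. The server name and file paths are placeholders matching the examples on this page.

```powershell
# Added example: install the intermediate, complete the pending request, activate IIS and SMTP,
# then verify that the chain builds to a trusted root. Run on the server that created the CSR.
$Server        = "EX2016"
$CertFile      = "\\EX2016\c$\mail.fairssl.dk.cer"              # the issued certificate from the CA
$IntermediateF = "$env:USERPROFILE\Desktop\intermediate.cer"    # saved from the CA's email

# 1. Intermediate CA into the computer's Intermediate Certification Authorities store (same as the MMC steps).
Import-Certificate -FilePath $IntermediateF -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 2. Complete the pending request: pairs the issued certificate with the private key generated for the CSR.
$cert = Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes($CertFile))
if (-not $cert.HasPrivateKey) {
    throw "No private key for this certificate on $Server; import it on the server where the CSR was created."
}

# 3. Activate. -Force answers the "overwrite the default SMTP certificate?" prompt the EAC shows.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# 4. Verify: the chain must build from the leaf through the intermediate to a trusted root.
function Test-CertificateChain {
    param([string]$Thumbprint)
    $leaf  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($leaf)
    [pscustomobject]@{
        Valid    = $ok
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = @($chain.ChainStatus   | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}
$result = Test-CertificateChain -Thumbprint $cert.Thumbprint
$result.Elements | ForEach-Object { "  chain: $_" }
if (-not $result.Valid) { Write-Warning ("Chain does not validate: " + ($result.Status -join "; ")) }

# 5. Which certificate each service now uses. The self-signed one keeps only what you did not move.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, @{n="Names"; e={ $_.CertificateDomains -join "," }} -AutoSize
```

If the chain output shows only the leaf certificate, the intermediate is missing or the wrong one was imported; clients will then see an "issuer not trusted" error even though the server certificate itself is valid.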

 

Export certificate to backup file (.PFX/PKCS12)

 

  1. Log in to the Exchange server with an administrator account.

  2. Press the Windows key.

Type Exchange ad in the search box.

Start Exchange Administrative Center.

  3. Type in your administrator user name and password.

Click sign in.

  4. Click servers on the left.

Click certificates in the top right corner.

  5. Select the server you wish to export the certificate from if there are multiple servers.

Select the certificate you want to export.

Click the three dots under the server name.

Click Export Exchange certificate.

  6. Type in the network path where you want to save the .PFX file.

You must use a network path (UNC), even if the folder is on a local disk.

Type a password to protect the file. You will need it when you import the file on another server, so make sure you can recover it.

Click OK.

Unlike a CSR, the .PFX file contains the private key together with the certificate, so it is sensitive: anyone with the file and the password can impersonate your mail server. Store it where only administrators have access, use a strong password, and do not send the file and the password through the same channel.
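The export and the matching import on a second server can also be scripted, which avoids typing the password into a web form and lets you lock down the file immediately. The following is an added example, not part of the original guide, for the Exchange Management Shell; the server names, thumbprint and path are placeholders.

```powershell
# Added example: export the certificate with its private key to a password-protected .PFX, restrict
# the file to administrators, then import and activate it on a second Exchange server. Placeholders below.
$SourceServer = "EX2016"
$TargetServer = "EX2016-2"
$Thumbprint   = "THUMBPRINT"
$PfxPath      = "\\EX2016\c$\backup\mail.fairssl.dk.pfx"

# Prompt rather than hard-code the password; it stays a SecureString for the whole run.
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Export. FileData holds the PKCS#12 bytes; a key created as non-exportable cannot be exported at all.
$export = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint -BinaryEncoded -Password $PfxPassword
[System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)

# The file now contains the private key: replace inherited permissions with Administrators only.
$acl = Get-Acl $PfxPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow")))
Set-Acl $PfxPath $acl

# Import on the other server. The intermediate travels inside the .PFX, so no separate import is needed.
$imported = Import-ExchangeCertificate -Server $TargetServer -Password $PfxPassword -PrivateKeyExportable $true `
                -FileData ([System.IO.File]::ReadAllBytes($PfxPath))
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $imported.Thumbprint -Services IIS, SMTP -Force

# Same certificate, with private key, on both servers?
if ($imported.Thumbprint -ne $Thumbprint) { Write-Warning "Thumbprint mismatch after import." }
Get-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint |
    Format-List Thumbprint, HasPrivateKey, Services, CertificateDomains, NotAfter
```

Delete the .PFX from the share once every server has imported it, or move it to offline storage; a backup that stays on a file share is the most common way an Exchange private key ends up copied.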