Avoiding Server Names in SSL Certificates for Exchange Server 2013

Body:

In a discussion about SSL certificates for Exchange 2013 servers the question of whether to include server names in the SSL certificate often comes up.

In this article I’m going to demonstrate how you can deploy an SSL certificate for a simple Exchange 2013 organization without including the server names in the certificate.

exchange-2013-ssl-hostnames-01 

But first let’s be clear – including server names in your SSL certificate is supported. For many small organizations, particularly those with a single server, it is probably going to be less effort to just include the server name in the certificate.

However, that is not best practice.

In addition to using as few certificates as possible, you should also use as few host names as possible. This practice can save money. Many certificate providers charge a fee based on the number of host names you add to your certificate.

The most important step you can take to reduce the number of host names that you must have and, therefore, the complexity of your certificate management, is not to include individual server host names in your certificate’s subject alternative names.

As Rajith points out here this best practice is important for larger organizations to reduce costs, reduce administrative overheads, and because in larger scale environments services are configured with namespaces that resolve to load-balanced IP addresses and so on.

Since that last point would likely also apply to any organization that has two or more Exchange servers this is a topic worth covering in more detail.

Namespaces for Exchange Server 2013

In Microsoft’s words:

The host names you must include in your Exchange certificates are the host names used by client applications to connect to Exchange.

More specifically, it is the host names client uses to make TLS/SSL connections to Exchange services. Those services include:

  • Outlook Anywhere
  • Outlook Web App
  • Exchange Control Panel
  • Exchange ActiveSync
  • Exchange Web Services
  • Offline Address Book
  • AutoDiscover

POP, IMAP and UM also have certificate requirements but can be enabled to use separate SSL certificates, whereas the above services all use the same certificate. So for this article I will ignore POP, IMAP and UM.

Sticking to a simple scenario we will plan to use one namespace for all of the services. So the hostnames/URLs to be configured are:

  • Outlook Anywhere – mail.exchange2013demo.com
  • Outlook Web App – https://mail.exchange2013demo.com/owa
  • Exchange Control Panel – https://mail.exchange2013demo.com/ecp
  • Exchange ActiveSync – https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync
  • Exchange Web Services – https://mail.exchange2013demo.com/EWS/Exchange.asmx
  • Offline Address Book – https://mail.exchange2013demo.com/OAB
  • AutoDiscover – https://mail.exchange2013demo.com/Autodiscover/Autodiscover.xml

Split DNS for Exchange Server 2013

For many organizations the use of  split DNS for your Exchange namespace goes hand in hand with eliminating server names from SSL certificates.

Split DNS allows your internal clients to receive a different answer to their DNS lookups than an external client would receive. In effect you have your Exchange namespace (in this example exchange2013demo.com) hosted on your internal DNS server, with records configured to point to internal IP addresses.

[PS] C:>Resolve-DnsName mail.exchange2013demo.com

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
mail.exchange2013demo.com                      A      3600  Answer     192.168.0.187
mail.exchange2013demo.com                      A      3600  Answer     192.168.0.188

If you’re wondering why mail.exchange2013demo.com has two A records it is because I am using DNS round robin to load balance the name, as demonstrated in this article on Client Access server high availability.

Meanwhile you also have the Exchange namespace hosted on your public DNS servers, with records configured to point to external IP addresses.

C:>nslookup mail.exchange2013demo.com

Non-authoritative answer:
Name:    mail.exchange2013demo.com
Address:  58.7.203.81

Configuring Hostnames and URLs in Exchange Server 2013

Although some of the hostnames and URLs are configurable using the Exchange Admin Center, some others require you to use PowerShell. So for the sake of simplicity I will use PowerShell to configure all of the services.

Remember we are looking at a simple scenario of two servers in a single site as shown in the diagram above, so you will see me piping commands such as Get-OWAVirtualDirectory into other commands to administer multiple objects at the same time.

Note: If you have multiple servers in different sites then you may wish to configure servers individually instead of in bulk, as different sites may have different namespace requirements in your organization.

Configuring Outlook Anywhere

To review the current configuration use Get-OutlookAnywhere.

[PS] C:>Get-OutlookAnywhere | Select Server,ExternalHostname,Internalhostname

Server ExternalHostname InternalHostname
------ ---------------- ----------------
E15MB1                  mail.exchange2013demo.com
E15MB2                  mail.exchange2013demo.com

I’ve already configured the internal host name for Outlook Anywhere in my test lab, but you might see your server’s host names in there instead.

To configure the internal and external host names use Set-OutlookAnywhere.

[PS] C:>Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.exchange2013demo.com -InternalHostname mail.exchange2013demo.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Note that in addition to setting the host names you must also explicitly set the SSL requirement for both internal and external clients (default for internal is False, which is fine, but I am enforcing it in this example), and either a default authentication method or an external authentication method (set to NTLM in this example).

Configuring Outlook Web App

To review the current configuration use Get-OWAVirtualDirectory.

[PS] C:>Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

Server      : E15MB1
ExternalUrl : https://mail.exchange2013demo.com/owa
InternalUrl : https://e15mb1.exchange2013demo.com/owa

Server      : E15MB2
ExternalUrl : https://mail.exchange2013demo.com/owa
InternalUrl : https://e15mb2.exchange2013demo.com/owa

To configure the URLs use Set-OWAVirtualDirectory.

[PS] C:>Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/owa -InternalUrl https://mail.exchange2013demo.com/owa

WARNING: You've changed the InternalURL or ExternalURL for the OWA virtual directory. Please make the same change for
the ECP virtual directory in the same website.

WARNING: You've changed the InternalURL or ExternalURL for the OWA virtual directory. Please make the same change for
the ECP virtual directory in the same website.

Configuring the Exchange Control Panel

As you can see when configuring the OWA URLs the ECP URLs must be configured to match. To configure the ECP URLs use the Set-ECPVirtualDirectory cmdlet.

[PS] C:>Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/ecp -InternalUrl https://mail.exchange2013demo.com/ecp

I needed to perform an IISreset on my servers for this one to take effect properly.

Configuring Exchange ActiveSync

To review the existing configuration use Get-ActiveSyncVirtualDirectory.

[PS] C:>Get-ActiveSyncVirtualDirectory | select server,externalurl,internalurl | fl

Server      : E15MB1
ExternalUrl :
InternalUrl : https://e15mb1.exchange2013demo.com/Microsoft-Server-ActiveSync

Server      : E15MB2
ExternalUrl :
InternalUrl : https://e15mb2.exchange2013demo.com/Microsoft-Server-ActiveSync

To configure the new URLs use Set-ActiveSyncVirtualDirectory.

[PS] C:>Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync

Configuring Exchange Web Services

To review the existing configuration use Get-WebServicesVirtualDirectory.

[PS] C:>Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

Server      : E15MB1
ExternalUrl : https://mail.exchange2013demo.com/EWS/Exchange.asmx
InternalUrl : https://e15mb1.exchange2013demo.com/EWS/Exchange.asmx

Server      : E15MB2
ExternalUrl : https://mail.exchange2013demo.com/EWS/Exchange.asmx
InternalUrl : https://e15mb2.exchange2013demo.com/EWS/Exchange.asmx

To configure the new URLs use Set-WebServicesVirtualDirectory.

[PS] C:>Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/EWS/Exchange.asmx -InternalUrl https://mail.exchange2013demo.com/EWS/Exchange.asmx

Configuring the Offline Address Book

To review the existing configuration use Get-OABVirtualDirectory.

[PS] C:>Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

Server      : E15MB1
ExternalUrl :
InternalUrl : https://e15mb1.exchange2013demo.com/OAB

Server      : E15MB2
ExternalUrl :
InternalUrl : https://e15mb2.exchange2013demo.com/OAB

To configure the new URLs use Set-OABVirtualDirectory.

[PS] C:>Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/OAB -InternalUrl https://mail.exchange2013demo.com/OAB

Configuring the AutoDiscover SCP

The final configuration is the AutoDiscover service connection point. Unlike the other host names and URLs this is not configured on a virtual directory (don’t be fooled by the URLs shown when you run Get-AutoDiscoverVirtualDirectory).

Instead we need to use Get-ClientAccessServer to see the existing configuration.

[PS] C:>Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI

Name   AutoDiscoverServiceInternalUri
----   ------------------------------
E15MB1 https://e15mb1.exchange2013demo.com/Autodiscover/Autodiscover.xml
E15MB2 https://e15mb2.exchange2013demo.com/Autodiscover/Autodiscover.xml

To configure the new URI use Set-ClientAccessServer.

[PS] C:>Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.exchange2013demo.com/Autodiscover/Autodiscover.xml

Configuring an SSL Certificate

With all of the namespaces configured the next steps are:

  1. Generate a Certificate Request for Exchange 2013 that only includes the minimum required names (in this case mail.exchange2013demo.com and autodiscover.exchange2013demo.com).
  2. Submit the certificate request to your chosen CA to acquire the SSL certificate. I recommend Digicert for their competitive pricing, good support, flexible licensing, and free re-issues if you happen to make an error. Or if you’re using a private CA refer to these steps.
  3. Complete the pending certificate request
  4. Export/import an SSL certificate to multiple Exchange 2013 servers (if you have multiple servers)
  5. Assign the SSL certificate to services in Exchange 2013

Testing the New Configuration

To be confident that the new configuration is working you can run a series of tests.

  1. On a client with no existing Outlook profile launch Outlook and confirm that the profile is configured automatically and without any certificate warnings.
  2. Use the Outlook “Connection Status” dialog to verify that Outlook is connecting only to the namespaces you configured.
  3. Use the “Test E-Mail AutoConfiguration” test in Outlook to verify all services are accessible without error.
  4. Connect to OWA internally and externally and verify there are no certificate warnings.
  5. Within OWA navigate to Options and make a change such as enabling out of office.
  6. Connect to the Exchange Admin Center and verify it works without certificate warnings.
  7. Run external tests using the Remote Connectivity Analyzer website.

Source: http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/

Category: Servers; How to do
Published: 10/10/2013 16:33
]]>