Re: Exchange SSL Connection warning message

From: Jonathan G. Lampe (jonathan@stdnet.com)
Date: 08/14/02


Date: Wed, 14 Aug 2002 11:54:49 -0500
To: "David Adams" <dadams@johncrowley.co.uk>
From: "Jonathan G. Lampe" <jonathan@stdnet.com>

Hi David...

   This message is easy to believe, but it probably has more to do with DNS
than NAT. If I understand this correctly...

- You have a server named "internal.mycomp.com" at address "10.1.1.1"
- You have a valid certificate for "internal.mycomp.com"
- You NAT "10.1.1.1" to "1.2.3.4" for the outside world.
- The outside world EITHER...
   - Connects BY IP ADDRESS to "1.2.3.4"
   - Connects BY HOSTNAME to "external.mycomp.com" (which maps to "1.2.3.4")

So...EITHER...
   - Your clients are complaining because they are connecting to "1.2.3.4"
and the certificate they see is really for "internal.mycomp.com"
   - Your clients are complaining because they are connecting to
"external.mycomp.com" and the certificate they see is really for
"internal.mycomp.com"

To fix this...
   - Make sure your clients are connecting to you BY HOSTNAME, not BY IP
ADDRESS
   - AND, EITHER...
     - Run a "split DNS" so your internal clients can map
"internal.mycomp.com" to "10.1.1.1" while your external clients
map "internal.mycomp.com" to "1.2.3.4"
     - Get a SECOND certificate for "external.mycomp.com" (you may also
have to set up a second web interface, site, etc. to convince your server
to cough up one cert for internal users and one for external users)

Hope this helps,

- Jonathan Lampe (some letters here)
- jonathan@stdnet.com

At 08:14 AM 8/14/2002, you wrote:
>I have set up SSL on my Exchange server which is sitting behind a DMZ
>firewall. Incoming POP3S requests are redirected with a NAT rule to the
>Exchange server. Everything is working fine but when I check mail with
>Outlook or Outlook Express I get a warning message that states "The server
>that you are connected to is using a security certificate that does not
>match it's internet address". I have searched TechNet and must be blind or
>something because I cannot find an explanation for what is happening. I
>think it's because I'm using my own enterprise root CA but how do I go
>about telling my workstations that they can trust this certificate? I have
>tried importing the certificate into my trusted certificates store in
>Internet Explorer but that had no effect.
>
>Thanks
>
>
>Dave Adams
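
The name check behind the warning discussed in this thread, as an added example that is not part of the original messages: it compares the name a client connects by against the names in a certificate, using the hostnames and addresses from the reply above. The function names are hypothetical, the certificate is a constructed sample shaped like Python's `ssl.SSLSocket.getpeercert()` output, and the matching is simplified; it also goes beyond the thread's case by handling wildcard and IP address entries.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_matches(cert, connect_name):
    """cert: dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(connect_name):
        # An IP address matches only an 'IP Address' entry, never a DNS name.
        target = ipaddress.ip_address(connect_name)
        return any(k == "IP Address" and ipaddress.ip_address(v) == target
                   for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:
        # No DNS entries: fall back to the subject commonName (legacy behaviour).
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return any(_dns_match(p, connect_name) for p in dns)

# Constructed sample: a certificate issued to the internal name only.
CERT = {"subject": ((("commonName", "internal.mycomp.com"),),)}

def audit(cert, names):
    """Map each name a client might connect by to whether the cert covers it."""
    return {n: cert_matches(cert, n) for n in names}

if __name__ == "__main__":
    names = ["1.2.3.4", "external.mycomp.com", "internal.mycomp.com"]
    for name, ok in audit(CERT, names).items():
        print(f"{name:22} {'ok' if ok else 'NAME MISMATCH warning'}")
```

Only the name is checked here; whether the client trusts the issuing CA is a separate validation step.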


