Re: Exchange SSL Connection warning message

From: Jonathan G. Lampe (jonathan@stdnet.com)
Date: 08/14/02


Date: Wed, 14 Aug 2002 11:54:49 -0500
To: "David Adams" <dadams@johncrowley.co.uk>
From: "Jonathan G. Lampe" <jonathan@stdnet.com>

Hi David...

   This message is easy to believe, but it probably has more to do with DNS
than NAT. If I understand this correctly...

- You have a server named "internal.mycomp.com" at address "10.1.1.1"
- You have a valid certificate for "internal.mycomp.com"
- You NAT "10.1.1.1" to "1.2.3.4" for the outside world.
- The outside world EITHER...
   - Connects BY IP ADDRESS to "1.2.3.4"
   - Connects BY HOSTNAME to "external.mycomp.com" (which maps to "1.2.3.4")

So...EITHER...
   - Your clients are complaining because they are connecting to "1.2.3.4"
and the certificate they see is really for "internal.mycomp.com"
   - Your clients are complaining because they are connecting to
"external.mycomp.com" and the certificate they see is really for
"internal.mycomp.com"

To fix this...
   - Make sure your clients are connecting to you BY HOSTNAME, not BY IP
ADDRESS
   - AND, EITHER...
     - Run a "split DNS" so your internal clients can map
"internal.mycomp.com" to "10.1.1.1" while your external clients
map "internal.mycomp.com" to "1.2.3.4"
     - Get a SECOND certificate for "external.mycomp.com" (you may also
have to set up a second web interface, site, etc. to convince your server
to cough up one cert for internal users and one for external users)

Hope this helps,

- Jonathan Lampe (some letters here)
- jonathan@stdnet.com

At 08:14 AM 8/14/2002, you wrote:
>I have set up SSL on my exchange server which is sitting behind a DMZ
>firewall. Incoming POP3S requests are redirected with a NAT rule to the
>exchange server. Everything is working fine but when I check mail with
>Outlook or Outlook Express I get a warning message that states "The server
>that you are connected to is using a security certificate that does not
>match its internet address". I have searched TechNet and must be blind or
>something because I cannot find an explanation for what is happening. I
>think it's because I'm using my own enterprise root CA but how do I go
>about telling my workstations that they can trust this certificate? I have
>tried importing the certificate into my trusted certificates store in
>Internet Explorer but that had no effect.
>
>Thanks
>
>
>Dave Adams
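The name check behind the warning, as an added example that is not part of the original thread: a mail client compares the name (or IP literal) the user typed against the names in the server's certificate, and the address that NAT or DNS actually delivered the connection to never enters into it. The certificate objects and the split-DNS tables below are constructed to mirror the scenario in the thread (internal.mycomp.com, 10.1.1.1, 1.2.3.4, external.mycomp.com); the matching rules are the usual CN/subjectAltName rules (exact label match, a single leftmost "*" wildcard that does not cross a dot, IP literals only matched against IP SANs), not code from Outlook or Exchange.

```python
"""Simulate the POP3S name check from the thread: connect by IP or by
hostname, resolve through an inside or outside DNS view, and compare
what the user typed against the certificate.  Constructed example."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    common_name: str
    dns_names: list = field(default_factory=list)     # subjectAltName dNSName
    ip_addresses: list = field(default_factory=list)  # subjectAltName iPAddress

    def names(self):
        # With no SAN entries the client falls back to the CN, which is all
        # a 2002-era enterprise-CA certificate would typically carry.
        return self.dns_names or [self.common_name]


def _label_match(pattern, host):
    """Case-insensitive DNS name match; only a leftmost '*' label is a
    wildcard and it matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert, target):
    """True if `target` (what the user typed into the mail client) is
    covered by the certificate.  An IP literal never matches a DNS name."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_label_match(n, target) for n in cert.names())
    return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)


# Constructed scenario: one Exchange box, one certificate, NAT in front.
INTERNAL_CERT = Cert(common_name="internal.mycomp.com")
SPLIT_DNS = {  # view -> {name -> address}
    "inside":  {"internal.mycomp.com": "10.1.1.1"},
    "outside": {"internal.mycomp.com": "1.2.3.4",
                "external.mycomp.com": "1.2.3.4"},
}


def connect_and_check(cert, target, view):
    """Resolve `target` in the given DNS view (or use it as-is when it is
    an IP literal) and run the name check.  Returns (address, ok).
    Resolution never influences `ok`: the comparison is against `target`,
    which is why reaching the NAT address by IP, or by a second hostname,
    still produces the warning."""
    try:
        ipaddress.ip_address(target)
        address = target
    except ValueError:
        address = SPLIT_DNS[view][target]
    return address, cert_matches(cert, target)


def scenario():
    """The two failing cases Jonathan lists, then the two fixes."""
    r = {}
    r["by_ip"] = connect_and_check(INTERNAL_CERT, "1.2.3.4", "outside")
    r["by_external_name"] = connect_and_check(INTERNAL_CERT, "external.mycomp.com", "outside")
    # Fix 1: split DNS, every client types internal.mycomp.com
    r["split_dns_inside"] = connect_and_check(INTERNAL_CERT, "internal.mycomp.com", "inside")
    r["split_dns_outside"] = connect_and_check(INTERNAL_CERT, "internal.mycomp.com", "outside")
    # Fix 2: a certificate that also names the external hostname (one cert
    # with both names in its SANs does the job of the "second certificate")
    both = Cert("internal.mycomp.com",
                dns_names=["internal.mycomp.com", "external.mycomp.com"])
    r["second_name_in_cert"] = connect_and_check(both, "external.mycomp.com", "outside")
    return r


if __name__ == "__main__":
    for case, (addr, ok) in scenario().items():
        print(f"{case:22s} -> {addr:10s} {'OK' if ok else 'WARNING: name mismatch'}")
```

Note that this is a separate check from chain trust: importing the enterprise root CA makes the client trust the issuer, but the name comparison above still fails if the typed name is not in the certificate, so the warning in the thread survives a correct trust-store import.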