Recently I’ve been doing a lot of work for clients moving them from older versions of Microsoft Exchange, even as far back as Exchange 2003, to Exchange 2013 or to Microsoft Office 365. I frequently recount to my customers that when I started doing IT work, I used to put Exchange email systems in as part of Small Business Server, usually to the displeasure of the company’s management; most managers were reticent to have email at all, as it was a means for staff to ‘mess about.’

Whether you agree with that sentiment or not, these days any email outage is met with management’s ferocity of attack against the IT department!

One of the things that is worrying me quite a bit is that the SSL certification bodies and the internet security community in general are phasing out the use of intranet names and IP addresses as primary domain names or subject alternative names (SANs) in SSL certificates. You’d think, because Exchange 2013 is so new, that this little grey area would be very clearly handled, but it’s not.

In many of the configuration screens of Exchange you have internal and external URLs. Best practice used to be to have your internal domain name completely unresolvable from the internet (remember yourcompany.local, anyone?). More recently, however, your domain names should be along the lines of corp.yourcompany.com, internal.yourcompany.com or ad.yourcompany.com; anything really, as long as you own yourcompany.com or similar. The rule of thumb really is that you can have anything as long as you own the Top Level Domain (TLD).

This means you can quite rightly go out and purchase an SSL certificate that contains that subject alternative name as well as your external address, i.e. internally your server may be mailserver.internal.yourcompany.com but externally mail.yourcompany.com.

If you’re going to renew any certificate with a .local name or IP address on it at the moment, you’ll have to renew for twelve months; anything longer will take you across the deadline and you’ll have a lot of reconfiguring to do.

One of the quirks of the later versions of Exchange is of course our friend Autodiscover, which will have a good go at working against you when you start reconfiguring too.

First and foremost, I do not think you should change your internal domain name simply to sort this problem with Exchange. Personally, I do think you should begin to plan a domain migration to the format I’ve suggested over a period of time, preferably with an upgrade to the latest version of Windows Server.

To solve your problem initially, you’re going to need to set both the internal and external URLs in Exchange to the same thing. You’re also going to have to set up your internal DNS (split DNS) so that the public name resolves to the server’s internal address, to stop your clients hopping out of the business and coming back in.
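The three steps above (audit the certificate for names a public CA will no longer sign, point every internal and external URL at the public name, and add a split-DNS zone), as an added Exchange Management Shell example that is not from the original post. The server name, public FQDN and internal IP address are placeholders, and the DNS step assumes the DnsServer module on a Windows Server 2012 or later domain DNS server.

```powershell
# Added example (not from the post): run in the Exchange Management Shell on an
# Exchange 2013 server. Names and the IP address below are placeholders.
$Server     = "MAILSERVER"             # Exchange server name (assumed)
$PublicFqdn = "mail.yourcompany.com"   # name on the public SSL certificate
$InternalIp = "192.0.2.10"             # internal address of the server (constructed)

# 1. List certificates still carrying names public CAs are phasing out:
#    anything ending in .local or that is a bare IPv4 address.
Get-ExchangeCertificate -Server $Server | ForEach-Object {
    $bad = $_.CertificateDomains | Where-Object {
        $_ -like "*.local" -or $_ -match '^\d{1,3}(\.\d{1,3}){3}$'
    }
    if ($bad) { "{0}: {1}" -f $_.Thumbprint, ($bad -join ", ") }
}

# 2. Set the internal and external URL of each virtual directory to the same
#    public name, so clients always see a name that is on the certificate.
$Base = "https://$PublicFqdn"
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -InternalHostname $PublicFqdn -ExternalHostname $PublicFqdn `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# 3. Autodiscover: stop the service connection point handing domain-joined
#    Outlook clients the old internal name.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 4. Split DNS: a zone named after the public FQDN only (a "pinpoint" zone) so
#    LAN clients resolve it to the internal address without shadowing the rest
#    of yourcompany.com. Run on a domain DNS server.
Add-DnsServerPrimaryZone -Name $PublicFqdn -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $PublicFqdn -Name "@" -IPv4Address $InternalIp
```

Re-run the step 1 audit after installing the new SAN certificate to confirm no .local name or IP address remains, and run `Get-OutlookAnywhere` and `Get-ClientAccessServer` again to verify the URLs took effect.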

If you’re looking for any help in migrating and developing your Microsoft Exchange infrastructure in more detail, then why not give me a call or go social and we can discuss further.
