Elan does a pretty good job of covering the topic, although I don’t necessarily agree with all of his comments about what is a best practice, or not.

http://www.shudnow.net/?s=autodiscoverinternaluri

In short, if Exchange 2007 or 2010 (does not apply to 2013), and the SCP points to an internal host, then Exchange and Outlook will use a self-signed certificate.

From: [email protected] [mailto:[email protected]] On Behalf Of Candee
Sent: Monday, June 22, 2015 1:50 PM
To: [email protected]
Subject: Re: [Exchange] Fwd: Internal / external certs

Thank you. I thought I was the only one whose head was going to asplode.

On Mon, Jun 22, 2015 at 1:43 PM, Doug Barrett <[email protected]> wrote:

This is interesting. Please clarify, so if the internal Exchange hostname (Exchange 2010) is referenced as mail.domain.local, and we install a 3rd party cert on the server for the external hostname extmail.domain.com, again assuming both names are pointing to the same server, Outlook would know this and not have issues? Or am I reading that incorrectly?

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Monday, June 22, 2015 12:18 PM
To: [email protected]
Subject: RE: [Exchange] Fwd: Internal / external certs

Whoa. Hold on.

Outlook “knows” when it is connecting to an internal address via an external address. For internal addresses, Outlook will use a self-signed cert. It’s only external connections that need a third-party cert.

That being said, I prefer split-brain DNS.

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
Sent: Monday, June 22, 2015 1:11 PM
To: Micheal Espinola Jr
Subject: RE: [Exchange] Fwd: Internal / external certs

Plus one.

On Jun 22, 2015 11:40 AM, "Richard Stovall (RDI)" <[email protected]> wrote:

Split brain DNS, as much as Ben hates it, may be your answer here.

From: [email protected] [mailto:[email protected]] On Behalf Of Candee
Sent: Monday, June 22, 2015 12:21 PM
To: [email protected]
Subject: [Exchange] Fwd: Internal / external certs

Hi everyone. I am updating our Exchange certificates, and we can no longer use our internal .local. There are no plans to change our AD; so I'm trying to find the best way to do this. If I just point our internal EWS, etc, to the external URL, is that going to work? I found a few posts that say yes; but a few that say that Outlook Anywhere will stop working. Anyone have any experience with this one? Hints?

Thanks!!
Candee
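Added example, not from the thread or from any of its posters: a PowerShell inventory for the Exchange Management Shell that answers Candee's question for one Exchange 2010 Client Access Server, by listing every hostname Outlook can be handed (the SCP URI, each virtual directory's InternalUrl/ExternalUrl, the Outlook Anywhere external name) and reporting whether an IIS-bound certificate covers it, and whether that certificate is self-signed or third-party. The server name in $Server and the helper Test-NameOnCert are assumptions of this example.

```powershell
# Added example (not from the thread): which names does this CAS hand to clients,
# and is each one on a certificate that IIS actually presents?
$Server = 'EX2010-CAS01'   # placeholder: your Client Access Server name

function Test-NameOnCert([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        # a wildcard entry covers exactly one extra label: *.domain.com -> mail.domain.com
        if ($d.StartsWith('*.') -and $Name -like $d -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Collect every URL/hostname a client can be given by this server
$urls = @()
$urls += (Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri   # the SCP value
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $Server) +
                @(Get-OABVirtualDirectory -Server $Server) +
                @(Get-ActiveSyncVirtualDirectory -Server $Server) +
                @(Get-OwaVirtualDirectory -Server $Server) +
                @(Get-EcpVirtualDirectory -Server $Server)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$names = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host })
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) { $names += $oa.ExternalHostname.ToString() }

# 2. Only certificates with the IIS service enabled matter for Autodiscover/EWS/OAB/OA
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }

# 3. Report per name; self-signed coverage is flagged separately because the thread
#    treats it as acceptable for internal connections only
foreach ($n in ($names | Sort-Object -Unique)) {
    $cert = $iisCerts | Where-Object { Test-NameOnCert $n $_.CertificateDomains } |
            Select-Object -First 1
    $status = if (-not $cert) { 'NOT ON ANY IIS CERT' }
              elseif ($cert.IsSelfSigned) { 'self-signed only' }
              else { "ok ($($cert.Issuer.Split(',')[0]))" }
    '{0,-40} {1}' -f $n, $status
}
```

A .local name showing up as "NOT ON ANY IIS CERT" after the third-party certificate is installed is exactly the case the thread is discussing: either that URL is changed to the external name (with split-brain DNS resolving it internally) or it stays on the self-signed certificate.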
