NPS Certificate with Internal Domain

Similar Messages

• How to block incoming mail with internal domain as sender

  Hi all,
  Ironport accept incoming mail to internal domains defined in the RAT without verify the sender domain is the same internal domain.
  To avoid this I have used a message filter to drop those mails. I can't use the bounce command to avoid to be considered a spammer.
  Is there a way to reject those mails with a 5xx error message?
  Thanks in advance.
  Regards,
  Andrea

  Securegroup,
  jloehler is absolutely correct, when I configure appliances (personally I use a 1 listener config) I set the Default Mailflow Policy to Use the Exception Table ("On") and insure that all incoming mail policies (anything with the ACCEPT action) is set to "Use Default" for this parameter. Then I double check to insure that the RELAY policy is set to "Off" because you don't want to reject outbound messages due to the Exception Table.
  Once I've verified that the RELAY is off and Inbound policies are "On" I then populate my exception table with all the internal domains and specify the reject action. Now a quick take away is that the Exception Table only performs the rejection based on the SMTP MAIL FROM not the "From:" header internal to the message itself.
  Now with all that said it never fails that there is some internal group that uses 3rd party marketing which spoofs the internal domains so I usually create a new incoming mail flow policy with the Exception Table turned "Off" and create a Sender Group call DOMAINSPOOFLIST which are IPs and Domain names that I allow to spoof internal e-mail addresses with the new mail policy assigned to it.
  And that's it.
  Sincerely,
  Jay Bivens
  IronPort Systems

• Work folders - certificates with .local domain

  Hello,
  We'd like to deploy Work folders in our domain.local environment.
  Technet states that the certificate name should be the public URL workfolders.domainname and that for every file server a SAN needs to be listed. I was wondering how we need to implement Work folders as you can't add local server names anymore to public certificates.
  For us, the public URL would be workfolders.company.eu and the server name is fileserver.company.local. Anyone already built a setup like this?

  Hi Bram
  Here is what i did.
  in the situation, you have mydomain.local as your domain, but mydomain.com as your normal pubic domain.
  I added workfolders.mydomain.com to my public DNS as an A record and point to the IP of that record to  the gateway of my internet on my local server.
  In my case, my local server would have been server.mydomain.local. I created a new zone in my AD DNS server called workfolders.mydomain.com. in there i create a blank A record with the ip of my local server.
  in my router i portfoward port 443 to my ip of server.mydomain.local.
  In IIS managament of the local server create a certificate request for workfolders.mydomain.com
  obatian an SSL certificate for workfolders.mydomain.com from a place like godaddy.com and install in IIS and bind to port 443. You should only have the IIS core web services installed and NOT the full IIS.
  when you setup workfolders on the clients, choose to enter an address and type https://workfolders.mydomain.com.
  When you are local and you ping workfolders.mydomain.com it should point to the local server because of the A record you created local.
  When you are out of the office, the public domain will then route to your server via your router and find the server.
  This has worked for me and all syncs fine both local and over the internet

• MSExchangeTransport 12014 3rd Party SSL Certificate does not match internal domain name.

  I have a co-existance of Exchange 2003 and Exchange 2010 and after installing a new 3rd party cert I'm getting The following error.   All mail is flowing and OWA is working. 
  Microsoft Exchange could not find a certificate that contains the domain name Exchange.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCHANGE with a FQDN parameter
  of Exchange.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate
  exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
  Our GoDaddy UC SAN cert is not allowed to have .local SAN names, so I have no way of adding it to the cert.   Is it possible for me to install a local CA and generate a self signed cert for the personal store or would it be better to disable
  TLS for the receive connector?  

  Change the name on the Receive Connector (2010) or on the SMTP Virtual Server (2003) to match the name in the new certificate. One of them is sending the "exchange.domain.local" in the 220 banner when it accepts a connection.
  --- Rich Matheisen MCSE&I, Exchange MVP

• How to setup Autodiscovery for .local internal domains with Exchange 2013

  Hi,
  I need to know about how i set autodiscovery in local domain.I have local domain eg
  abc.local and domin which i received the emails externally is  xyz.com.
  I have deployed Exchange2013 recently with same above scenario inbound and outbound mails are working fine using OWA.But outlook clients cannot connect to Exchange server with in the LAN. 
  Please help me out how set auto discovery in local domain and another help i need how i configure the self sign certificate in this scenario.   

  You cannot use a self signed cert for RPC/HTTP connections (which is how the Outlook client is connecting exchange2013). Please check this http://social.technet.microsoft.com/Forums/exchange/en-US/aed4ede9-57c3-44c3-90b4-bdfb3a7f017d/exchange-2013-self-signed-certs-and-outlook-client-access?forum=exchangesvrgeneral 
  But you can use a certificate from an internal CA which you can install in your network issue a certificate for exchange. Please check this it will help you manage internal certificates for a PC and for a domain.  http://technet.microsoft.com/en-us/library/cc754841.aspx
  You dont need to configure autodiscover for internal domain added clients. If you have clients on the network which are not members of the domain, using Exchange, this could be Windows, MACs or mobile devices, then you should ensure that autodiscover.example.com
  resolves internally to the Exchange server via a split DNS system. http://exchange.sembee.mobi/network/split-dns.asp
  Please configure your external and internal URLs as well
  http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
  I recommend to buy a 3rd party certificate as it may create issue for external clients e.g.Outlook anywhere
  Thanks, MAS
  Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Server 2012 - Can't access external website from internal domain with same name. Tried everything.

  Hello All.
  I have read loads of forums and tried numerous fixes and configurations, but nothing seems to work and I am extremely frustrated at this point.
  I have a client where I setup Server 2012 Standard with Exchange 2013. After reading best practice documentation for DNS naming and reasons not to use ".LOCAL" I opted to use ".com.na" in which case the Internal Domain Name and Internet
  Website now has the same name.
  When attempting to open the extarnal website eg. "www.company.com.na" from a client PC within the internal "company.com.na" Domain, I keep getting error "403 - Forbidden: Access is denied. You do not have permission to view this
  directory or page using the credentials that you supplied."
  I should also mention, the website is hosted by an ISP and not locally.
  I added a "www" Host record in the Forward Lookup Zone, I have added the url and ip address to the Hosts file on a client pc (Windows 7) and even tried setting up Split-Brains DNS. Nothing seems to work.
  Running a Tracert takes me to the correct public ip address of the website, but I keep getting this 403 error.
  I am so sick and tired of this issue that iI am at the point of backing up the Exchange and re-rolling the entire server with the ".local" DNS domain name. I have a mirror setup in a VMWare environment and simply using "rendom" to rename
  the domain seems to cause new issues with Exchange connectivity.
  Any pointers and help will be greatly appreciated.
  Thanks in advance.
  Hentie Loots

  I opted to use ".com.na" in which case the Internal Domain Name and Internet Website
  now has the same name.
  This ends up with a split-DNS stup for internal and external resolution which requires extra administration tasks and attention from the administrators.
  When attempting to open the extarnal website eg. "www.company.com.na" from a client PC within the internal "company.com.na" Domain, I keep getting error "403 - Forbidden: Access is denied. You do not have permission to view
  this directory or page using the credentials that you supplied."
  I should also mention, the website is hosted by an ISP and not locally.
  I added a "www" Host record in the Forward Lookup Zone, I have added the url and ip address to the Hosts file on a client pc (Windows 7) and even tried setting up Split-Brains DNS. Nothing seems to work.
  Running a Tracert takes me to the correct public ip address of the website, but I keep getting this 403 error.
  This means that you are able to reach the Website but it is responding with the access denied error message. That should be checked on the middleware level so if this is IIS running then I would recommend asking them in IIS forum: http://forums.iis.net/
  If this is a Website that is completely managed by your ISP then I would recommend checking with them.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Cant Launch Firefox from Mac with UTF8 International Domain name

  From a Mac running OSX 10.7, I Launch Firefox with a UTF-8 string containing an international domain name:
  I try to launch http://www.vihtilä.fi and Firefox responds: Can’t connect to http://www.vihtil\xc3\xa4.fi but the address bar string is correct. If I copy the address bar string, and paste it back into the address bar, then hit enter, the site opens. Safari and Chrome launch the correct site.
  \xc3\xc4 is the UTF8 representation of 'ä'
  Firefox on Windows works correctly, but I pass it a WCHAR (UTF16) name.

  That is weird.<br />
  The forum makes a correct and working link (www.vihtilä.fi) via preview, but changes the URL to the escaped encodeURI version when it is posted.
  I can't replicate what you are doing, but the page opens via a desktop shortcut with "<b>-url http://www.vihtilä<i></i>.fi</b>" command line parameter.

• CA stops Internal domain names for certificates

  I have got this information from digicert http://www.digicert.com/internal-names.htm  is there any way to ensure all clients works properly.
  Should we have to change our internal domain names to external ones, this will be a problem and visible. It gives us insecured feeling.
  Experts please throw your views.
  Thanks!
  Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

  Hi,
  Thanks for the great information from Andy.
  Following is some detailed information on Split DNS, just for your reference:
  Split-brain DNS is known by a number of names, for example, split DNS or split-horizon DNS. Simply, it describes a DNS configuration where there are two DNS zones with the same namespace – but one DNS zone services internal-only requests, and the other
  DNS zone services external-only requests. However, many of the DNS SRV and A records contained in the internal DNS will not be contained in the external DNS, and the reverse is also true. In cases where the same DNS record exists in both the internal and external
  DNS (for example, www.contoso.com), the IP address returned will be different based on where (internal or external) the query was initiated.
  Hope it is helpful
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Mail Service With Internal vs External Domain Question

  I have a SLS setup with a private domain ex: server.acmewidgets.private
  The local dns resolves correctly
  I have a static IP for this server and I would like it to handle the email for my domain which is ex: acmewidgets.com
  (Currently acmewidgets.com has been having it's website and email handled by an external source)
  Do I need to reinstall the SLS with the domain server.acmewidgets.com to get the email working correctly? Or do I simply just point the MX Records to the static IP of server.acmewidgets.private?
  If I do not need to reinstall, what needs to be done to create the flow of email in and out of the SLS?

  No need to re-install Snow Leopard Server, you will need however to configure a few things.
  First up you will need to configure the Mail service to accept mail for this external domain as at the moment it will be configured to only accept mail for your local domain.
  In *Server Admin*, go to the Mail section and click on Advanced, now click on Hosting. In the hosting section you can add as many domains as you like for the mail server to accept mail for, the simplest way is to add the domains as virtual hosts.
  Point your external MX records to the address for the server so that mail will be directed to your server. If your server is on a fixed external IP address then all done.
  If your server is behind a firewall and on a private IP address you will need to forward port 25 on your firewall to the Snow Leopard Server. If you are also running DNS you should create a new Zone for your external domain with MX records that point to your Snow Leopard Server as clients will need to know that your server is the final delivery destination for that domain. If your server really is on a live fixed external IP address this step is not necessary.

• 802.1x PEAP Windows 2008 NPS Certificate

  I've setup a centrally switched SSID on a 5508 WLC utilising 802.1x PEAP authentication to a pair of Windows 2008 NPS which authenticate the PEAP username and password to our Active Directory domain.
  Currently the Windows 2008 NPS servers are utilsing a server certificate issued from our internal Certificate Authority with the certificate being presented to the device upon connection depending upon which server the WLC sends the authentication too. The servers names on the internally issued certificate are in the form of:
  Server01.domain.local
  Server02.domain.local
  Due to these certificates being internally issued certificates when some devices specifically Apple iPad and iPhones connect to the SSID initally they are prompted to accept the certificate but it is listed as not verified as its issued by an internal domain CA and not an external root certificate authority.
  I am going to be obtaining an external root CA issued certificate for both servers to replace the internally issued certifcates however I notice using the internal certificate if I connect a device to the SSID and accept the certificate of server with certificate name server01.domain.local and then if disable the ability for clients to connect to server01 the WLC will automatically forward the authentication connection to the next server on the list however as this server is presenting a different certificate "server02.domain.local" devices which are conducting certificate validation will fail to connect as the certificate does not match the previously accept certificate.
  Does anyone know a way around this?
  Will adding say server02.domain.local as an additional name to the certificate for server01.domain.local resolve this issue?

  Hi,
  Please confirm the Win7 clients has renew the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
  More information:
  Renew a Certificate
  http://technet.microsoft.com/en-us/library/cc730605.aspx
  NPS Server Certificate: Configure the Template and Autoenrollment
  http://msdn.microsoft.com/en-us/library/cc754198.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SSL Renewal - internal domain error

  Hi,
  We renewed our certificate with Godaddy and was not allowed to include internal domains. The rules seemed to have changed. We have Exchange 2010.
  In outlook we are now getting an error:
  server01.mycompany.local
  TICK
  TICK
  X The name on the security certificate is invalid or does not match the name of the site
  Do you want to proceed?
  This topic first appeared in the Spiceworks Community

  Yep. In April this year the common rules that most CAs adhere to changed to state exactly this.  No more something.local certs would be issued.  I also think that Chrome and maybe Firefox will drop support of these certs too, sometime in the next 6 - 18 months. 
  And so you get that error.  Your options are limited now to:
  Live with it.  Not ideal but an option.Deploy your own internal CA, get all your internal systems to trust it as a root CA and then issue your internal certs.  Not sure of your exchange config, so this could be really painful to implement.  Internal CAs are not trivial things at the best of times.
  Rename your domain.  Hmm ...Build a new domain for exchange to live in, or migrate everything to it. I'm probably missing options too.

• Integrating Exchange 2013 & Lync Server 2013: can't use a certificate with Seth-AuthConfig

  I'm trying to integrate Exchange and Lyn Server. One of the first steps is to bind a correct certificate to IIS on all of the CAS servers and set it as a main certificate in the global AuthConfig object. The certificate must be the same on all of the
  CAS servers because the autodiscover.domain.local DNS record points to all of them, and Lync Server uses this FQDN to access Exchange servers. The thumbprint of this certificate must be specified in Set-AuthConfig command run on an Exchange server.
  We have an internal enterprise CA. I generated a certificate on one of the CAS servers and bound it to all of the Exchange services. Then I exported it, imported it on the second CAS server and bound it to all of the services as well. Now Exchange correctly uses
  it for OWA, for example, and IE gives no security warnings when I connect to OWA.
  However, whenever I run Set-AuthConfig command on any server, it keeps telling me that
  The certificate with thumbprint XXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyNotAccessible).
  The key IS accessible - I can export the certificate along with its private key. What's wrong?

  Here's the answer.
  It seems that the -Server switch in the Set-AuthConfig command is only used to specify where you want to look for the certificate with the given thumbprint. However, it's impossible to predict which Exchange server will actually perform the operation
  (the Server switch doesn't influence it a bit). It could be ANY server, even a mailbox one with no CAS role at all. And, of course, another Exchange server has no access to the certificate store of the CAS server where the certificate is actually stored. It
  was exactly the case in my environment.
  So in order to enable this certificate you must import it on ALL of your Exchange servers. You need't (and even shouldn't) enable it for any services on your mailbox servers if you don't want to, just import it.

• Follow up - DNS (internal domain has same name as external website)

  Hi,
  I am following up with on previous blog entry about resolving an domain internal name to an external website found here:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/4d97325b-ff3a-4f46-ba6e-dc3f4ff978e1/dns-internal-domain-has-same-name-as-external-website
  On October 30, 2014
  HayashiTech provided a response suggesting the use of netsh interface portproxy on the DC's to resolve this issue. There has been no feedback to this suggestion and I am very curious what opinions are out there for this suggestion as it appears to be the
  best option provided yet.
  Thank you in advance as well for all the great guidance I have found provided by Ace and his followers.

  Interesting question. I've not seen that solution before, but having done a test on my lab setup it certainly seems to work as expected. Eg, using :
  netsh interface portproxy add v4tov4 listenport=80 listenaddress=dc1.abc.com connectport=80 connectaddress=www.abc.com
  on my DC where I've setup a working external domain name with the www record pointing to the website, and the non-www record pointing to the DC, requests to the non-www address are successfully being redirected to the www address (after confirming it didn't
  happen prior to adding the portproxy).
  So on the face of it that does look like a workable solution. I haven't used it myself in anger obviously, but the two downsides I can think of immediately to this solution are :
  1) This operates as a proxy, so unlike the IIS method that Ace mentioned where it would tell the client to go to the www address instead (so the client connects direct), this method keeps your DC acting as a middle man, eg all communications to that address
  go through your DC rather than direct from the client to the website. Depending on what they're doing on the website this may or may not be an issue for you.
  2) Since the client is continuing to connect to the DC throughout, if you ever did need the have something on the DC responding to port 80 then you could have issues. That said, according to
  https://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx the portproxy listenaddress can be a FQDN rather than IP, so that could mitigate any issues there.

• Changing the internal domain to a subdomain -- Help!

  Hello, so I have a huge project coming up and i was wondering if someone had some experience on this that could give me some advice.
  So,  started working on this company that has an internal domain called.. lets say abc.com  and external alphabetaghama.org   ..  the problem we have is that we cannot get certs for our internal domain for public access like our exchange
  server fqdn for example is exchange.abc.com ... Someone else owns abc.com which prompted my new boss to fix this and now i have a project to change our internal domain to match our external but I know that the best practice is to have a
  subdomain as the internal domain and I think that's the route my boss wants to go with..  which brings me to my question.
  What will I have to do to get this accomplished... our external domain name is really just a forward zone and i dont have a forest so does that mean that i will have to build a alphabetaghama.org forest and add a subdomain like corp.alphabetaghama.org 
  for our internal and then migrate everything over? 
  We currently have exchange 2007 with 2008R2 DC's..  our new domain would be on 2012R2 DCs with the same exchange server..
  Sorry if something doesn't make sense, I'm a little new to a major project like this...

  Hi,
  This really depends on the requirements. As the Domain restructure is a huge project, we'd better have some experts with good experenses at hand. And if the problem (to get public access) is solved,  it is recommended to have a good consideration
  if the rebuilding is needed.
  Regarding the internal domain name, maybe you want to have a look into the below MS article:
  How Domain Rename Works
  http://technet.microsoft.com/en-us/library/cc738208(v=WS.10).aspx
  For your reference:
  ADMT Guide: Migrating and Restructuring Active Directory Domains
  http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
  One thing to mind is ADMT tool may cannot
  be installed on a Windows Server 2012 DC, so please make sure in the target domain we have a Windows Server 2008 DC to be the ADMT server.
  ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012
  http://support.microsoft.com/kb/2753560
  Hope this may help
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Best practices of having a different external/internal domain

  In the midst of migrating from a joint Windows/Mac server environment to a completely Apple one. Previously, DNS was hosted on the Windows machine using the companyname.local internal domain. When we set up the Apple server, our Apple contact created a new internal domain, called companyname.ltd. (Supposedly there was some conflict in having a 10.5 server be part of a .local domain - either way it was no worries either way.) Companyname.net is our website.
  The goal now is to have the Leopard server run everything - DNS, Kerio mailserver, website, the works. In setting up the DNS on the Mac server this go around, we were advised to just use companyname.net as the internal domain name instead of .ltd or .local or something like that. I happen to like having a separate local domain just for clarity's sake - users know if they are internal/external, but supposedly the Kerio setup would respond much better to just the one companyname.net.
  So after all that - what's the best practice of what I should do? Is it ok to have companyname.net be the local domain, even when companyname.net is also the address to our external website? Or should the local domain be something different from that public URL? Or does it really not matter one way or the other? I've been running companyname.net as the local domain for a week or so now with pretty much no issues, I'd just hate to hit a point where something breaks long term because of an initial setup mixup.
  Thanks in advance for any advice you all can offer!

  Part of this is personal preference, but there are some technical elements to it, too.
  You may find that your decision is swayed by the number of mobile users in your network. If your internal machines are all stationary then it doesn't matter if they're configured for companyname.local (or any other internal-only domain), but if you're a mobile user (e.g. on a laptop that you take to/from work/home/clients/starbucks, etc.) then you'll find it a huge PITA to have to reconfigure things like your mail client to get mail from mail.companyname.local when you're in the office but mail.companyname.net when you're outside.
  For this reason we opted to use the same domain name internally as well as externally. Everyone can set their mail client (and other apps) to use one hostname and DNS controls where they go - e.g. if they're in the office or on VPN, the office DNS server hands out the internal address of the mail server, but if they're remote they get the public address.
  For the most part, users don't know the difference - most of them wouldn't know how to tell anyway - and using one domain name puts the onus on the network administrator to make sure it's correct which IMHO certainly raises the chance of it working correctly when compared to hoping/expecting/praying that all company employees understand your network and know which server name to use when.
  Now one of the downsides of this is that you need to maintain two copies of your companyname.net domain zone data - one for the internal view and one for external (but that's not much more effort than maintaining companyname.net and companyname.local) and make sure you edit the right one.
  It also means you cannot use Apple's Server Admin to manage your DNS on a single machine - Server Admin only understands one view (either internal or external, but not both at the same time). If you have two DNS servers (one for public use and one for internal-only use) then that's not so much of an issue.
  Of course, you can always drive DNS manually by editing the zone files directly.