We recently migrated from Exchange 2003 to 2010. Half of our Outlook users run Outlook from a terminal server that is in the same domain as Exchange. The other half of the Outlook installations are on laptops that are not on the domain. They usually use OpenVPN to connect to Exchange (and also to other services), but occasionally, when they are somewhere where most outgoing ports are blocked (mostly hotels), they use Outlook Anywhere.
We have 2 certificates: one for 'ourexchangeserver', self-signed, and the other for '*.ourexternaldomain.tld', signed by StartCom.
By opening EMC > Server Configuration > Exchange Certificates, we can assign IMAP, POP, SMTP and IIS services to a given certificate.
The problem is that RPC also seems to use this same certificate. So when we assign the wildcard certificate to IIS, we can access OWA externally without any security alerts, but Outlook displays a security alert that the host name is invalid (does not match the "issued to" field on the presented certificate).
When we assign the self-signed certificate to IIS, it's the other way around: Outlook doesn't complain, but the browser displays the same security alert when visiting OWA.
My certificate provider (StartCom) does not allow me to generate a certificate issued to a host with missing or nonexistent domain part.
Would it be possible to configure Exchange 2010 with these 2 certificates so that OWA would present the public certificate and RPC traffic would be covered by the self-signed certificate?
The usual answers to this problem are:
The special certificates have multiple Subject Alternate Names on them so they can be valid for a variety of names. Presumably, both your internal and external names for your OWA and RPC services.
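Added example (not from the question or the answer above): an Exchange Management Shell script that shows why the two-certificate split in the question is not available and what to check instead. Exchange 2010 binds a single certificate to the Default Web Site, and that one certificate is presented for OWA, Autodiscover, EWS, OAB and Outlook Anywhere alike, so the practical fix is to make every host name Outlook will compare against that certificate match it: either a SAN certificate that lists the internal and external names, or, when the CA will not issue internal names, public names under the wildcard that also resolve internally (split DNS). The script audits the names currently configured against the certificate enabled for IIS, then applies the split-DNS variant. The server name `ourexchangeserver`, the public name `mail.ourexternaldomain.tld`, the wildcard `*.ourexternaldomain.tld` and the `Test-NameCovered` helper are assumptions for illustration; substitute your own.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell
# on Exchange 2010. Names below are assumed placeholders.
$Server     = "ourexchangeserver"           # assumed: internal name of the CAS
$PublicName = "mail.ourexternaldomain.tld"  # assumed: a name the wildcard cert covers
$Wildcard   = "*.ourexternaldomain.tld"     # assumed: subject of the StartCom cert

# 1. The certificate bound to IIS. Only one certificate is bound to the Default
#    Web Site on 443, so OWA, EWS, OAB, Autodiscover and Outlook Anywhere share it.
$iisCert   = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match "IIS" }
$certNames = @($iisCert.CertificateDomains)   # subject plus any SAN entries

# 2. Every host name a client will compare against that certificate. Domain-joined
#    Outlook finds Autodiscover through the SCP (AutoDiscoverServiceInternalUri) and
#    then uses the InternalUrl of EWS/OAB; Outlook Anywhere uses ExternalHostname.
$names = @(
    (Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl,
    (Get-WebServicesVirtualDirectory -Server $Server).ExternalUrl,
    (Get-OABVirtualDirectory -Server $Server).InternalUrl,
    (Get-OABVirtualDirectory -Server $Server).ExternalUrl
) | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host }
$names += (Get-OutlookAnywhere -Server $Server).ExternalHostname

# Helper (assumed, not an Exchange cmdlet): does a subject/SAN list cover a host name?
# A wildcard entry matches exactly one DNS label, so *.ourexternaldomain.tld covers
# mail.ourexternaldomain.tld but neither 'ourexchangeserver' nor a.b.ourexternaldomain.tld.
function Test-NameCovered([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith("*.")) {
            $suffix = $d.Substring(2)
            if ($Name -like "*.$suffix" -and
                $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
        }
    }
    return $false
}

"IIS certificate: $($iisCert.Subject)  [$($certNames -join ', ')]"
$names | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $state = if (Test-NameCovered $_ $certNames) { "covered" } else { "NOT covered -> Outlook name warning" }
    "{0,-45} {1}" -f $_, $state
}

# 3. Split-DNS fix: point every URL at the public name (which internal DNS must
#    resolve to the CAS), set Outlook Anywhere to the same name, and tell the
#    Outlook Anywhere provider to accept the wildcard principal name.
Set-ClientAccessServer $Server -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$PublicName/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
Get-OABVirtualDirectory -Server $Server |
    Set-OABVirtualDirectory -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -ExternalHostname $PublicName
Set-OutlookProvider EXPR -CertPrincipalName "msstd:$Wildcard"
Enable-ExchangeCertificate -Thumbprint $iisCert.Thumbprint -Services IIS
```

Run the audit part first and only apply step 3 once internal DNS answers for the public name; the `Set-OutlookProvider EXPR -CertPrincipalName msstd:...` line is the step that is specific to wildcard certificates, since Outlook Anywhere otherwise expects the exact host name in the certificate's principal name. `Test-OutlookWebServices` afterwards confirms that Autodiscover, EWS and OAB answer under names the certificate covers.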