RESET Forums (homeservershow.com)

Anywhere Access and sub domains



AA is set up and works; however, I am able to access it through server.mydomain.net AND mydomain.net. When asked for the SSL cert I used the one I had for mydomain.net, as I don't have one for server.mydomain.net yet. What do I do when I want to put up a website on the root domain? Will I lose AA?


The server is running 2012 R2 with the Essentials Role installed. The server also acts as DHCP/DNS as well as backup for two PCs in the domain.

Edited by DannyKlenz

That depends on how everything is set up.


Are you familiar with the host header settings in IIS? If not... well, that's what you'd want to look into.


  • 2 months later...

I agree with Drashna, it really depends... but I know for a fact that you can use a wildcard to deal with issues like that (among many other problems). You can't do this within the Anywhere Access domain "setup" directly... you have to do a workaround with IIS Server Certificates to generate your own cert and use it (import it) in the wizard.


If you purchased a cert from a real authority, and did not pay for the ridiculously expensive wildcard cert... you are out of luck. Importing it locks you into whatever subdomain you registered. I think they run about $150 or so a year. If you registered with the freebie Microsoft (or other provider) to get a cert... you are out of luck. They most likely generated a subdomain for you to use against their own top-level domain for doing redirection and automated dynamic DNS stuff... it's free, what can you expect.


If you set up Essentials manually (as in, the domain part), and are using mydomain.net, you can walk back through the domain creation process... keeping the domain name the same (by doing the manual selection, "I have manually configured my domain name"), and at the "setup a trusted SSL certificate" step select "I want to use an existing SSL certificate" and select next...


(note: in the area above that radial select box, you can change the prefix from "remote" to the logical hosting name if you want, or use a name that is "not" the server name so you have more control via DNS on how internal and external clients connect to RWA. This is a bit complex to explain here).


Regardless, at this point you will want to alt-tab or switch to the IIS Control panel, select your realm (your host server) and open the "Server Certificates" addon package. Create a new "domain certificate" and use the wildcard setting for the "common name" field (e.g.: *.mydomain.net), fill out the remaining fields as normal and select next. Select the online certificate authority (which is that domain controller, host server), give the cert a friendly name ("my awesome wildcard cert") and select finish. In the list of available server certificates, you will now see the newly generated cert listed, and it should denote this wildcard under the "issued to" property in the list (e.g.: *.mydomain.net). Export that certificate to a PFX file and give it a password.


Switch back to the Anywhere Access setup, and you should be in the "Import the trusted certificate" panel. Browse to the cert you just exported, enter your password and select next. Your services are now configured to accept any subdomain you choose to have directed to it, and you can also use that cert for a WWW.mydomain.net, or WOW.mydomain.net, or ILIKECATS.mydomain.net....




Since we are running Essentials and it has directory services as well as a built in Certificate Authority service... you can create your own.




One thing to note: for clients that connect to your Essentials server (https://ilikecats.mydomain.net), they will still get a warning about the certificate this way because we are not using a corporate controlled monopoly certificate authority... oh, I meant to just say certificate authority.


But wait, we do run our own CA... just simply export the certificate by connecting to https://ilikecats.mydomain.net/connect/default.aspx?get=caroot.cer and download that to your workstation. Run Internet Explorer with "administrative" credentials, bring up "tools" (that gear icon thingy), go into internet options > content tab > select the "certificates" button > select "trusted root certificate authorities" and import that caroot.cer file into that "trusted root certificate authorities" store.


See, you trust yourself? I do.... and you could deploy this via a GPO if you want.

Edited by tswalker
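
The wildcard and root-import steps from the post above, as an added PowerShell example that is not part of the thread: it checks which host names `*.mydomain.net` covers (exactly one label, so the bare `mydomain.net` is not included) and imports `caroot.cer` into the machine's trusted roots only after confirming it is a self-signed CA certificate with the thumbprint you read on the server itself. The file path, the thumbprint placeholder and the function names are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Path and thumbprint below are placeholders.
$RootCerPath        = 'C:\Temp\caroot.cer'               # file saved from .../connect/default.aspx?get=caroot.cer
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-SERVER>'  # placeholder: read it in the server's own certificate console

function Test-WildcardMatch {
    # TLS wildcard rule: '*' stands for exactly one left-most label.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if (-not $p.StartsWith('*.')) { return $p -eq $h }
    $suffix = $p.Substring(1)                            # e.g. ".mydomain.net"
    if (-not $h.EndsWith($suffix)) { return $false }
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

function Import-VerifiedRoot {
    # Refuses to trust the file unless it is a self-signed CA certificate
    # whose thumbprint matches the value obtained out of band.
    param([string]$Path, [string]$Thumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $isCa = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
    if ($cert.Subject -ne $cert.Issuer -or -not $isCa) {
        throw "Not a self-signed CA certificate: $($cert.Subject)"
    }
    if ($cert.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch, refusing to import: $($cert.Thumbprint)"
    }
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}

# Which of these names would a certificate issued to *.mydomain.net cover?
'ilikecats.mydomain.net', 'www.mydomain.net', 'mydomain.net', 'a.b.mydomain.net' |
    ForEach-Object { '{0,-24} {1}' -f $_, (Test-WildcardMatch '*.mydomain.net' $_) }

# Import the root only if the downloaded file is present and passes both checks.
if (Test-Path $RootCerPath) {
    Import-VerifiedRoot -Path $RootCerPath -Thumbprint $ExpectedThumbprint
}
```

Checking the thumbprint matters here because the download is fetched over a connection whose certificate the client does not yet trust.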