One of the biggest selling points of Work Folders is that it allows your end users to synchronize corporate data to their personally owned devices with little or no intervention from IT. Since these personally owned devices aren’t going to be managed by IT, we’ll have to take a few extra steps to make sure that end users don’t receive errors when trying to connect to the Work Folders server.
Do you have to use a certificate from a public CA? Technically, no. If you’re only going to expose Work Folders to corporately-managed devices, you can use a certificate from an internal CA and you should be fine.
If you are going to expose Work Folders to non-corporate devices, I usually prefer to go with the solution that is going to generate the fewest support requests. If you have to publish complicated instructions, end users are either going to generate support requests or use an unauthorized solution. If IT takes the time to do the extra setup of using a cert from a public CA, it will eliminate a lot of support headaches down the road.
Syncing of data between clients and the Work Folders server is handled by the IIS Hostable Web Core, which you may have noticed was installed when we installed Work Folders earlier. To manage the certificates, we’ll need to install the IIS management tools by running the following PowerShell command:
Install-WindowsFeature Web-Mgmt-Console
Next, open the Internet Information Services (IIS) Manager and find the Default Web Site for your Work Folders server.
Internet Information Services (IIS) Manager
The IIS Hostable Web Core should appear to be stopped even though it isn’t. Click on the server name and then double-click on Certificates. In the Actions pane, click on Create Certificate Request.
Create Certificate Request
Fill out the Distinguished Name Properties using your organization’s information. Don’t forget to use the DNS name we created back in Part 2 if you created a DNS entry for the Work Folders server.
Distinguished Name Properties
Make sure your Bit length is at least 2048, choose a name for your certificate request file, and click Finish.
Bit length / File name for the certificate request
You should end up with a certificate request that looks something like the screenshot below. It can be submitted to any of the public certificate authorities.
Certificate request
Take the certificate request (CSR) to any of the public Certificate Authorities and purchase your SSL certificate. Once you’ve got the signed certificate, you can go back into the IIS Manager and click Complete Certificate Request to finish the process.
Complete Certificate Request
Before completing the certificate process, check with your Certificate Authority to see if you need to load their Root and/or Intermediate certificates onto your server. If these certificates are needed, you may receive an error in the IIS Manager when trying to add your new certificate.
Specify the path to the certificate, a friendly name, and where the certificate should be stored. Once you’re done, the certificate should look something like the second screenshot below.
Specify Certificate Authority Response / Server certificates in IIS Manager
Click on Default Web Site in the IIS Manager and then click Bindings in the Actions pane.
Bindings
Click the Add button.
Add Site Bindings
Specify HTTPS, select the SSL certificate that was just added, and click OK.
Select the SSL certificate
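A check to run after the binding step, added here as an example and not part of the original article: it confirms that each installed server certificate has its private key, meets the 2048-bit minimum, is not about to expire, and validates for the Work Folders DNS name. The name `workfolders.example.com`, the function name `Test-WorkFoldersCertificate` and the 30-day expiry warning are placeholders and assumptions.

```powershell
# Added example (not from the original article). Run in an elevated Windows
# PowerShell session on the Work Folders server after binding the certificate.
# Placeholder: the DNS name you entered in the certificate request.
$DnsName = 'workfolders.example.com'

function Test-WorkFoldersCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DnsName,
        [int]$MinimumKeyBits = 2048,
        [int]$WarnDays = 30
    )
    $findings = @()

    # The signed certificate is only usable if it pairs with the private key
    # that was generated on this server together with the CSR.
    if (-not $Certificate.HasPrivateKey) { $findings += 'No private key on this server' }

    # The article asks for a bit length of at least 2048 (RSA key assumed).
    $bits = try { $Certificate.PublicKey.Key.KeySize } catch { $null }
    if ($null -eq $bits) { $findings += 'Key size not readable (non-RSA key?)' }
    elseif ($bits -lt $MinimumKeyBits) { $findings += "Key is $bits bits, minimum is $MinimumKeyBits" }

    if ($Certificate.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $findings += "Expires $($Certificate.NotAfter.ToString('yyyy-MM-dd'))"
    }

    # Test-Certificate builds the chain against this server's trust store and
    # applies the SSL policy, including the host name check.
    $valid = Test-Certificate -Cert $Certificate -Policy SSL -DNSName $DnsName `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if (-not $valid) { $findings += "Chain or name validation failed for $DnsName" }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
        Pass       = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

# Check every server-authentication certificate in the stores IIS Manager offers.
Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -SSLServerAuthentication `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WorkFoldersCertificate -Certificate $_ -DnsName $DnsName } |
    Format-List
```

The chain is validated against the server's own trust store, so a certificate from an internal CA can pass here and still be rejected by an unmanaged device that lacks your root certificate.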
At this point, Work Folders is configured and ready for users to connect securely. In our next part, I’ll cover setting up the clients to access Work Folders.
I have a server 2012 and my clients connect to the server with VPN (I have configured it in my firewall). I had several problems with folder redirection so I decided to use Work Folder.
The question is which one of the methods should I use, URL and SSL or just email?
I have tested with a client and when I wanted to use an email address (test@example.local)
It can not connect (I can ping the record of Work Folder from my client).
“.local” isn’t a valid TLD. Is that your actual TLD?
Thank you for the guide, it really helps.
I’m trying to set it up on my local domain (domain.local) and I would like to use a self signed certificate. I don’t really need this to work from outside the domain as I’d like my users to do the sync over a VPN.
Can you please include the steps required to get this feature working using a self signed cert?
So far I have tried many ways but I’m limited with my certificate knowledge.
Getting clients to work reliably with a self-signed certificate is a massive headache. I tried doing it in a lab and even I got frustrated. Imagine how that is going to impact your user adoption if your customers get that frustrated. Pay for the certificate and save yourself the hassle.
If we have a SSL cert from a public CA already what steps are required in this instance?
Ummmm…. That’s what I cover in the article. For Work Folders, I only recommend running it with a certificate from a public CA. Running it with a cert from your corporate CA means every client (including mobile devices) has to have your root cert installed. That’s a huge headache and not worth the cost of a certificate.
Hi Kyle, I see it is covered in the article if you don’t have a SSL cert. But we already have a wildcard cert. It is signed by GoDaddy already for our domain. I simply wish to use this cert instead of having GoDaddy resign another cert.
Is it possible to use a cert already signed by a CA?
For test lab purposes we used “http://hostname.domain.local” on a Windows 10 client OS. Unable to connect to my work folder: “There was a problem finding your work folder”. But the folder has been created automatically.
Thank you in advance.
Kyle:
I used this guide last year to install and setup Workfolders for all laptop users in our domain. Everything is running perfect, thank you for such a simple to follow document.
This year I am tasked with setting up Workfolders for a child domain (child.parent.com). Is there something that needs to be completed differently for a child domain? I have a wildcard cert, but am still getting errors finding WorkFolder server.
For Self-Signed SSL or Enterprise CA, you can always use group policy to install the SSL & CA SSL into the client computer.