CAS Namespace and Cert Question
Hi all, I am about to install our first Exchange 2010 CAS server (currently we have Exchange 2007 and 2003) and I have a question about the namespace. Right now our namespaces for OWA and ActiveSync are "exchange1.domain.com", "exchange2.domain.com", "exchange3.domain.com".
As you can see the namespaces are the names of the 3 servers. However, really only exchange1.domain.com is being used for external DNS. My question is, since everything is currently configured for exchange1.domain.com, when I put in Exchange 2010 CAS, do I want to create a new namespace without the server name like "webmail.domain.com"? And, if I do this, do I still need to create the "legacy" namespace (legacy.domain.com) since I won't really be sharing the exchange1.domain.com namespace? Should I go with Option A or Option B below?
Option A:
Namespace and cert = "exchange1.domain.com" with "legacy.domain.com" added to it? In other words, keep the existing namespace and add legacy to the cert and external DNS?
Option B:
Namespace and cert = "webmail.domain.com" for Exchange 2010 and keep "exchange1.domain.com" for the existing Exchange 2007? In other words, create a new external namespace and purchase a new SSL cert for webmail?
March 16th, 2012 3:19pm
Most public certificates will give you up to five names in one certificate. For the namespace it's up to you: you can create any namespace and update your external domain DNS records with it, but using webmail.domain.com or mail.domain.com will be easier to remember. Keep in mind to add autodiscover.domain.com to automatically configure clients using Outlook 2007 and 2010.
You will need legacy.domain.com only if the new Exchange will co-exist with your old Exchange 2007 for a while (until you finally move all users). If you will move all users in a short time, do not add it to your certificate; otherwise include it.
March 16th, 2012 9:15pm
What are your end users entering into their browsers, ActiveSync devices etc. for external access at the moment?
The idea is that you point the external host name at the Exchange 2010 server and have a legacy host name in place; then it doesn't matter what they are using, they get connected.
However, you might want to consider moving away from the servers' real names, having a generic URL for external traffic and then a second internal URL for the RPC CAS Array. Point the external NAT to the Exchange 2010 server, and as long as you are using an SSL certificate with the correct names in it, it should work fine.
You will need to have a separate external legacy host name, so it will increase the number of names in the SSL certificate (unless you use a cheap single-name certificate for the legacy host name only).
Simon. Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
March 18th, 2012 11:07am
Hello,
Do you have further questions on this thread?
Thanks,
Simon Wu
Exchange Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
March 19th, 2012 4:35am
Thank you all.
Yes, I will be in co-existence mode for some time. Also, "exchange1.mydomain.com" is what is being entered by the users for ActiveSync and for OWA.
So, will I still need the name "legacy.mydomain.com" even if I get a new generic name like "webmail.mydomain.com" and still have my "exchange1.mydomain.com" namespace and cert? I guess what I am trying to ask is, do I need the cert and namespace "legacy" if "exchange1" is my legacy (Exchange 2007) and "webmail" (Exchange 2010) is my new one? Or are you all saying that I need to go ahead and have all 3 namespaces and certs, "legacy, exchange1 and webmail"? Thank you all for your help!
March 19th, 2012 8:59am
For a completely transparent move you will need to have all three names in the SSL certificate, as well as autodiscover etc. That will cover you for all combinations of access.
As long as you get the DNS correct externally, then the use of the old name will fade out naturally.
Simon. Simon Butler, Exchange MVP
March 19th, 2012 9:23am
Perfect! Thank you very much.
March 19th, 2012 10:51am
Will I need to generate the cert request on Exchange and then submit it to my authority and have them add the names, or do I just contact them without generating a new cert request and have them add the two new names, "webmail" and "legacy"?
March 19th, 2012 12:23pm
You can either create a certificate request using EMC or EMS and send the text file to the certificate provider
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010 ,
or you can use the DigiCert tool https://www.digicert.com/easy-csr/exchange2010.htm which will provide you with the exact command to run in PowerShell to generate the request file.
March 19th, 2012 1:24pm
Thank you, I understand how to generate the request text; I was just wondering if I need to generate the text for a new cert or if I could just add "legacy" and "webmail" to my existing cert?
March 19th, 2012 1:41pm
If you have a public certificate you can modify the names using the provider website, but in all cases a new certificate will be generated then you will replace the new certificate with your old one.
March 19th, 2012 1:50pm
Gotcha, OK, thank you very much!!
March 19th, 2012 1:54pm
I apologize, this new cert will then be installed on the 2010 CAS, correct, and not back on 2007? Also, I will have 2 2010 CAS servers, does each one need a separate cert or do I install the same one on both? I will be using a CAS Array with Windows NLB.
March 19th, 2012 3:34pm
You will need to install the same certificate on all Exchange CAS servers, 2010 and 2007.
Check this post to know exactly what the certificate should contain:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/1f72a7c5-0310-48c9-8207-bbe7149687b0/#5bfb8f89-682f-4091-a119-5c381a285a4d
March 19th, 2012 3:43pm
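The replies above describe the workflow in words: request a certificate that carries every name (the new generic name, the legacy name, the name users type today, and autodiscover), have the public CA issue it, and then install that one certificate on every CAS server, Exchange 2010 and 2007 alike. The following Exchange Management Shell script is an added example of that procedure; it is not code from the thread or from any participant. The host names are the ones used in the thread, while the organization name in the subject, the `C:\certs` paths, the `cas2` server name, and the `MyCompany` value are assumptions.

```powershell
# Added example: request, install and replicate the SAN certificate for the CAS namespace.
# Run in the Exchange Management Shell on the first Exchange 2010 CAS. Paths/names are assumptions.
$Names = 'webmail.mydomain.com',      # new generic external name (Exchange 2010 CAS Array)
         'legacy.mydomain.com',       # legacy name that will point at Exchange 2007
         'exchange1.mydomain.com',    # name users type today, kept during coexistence
         'autodiscover.mydomain.com'  # Autodiscover for Outlook 2007/2010 clients

# 1. Generate the certificate request. The subject CN is the primary (webmail) name;
#    every other name goes into the Subject Alternative Name list via -DomainName.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=MyCompany, cn=webmail.mydomain.com' `
    -DomainName $Names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\webmail.req' -Value $request
# Submit C:\certs\webmail.req to the public CA and save the issued certificate as C:\certs\webmail.cer

# 2. Import the issued certificate (it pairs with the private key created in step 1)
#    and bind it to the client-facing services.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certs\webmail.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 3. Export the certificate WITH its private key as a password-protected PFX so the
#    identical certificate can be installed on the second 2010 CAS and on the 2007 CAS.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path '\\cas2\c$\certs\webmail.pfx' -Value $pfx.FileData -Encoding Byte
# On cas2 (Exchange 2010) run:
#   $in = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content 'C:\certs\webmail.pfx' -Encoding Byte -ReadCount 0)) -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint $in.Thumbprint -Services 'IIS'
# On the Exchange 2007 CAS the import cmdlet takes a file path instead of -FileData:
#   $in = Import-ExchangeCertificate -Path 'C:\certs\webmail.pfx' -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint $in.Thumbprint -Services 'IIS'

# 4. Verify that every required name is actually present on the enabled certificate.
$missing = $Names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names missing from certificate: $($missing -join ', ')" }
else { 'Certificate covers all required names' }
```

Step 4 is the check worth keeping: a certificate that lacks even one of the names (autodiscover is the one most often forgotten) produces certificate warnings on exactly the clients that are hardest to troubleshoot, Outlook Anywhere and ActiveSync devices. Delete the PFX from the file share once the second server has imported it, since it contains the private key.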
OK, I think I got it now :)
Thanks!
March 19th, 2012 3:51pm
I am sorry, one more question please.
The new "webmail.mydomain.com" namespace will be added to external DNS. Do I need to change the external DNS of "exchange1.mydomain.com" to "legacy.mydomain.com", or add "legacy.mydomain.com" as an additional external IP?
March 20th, 2012 12:27pm
Good question. Well, we agreed on the records, which are webmail.mydomain.com and legacy.mydomain.com. For exchange1.mydomain.com, if you will not use it anymore, remove the record from your external DNS only (you can recreate it any time you need it).
Now, if your users will need to access Exchange 2007 or 2003 from the internet using OWA, then they should be able to be routed from the internet to the Exchange 2007 or 2003 servers, which means webmail.mydomain.com will be pointing to Exchange 2010 and have its own public IP, and legacy.mydomain.com will be pointing to Exchange 2007 or 2003 and will also need a separate public IP.
The other solution, if you are using TMG or ISA Server or your firewall supports publishing rules, is to create a web listener for the legacy record; then you can point both URLs to the firewall (same public IP) and the firewall will direct the traffic to the proper server.
March 20th, 2012 4:44pm
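Whichever of the two layouts above is chosen (one public IP per name, or both names on a TMG/ISA listener), the outcome can be verified from an internet-connected workstation before users are told about the new name: each host name must resolve in external DNS, and the certificate presented on port 443 behind that name must contain the name. The script below is an added example of that verification and is not from the thread; it uses the thread's host names and nothing else about the environment. It deliberately accepts any certificate during the handshake so that it can report what the server actually presents, so it is an inspection tool, not a replacement for normal validation.

```powershell
# Added example: confirm external DNS and the presented certificate for each CAS namespace.
# Run from outside the network (a home machine or a mobile hotspot), plain Windows PowerShell.
$Names = 'webmail.mydomain.com', 'legacy.mydomain.com', 'autodiscover.mydomain.com'

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we are inspecting the chain, not trusting it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # SNI/host name sent as the client would
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN (the primary name chosen when the request was generated)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); Format() renders it as
    # "DNS Name=webmail.mydomain.com, DNS Name=legacy.mydomain.com, ..."
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
    }
    $names | Select-Object -Unique
}

foreach ($name in $Names) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$name does not resolve in external DNS"
        continue
    }
    try {
        $cert      = Get-RemoteCertificate -HostName $name
        $certNames = Get-CertificateDnsNames -Cert $cert
        $status    = if ($certNames -contains $name) { 'OK' } else { 'NAME MISSING FROM CERT' }
        '{0,-28} -> {1,-18} expires {2:yyyy-MM-dd}  {3}' -f $name, ($ips -join ','), $cert.NotAfter, $status
        '    certificate names: ' + ($certNames -join ', ')
    } catch {
        Write-Warning "$name resolves to $($ips -join ',') but no TLS listener answered on 443: $_"
    }
}
```

If webmail and legacy are published through one TMG/ISA listener, both lines will show the same public IP and the same certificate names, which is the expected result; with the two-IP layout the IPs differ but the certificate names should still match on both, since the thread's advice is to install the identical certificate on every CAS. A name that resolves but reports `NAME MISSING FROM CERT` is the case that produces the certificate warning users will call the helpdesk about.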
Hi again, I just wanted to ask (because it wasn't mentioned in this thread), for those who might be reading this thread for similar help: webmail.mydomain.com and legacy.mydomain.com will also need to be added as MX records too, as they are also added to the external DNS as A records, correct?
March 23rd, 2012 9:49am
MX records are another thing to address and are out of scope here. MX records relate to the HUB servers (SMTP) and how you receive email from the internet; the URLs you mentioned are needed to connect the users to the CAS servers. So the MX should point to the public IP that you use to receive emails, and the SMTP port on your firewall should eventually point to the Exchange 2010 server. I don't know how your setup is, but in most cases only the SMTP port on the firewall will be changed to point to the HUB server's private IP address (in case you are not using Edge servers).
March 25th, 2012 7:04am
Thank you. All SMTP traffic goes through the firewall and the firewall sends it to a spam filter. The spam filter currently sends allowed email to my Exchange 2007 CAS server. My plan was to point the spam filter to the new CAS Array.
March 26th, 2012 9:40am