Certificates and OWA setup questions
Hi All,
I would like to set up my Exchange 2007 organization with OWA access as well as Outlook Anywhere access.
I have some confusion when it comes to certificates on Exchange 2007. As I understand (correct me if I'm wrong), in Exchange 2007, you have to set an external URL for the WebServices, UM, OAB, and OWA virtual directories, and since they require HTTPS, they all need to have a common name.....say mail.mydomain.com
Is getting a Unified Communications Certificate the proper way to go about this?
What about OWA, should it be reverse proxied through ISA 2006? I was reading that, if you use ISA and want internal users to use FBA, then you'll need to create an external OWA virtual directory......if that's the case, then how is getting a Unified Communications certificate the best decision?
This all may be confusing the way I am typing it, probably because it is confusing me.
Also what happens if you have multiple sites, say a NY office and a CA office? Do you put a CAS server in each? If so, how do certificates work then?
Any help is much appreciated.....I was going through the CBTNuggets 70-236 course, and they made it seem like setting up a CAS server was a piece of cake, but once I read the chapter on CAS in Jim McBee's "Exchange 2007 Implementing and Administration" I quickly realized that it is very involved.
Thanks!
August 4th, 2008 3:47am
Just wondering if anyone can help out on this.....would be much appreciated
August 6th, 2008 6:06pm
Hiya Chap, you are quite correct in saying that certificates are potentially one of the most confusing aspects of Exchange.
There are many articles out there on the configuration of certs within Exchange, however due to the possibilities there is no real definitive "one size fits all" guide - for example:
If you are an organisation where you only make use of SSL via OWA and your internal namespace for OWA is the same as your external namespace e.g. if you hit owa.mydomain.com both internally and externally - you can get away with one certificate for both.
The above makes the configuration of the Autodiscover service simpler as the Internal and External URI's can also be the same. (It is important to also understand that the correct configuration of the Autodiscover service relies on a correct SSL configuration)
However if you are an organisation where you have multiple domains and namespaces you might have more than one certificate - or indeed a certificate which supports more than one domain.
In terms of ISA server - one of the recommended ways to deploy OWA 2007 is via ISA - however it is not quite a reverse proxy - essentially you publish your OWA site from the CAS via the proxy - this involves a copy of the certificate on the ISA server and the CAS.
All of the above possibly does not help, therefore I recommend looking at the following articles:
http://technet.microsoft.com/en-us/library/bb232838(EXCHG.80).aspx - About Autodiscover
http://msexchangeteam.com/archive/2007/04/30/438249.aspx - MSExchange Team on Autodiscover
http://technet.microsoft.com/en-us/library/bb201695(EXCHG.80).aspx - Configuring Services for AutoDiscover
http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx - SSL on a CAS - pay attention to the More Information Articles
http://telnetport25.wordpress.com/2008/03/28/exporting-existing-ssl-owa-certificates-from-exchange-2003-fes-to-exchange-2007-sp1-cas-on-windows-2008/ - How to export an existing SSL cert to Exchange 2007
http://telnetport25.wordpress.com/2008/03/28/exporting-existing-ssl-owa-certificates-from-exchange-2003-fes-to-exchange-2007-sp1-cas-on-windows-2008/ - Renewing an SSL certificate in Exchange 2007
I also recommend that you mess around with the above in a Test lab for a while - when you have read through the articles it becomes a little more clear.
I hope this helps
August 6th, 2008 10:47pm
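Added example, not part of the thread and not Microsoft's tooling: a small Python check that compares the host name in each service URL against the names carried by a certificate, which is the matching the posts above describe for one-name, multi-name (UC) and wildcard certificates. The URLs, the `cas01.mydomain.local` server name and the certificate name lists are constructed sample values.

```python
from urllib.parse import urlsplit

def name_matches(host, pattern):
    """True if a certificate name covers host. '*' stands for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def uncovered_urls(service_urls, cert_names):
    """Return {service: host} for every URL whose host no certificate name covers."""
    missing = {}
    for service, url in service_urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(host, n) for n in cert_names):
            missing[service] = host
    return missing

# Constructed sample: external URLs share mail.mydomain.com, Autodiscover uses
# its own host name, and internal clients reach the CAS by a hypothetical server FQDN.
SERVICE_URLS = {
    "OWA external": "https://mail.mydomain.com/owa",
    "EWS external": "https://mail.mydomain.com/EWS/Exchange.asmx",
    "OAB external": "https://mail.mydomain.com/OAB",
    "UM external": "https://mail.mydomain.com/UnifiedMessaging/Service.asmx",
    "Autodiscover external": "https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml",
    "Autodiscover internal": "https://cas01.mydomain.local/Autodiscover/Autodiscover.xml",
}

# Constructed certificate name lists (subject CN plus subject alternative names).
SINGLE_NAME = ["mail.mydomain.com"]
UC_CERT = ["mail.mydomain.com", "autodiscover.mydomain.com", "cas01.mydomain.local"]
WILDCARD = ["*.mydomain.com"]

if __name__ == "__main__":
    for label, names in [("single", SINGLE_NAME), ("UC/SAN", UC_CERT), ("wildcard", WILDCARD)]:
        print(label, "->", uncovered_urls(SERVICE_URLS, names) or "all URLs covered")
```

Any service listed in the result would present a name mismatch to clients that connect through that URL.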