Exchange 2007 CAS SSL clarification
Can someone help or point me to where I can find out how to deploy an SSL certificate for a single AD site with two CAS servers? In Exchange 2003 it was simple. Now I understand Microsoft is pushing users to get a SAN cert to cover multiple domain names in a single cert. In a single site with multiple CAS I would imagine the users' requests for Autodiscover and such would be load balanced. I know external users will only be pointed to one of the CAS servers. So do I leave one of the CAS servers with a self-signed certificate and get a SAN cert for the CAS server that is exposed externally? Can you get a SAN cert for an internal domain like test.local? I have read many posts but it would help to get some clarification. In the end I don't want cert errors for anyone internally or externally.
May 29th, 2007 8:18pm
You will need to generate a certificate request from each server with all the SAN names included. This can be done from the Exchange Management Shell using the New-ExchangeCertificate cmdlet. For more information check out:
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
Be sure to include -autodiscover so that all required SANs for this feature are included. You can then use this certificate request file to get a certificate from either an internal CA or a public one such as Entrust.
If using an internal CA then you need to run a few commands on your Certification Server to enable issuing of Subject Alternative Names. Check out:
http://support.microsoft.com/kb/931351
It is always recommended to change all self-signed certificates as soon as possible.
May 30th, 2007 7:44pm
Is this something that you have done? I did not think you could get an SSL certificate with the same SAN for both CAS servers. I thought this would invalidate the purpose of a certificate being unique. I know the CAS server that will be accessed externally would need a valid signed certificate. We will have two for redundancy internally but only one will be exposed externally for OWA and Outlook Anywhere. I have found that a self-signed certificate will not generate an error from Outlook 2007. Outlook 2007 does give certificate name mismatch errors for a valid certificate if the internal and external DNS names don't match. I understand that is why I would need a SAN certificate for the CAS server exposed externally. I would be interested to know how someone has implemented this in production or even a test environment.
May 30th, 2007 9:40pm
Yes, I have done this & it works.
The purpose of an SSL cert is to verify the authenticity of your servers, i.e. that they do indeed belong to your organization and you are a bona fide organization, etc.
People like Hotmail, GoDaddy, etc. have farms of servers out there using the same public server name in some form of Network Load Balancing scenario to provide the necessary levels of service availability to their clients. For servers hosting multiple sites, there are also wildcard certificates out there which authenticate the validity of your domain, but these are not usable with Exchange.
In order to make your HT/CAS servers fully redundant, and according to best practices for deploying E2k7, both your CAS servers should be published and some form of NLB configured, either DNS round robin (easiest), hardware load balancing (network level) or MS Windows NLB.
If you don't do this, then if your published CAS goes down, services become unavailable....
May 31st, 2007 5:51am
I do see on VeriSign's site you can purchase a special cert for multiple servers. I still don't know that we will purchase more than one cert. In an ideal world without budgets I can see where having both servers with trusted certificates would be great. We are already spreading our budget thin because of the fact that a clustered Exchange 2007 environment makes you separate the Hub Transport role to another server. So we are going from 2 clustered nodes and 1 front-end Exchange 2003 environment to a 2 cluster node, 2 Hub Transport/CAS Exchange 2007 environment. We really don't have any means to load balance the CAS role externally except round-robin DNS, and although this does load balancing it really is not high availability, since if one server is down users can still be directed to it. In the event that our CAS server did go down we should be able to point our external DNS to the other CAS server pretty quickly on our firewall. We could always request another cert or, depending on the status of the down CAS server, export out the one SAN cert.
In this scenario do you see any problems with having only one trusted cert? Thanks for your input.
May 31st, 2007 4:09pm
Can you get a Subject Alternative Name certificate for an internal domain like test.local from a trusted authority?
May 31st, 2007 10:49pm
If you include it as one of the SANs, yes.
Read here for more:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2624900&SiteID=17
With a really good explanation on the whole process here:
http://www.redline-software.com/eng/support/articles/msexchange/2007/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.php
January 25th, 2008 7:30pm
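Added example, not part of any post in this thread: the procedure the May 30th reply describes (one SAN request per CAS from the Exchange Management Shell, issue, import, enable) with the internal test.local names included in the SAN list as the January 25th reply suggests. All host names, the organization DN and the file paths are assumptions standing in for your own; the cmdlets and parameters are the Exchange 2007 ones. Exporting the private key (-PrivateKeyExportable) is what lets you move the one issued certificate to the second CAS with Export-ExchangeCertificate / Import-ExchangeCertificate, the fallback mentioned in the May 31st post.

```powershell
# Added example (not from the original thread). Run in the Exchange 2007
# Management Shell on each CAS server. Assumed names: contoso.com is the
# public domain, test.local the internal AD domain, cas01/cas02 the two CAS.

# Every name a client may use to reach a CAS must be in the SAN list.
# Outlook 2007 compares the URL host it was given (internal or external)
# against these names; a name that is missing produces the mismatch error.
$externalNames = 'mail.contoso.com', 'autodiscover.contoso.com'
$internalNames = 'cas01.test.local', 'cas02.test.local', 'autodiscover.test.local'

# Keep the common name in the SAN list as well: when a SAN extension is
# present, clients use it and ignore the CN (RFC 2818).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Contoso Ltd, cn=mail.contoso.com' `
    -DomainName ($externalNames + $internalNames) `
    -FriendlyName 'Exchange 2007 CAS (assumed)' `
    -PrivateKeyExportable $true `
    -Path 'C:\certreq\cas01.req'

# Submit C:\certreq\cas01.req to the CA. An internal Windows CA must first be
# configured to honor SAN attributes in requests (see the KB 931351 link in the
# thread); a public CA is given the same file. Then import the issued .cer and
# bind it to the services that need it (IIS for OWA/Autodiscover/EWS, SMTP for
# TLS on the Hub Transport role).
$cert = Import-ExchangeCertificate -Path 'C:\certreq\cas01.cer'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# Check: the certificate now bound to IIS should list every name above and
# should not be self-signed (a self-signed cert has Issuer equal to Subject).
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter

# Any server that still shows the self-signed cert bound to IIS is the one
# that will throw errors once clients validate against a trusted chain.
Get-ExchangeCertificate | Where-Object { $_.Issuer -eq $_.Subject } |
    Format-List Subject, Services, Thumbprint
```

Two caveats a practitioner would add today. First, the original self-signed certificate has every service enabled; the point of running Enable-ExchangeCertificate on the new thumbprint is to take IIS (and SMTP) away from it, so re-run Get-ExchangeCertificate afterwards rather than assuming. Second, the "yes" above for test.local names only held for the era of this thread: since the CA/Browser Forum Baseline Requirements took effect, public CAs no longer issue certificates containing non-registrable internal names such as .local or bare host names, so today those names either come from an internal CA or are removed from the request by pointing the internal URLs at a name under the public domain.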