New to SSL and setting up 2010
Hi, I know there is probably an answer out there already, but I'm not afraid to admit I'm SSL ignorant. So here it is: Exchange 2003 / 2010 coexistence. Just set up the 2010 and mail is flowing fine within the environment. Have not moved any users to 2010 yet. I want to make sure that I get the SSL cert req correct. I also want Outlook Anywhere, ActiveSync, OWA and autodiscover. All my mail is routed through a smart host, MXlogic.com, for SPAM services.

2003 Front end is FE.domain.com
CAS server = EXCAS1.domain.com
Hub Server = EXHUB1.domain.com
Mailbox Svr = EXMB1.domain.com

So I am guessing that I just do this for the cert req to VeriSign:

1. cas.domain.com, call it 65.100.100.101
2. owa.domain.com, 65.100.100.101, with an internet facing web page of owa.domain.com
3. ActiveSync.domain.com, 65.100.100.1, with activesync.domain.com
4. Autodiscover.domain.com, 65.100.100.1, internet facing autodiscover.domain.com
5. FE.domain.com, but that is on 65.100.100.100 so I'm not sure what to do on that one unless it just comes in through EXHUB1 and redirects inside.

And then add all of those with A records on my internet DNS. Seems like a lot of things my users may have to know, depending on how they connect. I would love it if I could tell my users to go to something like "auto.domain.com" or "corpmail.domain.com" (this is in use by the legacy OWA) and have it set up their phone, OWA, or whatever. But I guess that's wishful thinking.

So the question is: what am I actually asking for from VeriSign, a SAN cert with 1 through 4 above? And a second for the legacy FE.domain.com with a different IP? Or do I just set it all up and generate it from Exchange and send it?

Thanks in advance
November 4th, 2011 6:35pm

Your SSL Unified Communications Certificate (UCC) that you install on the Exchange 2010 server must have at a minimum:

2. The common name (CN) set to the URL commonly used for OWA (let's call it owa.domain.com).
4. A Subject Alternative Name (SAN) with autodiscover.domain.com.

1, 3 and 5 are not required unless you have some pressing need to use something other than "owa" for the name. If "owa" doesn't seem right for ActiveSync, then use "email" or something else instead for everything except "autodiscover".

If you plan to have a true coexistence scenario where all users use the same URL for OWA and Exchange 2003 users are redirected to the Exchange 2003 server, then you need an additional single-name certificate with "legacy.domain.com". This is the name used in all of Microsoft's documentation and it's the hostname we think of, but in reality you can make that name anything you want except "owa" (in this example) or "autodiscover". In fact, if your Exchange 2003 server has a certificate with a name other than owa, you can use that name as your legacy name.

Optionally, for additional SANs you can add the server names of your CAS array, and any other names you think you might use to gain access to the servers, like if you want to use a different name for ActiveSync (not required), a different name for POP or IMAP services (not required), but those things are icing on the cake and there's no requirement that you pay extra for a certificate with them in it.

You do not need to use this certificate for SMTP. For most uses, the self-signed certificate that's installed by default on your Hub Transport role server is sufficient. In any case, that certificate doesn't work for hub transport because you need a certificate with the server name.

Go Daddy has the most reasonably priced certificates I've seen, with a 3-year 5-SAN cert going for $216 or five years for $360. Really, there's no need to buy a high-priced certificate.

In my opinion, your Exchange server is not trying to prove its identity to your users like a bank's web server does, since your users will find out quickly enough if it's not since their mail won't be there; the certificate is really needed for encryption.

You must generate the certificate request on one of your CAS servers that you present to the CA you're buying the certificate from. The Exchange 2010 Certificate Wizard is really good for this. That is a mandatory first step, so don't buy anything until you've done that. TechNet has pretty good documentation on this topic.

Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
November 4th, 2011 9:31pm
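The request, import and binding steps Ed describes, plus a check that the certificate actually covers every name Exchange hands out to clients, as an added example for the Exchange Management Shell on the 2010 CAS. This is not code from the thread or from Ed; the hostnames follow his answer (owa.domain.com as the CN, autodiscover.domain.com as the SAN), while the organisation fields in the subject, the folder C:\certreq and the file names are assumptions for illustration.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2010 Client Access server. Hostnames follow Ed's answer (owa.domain.com as
# CN, autodiscover.domain.com as SAN); the organisation fields, the folder C:\certreq
# and the request/certificate file names are assumptions for illustration.

# 1. Generate the certificate request (CSR) for the UCC. The CN must also be listed
#    in -DomainName; every name in -DomainName becomes a SAN entry.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Corp, CN=owa.domain.com" `
    -DomainName owa.domain.com, autodiscover.domain.com `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path C:\certreq\owa_domain_com.req -Value $csr
# Submit C:\certreq\owa_domain_com.req to the CA; nothing is bought before this step.

# 2. When the CA returns the signed certificate, import it on the same server that
#    generated the request (that is where the private key lives) and bind it to IIS,
#    which fronts OWA, ECP, ActiveSync, Outlook Anywhere and Autodiscover.
$certBytes = [Byte[]]$(Get-Content -Path C:\certreq\owa_domain_com.cer -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Check: every hostname Exchange advertises to clients must be in the certificate's
#    SAN list, or Outlook and phones will show name-mismatch warnings, and users then
#    learn to click through them. This is an exact-match check; a wildcard SAN would
#    need its own matching rule.
$certNames = (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).CertificateDomains |
    ForEach-Object { $_.ToString().ToLower() }

$advertised = @()
Get-OwaVirtualDirectory        | ForEach-Object { if ($_.ExternalUrl) { $advertised += $_.ExternalUrl.Host } }
Get-ActiveSyncVirtualDirectory | ForEach-Object { if ($_.ExternalUrl) { $advertised += $_.ExternalUrl.Host } }
Get-OutlookAnywhere            | ForEach-Object { if ($_.ExternalHostname) { $advertised += $_.ExternalHostname.ToString() } }
Get-ClientAccessServer         | ForEach-Object { if ($_.AutoDiscoverServiceInternalUri) { $advertised += $_.AutoDiscoverServiceInternalUri.Host } }

$missing = $advertised | ForEach-Object { $_.ToLower() } | Sort-Object -Unique |
    Where-Object { $certNames -notcontains $_ }
if ($missing) {
    Write-Warning ("Names clients are sent to but the certificate does not cover: " + ($missing -join ", "))
} else {
    Write-Host "Every advertised client hostname is covered by the certificate."
}
```

Step 3 is the part worth keeping around: run it again whenever an ExternalUrl or the Autodiscover URI is changed, because a new name that is not in the SAN list silently turns every client warning into something users get used to ignoring. The legacy single-name certificate Ed mentions for the Exchange 2003 front end is a separate request generated on that server, not on the 2010 CAS.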

Thanks Ed. Just so I get it right: is legacy.domain.com the actual name, or is that just a generic for whatever the current 2003 name is? And then, autodiscover.domain.com can be everything except OWA, right?

Thanks again
November 7th, 2011 11:32am
