SAN Certificate for Exchange 2007
I have a single Exchange 2007 server using a self-signed certificate and want to get a public SAN certificate to enable Outlook Anywhere and to avoid the security warnings in OWA. My internal namespace is the same as my external namespace, company.com, and I am using split brain DNS. If I understand things correctly, I should have the following names assigned to the certificate: mail.company.com, company.com, autodiscover.company.com, servername.company.com, and servername. Does this sound correct? Am I missing anything else?
THANKS!
Regards, Mike
January 12th, 2011 12:50pm
Hi Mike,
The simplest answer is that you need to include any name used to access the Exchange 2007 server.
If you access the server both internally and externally, but the internal and external names are the same, that simplifies things even more (you don't need to repeat duplicate names). If you use different names for internal and external access (e.g., owa.domain.com and owa.domain.local) you will need to include both internal and external names in your certificate.
While we can't tell you exactly what to put in your certificate, we can give you some points to work with:
You need to include the fully-qualified domain name and NetBIOS name of your Exchange server(s) (e.g., owa.domain.com and owa.local).
If you will be using the autodiscover service, you will need to include an entry for autodiscover (the autodiscover service will automatically use autodiscover.domain.com).
If you use the same URL for OWA, ActiveSync, Outlook Anywhere, or any other service you might be using on the Exchange 2007 server, and do not have any CAS servers involved, you should pretty much be covered.
If you do use different URLs, make sure to include those as well.
If you are using any CAS servers, make sure to include the NetBIOS and internal fully-qualified domain name of every CAS server involved.
Regards
Ron
January 12th, 2011 3:40pm
I don't put the root of the domain name in to my certificates. On all domains that I manage the root of the domain (example.com) is pointing to the corporate web site.
Therefore if your internal and external domains are the same then you need:
host.example.com (common name, Outlook Anywhere, OWA, ActiveSync, MX records etc).
autodiscover.example.com
server.example.com (Exchange server FQDN)
server (Exchange server NETBIOS).
Nothing else.
Simon.
Simon Butler, Exchange MVP
January 12th, 2011 3:41pm
Thanks, would you recommend a UCC/SAN certificate or a wildcard certificate?
Regards, Mike
January 12th, 2011 3:57pm
I don't use wildcard certificates in any of my deployments to ensure maximum compatibility.
Simon.
Simon Butler, Exchange MVP
January 12th, 2011 5:18pm
On my side I always use a UC Multi-domain SSL certificate.
You can check the details at this URL:
http://www.entrust.net/ssl-certificates/unified-communications.htm
Ron
January 12th, 2011 11:22pm
For more information, please see:
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
If you are using a wildcard certificate, there will be an issue with Outlook Anywhere.
Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere
http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx
January 13th, 2011 1:57am
Once I acquire and install the SAN certificate, will this be a seamless process or will my end users in Outlook or OWA be presented with a warning or challenge?
Thanks!
Regards, Mike
January 13th, 2011 8:27am
As long as the certificate is from a trusted source and is for the URLs that the users are already familiar with, then it will not appear any different to the users - no prompts etc. If you get certificate prompts then something is wrong with the setup of the certificate.
Simon.
Simon Butler, Exchange MVP
January 13th, 2011 10:39am
Thank you all for your assistance.
Regards, Mike
January 13th, 2011 10:54am
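
Added example (not part of the original thread and not any poster's code): a pre-order check that compares the names clients will use against the names a certificate would carry, and reports the ones left uncovered. It goes beyond the thread by including standard single-label wildcard matching; the example.com names, the three sample certificates and the function names are constructed for illustration.

```python
# Added example: constructed names modelled on the thread's example.com list.

def name_matches(san: str, host: str) -> bool:
    """Match one certificate DNS name against a host name (RFC 6125 style)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label, so "*.example.com"
    # covers "mail.example.com" but not "example.com", "a.b.example.com",
    # or a single-label (NetBIOS-style) name such as "server".
    head, dot, rest = host.partition(".")
    return bool(head) and bool(dot) and rest == san[2:]


def uncovered(cert_sans, client_names):
    """Return the client-facing names that no certificate name covers."""
    return [n for n in client_names
            if not any(name_matches(s, n) for s in cert_sans)]


# Names clients use in a same-namespace deployment, as listed in the thread.
CLIENT_NAMES = [
    "host.example.com",          # OWA, Outlook Anywhere, ActiveSync
    "autodiscover.example.com",  # Autodiscover
    "server.example.com",        # Exchange server FQDN
    "server",                    # Exchange server NetBIOS name
]

# Constructed certificate name sets to compare.
SAN_CERT = ["host.example.com", "autodiscover.example.com",
            "server.example.com", "server"]
WILDCARD_CERT = ["*.example.com"]
PARTIAL_CERT = ["host.example.com", "server.example.com"]

if __name__ == "__main__":
    for label, sans in [("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT),
                        ("partial", PARTIAL_CERT)]:
        missing = uncovered(sans, CLIENT_NAMES)
        print(f"{label:9} missing: {missing or 'none'}")
```

Any name reported as missing is one where a client connecting by that name would see a name-mismatch prompt.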