one cert. for Exchange 2007
Hi all,
For Exchange 2007, we decided that we are going to use one certificate, mail.company.com, not a SAN certificate.
Can anyone help me? Should I use IIS to generate the certificate, or do I have to use the Exchange shell to generate it?
Also, years ago, I found one tech paper that had all the steps on how to use one certificate for Exchange 2007, and now I cannot find it anymore. Can anyone send me the link if you have one?
Thank you.
February 8th, 2011 8:03pm
You should use the Exchange Shell to create the CSR, import the cert, and enable the cert for IIS. Do not use the IIS tools to do this. Here is the article to help you with the one name cert:
http://www.amset.info/exchange/singlenamessl.asp
Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
February 8th, 2011 9:07pm
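The shell workflow Tim describes (CSR, import, enable for IIS), written out as an added example; it is not code from the linked article or from the thread. The server name CAS01, the organisation details in the subject, the key size and the file paths under C:\certs are assumptions, and the commands are the Exchange 2007 SP1 forms (New-ExchangeCertificate -Path and Import-ExchangeCertificate -Path), which differ from Exchange 2010.

```powershell
# Added example: single-name certificate for Exchange 2007 through the Exchange Management Shell.
# Assumptions: run on the CAS/HUB/MBX server (CAS01), certificate name mail.company.com,
# request and issued certificate kept under C:\certs.

$certName = "mail.company.com"
$reqPath  = "C:\certs\mail.company.com.req"
$cerPath  = "C:\certs\mail.company.com.cer"   # the file the CA sends back

# 1. Generate the CSR. -DomainName carries the one host name, so the request is a plain
#    single-name request rather than a SAN request. The private key is left exportable so the
#    same certificate can be exported (Export-ExchangeCertificate) and moved to the DR server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Company, CN=$certName" `
    -DomainName $certName `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -Path $reqPath

# 2. Submit $reqPath to the CA and save the issued certificate as $cerPath. The import pairs the
#    returned certificate with the pending request's private key in the local machine store.
Import-ExchangeCertificate -Path $cerPath

# 3. Pick the newly imported certificate by subject and bind it to IIS, which covers OWA, EWS,
#    Autodiscover and OAB. Add POP, IMAP or SMTP to -Services only if those should use it too.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*CN=$certName*" -and $_.Status -eq "Valid" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($cert -eq $null) { throw "No valid certificate with private key found for $certName" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Verify: the new thumbprint should list IIS under Services and the self-signed certificate
#    created at setup should no longer be bound to IIS.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status
```

Binding the certificate is only half of the single-name approach: Outlook checks the host name in each URL it receives (EWS, OAB, Autodiscover) against the certificate, so the internal and external URLs on those virtual directories and the AutoDiscoverServiceInternalUri must all use mail.company.com as well, otherwise clients see name-mismatch warnings even though the certificate is trusted.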
Thanks for the link. This link talks about using an SRV record with one cert.
Can we use one cert with the redirection method, as documented in http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx scenario 4?
February 9th, 2011 1:11pm
Yes, you can use one cert with the SRV redirection method.
James Chong MCITP | EA | EMA; MCSE | M+, S+, Security+, Project+, ITIL | msexchangetips.blogspot.com
February 9th, 2011 1:57pm
Do I have to use the Exchange shell to generate the cert request file for mail.mycompany.com?
Thank you.
February 9th, 2011 2:14pm
Yes, it's recommended to use the Exchange shell rather than IIS.
James Chong MCITP | EA | EMA; MCSE | M+, S+, Security+, Project+, ITIL | msexchangetips.blogspot.com
February 9th, 2011 2:22pm
Any reason why you are going down the single-name route? Particularly when you can get SAN certificates for less than $70/year?
If you are going to use the redirection method then be prepared for phone calls from users when they get the prompts.
Simon. Simon Butler, Exchange MVP | Blog | Exchange Resources | In the UK? Hire Me.
February 9th, 2011 5:27pm
> Any reason why you are going down the single-name route? Particularly when you can get SAN certificates for less than $70/year?
At our corp site, we have our Exchange 2007 SP1 with CAS/HUB/MBX set up. It only uses one cert with the redirection method.
Now, at our other site (DR site), we are going to set up another Exchange 2007 server with CAS/HUB/MBX for dial-tone purposes in case the corp site is down. If I use a SAN cert for the server at the DR site, I do not see any benefit, since we do not have autodiscover.mycompany.com in our external DNS records for the corp site.
What do you think?
> If you are going to use the redirection method then be prepared for phone calls from users when they get the prompts.
I tried OWA from the main site, since it has redirection set up. I do not get any prompt. How did they set it up so that users would not get any prompts?
Thank you.
February 9th, 2011 5:49pm
As OWA doesn't use Autodiscover, you haven't really done a valid test.
The prompt I am referring to is the one generated by Outlook when you are using Outlook Anywhere.
If you aren't using Outlook Anywhere, then the redirect method isn't even being used, because internally Autodiscover comes from the domain.
Simon. Simon Butler, Exchange MVP
February 9th, 2011 6:09pm
I just checked, and Outlook Anywhere is disabled.
So, should I still use the redirection method if we have disabled Outlook Anywhere?
Thank you.
February 9th, 2011 6:15pm
If you are not using Outlook Anywhere and all clients are on the domain, then Autodiscover doesn't really apply. What you do with the redirection method or not doesn't matter, because it isn't being used. As long as the Autodiscover URI value on Get-ClientAccessServer is configured correctly, then it shouldn't generate any errors.
The additional names etc. are all down to Outlook being used outside of your network via Outlook Anywhere and the configuration of remote clients.
Simon. Simon Butler, Exchange MVP
February 9th, 2011 8:36pm
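A check for the condition Simon describes in his last reply (domain-joined Outlook, Outlook Anywhere disabled, single-name certificate): every host name the Autodiscover response hands to Outlook must be on the certificate bound to IIS, starting with AutoDiscoverServiceInternalUri. This is an added example, not code from the thread or from Microsoft; the CAS name CAS01 is an assumption, and it is written against the Exchange 2007 SP1 cmdlets with PowerShell 1.0/2.0 syntax only. It must run on the CAS itself, because Get-ExchangeCertificate in Exchange 2007 reads the local machine store.

```powershell
# Added example (not from the thread): report URL/certificate name mismatches that would make
# domain-joined Outlook clients warn, even with Outlook Anywhere disabled.
# Assumption: CAS/HUB/MBX server named CAS01; run in the Exchange Management Shell on that server.

$server = "CAS01"

# The SCP value Outlook reads from Active Directory to locate Autodiscover internally.
$cas = Get-ClientAccessServer -Identity $server
$autodiscoverUri = [uri]$cas.AutoDiscoverServiceInternalUri

# Internal URLs returned inside the Autodiscover response; each host must be on the certificate.
$urls = @(
    $autodiscoverUri,
    [uri](Get-WebServicesVirtualDirectory -Server $server).InternalUrl,
    [uri](Get-OABVirtualDirectory -Server $server).InternalUrl
)

# The certificate currently enabled for IIS, and the host names it carries.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate is enabled for IIS on this server" }
$certNames = @()
foreach ($d in $iisCert.CertificateDomains) { $certNames += $d.ToString() }

$problems = 0
foreach ($u in $urls) {
    if ($u -eq $null) { continue }   # virtual directory without an InternalUrl configured
    if ($certNames -contains $u.Host) {
        Write-Host ("OK       " + $u.AbsoluteUri)
    } else {
        Write-Host ("MISMATCH " + $u.AbsoluteUri + "  (host not on certificate " + $iisCert.Thumbprint + ")")
        $problems++
    }
}

# Outlook Anywhere changes the picture: external clients then need the external host name on the
# certificate, and the external Autodiscover method (SRV record or redirect) comes into play.
$oa = Get-OutlookAnywhere -Server $server
if ($oa -ne $null) {
    Write-Host ("Outlook Anywhere enabled, external host name " + $oa.ExternalHostname)
} else {
    Write-Host "Outlook Anywhere disabled: only the internal URLs above matter for domain clients"
}

if ($problems -eq 0) {
    Write-Host ("All internal URLs use a name on certificate " + $iisCert.Thumbprint)
} else {
    Write-Host ($problems.ToString() + " URL(s) need to be changed to a name on the certificate, e.g.:")
    Write-Host ('  Set-ClientAccessServer -Identity ' + $server + ' -AutoDiscoverServiceInternalUri "https://' + $certNames[0] + '/Autodiscover/Autodiscover.xml"')
}
```

A MISMATCH line is the configuration error Simon warns about: Outlook validates the host in each URL against the certificate, so a single-name certificate for mail.company.com only stays silent if the SCP URI, EWS and OAB URLs all use that same name rather than the server's FQDN that setup leaves in place.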