one cert. for Exchange 2007
Hi all, For Exchange 2007, we decided that we are going to use one certificate, mail.company.com, not a SAN certificate. Can anyone help me? Should I use IIS to generate the certificate, or do I have to use the Exchange shell to generate the certificate? Also, years ago, I found one tech paper that had all the steps on how to use one certificate for Exchange 2007, and now I cannot find it anymore. Can anyone send me the link if you have one? Thank you.
February 8th, 2011 8:03pm

You should use the Exchange Shell to create the CSR, import the cert, and enable the cert for IIS. Do not use the IIS tools to do this. Here is the article to help you with the one name cert: http://www.amset.info/exchange/singlenamessl.asp
Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
February 8th, 2011 9:07pm

Thanks for the link. This link talks about using an SRV record with one cert. Can we use one cert with the redirection method, as documented in http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx scenario 4?
February 9th, 2011 1:11pm

Yes, you can use one cert with the SRV redirection method.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 9th, 2011 1:57pm

Do I have to use the Exchange shell to generate the cert. request file for mail.mycompany.com? Thank you.
February 9th, 2011 2:14pm

Yes, it's recommended to use the Exchange shell rather than IIS.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 9th, 2011 2:22pm

Any reason why you are going down the single name route? Particularly when you can get SAN certificates for less than $70/year? If you are going to use the redirection method then be prepared for phone calls from users when they get the prompts.
Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
February 9th, 2011 5:27pm

>Any reason why you are going down the single name route? Particularly when you can get SAN certificates for less than $70/year?

At our corp site, we have our Exchange 2007 SP1 with CAS/HUB/MBX set up. It only uses one cert with the redirection method. Now, at our other site (DR site), we are going to set up another Exchange 2007 server with CAS/HUB/MBX for dial tone purposes in case the corp site is down. If I use SAN for the server at the DR site, I do not see any benefits, since we do not have autodiscover.mycompany.com in our external DNS records for the corp site. What do you think?

>If you are going to use the redirection method then be prepared for phone calls from users when they get the prompts.

I tried OWA from the main site since it has redirection set up. I do not get any prompt. How did they set it up so that users would not get any prompts? Thank you.
February 9th, 2011 5:49pm

As OWA doesn't use autodiscover, you haven't really done a valid test. The prompt I am referring to is the one generated by Outlook when you are using Outlook Anywhere. If you aren't using Outlook Anywhere then the redirect method isn't even being used, because internally autodiscover comes from the domain.
Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
February 9th, 2011 6:09pm

I just checked and Outlook Anywhere is disabled. So, should I still use the redirection method if we disabled Outlook Anywhere? Thank you.
February 9th, 2011 6:15pm

If you are not using Outlook Anywhere and all clients are on the domain, then autodiscover doesn't really apply. What you do with redirection method or not doesn't matter because it isn't being used. As long as the autodiscover URI value on get-clientaccessserver is configured correctly, then it shouldn't generate any errors. The additional names etc. are all down to Outlook being used outside of your network via Outlook Anywhere and the configuration of remote clients.
Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
February 9th, 2011 8:36pm
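
The shell procedure recommended in the replies above (create the CSR, import the cert, enable it for IIS), together with the AutoDiscover URI check mentioned in the last reply, as an added example that is not from any poster in this thread. The file paths, the c=/o= subject fields and the key size are assumptions.

```powershell
# Added example for the Exchange 2007 Management Shell, run on the CAS server.
# Assumed values: both file paths, the c=/o= subject fields, the key size.
$fqdn    = 'mail.company.com'                 # the single name from the thread
$reqFile = 'C:\certs\mail_company_com.req'    # assumed path for the request
$cerFile = 'C:\certs\mail_company_com.cer'    # assumed path for the CA's reply

# 1. Generate the request. The private key is created and kept in this
#    server's certificate store; only the .req file goes to the CA.
#    -PrivateKeyExportable $true allows the same cert to be moved to a second
#    server (for example a DR site); any exported .pfx then holds the private
#    key and must be password-protected and deleted after use.
New-ExchangeCertificate -GenerateRequest `
    -Path $reqFile `
    -SubjectName "c=US, o=Company, cn=$fqdn" `
    -DomainName $fqdn `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# 2. and 3. Once the CA has issued the certificate, import it on the SAME
#    server that generated the request (that is where the private key lives)
#    and enable it for IIS in one step.
Import-ExchangeCertificate -Path $cerFile |
    Enable-ExchangeCertificate -Services IIS

# 4. Confirm which certificate now serves IIS and when it expires.
Get-ExchangeCertificate -DomainName $fqdn |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 5. Check the AutoDiscover URI handed to domain-joined Outlook clients.
#    With a single-name certificate, the host name in this URI needs to be
#    the name on the certificate, otherwise clients see a name mismatch.
Get-ClientAccessServer |
    Format-List Name, AutoDiscoverServiceInternalUri
```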

This topic is archived. No further replies will be accepted.
