orphanc (United Kingdom) asked:
Exchange 2007 unified communications certificate - assistance with configuration

We have Exchange 2007 installed and working with a self signed exchange certificate, although we had to point it to our company public URL:

main.company.com

to allow for microsoft push email to work. This obviously is not the solution as now all internal outlook clients get the exchange cert prompt when they log in, as the cert does not point at the internal server name:

exchange.company.local

With all the new services like outlook anywhere and the autodiscover service on 2007 there seems to be no choice but to buy a unified messaging certificate from digicert or comodo or whoever does it

However, what confuses me is the URL or SAN listing and the configuration changes to get this working. The recommended is this:

mailserver -- Private Server Name
mailserver.local -- Internal LAN name
mailserver.mydomain.net -- POP/SMTP/IMAP Server
mailserver.domain.com -- POP/SMTP/IMAP Server
owa.domain.com -- Outlook Web Access
autodiscover.domain.com -- AutoDiscover

the local ones I have no problem with, it's the public/autodiscover service that I'm not sure about.

Going by the above example the autodiscover will be:

autodiscover.company.com - so do I then need to buy this subdomain? Point it at our main public IP, and configure an internal DNS zone (non-AD) for company.com with 'autodiscover' as an A host record?

Doing this will mean all DNS resolution for the public company.com name on the internet will change to be resolved internally? And that particular DNS zone will have to point at the internal IP address of the Exchange server.

What worries me also is how this will affect external non-domain users that come in on the public URL mail.company.com, and connect to services based on port redirection, if internal resolution for company.com points to the internal Exchange server.

Do we need internal forward lookup for all public URL entries in this certificate? If yes, then there will be multiple DNS forward zones (non-AD) pointing at the Exchange server.

Am I looking at this wrong? This problem is apparent because our internal AD domain is not the same as our public domain - but I guess this is the 'norm' for security/AD setup.

Any help will be appreciated.
LegendZM (United States) answered:

You won't need to buy the sub domain 'autodiscover' because this is for local users.

domains to put on UCC:

mail.domain.com (which was the common name)
autodiscover.domain.local
server.domain.local
server (i.e. just the NetBIOS name).

For exchange 2007 you need what is called a UCC certificate:

Multiple Domain Certificates, also called Unified Communications Certificates (UCC), provide the most flexible class of SSL Certificates today by securing multiple domain names with one certificate.
Secure up to 100 domain names on one certificate.
Save money because the cost of one Multiple Domain Certificate, with additional domain names, is less than the cost of individual certificates for each unique domain name.
Compatible with Microsoft Exchange Server 2007 and Microsoft Communications Server.
Simplifies the process of managing multiple certificates with varying expiration dates.
Our Single, Multiple Domain and Subdomain certificates all use the same rock-solid, 256-bit encryption technology, proving that your Web site is a secure place for customers to conduct business.
NOTE: The UCC Certificate is ideal for Communication Server, Exchange Server and other Enterprise Applications, as well as for single companies or entities with many related URLs. This Certificate is not recommended for use with sites completely separate from each other (e.g. a network provider who builds Web sites for competitors).

https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8901#tb

You can no longer use one certificate for just 'owa' or 'mail.yourdomain.com';

you need one certificate for multiple domains:
Outlook 2007 uses autodiscover.yourdomain.com, which you need a cert for;
OWA uses its own, etc.

So instead of purchasing multiple certs, you need a UCC cert that covers all of it.

You need to generate the command from exchange powershell, here's a web based tool that will help you.

https://www.digicert.com/easy-csr/exchange2007.htm
and a MS KB on the command used: http://technet.microsoft.com/en-us/library/aa998327.aspx
Once done, use this command to import the certificate in Exchange PS: http://technet.microsoft.com/en-us/library/bb124424.aspx

Lastly, you can use this page to help you generate the command line: https://www.digicert.com/easy-csr/exchange2007.htm
and: http://msexchangeteam.com/archive/2007/04/30/438249.aspx

you could use autodiscover.domain.com if you are using non  domain joined clients.
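The steps LegendZM's links cover, written out as one Exchange 2007 Management Shell session for the names used in this thread (mail.company.com, autodiscover.company.com, exchange.company.local and the NetBIOS name exchange). This is an added example, not code from the thread or from Microsoft's documentation; the organisation and country in the subject, the file paths, the friendly name, the key size and the set of services to bind are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Client Access server. Names come from the thread; everything else is assumed.

# 1. The names clients will actually connect to. Every one of them must be on the cert,
#    otherwise the client that uses that name gets the certificate prompt the asker sees.
$commonName = "mail.company.com"                  # public name, becomes the CN
$sanNames   = @(
    "mail.company.com",                           # OWA, Outlook Anywhere, ActiveSync
    "autodiscover.company.com",                   # Autodiscover lookup by non-domain-joined Outlook 2007
    "exchange.company.local",                     # internal FQDN used by domain-joined Outlook
    "exchange"                                    # NetBIOS name
)

# 2. Generate the request. -Path writes a Base64 CSR that you paste into the CA's order form.
#    -PrivateKeyExportable is needed if the same cert will later be exported to a reverse proxy.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Company Ltd, CN=$commonName" `
    -DomainName $sanNames `
    -FriendlyName "Exchange 2007 UCC" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path "C:\certs\exchange-ucc.req"

# 3. After the CA issues the certificate, import it (Exchange 2007 syntax uses -Path)
#    and bind it in one go. IIS covers OWA, Autodiscover, EWS, OAB, ActiveSync and the
#    Outlook Anywhere /rpc virtual directory; SMTP gives the Hub Transport a TLS cert.
$cert = Import-ExchangeCertificate -Path "C:\certs\exchange-ucc.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Check that every expected name really is on the enabled certificate before touching clients.
$enabled = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $sanNames | Where-Object { $enabled.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning ("Names missing from certificate: " + ($missing -join ", "))
} else {
    Write-Host ("All SAN names present. Services: " + $enabled.Services)
}
```

Two caveats worth knowing before ordering: enabling the new certificate for IIS replaces the self-signed one, so check the SAN list first (step 4) rather than after the clients start complaining; and public CAs stopped issuing certificates that contain internal names such as .local or a bare NetBIOS name in 2015, so on a current CA the .local entries in this thread would have to come from an internal CA, or the server would have to be reached by its public name internally as well (split DNS).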
orphanc (asker) replied:

Hiya LegendZM, thank you for your response.

I am fine with using the powershell to generate the unified communications certificate, and import it- thanks for the links though :)

However I'm still not 100 % on what URLs need to be entered on the cert. You say:

mail.domain.com (which was the common name) - which I take to be the public IP
autodiscover.domain.local - ?
server.domain.local - fine
server (ie just the NETBIOS name)- fine

The autodiscover.domain.local URL is what I initially thought, so I just added an A host record in DNS for autodiscover. Microsoft recommend this, but I have since been reading mixed material, e.g. the article you have attached:

http://msexchangeteam.com/archive/2007/04/30/438249.aspx

this section reads:

"For non domain joined clients or clients that are not able to directly access the domain, Outlook is hard coded to find the Autodiscover end point by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the users SMTP address following the @ sign).

We do have many non-domain users that connect in to use Exchange, so do we then have to input both entries:

autodiscover.domain.local
autodiscover.domain.com

and also do you have an autodiscover A host record for both? E.g.

domain.local AD forward lookup zone - A host - autodiscover = point exchange IP
domain.com (non AD zone) - A host - autodiscover = point to exchange IP

I also read that every URL must be able to be resolved internally for this to work for all services?

Does this make sense?

Thanks for your comments :)
LegendZM (United States) replied:
I usually do autodiscover.domain.local (or whatever your internal domain is)  and autodiscover.domain.com

You just need autodiscover.domain.com,  not .local sorry.

I'm not sure if you have to set anything. I didn't have to. The server has an XML file that tells the clients the information: http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html
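What the server actually hands out is a set of URLs (the Autodiscover service connection point in AD for domain-joined clients, then the EWS, OAB, OWA and Outlook Anywhere URLs in the Autodiscover response), and the certificate prompt appears whenever one of those URLs uses a host name that is not on the certificate. The following is an added example, not code from the thread or the linked post, showing how to set those URLs in Exchange 2007 SP1 so that every name Outlook receives is one of the names on the UCC certificate. The server name EXCHANGE, the internal IP and the choice of internal versus public name per service are assumptions; the host names follow the thread.

```powershell
# Added example, not from the thread. Exchange 2007 SP1 cmdlet and parameter names.
# Names follow the thread; the server name and which name each service uses are assumed.
$server       = "EXCHANGE"
$publicHost   = "mail.company.com"          # on the certificate, reachable from the internet
$internalHost = "exchange.company.local"    # on the certificate, resolvable only on the LAN

# Service connection point: what domain-joined Outlook reads from AD before it tries DNS.
# Default is the server FQDN; keep it on a name that is on the certificate.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$internalHost/Autodiscover/Autodiscover.xml"

# EWS, OAB and OWA: InternalUrl is returned to clients on the LAN, ExternalUrl to
# everyone else. Both host names must be on the certificate.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$internalHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$publicHost/EWS/Exchange.asmx"

Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$internalHost/OAB" `
    -ExternalUrl "https://$publicHost/OAB" `
    -RequireSSL $true

Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$internalHost/owa" `
    -ExternalUrl "https://$publicHost/owa"

# ActiveSync (the "push email" from the question) only has an external URL.
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$publicHost/Microsoft-Server-ActiveSync"

# Outlook Anywhere advertises a single external host name; it must be on the certificate too.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" -ExternalHostname $publicHost

# Review: every URL printed here should use a host that appears in
# (Get-ExchangeCertificate).CertificateDomains for the enabled IIS certificate.
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $server | Format-List Identity, ExternalHostname
```

If you would rather not have any .local names on a public certificate, set the SCP and every InternalUrl to the public host name instead and make that name resolve to the server's internal IP on the LAN; that is the split-DNS arrangement the asker is worried about later in the thread, and it removes the .local and NetBIOS entries from the SAN list entirely.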

orphanc (asker) replied:

Hmm, so you just need autodiscover.domain.com,

where domain.com follows the @ sign of your email policy? OK, how did you configure your DNS?

I
ASKER CERTIFIED SOLUTION by LegendZM (United States)
orphanc (asker) replied:

Hi Legend,

I have just seen your response after all this time.
I will allocate you the points for this question as you answered it correctly.

I ended up logging a call with Microsoft so I could get the correct list for this, and they were even confused.

In the end I used:

mail.domain.com
autodiscover.domain.com
autodiscover.domain.local
server.domain.local
server netbios name
public URL for router

DNS A record for autodiscover.domain.local was set to internal IP of server, and it all seems to work.

Thanks for your input. Sorry to confuse.
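The asker's final list above is the whole configuration, so the last thing a practitioner wants is a way to confirm it from a workstation: that each name resolves where it should, and that the certificate actually presented on port 443 for that name carries it as a SAN. The following is an added example, not code from the thread: it adds the DNS records with dnscmd (the Windows Server 2003/2008 DNS tool of the period) and then checks every name with a small PowerShell function that does a TLS handshake and reads the Subject Alternative Name extension. The DNS server name DNS01, the internal IP 10.0.0.5 and the English "DNS Name=" wording that Windows uses when formatting the SAN extension are assumptions; the host names follow the thread.

```powershell
# Added example, not from the thread. DNS server name, internal IP and the English
# "DNS Name=" formatting of the SAN extension are assumptions.

# --- DNS side -------------------------------------------------------------------------
# Internal AD zone record the asker ended up with:
dnscmd DNS01 /RecordAdd company.local autodiscover A 10.0.0.5

# For the public name, a primary (non-AD) zone named after the *full host name* makes
# only autodiscover.company.com resolve internally; everything else in company.com
# keeps resolving through the public DNS, which answers the worry about breaking
# mail.company.com and the other public records.
dnscmd DNS01 /ZoneAdd autodiscover.company.com /Primary /file autodiscover.company.com.dns
dnscmd DNS01 /RecordAdd autodiscover.company.com "@" A 10.0.0.5

# --- Verification from a client -------------------------------------------------------
function Test-ExchangeName {
    param([string]$Name, [int]$Port = 443)
    $result = New-Object PSObject -Property @{
        Name = $Name; ResolvesTo = $null; CertSubject = $null; SelfSigned = $null
        NameOnCert = $false; CertNames = @(); Error = $null
    }
    try {
        $result.ResolvesTo = ([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString }) -join ","

        # Accept any chain during the handshake: we are inspecting the certificate, not trusting it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close(); $tcp.Close()

        $result.CertSubject = $cert.Subject
        $result.SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # the RTM self-signed cert looks like this

        # Subject Alternative Name extension is OID 2.5.29.17; Format($true) yields one "DNS Name=x" per line.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $names = @()
        if ($san) {
            $names = $san.Format($true) -split "`r?`n" |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -match "^DNS Name=" } |
                ForEach-Object { ($_ -split "=", 2)[1].Trim() }
        }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $result.CertNames  = @($names) + @($cn) | Select-Object -Unique
        $result.NameOnCert = ($result.CertNames -contains $Name)
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

# Names from the asker's final certificate (the router's public name is left out here).
$expected = "mail.company.com", "autodiscover.company.com",
            "autodiscover.company.local", "exchange.company.local", "exchange"

$expected | ForEach-Object { Test-ExchangeName $_ } |
    Format-Table Name, ResolvesTo, NameOnCert, SelfSigned, Error -AutoSize
```

Run it once from a domain-joined PC and once from outside (or from a machine pointed at a public resolver): internally every name should resolve to the server's LAN address and show NameOnCert true; externally only the public names should resolve, and they should land on the same certificate. A row with SelfSigned true after the new certificate was enabled means Enable-ExchangeCertificate did not bind it to IIS, which is the usual cause of the certificate prompt persisting after the purchase.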