Solved

Best way to Set Up SSL Certificates for an Exchange NLB Frontend Cluster

Posted on 2006-07-11
10
1,004 Views
Last Modified: 2013-11-15

Currently we have 1 Exchange 2000 OWA Server with SSL
We are upgrading to Exchange 2003 with 2 NLB OWA servers.
Can we use the current SSL for both servers and add it to the virtual name?
Any advice welcome

Thanks
0
Question by:ad25cn1x
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17081312
You are going to have to purchase an additional certificate either way - as SSL certificates are good for a single server only.

If you are not going to have any mobile devices connect, then you could look at a wildcard SSL certificate. Windows Mobile doesn't support wildcards.

Otherwise two SSL certificates on the same name that you are going to point the clients at should work.

Simon.
0
 

Author Comment

by:ad25cn1x
ID: 17082592
These servers will be used for OWA only. Why can you not just use the same certificate? The outside world will see the same original name, but both physical servers will have different names.
We use VeriSign at the moment.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082718
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Hi!
In the general case, when you are using an SSL certificate for a single server, the name specified in the certificate should match the name by which that server is resolved; otherwise you will get a warning about the validity of the certificate.
The situation is totally different in the case of NLB. All the hosts participating in the NLB cluster are being accessed using one virtual IP address. This address is resolved to the name by which your OWA NLB cluster (like MAIL.MYCOMPANY.COM) is going to be accessed. Based on that it is obvious that if you already have an existing certificate for “MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MYCOMPANY.COM” (actually I doubt you can do this from the same provider).
You have to export the existing certificate as it is demonstrated in step 2 in the following video tutorial:
http://www.netometer.net/video/tutorials/replace55/index.html

and import it in each node of your NLB cluster (step 8):

http://www.netometer.net/video/tutorials/replace55/index.html


Dean
0
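Added example (my own code, not from this thread or any of its posters): a small Python check of which host names a certificate's CN/SAN entries actually cover. This is the point the thread keeps returning to: clients only ever resolve the NLB virtual name, so that is the name the certificate has to carry, while the physical node names never appear in the handshake. The wildcard rules follow the conservative RFC 6125 reading modern browsers apply (a `*` only as the whole left-most label, matching exactly one label), and the report flags a wildcard name because, as Simon notes above, Windows Mobile of that era did not accept them. All certificate and host names below are constructed for illustration.

```python
"""Which host names does a certificate cover in an NLB front end?

Constructed example: every name below is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) matches hostname.

    Wildcard handling is deliberately strict: '*' is honoured only as the
    entire left-most label, it matches exactly one label, and '*.com' style
    names are rejected. The hostname itself may never contain a wildcard.
    """
    if "*" in hostname:
        return False
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if "*" not in cert_name:
        # Plain name: exact label-by-label, case-insensitive comparison.
        return cert_labels == host_labels
    # Exactly one wildcard, and only as the whole left-most label.
    if cert_labels[0] != "*" or any("*" in lab for lab in cert_labels[1:]):
        return False
    # Need at least two labels after the wildcard, and the same label count.
    if len(cert_labels) < 3 or len(host_labels) != len(cert_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


@dataclass
class CoverageReport:
    covered: list[str]      # names the certificate is valid for
    uncovered: list[str]    # names that would raise a browser warning
    uses_wildcard: bool     # some legacy clients reject wildcard certificates


def cluster_coverage(cert_names: list[str], virtual_name: str,
                     node_names: list[str]) -> CoverageReport:
    """Report coverage of the NLB virtual name and each physical node name.

    Only the virtual name matters to clients; node names are listed so an
    admin can see that a per-node name is *not* what the certificate needs.
    """
    covered: list[str] = []
    uncovered: list[str] = []
    for host in [virtual_name, *node_names]:
        if any(name_matches(cn, host) for cn in cert_names):
            covered.append(host)
        else:
            uncovered.append(host)
    return CoverageReport(covered, uncovered,
                          uses_wildcard=any("*" in n for n in cert_names))


if __name__ == "__main__":
    # Constructed names: the cluster name and two NLB nodes behind it.
    virtual = "mail.mycompany.com"
    nodes = ["owa1.mycompany.com", "owa2.mycompany.com"]
    for names in (["MAIL.MYCOMPANY.COM"], ["*.mycompany.com"]):
        report = cluster_coverage(names, virtual, nodes)
        print(f"cert names {names}: covered={report.covered} "
              f"uncovered={report.uncovered} wildcard={report.uses_wildcard}")
```

Reading the output: the single-name certificate covers the virtual name and nothing else, which is exactly what the NLB cluster needs, because no client ever asks for `owa1` or `owa2`; the wildcard variant covers everything but is flagged for the legacy-client caveat.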
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082747
I am sorry. I meant the FQDN of your OWA: if you already have an existing certificate for “MAIL.MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MAIL.MYCOMPANY.COM”.

Dean
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17083075
While you can use the same certificate on other machines - you will find that the SSL certificate issuer doesn't allow it. SSL certificates are supposed to be for one server only. You shouldn't share the certificate.
You will need to speak to the SSL certificate provider to see whether the certificate can be used on more than one physical machine.

Simon.
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17083327
That is not true for the NLB case. Here is an excerpt from VeriSign’s policy:
http://64.233.187.104/search?q=cache:rz5uGnnQzMsJ:www.verisign.com/ssl/ssl-information-center/faq/ssl-basics.html+SSL+certificate+network+Load+Balancing&hl=en&gl=us&ct=clnk&cd=19

“Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers—by disk or by network—accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.”

0
 
LVL 104

Expert Comment

by:Sembee
ID: 17083348
That was why I said to speak to the certificate operator - they all have their own rules.

Although if I had paid out $400 for an SSL certificate I would like to be able to use it on more than one server!

Simon.
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 250 total points
ID: 17083401
Actually I might be wrong. When I followed the link “See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information”: http://www.verisign.com/static/001496.pdf
It turns out that for the case of NLB where all the servers are going to be accessed using the same name you have to either:
- Purchase a unique certificate for each server (as they share the same name you have to specify a different OU for each of them)
- Purchase the Licensed Certificate Option

Dean

0
 

Author Comment

by:ad25cn1x
ID: 17101281
Thanks for the info.
We are going to export the SSL on to both servers (it should work) and inform Veritas.
I will let you know how we get on.

Anyone know how to force OWA to use SSL, i.e. HTTPS?
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17101353
I think that is the best approach:
http://support.microsoft.com/kb/839357/en-us

Dean
PS: Of course you have to choose "require" instead of "request" encryption for the "Exchange" virtual directory.
0
