Solved

Best way to Set Up SSL Certificates for an Exchange NLB Frontend Cluster

Posted on 2006-07-11
Last Modified: 2013-11-15

Currently we have 1 Exchange 2000 OWA Server with SSL
We are upgrading to Exchange 2003 with 2 NLB OWA servers.
Can we use the current SSL for both servers and add it to the virtual name?
Any advice welcome

Thanks
Question by:ad25cn1x
LVL 104

Expert Comment

by:Sembee
ID: 17081312
You are going to have to purchase an additional certificate either way - as SSL certificates are good for a single server only.

If you are not going to have any mobile devices connect, then you could look at a wildcard SSL certificate. Windows Mobile doesn't support wildcards.

Otherwise two SSL certificates on the same name that you are going to point the clients at should work.

Simon.

Author Comment

by:ad25cn1x
ID: 17082592
These servers will be used for OWA only. Why can you not just use the same certificate? The outside world will see the same original name, but both physical servers will have different names.
We use VeriSign at the moment.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082718
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Hi!
In the general case, when you are using an SSL certificate for a single server, the name specified in the certificate should match the name by which that server is resolved; otherwise you will get a warning about the validity of the certificate.
The situation is totally different in the case of NLB. All the hosts participating in the NLB cluster are being accessed using one virtual IP address. This address is resolved to the name by which your OWA NLB cluster (like MAIL.MYCOMPANY.COM) is going to be accessed. Based on that it is obvious that if you already have an existing certificate for “MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MYCOMPANY.COM” (actually I doubt you can do this from the same provider).
You have to export the existing certificate as demonstrated in step 2 of the following video tutorial:
http://www.netometer.net/video/tutorials/replace55/index.html

and import it in each node of your NLB cluster (step 8):

http://www.netometer.net/video/tutorials/replace55/index.html


Dean
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082747
I am sorry. I meant the FQDN of your OWA: if you already have an existing certificate for “MAIL.MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MAIL.MYCOMPANY.COM”.

Dean
LVL 104

Expert Comment

by:Sembee
ID: 17083075
While you can use the same certificate on other machines - you will find that the SSL certificate issuer doesn't allow it. SSL certificates are supposed to be for one server only. You shouldn't share the certificate.
You will need to speak to the SSL certificate provider to see whether the certificate can be used on more than one physical machine.

Simon.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17083327
That is not true for the NLB case. Here is an excerpt from VeriSign’s policy:
http://64.233.187.104/search?q=cache:rz5uGnnQzMsJ:www.verisign.com/ssl/ssl-information-center/faq/ssl-basics.html+SSL+certificate+network+Load+Balancing&hl=en&gl=us&ct=clnk&cd=19

“Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers—by disk or by network—accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.”

LVL 104

Expert Comment

by:Sembee
ID: 17083348
That was why I said to speak to the certificate operator - they all have their own rules.

Although if I had paid out $400 for an SSL certificate I would like to be able to use it on more than one server!

Simon.
LVL 11

Accepted Solution

by: NetoMeter Screencasts (earned 250 total points)
ID: 17083401
Actually, I might be wrong. When I followed the link “See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information”: http://www.verisign.com/static/001496.pdf
It turns out that for the case of NLB, where all the servers are going to be accessed using the same name, you have to either:
- Purchase a unique certificate for each server (as they share the same name, you have to specify a different OU for each of them)
- Purchase a Licensed Certificate Option

Dean

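Whichever of the two options is taken, what a browser sees when NLB hands it a particular node is worth checking on every node, not just at the virtual address. The following Python check is an added example, not code from the thread or any participant: it connects to each physical node while presenting the cluster name, confirms the certificate actually covers that name (CN or DNS SAN, including a single-label wildcard), and counts how many distinct certificates the cluster presents. `mail.example.com` and the `192.0.2.x` addresses are placeholders; the name-matching helper works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib
import socket
import ssl

def _hostname_matches(pattern, fqdn):
    # Exact match, or a single-label wildcard (*.example.com) that covers exactly one label.
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn.count(".") == pattern.count(".")
    return pattern == fqdn

def cert_covers_name(cert, fqdn):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert(). DNS SANs are checked first;
    the subject CN is the fallback, since certificates of the era discussed here often carry only a CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_hostname_matches(n, fqdn) for n in names)

def inspect_node(node_ip, fqdn, port=443, timeout=5):
    """Connect to one physical node while presenting the cluster name, as a browser does
    once NLB has picked that node. Returns (sha256 fingerprint, name_ok)."""
    ctx = ssl.create_default_context()   # chain is still validated against the trust store
    ctx.check_hostname = False           # a name mismatch is reported, not an aborted handshake
    with socket.create_connection((node_ip, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
        fingerprint = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
        return fingerprint, cert_covers_name(tls.getpeercert(), fqdn)

def summarize(results):
    """results maps node -> (fingerprint, name_ok). Every node must cover the virtual name;
    differing fingerprints are only counted, because one certificate per node (distinct OU)
    is a legitimate outcome of the licensing options discussed in the thread."""
    return {"all_nodes_cover_name": all(ok for _, ok in results.values()),
            "distinct_certificates": len({fp for fp, _ in results.values()})}

if __name__ == "__main__":
    VIRTUAL_NAME = "mail.example.com"          # placeholder cluster FQDN
    NODES = ["192.0.2.11", "192.0.2.12"]       # placeholder node addresses
    results = {}
    for ip in NODES:
        try:
            results[ip] = inspect_node(ip, VIRTUAL_NAME)
        except (OSError, ssl.SSLError) as exc:  # refused, timed out, untrusted chain ...
            print(f"{ip}: {exc}")
    for ip, (fp, ok) in results.items():
        print(f"{ip}: name {'OK' if ok else 'MISMATCH'}  sha256={fp[:16]}...")
    print(summarize(results))
```

A node that prints `MISMATCH` is serving its own machine certificate rather than one for the cluster name, which is exactly the browser warning the thread describes.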

Author Comment

by:ad25cn1x
ID: 17101281
Thanks for the info.
We are going to export the SSL certificate on to both servers (it should work) and inform Veritas.
I will let you know how we get on.

Anyone know how to force OWA to use SSL, i.e. HTTPS?
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17101353
I think that is the best approach:
http://support.microsoft.com/kb/839357/en-us

Dean
PS: Of course you have to choose "require" instead of "request" encryption for the "Exchange" virtual directory.