Solved

Best way to Set Up SSL Certificates for an Exchange NLB Frontend Cluster

Posted on 2006-07-11
Last Modified: 2013-11-15

Currently we have 1 Exchange 2000 OWA Server with SSL
We are upgrading to Exchange 2003 with 2 NLB OWA servers.
Can we use the current SSL for both servers and add it to the virtual name?
Any advice welcome.

Thanks
Question by:ad25cn1x
10 Comments
Expert Comment

by:Sembee
ID: 17081312
You are going to have to purchase an additional certificate either way - as SSL certificates are good for a single server only.

If you are not going to have any mobile devices connect, then you could look at a wildcard SSL certificate. Windows Mobile doesn't support wildcards.

Otherwise two SSL certificates on the same name that you are going to point the clients at should work.

Simon.
Author Comment

by:ad25cn1x
ID: 17082592
These servers will be used for OWA only. Why can you not just use the same certificate? The outside world will see the same original name, but both physical servers will have different names.
We use VeriSign at the moment.
Expert Comment

by:NetoMeter Screencasts
ID: 17082718
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Hi!
In the general case, when you are using an SSL certificate for a single server, the name specified in the certificate should match the name by which that server is resolved; otherwise you will get a warning about the validity of the certificate.
The situation is totally different in the case of NLB. All the hosts participating in the NLB cluster are accessed using one virtual IP address. This address resolves to the name by which your OWA NLB cluster (like MAIL.MYCOMPANY.COM) is going to be accessed. Based on that, it is obvious that if you already have an existing certificate for “MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MYCOMPANY.COM” (actually I doubt you can do this from the same provider).
You have to export the existing certificate as demonstrated in step 2 of the following video tutorial:
http://www.netometer.net/video/tutorials/replace55/index.html

and import it in each node of your NLB cluster (step 8):

http://www.netometer.net/video/tutorials/replace55/index.html


Dean
Expert Comment

by:NetoMeter Screencasts
ID: 17082747
I am sorry. I meant the FQDN of your OWA: if you already have an existing certificate for “MAIL.MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MAIL.MYCOMPANY.COM”.

Dean
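The export-and-import procedure described in the two comments above, written out as an added example for this page (it is not code from the thread, from NetoMeter or from Microsoft). It uses certutil.exe, which ships with Windows Server 2003 and later, and assumes the certificate was issued to mail.mycompany.com and lives in the Local Computer "My" store; the server names, paths and password are placeholders. Run it with -Mode Export on the server that already holds the certificate, then with -Mode Import on each NLB node:

```powershell
# Added example (not from the thread): move the existing OWA certificate together
# with its private key to an NLB node. Names, paths and password are placeholders.
param(
    [ValidateSet('Export', 'Import')]
    [string]$Mode        = 'Import',
    [string]$VirtualName = 'mail.mycompany.com',      # name in the cert = NLB name
    [string]$PfxPath     = 'C:\Certs\owa.pfx',
    [string]$PfxPassword = 'Use-A-Strong-Passphrase'  # protects the key in transit
)

switch ($Mode) {
    'Export' {
        # certutil accepts the subject CN as the certificate id. The export fails
        # if the key was marked non-exportable when the request was created.
        certutil -p $PfxPassword -exportPFX My $VirtualName $PfxPath
    }
    'Import' {
        # Puts certificate and key into the Local Computer "My" store, where the
        # IIS Web Server Certificate Wizard can select it for the Default Web Site.
        certutil -p $PfxPassword -importPFX $PfxPath
        # Do not leave a copy of the private key on the node's disk afterwards.
        Remove-Item $PfxPath
    }
}

# Verification: the SHA-1 hash printed here must be identical on every node,
# otherwise the nodes are presenting different certificates under the same name.
certutil -store My $VirtualName | Select-String 'Cert Hash\(sha1\)'
```

Every node that imports the PFX now holds a copy of the same private key, which is exactly the situation the VeriSign policy quoted further down in the thread makes a licensing condition of: check with the issuer before doing this, and transfer the PFX only over a channel you trust.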
Expert Comment

by:Sembee
ID: 17083075
While you can use the same certificate on other machines - you will find that the SSL certificate issuer doesn't allow it. SSL certificates are supposed to be for one server only. You shouldn't share the certificate.
You will need to speak to the SSL certificate provider to see whether the certificate can be used on more than one physical machine.

Simon.
Expert Comment

by:NetoMeter Screencasts
ID: 17083327
That is not true for the NLB case. Here is an excerpt from VeriSign’s policy:
http://64.233.187.104/search?q=cache:rz5uGnnQzMsJ:www.verisign.com/ssl/ssl-information-center/faq/ssl-basics.html+SSL+certificate+network+Load+Balancing&hl=en&gl=us&ct=clnk&cd=19

“Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers—by disk or by network—accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.”

Expert Comment

by:Sembee
ID: 17083348
That was why I said to speak to the certificate operator - they all have their own rules.

Although if I had paid out $400 for an SSL certificate I would like to be able to use it on more than one server!

Simon.
Accepted Solution

by:NetoMeter Screencasts (earned 250 total points)
ID: 17083401
Actually, I might be wrong. When I followed the link “See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information”: http://www.verisign.com/static/001496.pdf
It turns out that for the case of NLB, where all the servers are going to be accessed using the same name, you have to either:
- Purchase a unique certificate for each server (as they share the same name, you have to specify a different OU for each of them)
- Purchase the Licensed Certificate Option

Dean

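The first option in the accepted answer, one certificate per node with the same CN and a different OU, as an added example (not code from the thread or from VeriSign). It uses certreq.exe, which is part of Windows Server 2003 and later, and is meant to be run on each node so that the private key is generated there and never leaves it. The organisation, country and paths are placeholders; the computer name is used as the OU:

```powershell
# Added example (not from the thread): a per-node certificate request for the
# shared public name, distinguished only by the OU. Run on every NLB node.
$VirtualName = 'mail.mycompany.com'      # what clients type; it must be the CN
$Node        = $env:COMPUTERNAME         # e.g. OWA-NODE1, becomes the OU
$Org         = 'MyCompany Ltd'           # placeholder
$Country     = 'GB'                      # placeholder
$InfPath     = "C:\Certs\$Node.inf"
$ReqPath     = "C:\Certs\$Node.req"      # the PKCS#10 file you send to the CA

# certreq INF format. KeySpec=1 and ProviderType=12 give an RSA key usable by
# SChannel; Exportable=FALSE stops the key from being copied to another host,
# which is what keeps the per-node option distinct from sharing one key.
$Inf = @"
[NewRequest]
Subject = "CN=$VirtualName, OU=OWA $Node, O=$Org, C=$Country"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@

Set-Content -Path $InfPath -Value $Inf
certreq -new $InfPath $ReqPath

# When the CA returns the signed certificate (for example C:\Certs\OWA-NODE1.cer),
# install it on the same node so it is joined to the pending key:
#   certreq -accept C:\Certs\$Node.cer
```

Because the CN is identical on every request, the CA has to be willing to issue more than one certificate for the same name to the same customer; the accepted answer says VeriSign keys that on the OU, so make sure the OU really differs per node before submitting.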
Author Comment

by:ad25cn1x
ID: 17101281
Thanks for the info.
We are going to export the SSL on to both servers (it should work) and inform Veritas.
I will let you know how we get on.

Anyone know how to force OWA to use SSL, i.e. HTTPS?
Expert Comment

by:NetoMeter Screencasts
ID: 17101353
I think that is the best approach:
http://support.microsoft.com/kb/839357/en-us

Dean
PS: Of course you have to choose "require" instead of "request" encryption for the "Exchange" virtual directory.
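The "require" setting from the postscript above, applied by script rather than in the IIS Manager GUI, as an added example (not from the thread, from NetoMeter or from the Microsoft KB article). It uses adsutil.vbs, which IIS 6 installs under Inetpub\AdminScripts, and assumes the Default Web Site is site id 1, the IIS 6 default. The thread names only the Exchange virtual directory; Public and Exchweb are added here because OWA also serves content from them, so leaving them on plain HTTP would still expose session traffic. Run it on each NLB node:

```powershell
# Added example (not from the thread): require 128-bit SSL on the OWA virtual
# directories of the Default Web Site on an Exchange 2003 front end (IIS 6).
$AdsUtil = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"
$SiteId  = 1                                  # Default Web Site in IIS 6
$VDirs   = @('Exchange', 'Public', 'Exchweb')  # Public/Exchweb added as an assumption

# AccessSSLFlags is a bit mask: 8 = AccessSSL (require SSL),
# 256 = AccessSSL128 (require 128-bit ciphers). 8 + 256 = 264.
$RequireSsl128 = 8 + 256

foreach ($vdir in $VDirs) {
    cscript //nologo $AdsUtil SET "W3SVC/$SiteId/ROOT/$vdir/AccessSSLFlags" $RequireSsl128
}

# Check: each line should read "AccessSSLFlags : (INTEGER) 264". A directory that
# reports 0 still answers plain-HTTP requests for OWA content.
foreach ($vdir in $VDirs) {
    cscript //nologo $AdsUtil GET "W3SVC/$SiteId/ROOT/$vdir/AccessSSLFlags"
}
```

Requiring SSL makes IIS answer plain-HTTP requests with a 403.4 error rather than redirecting them; the KB article linked above describes how to turn that error into a redirect to HTTPS so that users who type the bare name still land on the secure page.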