Best way to Set Up SSL Certificates for an Exchange NLB Frontend Cluster

Currently we have 1 Exchange 2000 OWA server with SSL.
We are upgrading to Exchange 2003 with 2 NLB OWA servers.
Can we use the current SSL for both servers and add it to the virtual name?
Any advice welcome.

Thanks
Asked by: ad25cn1x
1 Solution
 
Sembee commented:
You are going to have to purchase an additional certificate either way - as SSL certificates are good for a single server only.

If you are not going to have any mobile devices connect, then you could look at a wildcard SSL certificate. Windows Mobile doesn't support wildcards.

Otherwise two SSL certificates on the same name that you are going to point the clients at should work.

Simon.

ad25cn1x (Author) commented:
These servers will be used for OWA only. Why can you not just use the same certificate? The outside world will see the same original name, but both physical servers will have different names.
We use VeriSign at the moment.

NetoMeter Screencasts commented:
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Hi!
In the general case, when you are using an SSL certificate for a single server, the name specified in the certificate should match the name by which that server is resolved; otherwise you will get a warning about the validity of the certificate.
The situation is totally different in the case of NLB. All the hosts participating in the NLB cluster are being accessed using one virtual IP address. This address is resolved to the name by which your OWA NLB cluster (like MAIL.MYCOMPANY.COM) is going to be accessed. Based on that it is obvious that if you already have an existing certificate for “MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MYCOMPANY.COM” (actually I doubt you can do this from the same provider).
You have to export the existing certificate as demonstrated in step 2 of the following video tutorial:
http://www.netometer.net/video/tutorials/replace55/index.html

and import it on each node of your NLB cluster (step 8):

http://www.netometer.net/video/tutorials/replace55/index.html


Dean
NetoMeter Screencasts commented:
I am sorry. I meant the FQDN of your OWA: if you already have an existing certificate for “MAIL.MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MAIL.MYCOMPANY.COM”.

Dean
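Dean's procedure above (export the existing certificate with its private key, import it on every NLB node, and make sure the name in it is the cluster FQDN, MAIL.MYCOMPANY.COM after his correction) as an added PowerShell example. This is not code from the thread or from the NetoMeter tutorial. It assumes the PKI cmdlets of Windows Server 2012 or later (the Windows 2003 / IIS 6 hosts discussed here would use the IIS certificate wizard for the same export/import), constructed node addresses 192.0.2.11 and 192.0.2.12, a constructed PFX path, and that the certificate is stored under its CN in the local machine store. The verification step deliberately connects to each node's own address rather than the virtual IP, so that every node is exercised, and goes a little beyond the thread by also accepting a wildcard name, which Simon mentioned as an option.

```powershell
# Added example (not from the thread): move one certificate and its private key to
# every OWA NLB node, then confirm what each node really presents on port 443.
# Names, addresses and paths are constructed placeholders.
# Assumes the PKI module cmdlets of Windows Server 2012+ and PowerShell 3+.

$ClusterFqdn   = 'mail.mycompany.com'            # the NLB virtual name from the thread
$NodeAddresses = @('192.0.2.11', '192.0.2.12')   # constructed: the two physical OWA servers
$PfxPath       = 'C:\temp\owa-cluster.pfx'       # constructed transfer file; deleted below
$PfxPassword   = Read-Host 'PFX password' -AsSecureString

# --- 1. Export from the node that already holds the certificate ---------------
# Select by the issued name, newest first, rather than by a hard-coded thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($ClusterFqdn))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ClusterFqdn in LocalMachine\My" }
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# --- 2. Import on the other node(s) -------------------------------------------
# Copy the PFX to each remaining node and run this there. -Exportable is left out
# on purpose so the private key cannot be pulled back out of the second node.
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
# Then bind the imported certificate to the web site on that node.

# --- 3. Verify what each node serves under the cluster name --------------------
function Get-ServedCertificate {
    param([string]$Address, [string]$TargetHost, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        $stream   = $tcp.GetStream()
        # Accept any chain: this probe only reads what the node serves, it does not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl      = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($TargetHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
        return $remote
    } finally {
        $tcp.Close()
    }
}

function Test-CertName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    # DnsName returns the first SAN DNS entry, or the CN when the cert has no SAN.
    $name = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($name -ieq $Fqdn) { return $true }
    # A wildcard (*.mycompany.com) covers exactly one label.
    if ($name.StartsWith('*.')) {
        return ($Fqdn.EndsWith($name.Substring(1), [System.StringComparison]::OrdinalIgnoreCase) -and
                $Fqdn.Split('.').Count -eq $name.Split('.').Count)
    }
    return $false
}

$report = foreach ($addr in $NodeAddresses) {
    $served = Get-ServedCertificate -Address $addr -TargetHost $ClusterFqdn
    [pscustomobject]@{
        Node       = $addr
        Thumbprint = $served.Thumbprint
        Subject    = $served.Subject
        NameOk     = Test-CertName -Cert $served -Fqdn $ClusterFqdn
        NotAfter   = $served.NotAfter
    }
}
$report | Format-Table -AutoSize

if (@($report.Thumbprint | Sort-Object -Unique).Count -ne 1) {
    Write-Warning 'Nodes present different certificates; users will see different prompts depending on which node answers.'
}
foreach ($r in ($report | Where-Object { -not $_.NameOk })) {
    Write-Warning "$($r.Node) serves a certificate whose name does not cover $ClusterFqdn; browsers will warn."
}
Remove-Item $PfxPath -ErrorAction SilentlyContinue   # do not leave the private key on disk
```

Step 3 is the part worth keeping around after the migration: the two thumbprints must be identical and the name must cover the cluster FQDN, otherwise users get a certificate prompt that depends on which node NLB happens to hand them. The VeriSign licensing question raised later in the thread is separate from this technical check; the script only confirms that the deployment is consistent.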

Sembee commented:
While you can use the same certificate on other machines - you will find that the SSL certificate issuer doesn't allow it. SSL certificates are supposed to be for one server only. You shouldn't share the certificate.
You will need to speak to the SSL certificate provider to see whether the certificate can be used on more than one physical machine.

Simon.

NetoMeter Screencasts commented:
That is not true for the NLB case. Here is an excerpt from VeriSign’s policy:
http://64.233.187.104/search?q=cache:rz5uGnnQzMsJ:www.verisign.com/ssl/ssl-information-center/faq/ssl-basics.html+SSL+certificate+network+Load+Balancing&hl=en&gl=us&ct=clnk&cd=19

“Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers—by disk or by network—accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.”

Sembee commented:
That was why I said to speak to the certificate operator - they all have their own rules.

Although if I had paid out $400 for an SSL certificate I would like to be able to use it on more than one server!

Simon.

NetoMeter Screencasts commented:
Actually I might be wrong. When I followed the link “See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information”: http://www.verisign.com/static/001496.pdf
it turns out that for the case of NLB, where all the servers are going to be accessed using the same name, you have to either:
- Purchase a unique certificate for each server (as they share the same name you have to specify a different OU for each of them)
- Purchase a Licensed Certificate Option

Dean

ad25cn1x (Author) commented:
Thanks for the info.
We are going to export the SSL on to both servers (it should work) and inform Veritas.
I will let you know how we get on.

Anyone know how to force OWA to use SSL, i.e. HTTPS?

NetoMeter Screencasts commented:
I think that is the best approach:
http://support.microsoft.com/kb/839357/en-us

Dean
PS: Of course you have to choose "require" instead of "request" encryption for the "Exchange" virtual directory.
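A way to confirm that the "require secure channel" setting Dean refers to is actually in force on every node, as an added PowerShell example that is not from the thread or from the Microsoft KB article. It assumes PowerShell 3 or later on a machine with .NET 4.5 or later (for the per-request Host header and certificate callback), the constructed node addresses 192.0.2.11 and 192.0.2.12, and the cluster name from the thread; it probes each node directly rather than through the virtual IP so that a single misconfigured node cannot hide behind the others.

```powershell
# Added example (not from the thread or the KB article): probe each OWA node to
# confirm that plain HTTP to /exchange is refused or redirected to HTTPS once
# "Require secure channel (SSL)" is set on the Exchange virtual directory, and
# that HTTPS itself still answers. Addresses and name are constructed placeholders.
# Assumes PowerShell 3+ and .NET 4.5+ (HttpWebRequest.Host and the per-request
# certificate callback).

$ClusterFqdn   = 'mail.mycompany.com'
$NodeAddresses = @('192.0.2.11', '192.0.2.12')   # probe each node directly, not the VIP

function Get-HttpStatus {
    param([string]$Url, [string]$HostHeader)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Host              = $HostHeader   # send the cluster name the users type, not the node IP
    $req.AllowAutoRedirect = $false        # we want to see the 30x, not follow it
    $req.Timeout           = 5000
    # Read-only probe: the certificate itself is checked separately, so accept it here.
    $req.ServerCertificateValidationCallback = { $true }
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # IIS answers "SSL required" with 403 (sub-status 403.4); 4xx arrives as an exception.
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    try {
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
        }
    } finally {
        $resp.Close()
    }
}

function Test-SslEnforced {
    param([int]$Status, [string]$Location)
    # Either IIS refuses the clear-text request outright, or a custom 403.4 page
    # (the KB approach) bounces the browser to https://. Anything else (200, 401)
    # means OWA was reachable over clear HTTP.
    if ($Status -eq 403) { return $true }
    if (($Status -in 301, 302) -and ($Location -like 'https://*')) { return $true }
    return $false
}

foreach ($addr in $NodeAddresses) {
    $plain  = Get-HttpStatus -Url "http://$addr/exchange/"  -HostHeader $ClusterFqdn
    $secure = Get-HttpStatus -Url "https://$addr/exchange/" -HostHeader $ClusterFqdn
    $verdict = if (Test-SslEnforced -Status $plain.Status -Location $plain.Location) { 'enforced' } else { 'NOT ENFORCED' }
    # 401 over HTTPS is expected: OWA still asks for credentials, which is the point.
    '{0}: http -> {1} {2}; https -> {3}; SSL requirement {4}' -f $addr, $plain.Status, $plain.Location, $secure.Status, $verdict
}
```

The distinction Dean draws between "request" and "require" shows up directly in the output: with "request" the clear-text probe still gets a 401 (the logon form is reachable over HTTP, so credentials could travel unencrypted), while with "require" it gets a 403, or a redirect to https:// if the KB's custom error page has been added.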