Best way to Set Up SSL Certificates for an Exchange NLB Frontend Cluster

Posted on 2006-07-11
Last Modified: 2013-11-15
Currently we have 1 Exchange 2000 OWA server with SSL.
We are upgrading to Exchange 2003 with 2 NLB OWA servers.
Can we use the current SSL certificate for both servers and add it to the virtual name?
Any advice welcome.

Thanks
Question by:ad25cn1x
LVL 104

Expert Comment

by:Sembee
ID: 17081312
You are going to have to purchase an additional certificate either way - as SSL certificates are good for a single server only.

If you are not going to have any mobile devices connect, then you could look at a wildcard SSL certificate. Windows Mobile doesn't support wildcards.

Otherwise two SSL certificates on the same name that you are going to point the clients at should work.

Simon.
Author Comment

by:ad25cn1x
ID: 17082592
These servers will be used for OWA only. Why can you not just use the same certificate? The outside world will see the same original name, but both physical servers will have different names.
We use VeriSign at the moment.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082718
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Hi!
In the general case, when you are using an SSL certificate for a single server, the name specified in the certificate should match the name by which that server is resolved; otherwise you will get a warning about the validity of the certificate.
The situation is totally different in the case of NLB. All the hosts participating in the NLB cluster are accessed using one virtual IP address. This address is resolved to the name by which your OWA NLB cluster (like MAIL.MYCOMPANY.COM) is going to be accessed. Based on that, it is obvious that if you already have an existing certificate for “MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MYCOMPANY.COM” (actually I doubt you can do this from the same provider).
You have to export the existing certificate as demonstrated in step 2 of the following video tutorial:
http://www.netometer.net/video/tutorials/replace55/index.html

and import it on each node of your NLB cluster – step 8:

http://www.netometer.net/video/tutorials/replace55/index.html
Dean
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17082747
I am sorry. I meant the FQDN of your OWA - if you already have an existing certificate for “MAIL.MYCOMPANY.COM” you don’t need to purchase additional certificates for the same name “MAIL.MYCOMPANY.COM”.

Dean
LVL 104

Expert Comment

by:Sembee
ID: 17083075
While you can use the same certificate on other machines - you will find that the SSL certificate issuer doesn't allow it. SSL certificates are supposed to be for one server only. You shouldn't share the certificate.
You will need to speak to the SSL certificate provider to see whether the certificate can be used on more than one physical machine.

Simon.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17083327
That is not true for the NLB case. Here is an excerpt from VeriSign’s policy:
http://64.233.187.104/search?q=cache:rz5uGnnQzMsJ:www.verisign.com/ssl/ssl-information-center/faq/ssl-basics.html+SSL+certificate+network+Load+Balancing&hl=en&gl=us&ct=clnk&cd=19

“Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers—by disk or by network—accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.”
LVL 104

Expert Comment

by:Sembee
ID: 17083348
That was why I said to speak to the certificate operator - they all have their own rules.

Although if I had paid out $400 for an SSL certificate I would like to be able to use it on more than one server!

Simon.
LVL 11

Accepted Solution

by:NetoMeter Screencasts (earned 1000 total points)
ID: 17083401
Actually, I might be wrong. When I followed the link “See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information”: http://www.verisign.com/static/001496.pdf
It turns out that for the case of NLB, where all the servers are going to be accessed using the same name, you have to either:
- Purchase a unique certificate for each server (as they share the same name, you have to specify a different OU for each of them)
- Purchase a Licensed Certificate Option

Dean

Author Comment

by:ad25cn1x
ID: 17101281
Thanks for the info.
We are going to export the SSL certificate on to both servers (it should work) and inform Veritas.
I will let you know how we get on.

Anyone know how to force OWA to use SSL, i.e. HTTPS?
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17101353
I think that is the best approach:
http://support.microsoft.com/kb/839357/en-us

Dean
PS: Of course you have to choose "require" instead of "request" encryption for the "Exchange" virtual directory.
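The thread settles two things a practitioner should verify once the certificate has been exported on to both nodes: the certificate each node serves must cover the virtual name that clients resolve (MAIL.MYCOMPANY.COM in Dean's posts, not the physical server names), and every node behind the NLB address should present the same certificate. The following script is an added example, not code from this thread, from Exchange or from NetoMeter; `mail.mycompany.com`, the node addresses and `SAMPLE_CERT` are constructed placeholders. It connects to each node directly by IP while sending the virtual name as SNI, then matches the certificate names (with the single-label wildcard rule, and an option to reject wildcards for clients such as the Windows Mobile build Simon mentions) and compares fingerprints across nodes.

```python
"""Audit the certificate each NLB node presents for an OWA virtual name.

Added example for this thread, not code from the thread, from Exchange or from
NetoMeter.  mail.mycompany.com, the node addresses and SAMPLE_CERT are
constructed placeholders.
"""
import hashlib
import socket
import ssl
import time


def name_matches(cert_name: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Match a hostname against one certificate name: exact (case-insensitive)
    match, or a wildcard that stands for exactly one left-most label and leaves
    at least two fixed labels ("*.mycompany.com" covers mail.mycompany.com but
    not owa.internal.mycompany.com or mycompany.com).  allow_wildcard=False
    models clients that reject wildcard certificates outright."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not allow_wildcard or not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]                      # ".mycompany.com"
    if suffix.count(".") < 2 or not hostname.endswith(suffix):
        return False
    leading = hostname[: -len(suffix)]          # the label the '*' stands for
    return bool(leading) and "." not in leading


def cert_names(cert: dict) -> list:
    """DNS names a certificate covers, in the dict layout that
    ssl.SSLSocket.getpeercert() returns: subjectAltName DNS entries first, then
    the subject CN (certificates of this era often carried only a CN)."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def cert_time(s: str) -> float:
    """notBefore/notAfter string ("Jul 11 23:59:59 2030 GMT") to epoch seconds."""
    return ssl.cert_time_to_seconds(s)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; equal fingerprints mean the same certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_node_cert(node_ip: str, virtual_name: str, port: int = 443, timeout: float = 5.0):
    """Connect to one node by its own IP but send the virtual name as SNI, so
    the node serves what real clients get.  Chain validation stays on; hostname
    checking is off because the audit reports a mismatch instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((node_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=virtual_name) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def audit_nodes(nodes, virtual_name: str, now: float, allow_wildcard: bool = True) -> list:
    """nodes: iterable of (label, cert_dict, der_bytes).  Returns findings as
    strings; an empty list means every node passed."""
    findings = []
    by_fingerprint = {}
    for label, cert, der in nodes:
        by_fingerprint.setdefault(fingerprint(der), []).append(label)
        names = cert_names(cert)
        if not any(name_matches(n, virtual_name, allow_wildcard) for n in names):
            findings.append(f"{label}: names {names} do not cover {virtual_name}")
        if cert_time(cert["notAfter"]) < now:
            findings.append(f"{label}: certificate expired on {cert['notAfter']}")
    if len(by_fingerprint) > 1:
        groups = "; ".join(f"{fp[:16]}...: {labels}" for fp, labels in by_fingerprint.items())
        findings.append(f"nodes do not present one certificate ({groups})")
    return findings


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "MyCompany"),),
                (("organizationalUnitName", "OWA"),),
                (("commonName", "mail.mycompany.com"),)),
    "subjectAltName": (("DNS", "mail.mycompany.com"),),
    "notBefore": "Jul 11 00:00:00 2006 GMT",
    "notAfter": "Jul 11 23:59:59 2030 GMT",
}
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"

if __name__ == "__main__":
    # Offline run on the sample.  For a live audit build the list as
    # [(ip, *fetch_node_cert(ip, "mail.mycompany.com")) for ip in node_ips].
    nodes = [("node1", SAMPLE_CERT, SAMPLE_DER), ("node2", SAMPLE_CERT, SAMPLE_DER)]
    for finding in audit_nodes(nodes, "mail.mycompany.com", time.time()) or ["all nodes OK"]:
        print(finding)
```

Run it from a workstation that can reach each node's own address on 443; a finding of "names ... do not cover" on a node means that node is still serving a certificate issued to its physical name, which is exactly the validity warning Dean describes. Whether the same certificate may legitimately sit on both nodes is the licensing question settled in the accepted solution; this script only tells you what the nodes actually present.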