redmanjb

Need to modify current Exchange 2007 setup from using two SSL certs (one for Autodiscover), to one UCC cert.

Our environment currently has two CAS servers (CAS1 and CAS2), and two mailbox servers (all using Server 2008).  The mailbox servers are clustered (CCR), and only one of the two CAS servers is being utilized right now, but they will soon be load-balanced (and will be called CAS).  On the current CAS server (CAS2), we have two virtual directories in IIS, one for Autodiscover, and one for OWA (the Default Website), with one SSL cert tied to each (autodiscover.domain.com, and mail.domain.com).  Everything works fine, but some people using laptops that are not on our domain and are offsite have difficulties.  I am about to purchase a UCC cert, and wish to combine both of the virtual directories, having just the one cert tied to it.

The UCC cert (common name:  mail.domain.com) will include the following SANs:  
domain.com
domain.net
mail.domain.net
autodiscover.domain.com
autodiscover.domain.net
cas
cas1
cas2
autodiscover

We need the .net and .com, as some people in our company use both.  Anyways, what is the easiest way to change from one way of doing things to the other?  And what all has to be done?  Thanks for the help! :)
LaserSpot

Ok, first, make sure the whois e-mail info is correct for both domains.

Use this page to generate the request command:
https://www.digicert.com/easy-csr/exchange2007.htm
Paste the request into the Exchange Management Shell; use the resulting data to purchase the certificate.
Download the UCC cert

Run this from the Exchange shell to get the thumbprints of your old certs:
Get-ExchangeCertificate | FL *

Remove all the old certs:
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

Run MMC and use the Certificates snap-in to install the new certificate.
Run this from the Exchange shell to get the thumbprint of your new cert:
Get-ExchangeCertificate | FL *

Run this shell command to set Exchange to use the new UCC certificate:
Enable-ExchangeCertificate -Services "IIS, IMAP, POP, SMTP" -Thumbprint xxxxxxxxxxxxxxx
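A check worth running right after the Enable-ExchangeCertificate step and before the old certificates are removed (an added example written for this page, not LaserSpot's or Microsoft's code): it assumes the standard Exchange 2007 Management Shell cmdlets Get-ExchangeCertificate, Get-ClientAccessServer and the Get-*VirtualDirectory cmdlets, and treats the domain.com/domain.net hostnames from the question as the required name set.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell on
# each CAS after Enable-ExchangeCertificate and BEFORE Remove-ExchangeCertificate.
# It collects every hostname Exchange hands to clients (Autodiscover SCP, OWA, EWS,
# OAB, ActiveSync URLs) and checks that the IIS-enabled certificate covers each one,
# which is what the off-domain laptops in the question depend on.

function Test-CertCoversName {
    param([string[]]$CertDomains, [string]$HostName)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard entry (*.domain.com) covers exactly one extra left-most label.
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($HostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

# Names the question's UCC request lists for external use (edit for your domains).
$required = @('mail.domain.com', 'autodiscover.domain.com',
              'mail.domain.net', 'autodiscover.domain.net')

# Hostnames Exchange actually publishes to clients right now.
$uris = @()
foreach ($cas in @(Get-ClientAccessServer)) { $uris += $cas.AutoDiscoverServiceInternalUri }
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
foreach ($v in $vdirs) { $uris += $v.InternalUrl; $uris += $v.ExternalUrl }
$hosts = @($uris | Where-Object { $_ -ne $null } | ForEach-Object { $_.Host.ToLower() })
$hosts = @($hosts + $required | Sort-Object -Unique)

# The certificate currently enabled for the IIS service (only one per server).
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if ($iisCert -eq $null) { throw 'No certificate is enabled for the IIS service on this server.' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
Write-Output ('IIS certificate {0} ({1}) expires {2}' -f $iisCert.Thumbprint, $iisCert.Subject, $iisCert.NotAfter)

$missing = @()
foreach ($h in $hosts) {
    if (Test-CertCoversName $certNames $h) { Write-Output "  covered: $h" }
    else { $missing += $h }
}
if ($missing.Count -gt 0) {
    Write-Warning ('NOT covered by the IIS certificate: ' + [string]::Join(', ', $missing) +
                   '. Fix the URLs (Set-*VirtualDirectory / Set-ClientAccessServer) or reissue the cert.')
} else { Write-Output 'Every published hostname is covered; safe to remove the old certificates.' }
```

Single-label names such as cas, cas1 or autodiscover in the question's SAN list have not been issuable by public CAs since the CA/Browser Forum's 2015 cut-off, so internal URLs should point at the FQDNs this script reports as covered.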
redmanjb (ASKER)

Thank you for the reply.  I've already purchased and created the cert, but my question is about the virtual directories in IIS.  Right now there is one called Autodiscover and another called Default Website (for OWA)...
Are users getting a certificate error? You should remove the old certificates to ensure they don't get the wrong one. What is your question about the virtual directories?
This question is only about the virtual directories.  Things are working OK now, but the configuration needs to change from a two-SSL-cert setup to a one-UCC-SSL-cert setup.

Right now, in IIS on the Client Access Server, we have the following virtual directories:
Autodiscover (for autodiscover.domain.com)
Default Website (for smtp.domain.com)

There is one cert tied to each virtual directory.  And each virtual directory has an IP address bound to it.

The problem with our current setup is that we are forced to use two different IP addresses for IIS, one for each virtual directory.  This is preventing us from setting up load-balancing for the Client Access Server, as we'd only be able to load-balance one of the IP addresses (the one for OWA, and not autodiscover).  Therefore, we need to set up Exchange and IIS to use one virtual directory which is protected by a UCC cert.  This is the ideal way to set up Exchange 2007, and is the ideal way for us because we'd be able to load balance both OWA and Autodiscover.
Ok, I'm still not clear on where you're stuck. Have you tried to remove the old certificates and use the new one? The IP is bound to the website, not the virtual directory. Do you have one of the virtual directories in a different website? Why are you forced to use two IP addresses?

You should be able to use the same certificate for both virtual directories. The IP address isn't in your UCC certificate, so it shouldn't matter what IP you use. As long as DNS resolves correctly and the URL matches your cert, it should work.
I had stepped away from this issue for quite a while, but ended up resolving it.  I had to delete the virtual directories in IIS, and run a command in EMS to basically uninstall Autodiscover and reinstall it, which put the virtual directory in the correct place and configured everything...which is what I was trying to get assistance with, stating again and again that the question was about the virtual directories, not IP addresses or certs.  The cert had already been created with the appropriate SANs, and IP addressing wasn't an issue at all.

I do appreciate your input though LaserSpot...thank you.