Internal/External URL difference and how they're used (2)

So I read this post by coolsport00 and it is a great question. There is a lot of autodiscover/CAS information out there about configuring internal/external URLs, but it is NOT clear why there are two URLs to begin with. I have a few theories but am hoping to get someone like sembee or kieran_b to clear this up or point me to good material.

Question: What is the very basic reason for having internal and external URLs for Exchange 2007 web services?

Point 1: Let's say I have an MX record that points to "MAIL.CONTOSO.COM". I then configure my OWA external URL to be "MAIL.CONTOSO.COM" so that my users can connect outside of the domain. Why would I configure my internal URL to be anything different? If I only had one URL to configure, then the only other step would be to configure DNS internally to point to the correct IP. Therefore, one URL to configure making it much simpler.

Point 2: I could see this being used only if I didn't want my internal NETBIOS name published in my SAN SSL certificate. However ISA would have to be used.

I would deploy an enterprise CA internally and request a certificate for whatever I wanted my internal URL to be and import the certificate into the CA certificate snap-in. I would import it and then enable it. All domain users would trust the cert by default since they are domain members.

Then I would request a SAN certificate with autodiscover and external CN such as "MAIL.CONTOSO.COM". I would then import it into exchange as well. HOWEVER, I would NOT ENABLE it as this would overwrite the internal CA issued certificate. I would instead export it and import it into the ISA server. This works however it is a kludge and cannot be what MS intended the multiple URLs to be used for.

Thanks in advance, as this will be a long post I'm sure.
juggernaughtyAsked:
DMTechGrooupCommented:
If I am reading you message right.. you are talking about Split DNS..
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
Sci-Fi-SiCommented:
> Question: What is the very basic reason for having internal and external URLs for Exchange 2007 web services?

1.
This is normally a requirement when one is hosting one's own DNS to respond to internet traffic.
In order to respond to a URL query from the internet it is necessary to reply with a WAN IP address. A local IP address in this instance would be meaningless to a request from the Internet.

In order to be able to view a domain across a LAN it is necessary to reply with a local IP address, i.e. 192.168.x.x or 10.x.x.x. If a local DNS server were to reply with a WAN address the router would regard this request as a loop-back and think it's under attack. Thus it is important when hosting one's own DNS for Internet responses to have two local DNS servers: one to reply to Internet requests (generally a web server will also have DNS installed to reply to internet requests) and another DNS server (generally the domain controller) which will have the local IP address of the web server listed.

>the very basic reason for having internal and external URLs

If a network only has one DNS server it is necessary to have two URLs: one which replies with an external IP address and the other to reply with a local IP, even though they both point to the same website.

2.
> Point 2: I could see this being used only if I didn't want my internal NETBIOS name published in my SAN SSL certificate. However ISA would have to be used.

No; certificates are issued by authorities for domain names only, not NETBIOS names. If you wish to experiment with certificates there are many sites that offer them for free and others that offer a 90-day trial period. No, you do not need to use ISA server to do this. If you need traffic on your local network to be encrypted, your own server can create one.

> I would deploy an enterprise CA internally and request a certificate for whatever I wanted my internal URL to be and import the certificate into the CA certificate snap-in. I would import it and then enable it. All domain users would trust the cert by default since they are domain members.

Certificates are issued on the domain not subdomain therefore http://subdomain.domain.com has the same certificate as http://domain.com

> All domain users would trust the cert by default since they are domain members.
Certificates are only automatically trusted if they come from an already trusted CA. Firefox trusts more CA's than IE.

All the best
Sci-Fi Si

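The split-DNS arrangement DMTechGrooup links to and the two-resolver point in the answer above, as an added example that is not from any of the posters and not Microsoft's documentation. It assumes a single Exchange 2007 Client Access server called CAS01, the public name mail.contoso.com, an internal address 10.0.0.10, an AD-integrated DNS server on the domain controller, and a SAN certificate already imported into Exchange; every name and address is a placeholder. With the internal zone in place, the InternalUrl and ExternalUrl can carry the same public name, so no server NetBIOS name has to appear in the certificate and no ISA re-export of the certificate is needed.

```powershell
# Added example, not code from the thread. Placeholders: CAS01, contoso.com,
# 10.0.0.10. Part 1 runs on the internal DNS server (dnscmd ships with the
# DNS Server role); parts 2 and 3 run in the Exchange Management Shell.

# --- 1. Split DNS: an internal copy of contoso.com that resolves the same
#        names to private addresses. The public contoso.com zone (hosted
#        outside, or on a DNS server that only faces the Internet) keeps the
#        WAN address for the same names.
dnscmd . /ZoneAdd contoso.com /DsPrimary
dnscmd . /RecordAdd contoso.com mail         A 10.0.0.10
dnscmd . /RecordAdd contoso.com autodiscover A 10.0.0.10
# Caveat: an internal primary zone answers for ALL of contoso.com, so every
# public host internal clients use (www, ftp, ...) must be added here as well.

# --- 2. Exchange 2007 URLs: identical inside and outside on purpose. Set them
#        differently only when DNS is not split and internal clients must reach
#        the server by a name that does not resolve from the Internet.
$cas = "CAS01"
$ext = "https://mail.contoso.com"
$int = $ext

Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "$int/owa" -ExternalUrl "$ext/owa"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$int/EWS/Exchange.asmx" -ExternalUrl "$ext/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$int/OAB" -ExternalUrl "$ext/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$int/Microsoft-Server-ActiveSync" -ExternalUrl "$ext/Microsoft-Server-ActiveSync"

# --- 3. Check: every host name used in a URL must be in the certificate that
#        is bound to IIS, otherwise internal Outlook clients get a name-mismatch
#        warning even though the connection itself works.
$cert  = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$hosts = @("mail.contoso.com", "autodiscover.contoso.com")
foreach ($h in $hosts) {
    if ($cert.CertificateDomains -notcontains $h) {
        Write-Warning "$h is not covered by the IIS certificate $($cert.Thumbprint)"
    }
}
# To bind the imported SAN certificate to IIS once the check passes:
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
```

The design choice worth noting: once the internal zone exists, the "two URLs" question from the original post mostly disappears, because both URLs resolve correctly from wherever the client sits. What remains is the caveat in part 1, that the internal zone shadows the whole public zone, which is the operational cost of split DNS.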
juggernaughtyAuthor Commented:
I apologize for not getting back sooner. I appreciate you all trying to help so I have cut up the pts to each of you.
juggernaughtyAuthor Commented:
I appreciate the posts and that is why I accepted multiple answers. I think the real answer to my question is that there are internal and external URLs depending on the type of environment in which Exchange 2007 will be installed.
There are many different scenarios in which the URLs and certificates (SAN, standard, wildcard) can be deployed with Exchange 2007, and I guess they just wanted to build in flexibility. But the documentation on the topic is sparse and it can make deployment confusing and difficult.