juggernaughty
asked on
Internal/External URL difference and how they're used (2)
So I read this post by coolsport00 and it is a great question. There is a lot of autodiscover/CAS information out there about configuring internal/external URL's but it is NOT clear why there are two URLs to begin with. I have a few theories but am hoping to get someone like sembee or kieran_b to clear this up or point me to good material.
Question: What is the very basic reason for having internal and external URLs for Exchange 2007 web services?
Point 1: Let's say I have an MX record that points to "MAIL.CONTOSO.COM". I then configure my OWA external URL to be "MAIL.CONTOSO.COM" so that my users can connect outside of the domain. Why would I configure my internal URL to be anything different? If I only had one URL to configure, then the only other step would be to configure DNS internally to point to the correct IP. Therefore, one URL to configure making it much simpler.
Point 2: I could see this being used only if I didn't want my internal NETBIOS name published in my SAN SSL certificate. However ISA would have to be used.
I would deploy an enterprise CA internally and request a certificate for whatever I wanted my internal URL to be and import the certificate into the CA certificate snap-in. I would import it and then enable it. All domain users would trust the cert by default since they are domain members.
Then I would request a SAN certificate with autodiscover and external CN such as "MAIL.CONTOSO.COM". I would then import it into exchange as well. HOWEVER, I would NOT ENABLE it as this would overwrite the internal CA issued certificate. I would instead export it and import it into the ISA server. This works however it is a kludge and cannot be what MS intended the multiple URLs to be used for.
Thank in advance as this will be a long post im sure.
Question: What is the very basic reason for having internal and external URLs for Exchange 2007 web services?
Point 1: Let's say I have an MX record that points to "MAIL.CONTOSO.COM". I then configure my OWA external URL to be "MAIL.CONTOSO.COM" so that my users can connect outside of the domain. Why would I configure my internal URL to be anything different? If I only had one URL to configure, then the only other step would be to configure DNS internally to point to the correct IP. Therefore, one URL to configure making it much simpler.
Point 2: I could see this being used only if I didn't want my internal NETBIOS name published in my SAN SSL certificate. However ISA would have to be used.
I would deploy an enterprise CA internally and request a certificate for whatever I wanted my internal URL to be and import the certificate into the CA certificate snap-in. I would import it and then enable it. All domain users would trust the cert by default since they are domain members.
Then I would request a SAN certificate with autodiscover and external CN such as "MAIL.CONTOSO.COM". I would then import it into exchange as well. HOWEVER, I would NOT ENABLE it as this would overwrite the internal CA issued certificate. I would instead export it and import it into the ISA server. This works however it is a kludge and cannot be what MS intended the multiple URLs to be used for.
Thank in advance as this will be a long post im sure.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I appreciate the posts and that is why i accepted multiple answers. I think the real answer to my question is that there are internal and external URLs pending the type of environment for which Exchange 2007 will be installed.
There are many different scenarios in which the URLs and certificates (SAN, standard, wildcard) can be deployed with Exchagne 2007, and I guess they just wanted to build in flexibility. But the documentation on the topic is sparse and it can make deployment confusing and difficult.
There are many different scenarios in which the URLs and certificates (SAN, standard, wildcard) can be deployed with Exchagne 2007, and I guess they just wanted to build in flexibility. But the documentation on the topic is sparse and it can make deployment confusing and difficult.
ASKER