• Status: Solved

SAN certificate for Exchange 2003

I have a server running Exchange 2003 and I want to set up RPC over HTTPS. I know I will need a certificate with all of my server names (host name, outside DNS name, etc.). I've done this before using Exchange 2007, but I was able to generate the certificate request using the Exchange Management Shell (very easy).

In 2003 there is no Shell as far as I know, and the only way I can see to manage your certificates is using IIS. As far as I can tell there is no way to generate a cert request with Subject Alternative Names using IIS, and from what I can tell, if I use something else to generate the cert request then I can't get IIS to use that certificate.

Any help would be greatly appreciated!

Thanks in advance.
Asked:
armerdan
 
BrianKronberg Commented:
- Exchange 2003 does not support SAN certificates
- Exchange 2003 only requires one name on the certificate, i.e. webmail.company.com
- Certificate requests are handled by IIS just like any IIS 6.0 website

http://www.globalsign.com/support/install/install_mexch.php
 
Burns2007 Commented:
You don't need one for Exchange 2003, as you don't have Autodiscover to require multiple hostnames.

Good guide on how to set it up: http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

Whatever external address you are going to use (mail.mydomain.com, etc.) is all you need.

 
armerdan (Author) Commented:
Just to make sure I'm understanding:

The only address I need on the certificate for 2003 is the public fully qualified domain name (mail.company.com)?

If that is the case then the clients inside the office won't have any trouble connecting to the various Exchange services?

That is great if that is the case. Does that mean that the internal traffic is not encrypted? I guess it's just hard to imagine that mail.domainname.local doesn't need to be there as well as mail.company.com, etc.

Thanks!
 
BrianKronberg Commented:
Yes, you only need a simple SSL certificate with a single name (like mail.company.com). As for if internal users connect via SSL, well, that is dependent on how you configure your server.

I have seen where companies will not use SSL internally because they have a WAN accelerator that does not accelerate SSL, only MAPI and HTTP.

I have also seen where a company will be publishing Exchange externally via ISA and Forms Based Authentication (FBA) will be configured on ISA. Since FBA can only be done on ISA or Exchange, internal users will use HTTP instead. This can be resolved by adding another website on the Ex2003 server to support FBA for internal users.

If you are not using ISA then I would configure FBA on Ex2003 and automatically redirect users from port 80 to port 443 so SSL is used internally and externally. (Google this; there are lots of resources on how to redirect OWA.)
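
Added example (not part of the original thread or any poster's code): a client validating the server certificate compares the hostname it connected to against the names on the certificate, so a single-name certificate only covers connections made to that one name. The Python below checks a list of client-facing hostnames against a certificate dict in the layout returned by `ssl.SSLSocket.getpeercert()`; the sample certificate and hostnames, including `exch01`, are constructed for illustration.

```python
# Added example: which client-facing hostnames does a certificate cover?
# Certificate dicts use the layout returned by ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Names a client matches against: SAN dNSName entries if any exist,
    otherwise the subject commonName (the single-name certificate case)."""
    san = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label match; '*' counts only as the whole left-most
    label and never directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def coverage(cert, hostnames):
    """Map each hostname a client might use to True (covered) or False."""
    names = cert_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}

# Constructed sample: a single-name certificate for the public FQDN.
SINGLE_NAME_CERT = {"subject": ((("commonName", "mail.company.com"),),)}

# Constructed sample: names clients might type or have configured.
# "exch01" is a hypothetical internal short host name.
CLIENT_NAMES = ["mail.company.com", "MAIL.company.com",
                "mail.domainname.local", "exch01"]

if __name__ == "__main__":
    for host, ok in coverage(SINGLE_NAME_CERT, CLIENT_NAMES).items():
        print(f"{host:25} {'covered' if ok else 'NAME MISMATCH'}")
```

Any hostname reported as a mismatch is one that clients should not be pointed at over SSL unless the certificate is reissued with that name.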
 
armerdan (Author) Commented:
Thanks a lot, it's up and working now. I never thought I'd be more comfortable with 07 than 03... Wow.

Thanks again.