Solved

SSL and Exchange 2010 best practices

Posted on 2010-11-15
6
1,127 Views
1 Endorsement
Last Modified: 2012-06-27
I am installing exch 2010 into my already existing exch 2003 and 2007 infrastructure. I will have all 3 versions of exchange running concurrently till I eventually migrate to just 2010.
Im looking at some of the recommendations for SSL and certificate designs. I’m guessing the best method for use with services like:
•      Outlook Web App
•      Exchange Control Panel
•      Exchange Web Services
•      Exchange ActiveSync
•      Outlook Anywhere
•      Autodiscover
•      Outlook Address Book distribution
Is to use a Commercial CA. I see where in my scenario Microsoft recommends a certificate for Legacy.contoso.com, my existing name space : mail.contoso.com and autodiscover.contosco.com. Can I use a wildcard cert for this? Is it recommended or not?
Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

Any ideas or advice is appreciated!
1
Comment
Question by:KratosDefense
6 Comments
 
LVL 23

Accepted Solution

by:
Justin Durrant earned 250 total points
ID: 34140128
You need a SAN or UC certificate.  I recommend GoDaddy  or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 34140619
>> Can I use a wildcard cert for this? Is it recommended or not?

yes you can use a wildcard certificate without any problems

>> Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

for your webapp/activesync/outlook anywhere i would recommend a commercial one however an internal PKI would work just fine

for your connectors, if you mean by that your SMTP connectors, just keep the default self-sign there is no need to changed unless you are using smtp over tls
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34142518
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Certificate Use in Exchange 2007 Server
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 

Expert Comment

by:DEFclub
ID: 34828787
agree
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34869426
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question