?
Solved

SSL and Exchange 2010 best practices

Posted on 2010-11-15
6
Medium Priority
?
1,217 Views
1 Endorsement
Last Modified: 2012-06-27
I am installing exch 2010 into my already existing exch 2003 and 2007 infrastructure. I will have all 3 versions of exchange running concurrently till I eventually migrate to just 2010.
Im looking at some of the recommendations for SSL and certificate designs. I’m guessing the best method for use with services like:
•      Outlook Web App
•      Exchange Control Panel
•      Exchange Web Services
•      Exchange ActiveSync
•      Outlook Anywhere
•      Autodiscover
•      Outlook Address Book distribution
Is to use a Commercial CA. I see where in my scenario Microsoft recommends a certificate for Legacy.contoso.com, my existing name space : mail.contoso.com and autodiscover.contosco.com. Can I use a wildcard cert for this? Is it recommended or not?
Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

Any ideas or advice is appreciated!
1
Comment
Question by:KratosDefense
5 Comments
 
LVL 23

Accepted Solution

by:
Justin Durrant earned 1000 total points
ID: 34140128
You need a SAN or UC certificate.  I recommend GoDaddy  or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 1000 total points
ID: 34140619
>> Can I use a wildcard cert for this? Is it recommended or not?

yes you can use a wildcard certificate without any problems

>> Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

for your webapp/activesync/outlook anywhere i would recommend a commercial one however an internal PKI would work just fine

for your connectors, if you mean by that your SMTP connectors, just keep the default self-sign there is no need to changed unless you are using smtp over tls
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34142518
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Certificate Use in Exchange 2007 Server
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 

Expert Comment

by:DEFclub
ID: 34828787
agree
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34869426
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
This video discusses moving either the default database or any database to a new volume.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question