Solved

SSL and Exchange 2010 best practices

Posted on 2010-11-15
6
1,100 Views
1 Endorsement
Last Modified: 2012-06-27
I am installing exch 2010 into my already existing exch 2003 and 2007 infrastructure. I will have all 3 versions of exchange running concurrently till I eventually migrate to just 2010.
Im looking at some of the recommendations for SSL and certificate designs. I’m guessing the best method for use with services like:
•      Outlook Web App
•      Exchange Control Panel
•      Exchange Web Services
•      Exchange ActiveSync
•      Outlook Anywhere
•      Autodiscover
•      Outlook Address Book distribution
Is to use a Commercial CA. I see where in my scenario Microsoft recommends a certificate for Legacy.contoso.com, my existing name space : mail.contoso.com and autodiscover.contosco.com. Can I use a wildcard cert for this? Is it recommended or not?
Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

Any ideas or advice is appreciated!
1
Comment
Question by:KratosDefense
6 Comments
 
LVL 23

Accepted Solution

by:
Justin Durrant earned 250 total points
ID: 34140128
You need a SAN or UC certificate.  I recommend GoDaddy  or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 34140619
>> Can I use a wildcard cert for this? Is it recommended or not?

yes you can use a wildcard certificate without any problems

>> Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

for your webapp/activesync/outlook anywhere i would recommend a commercial one however an internal PKI would work just fine

for your connectors, if you mean by that your SMTP connectors, just keep the default self-sign there is no need to changed unless you are using smtp over tls
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34142518
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Certificate Use in Exchange 2007 Server
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 

Expert Comment

by:DEFclub
ID: 34828787
agree
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34869426
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now