?
Solved

SSL and Exchange 2010 best practices

Posted on 2010-11-15
6
Medium Priority
?
1,181 Views
1 Endorsement
Last Modified: 2012-06-27
I am installing exch 2010 into my already existing exch 2003 and 2007 infrastructure. I will have all 3 versions of exchange running concurrently till I eventually migrate to just 2010.
Im looking at some of the recommendations for SSL and certificate designs. I’m guessing the best method for use with services like:
•      Outlook Web App
•      Exchange Control Panel
•      Exchange Web Services
•      Exchange ActiveSync
•      Outlook Anywhere
•      Autodiscover
•      Outlook Address Book distribution
Is to use a Commercial CA. I see where in my scenario Microsoft recommends a certificate for Legacy.contoso.com, my existing name space : mail.contoso.com and autodiscover.contosco.com. Can I use a wildcard cert for this? Is it recommended or not?
Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

Any ideas or advice is appreciated!
1
Comment
Question by:KratosDefense
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 23

Accepted Solution

by:
Justin Durrant earned 1000 total points
ID: 34140128
You need a SAN or UC certificate.  I recommend GoDaddy  or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 1000 total points
ID: 34140619
>> Can I use a wildcard cert for this? Is it recommended or not?

yes you can use a wildcard certificate without any problems

>> Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

for your webapp/activesync/outlook anywhere i would recommend a commercial one however an internal PKI would work just fine

for your connectors, if you mean by that your SMTP connectors, just keep the default self-sign there is no need to changed unless you are using smtp over tls
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34142518
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Certificate Use in Exchange 2007 Server
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 

Expert Comment

by:DEFclub
ID: 34828787
agree
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34869426
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month13 days, 10 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question