Solved

Exchange 2010 with One IP address and One SSL Certificate

Posted on 2010-11-22 | 13 comments | 920 views | Last modified: 2012-06-21

I am upgrading from 2003 and have run into the certificate problem.  I have read it is possible to redirect OWA and Autodiscover to the same domain on the certificate (mail.domain.com), but if I understand correctly you have to have 2 IP addresses to do this.  I also don't have the ability to create a SRV record on my domain host provider's DNS site.

My configuration is as follows:  Windows 2008 R2, Exchange 2010 with all roles but UM installed.  I also have an Edge Transport in the perimeter.  We have 1 IP address.  We have a certificate for mail.domain.com.  How can I set all services to be directed to my IP address and use this single certificate?

Also, what would the internal DNS settings be, since again it all goes to 1 IP address?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html is an article I found and is so close to what I'm looking for.  I hope there is a solution to this problem.



Thanks.

Question by: piatt
13 Comments
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34194460
You do not need 2 IP addresses.  Point all of them (owa, autodiscover and mail) to the same IP address.

You do not necessarily need any SRV records either.  Outlook will check for SRV records if it does not find autodiscover.yourdomain.com, or mail.yourdomain.com/autodiscover.xml.  If it finds any one of those, it will be happy.

Make sure you get an SSL certificate with the correct Subject Alternative Names (SAN).  If you don't have a SAN SSL cert, you need to get one.

If you have only 1 IP address, you will need to set up your networking gear (firewall/router) to send port 25 traffic to your Edge server, and ports 80, 443 and whatever else (if you decide to use IMAP, for example) to the Mailbox/Client Access/Hub server.

0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34194528
You can simply add another IP address to your network card properties; this will give you another internal server IP address.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34196128
To make a redirection from the outside, you will need to configure your external DNS to point to your internal server, and this is only possible when you have a real IP and an internal IP (Exchange Server).  After all this you will need to configure the HTTP Redirect in your IIS.  The basic concept is: when an external user tries to connect to your Exchange environment, it will ping (webmail.xcbfg.com); this request will go to your real DNS address (webmail.xcbfg.com), that DNS address will connect to your real IP, and the real IP will connect to your internal Exchange IP using NAT.  So I think you will need two IPs connecting from outside.
0
 

Author Comment

by:piatt
ID: 34197069
I do have a certificate for my external domain, but it only has mail.domain.com on it.  I am not able to get another one due to costs.  So with this one certificate, what would the external DNS look like pointing to 1 IP address?

From what I've read I need mail.domain.com and autodiscover.domain.com, but then a SRV record pointing autodiscover back to mail.domain.com.  If I don't need a SRV record, how can I accomplish everything going to my 1 IP using a single-name certificate?

For my internal DNS we have forward lookup zones for domain.internal and domain.com.  Again I need everything pointing to the server using the one certificate.  All roles are on one server.
0
 

Author Comment

by:piatt
ID: 34197086
Oh, I guess I should also mention that I'm not able to create SRV records on my provider's DNS server.
0
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34197257
Sorry to be blunt about it, but.....

A Windows server license costs how much?
Exchange server license costs how much?
Exchange access CALs cost how much?

When you've spent all that to end up with a messaging system that can scale up to enterprise levels, what is the $100 or so per year for a SAN SSL cert?

0
 

Author Comment

by:piatt
ID: 34197444
Considering we are a non-profit and receive software and hardware at substantial savings, the cost for another certificate (which we pay full retail value for) does make a difference.  We just renewed our certificate last year for 3 years.  So yes, the $100/year additional to the $300+ we paid for our existing certificate makes a difference.
0
 

Author Comment

by:piatt
ID: 34197737
Well, I am waiting to hear from my certificate provider to see what they can do for us in exchange for the 3-year certificate.  If they can do the exchange for a 1-year UCC then I'll be OK.  I was afraid the 1 IP with 1 SSL name wouldn't work.
0
 
LVL 14

Accepted Solution

by: Kaffiend (earned 500 total points)
ID: 34197827
Well, to make it work right, you will need a proper SSL SAN cert.  (Case of wrong timing when you got your cert last year; you could've gotten a SAN cert for the same price.  I feel for you.)  For the price you paid, maybe your cert allows SANs; perhaps the SSL CA will let you re-key the cert with SANs.

Either that (which is the easier way), or change to a DNS host that supports SRV records.

If you don't go with either one of these options, your environment becomes a little harder to manage: you will then be forced to use your own cert, and have to import it into every Outlook client computer (and most handsets).  Still doable, just a lot more work.
0
 

Author Comment

by:piatt
ID: 34198391
Thanks for the info.  Just checked, and it will cost way too much to get a SAN cert, since I have to purchase a 3-year one (they would credit 1 year).  So that's out.  Double-checked with my DNS host and they don't do SRV records.  Ugh!  Can't use my own cert due to iPhones, BlackBerrys, and users on the road.  It would be too confusing for them.

So I'm still trying to figure out a solution to this... not sure I will find one though.  Maybe switching to a different DNS host instead of our website provider will be next.
0
 

Author Comment

by:piatt
ID: 34198603
So now I'm thinking about "Configure Outlook Anywhere to Use an SSL Certificate with Redirection".  Will this cause any problems with phones using ActiveSync?  Or are there any other issues I should be aware of?

Thank you.
0
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34202744
I think ActiveSync will be fine.  It uses a virtual directory under the Default Web Site; if your cert is valid for the Default Web Site, trust should not be an issue.

A good tool (in case you don't already know of it) to test things out is:  testexchangeconnectivity.com
It's a website run by Microsoft that will test your Exchange setup.  You don't have to pass every single one of the tests there; just at least one pass in each category and you should be good.
0
 

Author Comment

by:piatt
ID: 34208134
Thank you so much for your help!

I did find that I am able to add another (outside) IP address to my security device.  So the original article I referred to will work in my situation now, using the Outlook Anywhere SSL redirection.

:-)
0
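Added example (editor's, not code from any poster in this thread): a small Python simulation of the probe sequence Outlook 2007/2010 runs for user@domain.com, played against the four layouts the thread discusses: the single-name mail.domain.com certificate with every name on one IP, the SAN certificate Kaffiend recommends in the accepted answer, the SRV record the DNS host could not publish, and the second-IP HTTP redirect the author settled on. The hostnames, the 203.0.113.x addresses and the certificate name lists are constructed to mirror the question. The documented client order it follows (root domain over HTTPS, autodiscover host over HTTPS, plain-HTTP redirect on the autodiscover host, then SRV) shows why the baseline fails with no warning to the user (Outlook silently drops a probe whose certificate does not match the name it dialled) and why the redirect needs its own address: on the Exchange IP, port 80 reaches the Default Web Site, which does not answer with a redirect.

```python
"""Simulate the Autodiscover probes Outlook 2007/2010 makes for user@domain.com and
show which options discussed in this thread let a certificate issued only for
mail.domain.com work.  Added example, not from the original post: hostnames,
addresses (RFC 5737 range) and certificate contents are constructed to mirror the
question.  The AD SCP lookup that domain-joined clients try first is omitted; it
never involves the public certificate."""
from dataclasses import dataclass
from typing import Optional

PATH = "/autodiscover/autodiscover.xml"
DOMAIN = "domain.com"
WEB, MAIL, EXTRA = "203.0.113.5", "203.0.113.10", "203.0.113.11"  # web host, Exchange, added IP

@dataclass
class Endpoint:
    """What answers on one public IP (constructed)."""
    cert_names: tuple = ()               # CN/SAN names presented on 443; empty = nothing on 443
    http_redirect: Optional[str] = None  # Location a port-80 GET for PATH returns, if any

@dataclass
class Result:
    method: Optional[str]
    url: Optional[str]
    prompts_user: bool                   # redirect and SRV methods make Outlook ask once
    log: list

def cert_matches(cert_names, host):
    """Exact CN/SAN match or single-label wildcard (*.domain.com covers mail.domain.com,
    not a.b.domain.com), compared case-insensitively."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host or (name.startswith("*.") and "." in host
                            and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def autodiscover(domain, dns, endpoints, srv_target=None):
    """dns: hostname -> IP from the public zone.  endpoints: IP -> Endpoint.
    srv_target: host named by _autodiscover._tcp.<domain>, or None if none can be published."""
    log = []

    def https_ok(host):
        ip = dns.get(host)
        if ip is None:
            log.append(f"{host}: no DNS record")
            return False
        names = endpoints[ip].cert_names
        if not cert_matches(names, host):
            # Outlook drops a mismatched probe silently; there is no click-through to train users on.
            log.append(f"https://{host}{PATH}: certificate {names or '(none)'} does not cover {host}")
            return False
        return True

    ad_host = f"autodiscover.{domain}"
    # 1. https://domain.com/...   2. https://autodiscover.domain.com/...
    for host, method in ((domain, "https-root"), (ad_host, "https-autodiscover")):
        if https_ok(host):
            return Result(method, f"https://{host}{PATH}", False, log)
    # 3. plain http://autodiscover.domain.com/... hoping for a 302 to an https:// URL
    ip = dns.get(ad_host)
    target = endpoints[ip].http_redirect if ip else None
    if target and target.startswith("https://") and https_ok(target.split("/")[2]):
        return Result("http-redirect", target, True, log)
    if not target:
        log.append(f"http://{ad_host}{PATH}: no redirect offered")
    # 4. SRV _autodiscover._tcp.domain.com -> host, then HTTPS against that host
    if srv_target and https_ok(srv_target):
        return Result("srv", f"https://{srv_target}{PATH}", True, log)
    return Result(None, None, False, log)

def _layout(mail_cert):
    """External zone from the question: web site at the provider, everything else on Exchange."""
    dns = {DOMAIN: WEB, f"mail.{DOMAIN}": MAIL, f"autodiscover.{DOMAIN}": MAIL}
    eps = {WEB: Endpoint(cert_names=(f"www.{DOMAIN}",)), MAIL: Endpoint(cert_names=mail_cert)}
    return dns, eps

def single_name_cert_one_ip():
    """Starting point: one IP, cert only for mail.domain.com, no SRV. Every probe fails."""
    return autodiscover(DOMAIN, *_layout((f"mail.{DOMAIN}",)))

def san_cert_one_ip():
    """Accepted solution: a SAN cert covering both names; one IP is enough."""
    return autodiscover(DOMAIN, *_layout((f"mail.{DOMAIN}", f"autodiscover.{DOMAIN}")))

def srv_record_one_ip():
    """Alternative: keep the cert, publish _autodiscover._tcp.domain.com -> mail.domain.com."""
    return autodiscover(DOMAIN, *_layout((f"mail.{DOMAIN}",)), srv_target=f"mail.{DOMAIN}")

def redirect_second_ip():
    """What the author ended up with: autodiscover.domain.com on a second IP whose port-80
    site only redirects to the Autodiscover URL under the name the cert does cover."""
    dns, eps = _layout((f"mail.{DOMAIN}",))
    dns[f"autodiscover.{DOMAIN}"] = EXTRA
    eps[EXTRA] = Endpoint(http_redirect=f"https://mail.{DOMAIN}{PATH}")
    return autodiscover(DOMAIN, dns, eps)

if __name__ == "__main__":
    for scenario in (single_name_cert_one_ip, san_cert_one_ip, srv_record_one_ip, redirect_second_ip):
        r = scenario()
        print(f"{scenario.__name__}: {r.method} {r.url or ''}", *r.log, sep="\n    ")
```

Running it prints each scenario's outcome with the probes that were tried. `prompts_user` marks the two methods (redirect and SRV) where Outlook asks the user once to allow the redirection to mail.domain.com; that one-time prompt is the user-facing cost the single-certificate workarounds carry compared with a SAN certificate, and it is worth telling road users about in advance so they do not learn to dismiss dialogs without reading them.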

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question