Solved

Exchange 2010 with One IP address and One SSL Certificate

Posted on 2010-11-22
925 Views
Last Modified: 2012-06-21

I am upgrading from 2003 and have run into the certificate problem.  I have read it is possible to redirect OWA and Autodiscover to the same domain on the certificate (mail.domain.com), but if I understand correctly you have to have 2 IP addresses to do this.  I also don't have the ability to create a SRV record on my domain host provider's DNS site.  

My configuration is as follows:  Windows 2008 R2, Exchange 2010 with all roles but UMC installed.  I also have an Edge Transport in the perimeter. We have one IP address.  We have a certificate for mail.domain.com.  How can I set all services to be directed to my IP address and use this single certificate?  

Also, what would the internal DNS settings be, since again it all goes to one IP address?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html is an article I found and is so close to what I'm looking for.  I hope there is a solution to this problem.



Thanks.

0
Question by:piatt

13 Comments
LVL 14

Expert Comment

by:Kaffiend
ID: 34194460
You do not need 2 IP addresses.  Point all of them (owa, autodiscover and mail) to the same IP address.

You do not necessarily need any SRV records either.  Outlook will check for SRV records if it does not find autodiscover.yourdomain.com, or mail.yourdomain.com/autodiscover.xml.  If it finds any one of those, it will be happy.

Make sure you get an SSL certificate with the correct Subject Alternative Names (SAN).  If you don't have a SAN SSL cert, you need to get one.

If you have only 1 IP address, you will need to set up your networking gear (firewall/router) to send port 25 traffic to your Edge server, and port 80, 443 and whatever else (if you decide to use IMAP, for example) to the Mail-ClientAccess-Hub server.

0
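The single-namespace setup the comment above describes, as an added example written for this page rather than taken from the thread: every client-facing Exchange 2010 service is published on the one name the certificate carries (mail.domain.com), the Autodiscover SCP in AD points at that same name, and internal DNS answers for mail.domain.com with the private address (split DNS). The server name EX01, the private address 192.168.1.10, and the zone name domain.com are assumptions for illustration; run it in the Exchange Management Shell on the Client Access server.

```powershell
# Added example (not from the thread). Publish every Exchange 2010 service
# on one name so a single-name certificate covers all of them.
# Assumptions: CAS is EX01, private IP 192.168.1.10, zone domain.com.
$server = "EX01"
$name   = "mail.domain.com"
$url    = "https://$name"

# 1. Bind the existing mail.domain.com certificate to IIS (HTTPS) and SMTP.
$cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -like "CN=$name*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$name found on $server" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 2. Autodiscover: domain-joined Outlook reads this SCP from AD before it
#    ever tries autodiscover.domain.com, so internal clients never hit a
#    name that is missing from the certificate.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "$url/autodiscover/autodiscover.xml"

# 3. Virtual directories: identical host name inside and outside.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "$url/owa" -ExternalUrl "$url/owa"
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -InternalUrl "$url/ecp" -ExternalUrl "$url/ecp"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"
Set-ActiveSyncVirtualDirectory `
    -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$url/Microsoft-Server-ActiveSync" `
    -ExternalUrl "$url/Microsoft-Server-ActiveSync"

# 4. Outlook Anywhere (RPC over HTTPS) on the same name. Enable-OutlookAnywhere
#    fails if it is already enabled, so update in place in that case.
if (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue) {
    Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" -ExternalHostname $name
} else {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $name `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# 5. Split DNS on the internal Windows DNS server (Server 2008 R2 has no
#    DnsServer PowerShell module, so use dnscmd). Externally the public A
#    record for mail.domain.com points at the firewall's single address;
#    the firewall forwards 25 to the Edge Transport and 80/443 to this CAS.
dnscmd /RecordAdd domain.com mail A 192.168.1.10
# Optional: an internal SRV record gives non-domain-joined clients on the
# LAN the same Autodiscover answer without needing autodiscover.domain.com.
dnscmd /RecordAdd domain.com _autodiscover._tcp SRV 0 0 443 mail.domain.com

# 6. Check that nothing still advertises the server's FQDN instead of $name.
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $server | Format-List ExternalHostname
```

The check in step 6 matters because any URL still set to the server's internal FQDN (EX01.domain.internal) will produce a certificate name-mismatch warning in Outlook even though the certificate is otherwise valid; every URL Outlook learns through Autodiscover has to be a name the certificate actually carries.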
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34194528
You can simply add another IP address in your network card properties; this will give you another internal server IP address.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34196128
For making a redirection from external you will need to configure your external DNS to point to your internal server, and this is only possible when you have a real and an internal IP (Exchange Server). After all this you will need to configure the HTTP Redirect in your IIS. The basic concept is: when an external user tries to connect to your Exchange environment it will ping (webmail.xcbfg.com); this request will go to your real DNS address (webmail.xcbfg.com), that DNS address will connect to your real IP, and the real IP will connect to your internal Exchange IP using NAT. So I think you will need two IPs connecting from outside.
0

Author Comment

by:piatt
ID: 34197069
I do have a certificate for my external domain but it only has mail.domain.com on it.  I am not able to get another one due to costs.  So with this one certificate, what would the external DNS look like pointing to one IP address?

From what I've read I need mail.domain.com, autodiscover.domain.com but then a SRV record pointing the autodiscover back to mail.domain.com.  If I don't need a SRV record how can I accomplish everything going to my 1 ip using a single name certificate?

For my internal DNS we have forward lookup zones for domain.internal and domain.com.  Again I need everything pointing to the server using the one certificate.  All roles are on one server.
0
 

Author Comment

by:piatt
ID: 34197086
Oh, I guess I should also mention that I'm not able to create SRV records on my provider's DNS server.
0
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34197257
Sorry to be blunt about it, but.....

A Windows server license costs how much?
Exchange server license costs how much?
Exchange access CALs cost how much?

When you've spent all that to end up with a messaging system that can scale up to enterprise levels, what is the $100 or so per year for a SAN SSL cert?




0
 

Author Comment

by:piatt
ID: 34197444
Considering we are a non-profit and receive software and hardware at substantial savings, the cost for another certificate (which we pay full retail value for) does make a difference.  We just renewed our certificate last year for 3 years.  So yes, the $100/year additional to the $300+ we paid for our existing certificate makes a difference.
0
 

Author Comment

by:piatt
ID: 34197737
Well I am waiting to hear from my certificate provider to see what they can do for us in exchange for the 3 year certificate.  If they can do the exchange for a 1 year UUC then I'll be ok.  I was afraid the 1 ip with 1 SSL name wouldn't work.
0
 
LVL 14

Accepted Solution

by:
Kaffiend earned 2000 total points
ID: 34197827
Well, to make it work right, you will need a proper SSL SAN cert.  (Case of wrong timing when you got your cert last year - could've gotten a SAN cert for the same price.  I feel for you).  For the price you paid, maybe your cert allows SANs - perhaps the SSL CA will let you re-key the cert with SANs.

Either that (which is the easier way), or change to a DNS host that supports SRV records.

If you don't go with either one of these options, your environment becomes a little harder to manage - you will then be forced to use your own cert, and have to import it into every outlook client computer (and most handsets).  Still doable, just a lot more work.
0
 

Author Comment

by:piatt
ID: 34198391
Thanks for the info.  Just checked and it will cost way too much to get a SAN cert, since I have to purchase a 3 year (they would credit 1 year).  So that's out. Double checked with my DNS host and they don't do SRV records.  Ugh!  Can't use own cert due to iPhones, BlackBerry, and users on the road.  It would be too confusing for them.

So I'm still trying to figure out a solution to this... not sure I will find one though.  Maybe switching to a different DNS host instead of our website provider will be next.
0
 

Author Comment

by:piatt
ID: 34198603
So now I'm thinking about Configure Outlook Anywhere to Use an SSL Certificate with Redirection. Will this cause any problems with phones using active sync?  Or are there any other issues I should be aware of?

Thank you.
0
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34202744
I think ActiveSync will be fine - it uses a virtual directory under the default web site - if your cert is valid for the default web site, trust should not be an issue.

A good tool (in case you don't already know of it) to test things out is:  testexchangeconnectivity.com
It's a website run by Microsoft that will test your Exchange setup.  You don't have to pass every single one of those tests there, just at least one pass in each category and you should be good.
0
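The redirection method discussed in the two comments above (a plain-HTTP site for autodiscover.domain.com that sends Outlook to the Autodiscover URL on mail.domain.com, the only name on the certificate), as an added example written for this page and not taken from the thread or from Microsoft's article. It needs its own address because the Exchange Default Web Site listens on all unassigned addresses, and it must never terminate TLS, since there is no certificate for autodiscover.domain.com. The second private address 192.168.1.11, the site name and the folder path are assumptions; the external A record for autodiscover.domain.com goes to the second public address with only port 80 forwarded to 192.168.1.11.

```powershell
# Added example (not from the thread). HTTP-only IIS site that answers
# http://autodiscover.domain.com and 302-redirects Outlook to the
# Autodiscover URL on the name the certificate carries.
# Assumptions: second private IP 192.168.1.11, site name and path below.
# Run elevated on the Client Access server (IIS 7.5, Server 2008 R2).
Import-Module WebAdministration

$redirectIp   = "192.168.1.11"                 # assumption: 2nd address on the NIC
$redirectHost = "autodiscover.domain.com"
$target       = "https://mail.domain.com/autodiscover/autodiscover.xml"
$siteName     = "Autodiscover Redirect"
$sitePath     = "C:\inetpub\AutodiscoverRedirect"

New-Item -ItemType Directory -Path $sitePath -Force | Out-Null

# Port 80 only. No HTTPS binding: the only certificate on the box is for
# mail.domain.com, so TLS on this name would fail the client's name check.
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $sitePath `
        -IPAddress $redirectIp -Port 80 -HostHeader $redirectHost | Out-Null
}

# HTTP Redirect: always answer with the exact target URL (exactDestination),
# whatever path the client requested, and use 302 Found. Outlook only
# follows an Autodiscover redirect whose target is an https:// URL.
$site = "IIS:\Sites\$siteName"
$f    = "system.webServer/httpRedirect"
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name destination        -Value $target
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name exactDestination   -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name httpResponseStatus -Value "Found"

# Verify from the server itself, without following the redirect, that the
# Location header names the certificate's host and nothing else.
$req = [System.Net.HttpWebRequest]::Create("http://$redirectHost/autodiscover/autodiscover.xml")
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
"{0} {1}" -f [int]$resp.StatusCode, $resp.Headers["Location"]
$resp.Close()
```

The expected verification line is "302 https://mail.domain.com/autodiscover/autodiscover.xml". Outlook tries https://autodiscover.domain.com/autodiscover/autodiscover.xml before it falls back to this HTTP redirect, so make sure nothing answers on 443 at the second address; a listener there presenting the mail.domain.com certificate would fail the name check instead of being skipped. ActiveSync and OWA are unaffected because they never use autodiscover.domain.com; they connect straight to mail.domain.com.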
 

Author Comment

by:piatt
ID: 34208134
Thank you so much for your help!

I did find that I am able to add another (outside) ip address to my security device.  So the original article I referred to will work in my situation now using  the outlook anywhere SSL redirection.

:-)
0
