Solved

Exchange 2010 with One IP address and One SSL Certificate

Posted on 2010-11-22
13
908 Views
Last Modified: 2012-06-21

I am upgrading from 2003 and have run into the certificate problem.  I have read it is possible to redirect owa and autodiscovery to the same domain on the certificate (mail.domain.com)  But if I understand correctly you have to have 2 ip addresses to do this.  I also don't have the ability to create a SRV record on my domain host provider DNS site.  

My configuration is as follows:  Windows 2008R2, Exchange 2010 with all roles but UMC installed.  I also have an Edge transport in the perimeter. We have 1 ip address.  We have a certificate for mail.domain.com.  How can I set all services to be directed to my ip address and use this single certificate?  

Also, what would the internal DNS settings be since again it all goes to 1 ip address?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html is an article I found and is so close to what I'm looking for.  I hope there is a solution to this problem.



Thanks.

0
Question by:piatt
13 Comments
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34194460
You do not need 2 IP addresses.  Point all of them (owa, autodiscover and mail) to the same IP address.

You do not necessarily need any SRV records either.  Outlook will check for SRV records if it does not find autodiscover.yourdomain.com, or mail.yourdomain.com/autodiscover.xml.  If it finds any one of those, it will be happy.

Make sure you get an SSL certificate with the correct Subject Alternative Names (SAN).  If you don't have a SAN SSL cert, you need to get one.

If you have only 1 IP address, you will need to set up your networking gear (firewall/router) to send port 25 traffic to your Edge server, and port 80, 443 and whatever else (if you decide to use IMAP for example) to the Mail-ClientAccess-Hub server.

0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34194528
You can simply just add another IP address to your network card properties; this will give you another internal server IP address.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34196128
For making a redirection from external you will need to configure your external DNS to point to your internal server and this is only possible when you have a real and an internal IP (Exchange Server). After all these you will need to configure the HTTP Redirect in your IIS. The basic concept is, when an external user will try to connect to your exchange environment it will ping to (webmail.xcbfg.com); this request will go to your real dns address (webmail.xcbfg.com) and that dns address will connect to your real ip and the real ip will connect to your internal exchange ip using NAT. So I think you will need two ips connecting from outside.
0

 

Author Comment

by:piatt
ID: 34197069
I do have a certificate for my external domain but it only has mail.domain.com on it.  I am not able to get another one due to costs.  So with this one certificate what would the external DNS look like pointing to 1 ip address?

From what I've read I need mail.domain.com, autodiscover.domain.com but then a SRV record pointing the autodiscover back to mail.domain.com.  If I don't need a SRV record how can I accomplish everything going to my 1 ip using a single name certificate?

For my internal DNS we have forward lookup zones for domain.internal and domain.com.  Again I need everything pointing to the server using the one certificate.  All roles are on one server.
0
 

Author Comment

by:piatt
ID: 34197086
Oh I guess I should also mention that I'm not able to create SRV records on my provider's DNS server.
0
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34197257
Sorry to be blunt about it, but.....

A Windows server license costs how much?
Exchange server license costs how much?
Exchange access CALs cost how much?

When you've spent all that to end up with a messaging system that can scale up to enterprise levels, what is the $100 or so per year for a SAN SSL cert?
0
 

Author Comment

by:piatt
ID: 34197444
Considering we are a non-profit and receive software and hardware at substantial savings, the cost for another certificate (which we pay full retail value for) does make a difference.  We just renewed our certificate last year for 3 years.  So yes, the $100/year additional to the $300+ we paid for our existing certificate makes a difference.
0
 

Author Comment

by:piatt
ID: 34197737
Well I am waiting to hear from my certificate provider to see what they can do for us in exchange for the 3 year certificate.  If they can do the exchange for a 1 year UUC then I'll be ok.  I was afraid the 1 ip with 1 SSL name wouldn't work.
0
 
LVL 14

Accepted Solution

by:
Kaffiend earned 500 total points
ID: 34197827
Well, to make it work right, you will need a proper SSL SAN cert.  (Case of wrong timing when you got your cert last year - could've gotten a SAN cert for the same price.  I feel for you).  For the price you paid, maybe your cert allows SANs - perhaps the SSL CA will let you re-key the cert with SANs.

Either that (which is the easier way), or change to a DNS host that supports SRV records.

If you don't go with either one of these options, your environment becomes a little harder to manage - you will then be forced to use your own cert, and have to import it into every outlook client computer (and most handsets).  Still doable, just a lot more work.
0
 

Author Comment

by:piatt
ID: 34198391
Thanks for the info.  Just checked and it will cost way too much to get a SAN cert. since I have to purchase a 3 year (they would credit 1 year).  So that's out. Double checked with my DNS host and they don't do SRV records.  Ugh!  Can't use own cert. due to iPhones, blackberry, and users on the road.  It would be too confusing for them.

So I'm still trying to figure out a solution to this... not sure I will find one though.  Maybe switching to a different DNS host instead of our website provider will be next.
0
 

Author Comment

by:piatt
ID: 34198603
So now I'm thinking about Configure Outlook Anywhere to Use an SSL Certificate with Redirection. Will this cause any problems with phones using active sync?  Or are there any other issues I should be aware of?

Thank you.
0
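The whole thread turns on one question: which step of Outlook's Autodiscover lookup can end on a TLS connection whose certificate name matches, when every name resolves to one public address and the certificate carries only mail.domain.com. The model below walks that lookup order (bare domain over HTTPS, autodiscover.domain over HTTPS, plain-HTTP redirect, then SRV) against constructed DNS data and shows why Kaffiend's earlier SAN/SRV advice and the "SSL certificate with redirection" option asked about here both work, and why the starting configuration does not. This is an added example, not code from the thread or from Microsoft; example.com, the 203.0.113.x/198.51.100.x addresses and all records are constructed, and it simplifies real Outlook behaviour by treating a certificate name mismatch as a failure rather than a warning dialog.

```python
"""Model of the Autodiscover lookup order Outlook follows, run against sample DNS
zones and certificates, to show which options work with one public IP and a
single-name certificate. Added example, not code from the original thread;
'example.com' and every address and record below are constructed sample data."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


@dataclass
class Zone:
    """Constructed public DNS data plus any HTTP redirect answered on port 80."""
    a: dict                                         # host name -> IPv4 address
    srv: dict = field(default_factory=dict)         # SRV owner -> (target host, port)
    redirects: dict = field(default_factory=dict)   # plain-http host -> redirect URL


def cert_covers(cert_names, host):
    """True if the certificate lists host as CN/SAN or matches it with a wildcard."""
    if host in cert_names:
        return True
    parent = host.split(".", 1)[1] if "." in host else ""
    return f"*.{parent}" in cert_names


def https_ok(host, zone, cert_names, exchange_ip, trace):
    """Can a client reach Exchange via this name over TLS without a name mismatch?"""
    if zone.a.get(host) != exchange_ip:
        trace.append(f"{host}: no A record pointing at the Exchange address")
        return False
    if not cert_covers(cert_names, host):
        trace.append(f"{host}: reaches Exchange, but the certificate does not cover this name")
        return False
    return True


def resolve_autodiscover(domain, zone, cert_names, exchange_ip):
    """Walk Outlook's lookup order and return (method, url, trace).

    After the SCP lookup (domain-joined clients only) Outlook tries, in order:
    1. https://<domain>/autodiscover/autodiscover.xml
    2. https://autodiscover.<domain>/autodiscover/autodiscover.xml
    3. http://autodiscover.<domain>/... and follows a redirect to an https URL
       (after prompting the user)
    4. the SRV record _autodiscover._tcp.<domain>, which names the https host
    A step succeeds only if it ends on a TLS connection whose certificate is
    valid for the name used; method is None when no step works.
    """
    trace = []
    auto = f"autodiscover.{domain}"
    for host in (domain, auto):                                   # steps 1 and 2
        if https_ok(host, zone, cert_names, exchange_ip, trace):
            return "https", f"https://{host}{AUTODISCOVER_PATH}", trace
    target = zone.redirects.get(auto)                             # step 3
    if target is None:
        trace.append(f"{auto}: nothing answers plain HTTP with a redirect")
    elif urlparse(target).scheme != "https":
        trace.append(f"{auto}: redirect target {target} is not https, ignored")
    elif https_ok(urlparse(target).hostname, zone, cert_names, exchange_ip, trace):
        trace.append("redirect: Outlook asks the user to confirm the new address")
        return "http-redirect", target, trace
    srv = zone.srv.get(f"_autodiscover._tcp.{domain}")            # step 4
    if srv is None:
        trace.append(f"_autodiscover._tcp.{domain}: no SRV record")
    else:
        srv_host, srv_port = srv
        if https_ok(srv_host, zone, cert_names, exchange_ip, trace):
            return "srv", f"https://{srv_host}:{srv_port}{AUTODISCOVER_PATH}", trace
    return None, None, trace


# Constructed addresses (documentation ranges): the one public Exchange address,
# and the web host that the bare domain points at.
EXCHANGE_IP = "203.0.113.10"
WEB_IP = "198.51.100.7"
SINGLE_NAME = {"mail.example.com"}
SAN_CERT = {"mail.example.com", "autodiscover.example.com"}


def base_zone():
    """The thread's starting point: every Exchange name resolves to the one address."""
    return Zone(a={"example.com": WEB_IP,
                   "mail.example.com": EXCHANGE_IP,
                   "autodiscover.example.com": EXCHANGE_IP})


def scenarios():
    """The starting point and the three ways out, as name -> (method, url, trace)."""
    out = {}
    out["single-name cert, nothing else"] = resolve_autodiscover(
        "example.com", base_zone(), SINGLE_NAME, EXCHANGE_IP)
    zone = base_zone()
    zone.srv["_autodiscover._tcp.example.com"] = ("mail.example.com", 443)
    out["single-name cert + SRV record"] = resolve_autodiscover(
        "example.com", zone, SINGLE_NAME, EXCHANGE_IP)
    zone = base_zone()
    zone.redirects["autodiscover.example.com"] = f"https://mail.example.com{AUTODISCOVER_PATH}"
    out["single-name cert + HTTP redirect"] = resolve_autodiscover(
        "example.com", zone, SINGLE_NAME, EXCHANGE_IP)
    out["SAN cert"] = resolve_autodiscover(
        "example.com", base_zone(), SAN_CERT, EXCHANGE_IP)
    return out


if __name__ == "__main__":
    for name, (method, url, trace) in scenarios().items():
        print(f"{name}: {method or 'NO VALID METHOD'} {url or ''}")
        for line in trace:
            print("   -", line)
```

Running it prints a trace per scenario. In the starting configuration every step fails: the bare domain points at the web host, autodiscover.example.com reaches Exchange but the certificate is for mail.example.com only, nothing serves a redirect, and there is no SRV record. The SRV option works only if the DNS host can publish that record, which is the blocker in this thread. The redirect option works because the redirect target is mail.example.com over HTTPS, but in practice something other than the Exchange default website has to answer plain HTTP for autodiscover.example.com, which is why the thread ends with a second external address; the model also refuses a redirect to a non-HTTPS target, since a plain-HTTP redirect is the one unauthenticated step in the sequence and its destination must still present a valid certificate.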
 
LVL 14

Expert Comment

by:Kaffiend
ID: 34202744
I think ActiveSync will be fine - it uses a virtual directory under the default web site - if your cert is valid for the default web site, trust should not be an issue.

A good tool (in case you don't already know of it) to test things out is:  testexchangeconnectivity.com
It's a website run by Microsoft that will test your Exchange setup.  You don't have to pass every single one of those tests there, just at least one pass in each category and you should be good.
0
 

Author Comment

by:piatt
ID: 34208134
Thank you so much for your help!

I did find that I am able to add another (outside) ip address to my security device.  So the original article I referred to will work in my situation now using the outlook anywhere SSL redirection.

:-)
0
