Solved

Exchange 2010 with One IP address and One SSL Certificate

Posted on 2010-11-22
Last Modified: 2012-06-21

I am upgrading from 2003 and have run into the certificate problem.  I have read it is possible to redirect OWA and Autodiscover to the same domain on the certificate (mail.domain.com), but if I understand correctly you have to have 2 IP addresses to do this.  I also don't have the ability to create an SRV record on my domain host provider's DNS site.

My configuration is as follows: Windows 2008 R2, Exchange 2010 with all roles but UM installed.  I also have an Edge Transport in the perimeter.  We have 1 IP address.  We have a certificate for mail.domain.com.  How can I set all services to be directed to my IP address and use this single certificate?

Also, what would the internal DNS settings be, since again it all goes to 1 IP address?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html is an article I found and is so close to what I'm looking for.  I hope there is a solution to this problem.



Thanks.

Question by: piatt
 

Expert Comment

by:Kaffiend
ID: 34194460
You do not need 2 IP addresses.  Point all of them (OWA, Autodiscover and mail) to the same IP address.

You do not necessarily need any SRV records either.  Outlook will check for SRV records if it does not find autodiscover.yourdomain.com or mail.yourdomain.com/autodiscover.xml.  If it finds any one of those, it will be happy.

Make sure you get an SSL certificate with the correct Subject Alternative Names (SANs).  If you don't have a SAN SSL cert, you need to get one.

If you have only 1 IP address, you will need to set up your networking gear (firewall/router) to send port 25 traffic to your Edge server, and ports 80, 443 and whatever else (if you decide to use IMAP, for example) to the Mailbox/Client Access/Hub server.


Expert Comment

by:MegaNuk3
ID: 34194528
You can simply add another IP address to your network card properties; this will give you another internal server IP address.

Expert Comment

by:abhijitmdp
ID: 34196128
To make a redirection from outside, you will need to configure your external DNS to point to your internal server, and this is only possible when you have a real IP and an internal IP (Exchange server).  After all that you will need to configure the HTTP Redirect in your IIS.  The basic concept is: when an external user tries to connect to your Exchange environment, it will ping webmail.xcbfg.com; this request will go to your real DNS address (webmail.xcbfg.com), that DNS address will connect to your real IP, and the real IP will connect to your internal Exchange IP using NAT.  So I think you will need two IPs connecting from outside.

Author Comment

by:piatt
ID: 34197069
I do have a certificate for my external domain, but it only has mail.domain.com on it.  I am not able to get another one due to costs.  So with this one certificate, what would the external DNS look like pointing to 1 IP address?

From what I've read I need mail.domain.com and autodiscover.domain.com, but then an SRV record pointing the autodiscover back to mail.domain.com.  If I don't need an SRV record, how can I accomplish everything going to my 1 IP using a single-name certificate?

For my internal DNS we have forward lookup zones for domain.internal and domain.com.  Again I need everything pointing to the server using the one certificate.  All roles are on one server.

Author Comment

by:piatt
ID: 34197086
Oh, I guess I should also mention that I'm not able to create SRV records on my provider's DNS server.

Expert Comment

by:Kaffiend
ID: 34197257
Sorry to be blunt about it, but.....

A Windows server license costs how much?
Exchange server license costs how much?
Exchange access CALs cost how much?

When you've spent all that to end up with a messaging system that can scale up to enterprise levels, what is the $100 or so per year for a SAN SSL cert?





Author Comment

by:piatt
ID: 34197444
Considering we are a non-profit and receive software and hardware at substantial savings, the cost for another certificate (which we pay full retail value for) does make a difference.  We just renewed our certificate last year for 3 years.  So yes, the $100/year additional to the $300+ we paid for our existing certificate makes a difference.
Author Comment

by:piatt
ID: 34197737
Well, I am waiting to hear from my certificate provider to see what they can do for us in exchange for the 3-year certificate.  If they can do the exchange for a 1-year UCC then I'll be OK.  I was afraid the 1 IP with 1 SSL name wouldn't work.

Accepted Solution

by:
Kaffiend earned 500 total points
ID: 34197827
Well, to make it work right, you will need a proper SSL SAN cert.  (Case of wrong timing when you got your cert last year - could've gotten a SAN cert for the same price.  I feel for you).  For the price you paid, maybe your cert allows SANs - perhaps the SSL CA will let you re-key the cert with SANs.

Either that (which is the easier way), or change to a DNS host that supports SRV records.

If you don't go with either one of these options, your environment becomes a little harder to manage - you will then be forced to use your own cert, and have to import it into every outlook client computer (and most handsets).  Still doable, just a lot more work.
Author Comment

by:piatt
ID: 34198391
Thanks for the info.  Just checked and it will cost way too much to get a SAN cert, since I have to purchase a 3-year (they would credit 1 year).  So that's out.  Double-checked with my DNS host and they don't do SRV records.  Ugh!  Can't use our own cert due to iPhones, BlackBerrys, and users on the road.  It would be too confusing for them.

So I'm still trying to figure out a solution to this... not sure I will find one though.  Maybe switching to a different DNS host instead of our website provider will be next.
Author Comment

by:piatt
ID: 34198603
So now I'm thinking about Configure Outlook Anywhere to Use an SSL Certificate with Redirection. Will this cause any problems with phones using active sync?  Or are there any other issues I should be aware of?

Thank you.

Expert Comment

by:Kaffiend
ID: 34202744
I think ActiveSync will be fine - it uses a virtual directory under the default web site - if your cert is valid for the default web site, trust should not be an issue.

A good tool (in case you don't already know of it) to test things out is: testexchangeconnectivity.com
It's a website run by Microsoft that will test your Exchange setup.  You don't have to pass every single one of those tests there; just at least one pass in each category and you should be good.
Author Comment

by:piatt
ID: 34208134
Thank you so much for your help!

I did find that I am able to add another (outside) ip address to my security device.  So the original article I referred to will work in my situation now using  the outlook anywhere SSL redirection.

:-)
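The lookup order Kaffiend describes in the first reply, and the redirect-on-a-second-IP outcome the thread ends on, as an added example that is not part of the original thread. It walks the external Outlook 2007 SP1 / 2010 Autodiscover order (HTTPS to the SMTP domain, HTTPS to autodiscover.<domain>, plain-HTTP redirect, SRV record) against four constructed deployments. Every hostname, every 203.0.113.x address and every certificate is a placeholder; the SCP lookup that domain-joined clients do inside the network is left out; and a certificate name mismatch is treated as a failed step, which is where the user-visible name-mismatch warning appears in practice.

```python
"""Offline simulation of the Outlook 2007 SP1 / 2010 external Autodiscover lookup order (added example; all names, IPs and certificates are constructed placeholders)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

SMTP_DOMAIN = "domain.com"
AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


@dataclass
class Listener:
    cert_names: tuple = ()               # CN + SANs presented on 443; () = nothing listens on 443
    http_redirect: Optional[str] = None  # Location of the 302 returned on port 80, if any


@dataclass
class Deployment:
    dns_a: Dict[str, str]             # hostname -> public IP
    listeners: Dict[str, Listener]    # public IP -> what answers there
    srv_target: Optional[str] = None  # target of _autodiscover._tcp.<domain>, if published
    trace: List[str] = field(default_factory=list)


def cert_matches(cert_names: tuple, host: str) -> bool:
    """RFC 6125 style check: exact match or a single left-most wildcard label."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def _https_probe(dep: Deployment, host: str) -> bool:
    """POST https://<host>/autodiscover/autodiscover.xml; True if this step succeeds."""
    lis = dep.listeners.get(dep.dns_a.get(host, ""))
    if lis is None or not lis.cert_names:
        dep.trace.append(f"https://{host}: nothing on 443, fails silently")
        return False
    if not cert_matches(lis.cert_names, host):
        # This is the step that throws the certificate name-mismatch warning at the user.
        dep.trace.append(f"https://{host}: cert {lis.cert_names} does not cover {host}, warning, fails")
        return False
    dep.trace.append(f"https://{host}: cert OK, Autodiscover answered")
    return True


def autodiscover(dep: Deployment) -> Optional[str]:
    """Return the Autodiscover URL the client settles on, or None if every step fails."""
    ad_host = f"autodiscover.{SMTP_DOMAIN}"
    # Steps 1-2: HTTPS POST to the SMTP domain itself, then to autodiscover.<domain>.
    for host in (SMTP_DOMAIN, ad_host):
        if _https_probe(dep, host):
            return f"https://{host}{AUTODISCOVER_PATH}"
    # Step 3: plain HTTP GET to autodiscover.<domain>, following one 302 to an HTTPS URL.
    lis = dep.listeners.get(dep.dns_a.get(ad_host, ""))
    if lis is not None and lis.http_redirect:
        target = urlparse(lis.http_redirect)
        dep.trace.append(f"http://{ad_host}: 302 -> {lis.http_redirect} (user allows it once)")
        if target.scheme == "https" and _https_probe(dep, target.hostname):
            return lis.http_redirect
    # Step 4: SRV record pointing at a host the certificate does cover.
    if dep.srv_target:
        dep.trace.append(f"SRV _autodiscover._tcp.{SMTP_DOMAIN} -> {dep.srv_target}")
        if _https_probe(dep, dep.srv_target):
            return f"https://{dep.srv_target}{AUTODISCOVER_PATH}"
    return None


SINGLE_NAME, SAN_CERT = ("mail.domain.com",), ("mail.domain.com", "autodiscover.domain.com")
WEB_HOST, EXCHANGE_IP, REDIRECT_IP = "203.0.113.5", "203.0.113.10", "203.0.113.11"


def scenarios() -> Dict[str, Deployment]:
    dns = {"domain.com": WEB_HOST, "mail.domain.com": EXCHANGE_IP, "autodiscover.domain.com": EXCHANGE_IP}
    web, single, san = Listener(), Listener(SINGLE_NAME), Listener(SAN_CERT)
    redirect = Listener(http_redirect=f"https://mail.domain.com{AUTODISCOVER_PATH}")  # port 80 only
    return {
        # The thread's starting point: one IP, single-name cert, no SRV record.
        "one_ip_single_name": Deployment(dict(dns), {WEB_HOST: web, EXCHANGE_IP: single}),
        # Same, plus the SRV record the poster's DNS host cannot publish.
        "one_ip_srv": Deployment(dict(dns), {WEB_HOST: web, EXCHANGE_IP: single}, "mail.domain.com"),
        # The easy fix: a SAN/UCC cert that also covers autodiscover.domain.com.
        "one_ip_san_cert": Deployment(dict(dns), {WEB_HOST: web, EXCHANGE_IP: san}),
        # The thread's resolution: autodiscover.domain.com on a second public IP, port 80 only, redirecting to the covered name.
        "two_ips_http_redirect": Deployment({**dns, "autodiscover.domain.com": REDIRECT_IP},
                                            {WEB_HOST: web, EXCHANGE_IP: single, REDIRECT_IP: redirect}),
    }


def run_all() -> Dict[str, Optional[str]]:
    return {name: autodiscover(dep) for name, dep in scenarios().items()}


if __name__ == "__main__":
    for name, dep in scenarios().items():
        print(f"== {name}: {autodiscover(dep) or 'FAILED'}", *("   " + t for t in dep.trace), sep="\n")
```

Running it prints each scenario's per-step trace. The single-name, single-IP deployment fails at every step, and the trace of the last scenario shows why the redirect host needs its own public address: if autodiscover.domain.com resolved to the Exchange IP, the HTTPS probe would reach the Client Access server, trip the name mismatch against the mail.domain.com certificate, and never get as far as the port-80 redirect. Note that Outlook only follows the redirect to an HTTPS URL, and that URL must itself pass the certificate check, so the redirect target has to be the name the single certificate actually carries.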