Exchange 2010 with One IP address and One SSL Certificate


I am upgrading from 2003 and have run into the certificate problem. I have read it is possible to redirect OWA and Autodiscover to the same domain on the certificate (mail.domain.com). But if I understand correctly you have to have 2 IP addresses to do this. I also don't have the ability to create a SRV record on my domain host provider's DNS site.

My configuration is as follows: Windows 2008 R2, Exchange 2010 with all roles but UM installed. I also have an Edge Transport in the perimeter. We have 1 IP address. We have a certificate for mail.domain.com. How can I set all services to be directed to my IP address and use this single certificate?

Also, what would the internal DNS settings be, since again it all goes to 1 IP address?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html is an article I found and is so close to what I'm looking for. I hope there is a solution to this problem.



Thanks.

Asked by: piatt

1 Solution
Kaffiend commented:
You do not need 2 IP addresses. Point all of them (owa, autodiscover and mail) to the same IP address.

You do not necessarily need any SRV records either. Outlook will check for SRV records if it does not find autodiscover.yourdomain.com, or mail.yourdomain.com/autodiscover.xml. If it finds any one of those, it will be happy.

Make sure you get an SSL certificate with the correct Subject Alternative Names (SAN). If you don't have a SAN SSL cert, you need to get one.

If you have only 1 IP address, you will need to set up your networking gear (firewall/router) to send port 25 traffic to your Edge server, and port 80, 443 and whatever else (if you decide to use IMAP, for example) to the Mailbox/Client Access/Hub server.

0
 
MegaNuk3 commented:
You can simply just add another IP address to your network card properties; this will give you another internal server IP address.
0
 
abhijitmdp commented:
For making a redirection from external you will need to configure your external DNS to point to your internal server, and this is only possible when you have a real and an internal IP (Exchange Server). After all these you will need to configure the HTTP Redirect in your IIS. The basic concept is: when an external user tries to connect to your Exchange environment it will ping (webmail.xcbfg.com); this request will go to your real DNS address (webmail.xcbfg.com), that DNS address will connect to your real IP, and the real IP will connect to your internal Exchange IP using NAT. So I think you will need two IPs connecting from outside.
0
piatt (author) commented:
I do have a certificate for my external domain but it only has mail.domain.com on it. I am not able to get another one due to costs. So with this one certificate what would the external DNS look like pointing to 1 IP address?

From what I've read I need mail.domain.com and autodiscover.domain.com, but then a SRV record pointing the autodiscover back to mail.domain.com. If I don't need a SRV record, how can I accomplish everything going to my 1 IP using a single-name certificate?

For my internal DNS we have forward lookup zones for domain.internal and domain.com. Again I need everything pointing to the server using the one certificate. All roles are on one server.
0
 
piatt (author) commented:
Oh, I guess I should also mention that I'm not able to create SRV records on my provider's DNS server.
0
 
Kaffiend commented:
Sorry to be blunt about it, but...

A Windows server license costs how much?
Exchange server license costs how much?
Exchange access CALs cost how much?

When you've spent all that to end up with a messaging system that can scale up to enterprise levels, what is the $100 or so per year for a SAN SSL cert?




0
 
piatt (author) commented:
Considering we are a non-profit and receive software and hardware at substantial savings, the cost for another certificate (which we pay full retail value for) does make a difference. We just renewed our certificate last year for 3 years. So yes, the $100/year additional to the $300+ we paid for our existing certificate makes a difference.
0
 
piatt (author) commented:
Well, I am waiting to hear from my certificate provider to see what they can do for us in exchange for the 3 year certificate. If they can do the exchange for a 1 year UCC then I'll be OK. I was afraid the 1 IP with 1 SSL name wouldn't work.
0
 
Kaffiend commented:
Well, to make it work right, you will need a proper SSL SAN cert. (Case of wrong timing when you got your cert last year; you could've gotten a SAN cert for the same price. I feel for you.) For the price you paid, maybe your cert allows SANs; perhaps the SSL CA will let you re-key the cert with SANs.

Either that (which is the easier way), or change to a DNS host that supports SRV records.

If you don't go with either one of these options, your environment becomes a little harder to manage: you will then be forced to use your own cert, and have to import it into every Outlook client computer (and most handsets). Still doable, just a lot more work.
0
 
piatt (author) commented:
Thanks for the info. Just checked and it will cost way too much to get a SAN cert, since I have to purchase a 3 year (they would credit 1 year). So that's out. Double checked with my DNS host and they don't do SRV records. Ugh! Can't use our own cert due to iPhones, BlackBerry, and users on the road. It would be too confusing for them.

So I'm still trying to figure out a solution to this... not sure I will find one though. Maybe switching to a different DNS host instead of our website provider will be next.
0
 
piatt (author) commented:
So now I'm thinking about "Configure Outlook Anywhere to Use an SSL Certificate with Redirection". Will this cause any problems with phones using ActiveSync? Or are there any other issues I should be aware of?

Thank you.
0
 
Kaffiend commented:
I think ActiveSync will be fine: it uses a virtual directory under the default web site, and if your cert is valid for the default web site, trust should not be an issue.

A good tool (in case you don't already know of it) to test things out is testexchangeconnectivity.com.
It's a website run by Microsoft that will test your Exchange setup. You don't have to pass every single one of those tests there; just at least one pass in each category and you should be good.
0
 
piatt (author) commented:
Thank you so much for your help!

I did find that I am able to add another (outside) IP address to my security device. So the original article I referred to will work in my situation now, using the Outlook Anywhere SSL redirection.

:-)
0
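A small Python model of the constraint the whole thread turns on, added here as an illustration and not code from the thread or from Microsoft: every Autodiscover discovery path (direct HTTPS, the port-80 redirect that "Outlook Anywhere with SSL redirection" sets up, or an SRV record) has to end on a hostname the certificate actually covers. The names domain.com / mail.domain.com and the functions cert_covers and working_paths are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not code from the thread). Models one public IP, a
# certificate naming only mail.domain.com, and a DNS host that may or may
# not support SRV records, then reports which Autodiscover steps succeed.

def cert_covers(cert_names: List[str], host: str) -> bool:
    """True if `host` matches the CN or a SAN on the certificate.
    A wildcard covers exactly one leftmost label: *.domain.com covers
    mail.domain.com but not domain.com or a.b.domain.com."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".domain.com"
            rest = host[:-len(suffix)] if host.endswith(suffix) else ""
            if rest and "." not in rest:
                return True
    return False

@dataclass
class AutodiscoverPlan:
    smtp_domain: str                      # domain part of user addresses
    cert_names: List[str]                 # CN + SANs on the single cert
    srv_target: Optional[str] = None      # host named by _autodiscover._tcp SRV
    http_redirect_target: Optional[str] = None  # host the port-80 redirect points at

def working_paths(plan: AutodiscoverPlan) -> List[str]:
    """Autodiscover steps that complete without a certificate-name mismatch.
    Outlook probes HTTPS on the SMTP domain and on autodiscover.<domain>,
    then an HTTP redirect on autodiscover.<domain>, then the SRV record.
    An HTTPS probe that lands on a name the cert does not cover is simply
    skipped here, which is why a single-name cert alone yields no path."""
    ok = []
    for host in (plan.smtp_domain, f"autodiscover.{plan.smtp_domain}"):
        if cert_covers(plan.cert_names, host):
            ok.append(f"https://{host}/autodiscover/autodiscover.xml")
    if plan.http_redirect_target and cert_covers(plan.cert_names, plan.http_redirect_target):
        ok.append(f"http-redirect -> https://{plan.http_redirect_target}/autodiscover/autodiscover.xml")
    if plan.srv_target and cert_covers(plan.cert_names, plan.srv_target):
        ok.append(f"srv -> https://{plan.srv_target}/autodiscover/autodiscover.xml")
    return ok

if __name__ == "__main__":
    single = AutodiscoverPlan("domain.com", ["mail.domain.com"])
    print(working_paths(single))                                   # []
    print(working_paths(AutodiscoverPlan("domain.com", ["mail.domain.com"],
                                         http_redirect_target="mail.domain.com")))
```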