Solved

Confused On Exchange 2010 SSL Certificates

Posted on 2011-02-21
23
1,087 Views
Last Modified: 2012-05-11
Right now I have an Exchange 2003 server and a separate OWA server that uses a self-generated certificate which is hosted on our ISA server.

I'm now in the process of planning & setting up our new Exchange 2010 environment. My setup is as follows:

1x TMG server
2x CAS Servers in an Array
1x Mailbox server

I have a mix of Windows XP clients which are slowly being replaced by Windows 7.

I'm confused as to which type of SSL certificate I now have to buy.

I have read that a wildcard certificate is the way to go, but that XP clients may have problems with this type of certificate and that SAN/UC is the way to go.

Also, do I need to create a DNS or CNAME record called autodiscover, or is this automatically generated?

Please help
0
Comment
Question by:compdigit44
23 Comments
 

Expert Comment

by:fix-my-computer
ID: 34946847
Just so that you don't fall into the trap we did, don't forget to turn off encrypted traffic when adding client access to the CAS server roles, unless you have an Office 2007-2010 environment... By default it is turned on.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34947607
SAN certificate with 4 names:

1. mail.domain.com (mandatory)
2. owa.domain.com or webmail.domain.com (optional); you can use mail to access the OWA site (it depends on your external domain DNS settings)
3. autodiscover.domain.com (if you need to enable autodiscover, this is the time to include this name on the certificate)
4. server name (NetBIOS name, for example ex-server).

0
 
LVL 20

Author Comment

by:compdigit44
ID: 34951151
Thanks for the replies. Can you please help me understand the following.

1) A wildcard certificate would work, but only if you have Windows 7 clients and not XP, correct?
2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled and then enabled later on? What are the advantages or disadvantages of this feature?
3) For the SAN/UC certificate I'm still a little confused on the names needed.
3a) mail.domain.com - is this the internal FQDN of my mail server or external?
3c) On autodiscover, I'm not sure if we are going to use this feature or not, but I want the option there. Do I really need to have the host name autodiscover.domain.com, or is autodiscover just a placeholder name?

0
 
LVL 20

Author Comment

by:compdigit44
ID: 34951186
Also, since the CAS server needs to be set up before the mailbox server, does the certificate need to be installed on the CAS server before the mailbox server is set up?

When does the purchased SSL certificate get installed on my CAS server or TMG server?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34951782
You can add/remove/delete/assign certificates on the CAS server after successful installation, and on the TMG server as well.

"1) A wildcard certificate would work, but only if you have Windows 7 clients and not XP, correct?"
No, it is supported on XP, Vista and 7.
http://help.godaddy.com/article/567

"2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled and then enabled later on? What are the advantages or disadvantages of this feature?"
I haven't used Office 2003 for a long time... sorry, I can't confirm this.

"3a) mail.domain.com - is this the internal FQDN of my mail server or external?"
External.

"3c) On autodiscover, I'm not sure if we are going to use this feature or not, but I want the option there. Do I really need to have the host name autodiscover.domain.com, or is autodiscover just a placeholder name?"

One option is to create an A record (autodiscover.domain.com) to allow autodiscover to work.
Other options:
http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952016
Thanks, ok, but I'm confused: should I go with a wildcard certificate or SAN/UC if I have a mix of XP and Windows 7 clients? End-user home PCs can range from Mac through Windows 98 - Windows 7.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952029
Also, the purchased SSL certificate is installed on the CAS array and not the TMG server, correct?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34952060
You should install it on all servers (TMG and CAS servers).

This article will answer your question...
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952286
Thanks.

Right now my users access Exchange OWA by typing in something like this:

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34953742
Should I set up my Windows 2008 NLB before I install the Exchange CAS role or after?
0
 

Expert Comment

by:fix-my-computer
ID: 34954268
To answer about Office 2003 and encrypted traffic, it is as simple as this: if you have ANY Outlook 2003 users and you have forgotten to turn it off (on by default), they will not connect, period. Outlook 2003 does not support encrypted traffic point to point, only Outlook 2007 and above.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34954449
Thank you.

Any thoughts on my other question?

Right now my users access Exchange OWA by typing in something like this:

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956315
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956367
"For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?"

If I understood you, you need to access OWA as mail.domain.com? If so, it depends on the CAS configuration in the EMC (it is configurable and doable).

Furthermore, how do external clients find the Exchange server (DNS resolving process)? Clients ask DNS for the MX record, then the MX should point to an A record (for example mail.domain.com).
0
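The resolution chain described in the comment above (MX record, then the A record the MX points at, plus the autodiscover name from earlier in the thread) can be checked from any workstation. The following is an added example and not part of the thread; it assumes `Resolve-DnsName` (Windows 8 / Server 2012 or later) and uses `domain.com` as a placeholder for your own external domain.

```powershell
# Added example (not from the thread): verify the external DNS records that
# Outlook, OWA and Internet mail senders depend on. Replace the placeholder
# domain with your own; all names queried here are public DNS lookups.
$Domain = 'domain.com'

function Test-ExchangeDns {
    param([string]$Domain)
    $result = [ordered]@{}

    # 1. MX record: where Internet senders deliver mail for the domain.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' }
    $result.MX = @($mx | Select-Object -ExpandProperty NameExchange)

    # 2. Each MX target must resolve to an A record (for example mail.domain.com);
    #    this is also the name that must appear on the certificate.
    foreach ($target in $result.MX) {
        $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        $result["A:$target"] = @($a | Select-Object -ExpandProperty IPAddress)
    }

    # 3. Autodiscover: an A or CNAME record for autodiscover.<domain> ...
    $auto = Resolve-DnsName -Name "autodiscover.$Domain" -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -in 'A','CNAME' }
    $result.Autodiscover = @($auto | ForEach-Object {
        if ($_.Type -eq 'CNAME') { $_.NameHost } else { $_.IPAddress } })

    #    ... or an SRV record _autodiscover._tcp.<domain> pointing at a host
    #    name that is already on the certificate.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $result.AutodiscoverSrv = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })

    [pscustomobject]$result
}

Test-ExchangeDns -Domain $Domain | Format-List
```

An empty `MX` or `A:` entry means Internet mail cannot find the server at all; an empty `Autodiscover` and `AutodiscoverSrv` together means Outlook 2007+ clients will only find the server through the `https://domain.com/autodiscover` fallback. Whatever name the records resolve to is the name the certificate has to carry.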
 
LVL 20

Author Comment

by:compdigit44
ID: 34961820
Which type of certificate, from your experience, do you recommend I should get: a SAN/UC or wildcard?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34961969
SAN is enough for Exchange server publishing, but a wildcard would help if you want to publish other services...

So, if you want to use it for Exchange server publishing, SAN will work perfectly.
0
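The practical difference between the two certificate types discussed above and earlier in the thread (SAN/UC versus wildcard) comes down to which host names each one matches. The following added example, which is not from the thread, makes that rule concrete: a wildcard entry matches exactly one DNS label, so `*.domain.com` covers `mail.domain.com` but not the bare `domain.com` nor a short NetBIOS name. The two certificates and the name list are constructed placeholders; on a real CAS the name list to check against comes from `Get-ExchangeCertificate | Select-Object -ExpandProperty CertificateDomains`.

```powershell
# Added example (not from the thread): report which required host names a
# certificate's name list covers, applying the single-label wildcard rule that
# browsers and Outlook use. Certificates below are constructed placeholders.

function Test-NameMatch {
    # $true if $Name is matched by the certificate name $CertName.
    param([string]$Name, [string]$CertName)
    if (-not $CertName.StartsWith('*.')) { return ($Name -ieq $CertName) }
    $suffix = $CertName.Substring(1)                      # '.domain.com'
    if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $Name.Substring(0, $Name.Length - $suffix.Length)
    # Exactly one label: non-empty and containing no further dot.
    return ($label.Length -gt 0 -and $label -notmatch '\.')
}

function Get-CertificateNameCoverage {
    param([string[]]$RequiredNames, [string[]]$CertificateDomains)
    foreach ($n in $RequiredNames) {
        $hits = @($CertificateDomains | Where-Object { Test-NameMatch -Name $n -CertName $_ })
        [pscustomobject]@{ Name = $n; Covered = ($hits.Count -gt 0) }
    }
}

# Names from the thread: external mail name, OWA, autodiscover, the internal
# FQDN and short name of the CAS, and the bare domain (all placeholders).
$required = 'mail.domain.com','owa.domain.com','autodiscover.domain.com',
            'ser1.domain.com','ser1','domain.com'

$sanCert      = 'mail.domain.com','owa.domain.com','autodiscover.domain.com','ser1.domain.com','ser1'
$wildcardCert = '*.domain.com'

'SAN/UC certificate:'
Get-CertificateNameCoverage -RequiredNames $required -CertificateDomains $sanCert | Format-Table -AutoSize
'Wildcard certificate:'
Get-CertificateNameCoverage -RequiredNames $required -CertificateDomains $wildcardCert | Format-Table -AutoSize
```

With these inputs the SAN certificate covers everything it lists and nothing else, while the wildcard covers the four `*.domain.com` hosts but reports `ser1` and `domain.com` as uncovered. That is the trade-off in the answer above: a SAN certificate is an explicit allow-list of names, a wildcard is convenient for publishing additional services but still needs the bare domain or any short internal name added as separate SAN entries if clients use them.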
 
LVL 20

Author Comment

by:compdigit44
ID: 34962649
Thanks..
BTW, if the internal name of my CAS server is ser1.domain.com, can I set up another name for the server externally?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34962935
Yes, you can.

For example, the external mail record is mail.domain.com, but internally it is ser1.domain.com.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34963112
Great thanks
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34964176
Stupid question: do I run the certificate creation wizard against my mailbox server or CAS server?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34965156
Not stupid at all: the CAS server, because it faces and serves the clients.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34972149
Thanks..

But this certificate that is generated from the CAS server gets installed on both my CAS and TMG servers, which are physical servers, correct?
0
 
LVL 23

Accepted Solution

by: Suliman Abu Kharroub (earned 500 total points)
ID: 34974585
You should generate the certificate and install it on the CAS server itself (regardless of whether it is a physical or virtual machine). Then export this certificate with the private key to the TMG server and install it.
0
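The accepted solution above, together with the SAN name list from earlier in the thread, is one procedure: request the certificate on the CAS, install and enable it there, then export it with its private key for TMG. The following is an added example of that procedure in the Exchange 2010 Management Shell; it is not code from the thread. The host names, subject, file paths and friendly name are placeholders, and the example assumes the CAS role is already installed on the server where it runs.

```powershell
# Added example (not from the thread): request, install, enable and export the
# CAS certificate in the Exchange Management Shell on the CAS server.
# Names, organisation and paths are placeholders; replace with your own.
$names = 'mail.domain.com','owa.domain.com','autodiscover.domain.com','ser1.domain.com'

# 1. Generate a SAN certificate request on the CAS. The private key is created
#    here and marked exportable so the same key pair can later be moved to TMG.
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName 'C=US, O=Contoso Ltd, CN=mail.domain.com' `
    -DomainName $names -FriendlyName 'Exchange 2010 CAS'
Set-Content -Path 'C:\certs\cas-request.req' -Value $request
# Submit C:\certs\cas-request.req to the CA and save the issued certificate
# as C:\certs\cas-signed.cer before continuing.

# 2. Import the issued certificate on the same CAS (it pairs with the key from step 1).
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\cas-signed.cer' -Encoding Byte -ReadCount 0))

# 3. Bind it to the client-facing services: IIS for OWA, Autodiscover, EWS and
#    ActiveSync; SMTP so inbound mail can negotiate TLS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Confirm the names and services on the installed certificate and its expiry.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint,CertificateDomains,Services,NotAfter

# 5. Export with the private key as a password-protected PFX for TMG (and for
#    any other CAS array member, which needs the identical certificate).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\cas-for-tmg.pfx' -Value $pfx.FileData -Encoding Byte
# Copy the PFX to TMG over an authenticated channel, import it into the local
# computer store there, bind it to the web listener, then delete the PFX file
# from both machines: it contains the private key.
```

Because the PFX carries the private key, treat the file the way the accepted solution implies: it exists only for the transfer, and the same file is what each CAS array member imports so that both nodes present an identical certificate behind the NLB name.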
