Solved

Confused On Exchange 2010 SSL Certificates

Posted on 2011-02-21
Last Modified: 2012-05-11
Right now I have an Exchange 2003 server and a separate OWA server that uses a self-generated certificate, which is hosted on our ISA server.

I'm now in the process of planning & setting up our new Exchange 2010 environment. My setup is as follows:

1x TMG server
2x CAS Servers in an Array
1x Mailbox server

I have a mix of Windows XP clients which are slowly being replaced by Windows 7.

I'm confused as to which type of SSL certificate I now need to buy.

I have read that a Wildcard certificate is the way to go, but XP clients may have problems with this type of certificate and that SAN/UC is the way to go.

Also, do I need to create a DNS or CNAME record called autodiscover, or is this automatically generated???

Please help
Question by: compdigit44

23 Comments

Expert Comment

by:fix-my-computer
ID: 34946847
Just so that you don't fall into the trap we did, don't forget to turn off encrypted traffic when adding client access to the CAS server roles, unless you have an Office 2007-2010 environment... By default it is turned on.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34947607
SAN certificate with 4 names:

1. mail.domain.com (mandatory)
2. owa.domain.com or webmail.domain.com (optional); you can use mail to access the OWA site (it depends on your external domain DNS settings)
3. autodiscover.domain.com (if you need to enable autodiscover, this is the time to include this name on the certificate)
4. server name (NetBIOS name, for example ex-server)

 
LVL 19

Author Comment

by:compdigit44
ID: 34951151
Thanks for the replies. Can you please help me understand the following.

1) A Wildcard certificate would work but only if you have Windows 7 clients and not XP, correct?
2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled then enabled later on? What are the advantages or disadvantages of this feature?
3) For the SAN/UC certificate I'm still a little confused on the names needed
3a) mail.domain.com - is this the internal FQDN of my mail server or external?
3c) On the autodiscover I'm not sure if we are going to use this feature or not but I want the option there though. Do I really need to have the host name autodiscover.domain.com or is autodiscover just a placeholder name???

 
LVL 19

Author Comment

by:compdigit44
ID: 34951186
Also, since the CAS server needs to be set up before the mailbox server, does the certificate need to be installed on the CAS server before the mailbox server is set up?

When does the purchased SSL certificate get installed on my CAS server or TMG server????
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34951782
You can add/remove/delete/assign certificates to the CAS server after successful installation, and the TMG server as well.

"1) A Wildcard certificate would work but only if you have Windows 7 clients and not XP, correct?"
No, it is supported on XP, Vista and 7.
http://help.godaddy.com/article/567

"2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled then enabled later on? What are the advantages or disadvantages of this feature?"
I haven't used Office 2003 in a long time... sorry, I can't confirm this.

"3a) mail.domain.com - is this the internal FQDN of my mail server or external?"
External.

"3c) On the autodiscover I'm not sure if we are going to use this feature or not but I want the option there though. Do I really need to have the host name autodiscover.domain.com or is autodiscover just a placeholder name???"

One option is to create an A record (autodiscover.domain.com) to allow autodiscover to work.
Other options:
http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx
 
LVL 19

Author Comment

by:compdigit44
ID: 34952016
Thanks, OK, but I'm confused: should I go with a wildcard certificate or SAN/UC if I have a mix of XP and Windows 7 clients? End user home PCs can range anything from Mac through Windows 98 - Windows 7.
 
LVL 19

Author Comment

by:compdigit44
ID: 34952029
Also, the purchased SSL certificate is installed on the CAS array and not the TMG server, correct???
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34952060
You should install it on all servers (TMG and CAS servers).

This article will answer your question...
 
LVL 19

Author Comment

by:compdigit44
ID: 34952286
Thanks.

Right now my users access Exchange OWA by typing in something like this

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
 
LVL 19

Author Comment

by:compdigit44
ID: 34953742
Should I set up my Windows 2008 NLB before I install the Exchange CAS role or after?
 

Expert Comment

by:fix-my-computer
ID: 34954268
To answer about Office 2003 and encrypted traffic, it is as simple as this. If you have ANY Outlook 2003 users and you have forgotten to turn it off (on by default) they will not connect, period. Outlook 2003 does not support encrypted traffic point to point, only Outlook 2007 and above.
 
LVL 19

Author Comment

by:compdigit44
ID: 34954449
Thank you

Any thoughts on my other question..

Right now my users access Exchange OWA by typing in something like this

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956315
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956367
"For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?"

If I understood you, you need to access OWA as mail.domain.com? If so, it depends on the CAS configuration in the EMC (it is configurable and doable).

Furthermore, how can external clients find the Exchange server (DNS resolving process)? Clients ask DNS for the MX record, then the MX should point to an A record (for example mail.domain.com).
 
LVL 19

Author Comment

by:compdigit44
ID: 34961820
Which type of certificate, from your experience, do you recommend I should get: SAN/UC or Wildcard?
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34961969
SAN is enough for Exchange server publishing, but Wildcard would help if you want to publish other services...

So, if you want to use it for Exchange server publishing, SAN will work perfectly.
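To make the SAN-versus-wildcard trade-off concrete, here is an added PowerShell example (not from this thread) that checks which of the names discussed above each certificate type actually covers. The name lists are the thread's placeholders (mail/owa/autodiscover.domain.com, ser1.domain.com, ex-server); the matching rule is the standard one-label wildcard rule, and Test-NameCovered is a helper written for this example.

```powershell
# Added example (not from the thread): which of the thread's names a wildcard
# certificate covers versus an explicit SAN list. The name lists are the thread's
# placeholders; the matching rule is the standard one-label wildcard rule (RFC 6125).
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn -ieq $Name) { return $true }          # exact SAN entry
        if ($cn.StartsWith("*.")) {
            $suffix = $cn.Substring(1)               # "*.domain.com" -> ".domain.com"
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                # The wildcard replaces exactly one label: it matches mail.domain.com
                # but not domain.com itself, a.b.domain.com, or a bare NetBIOS name.
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Names from the thread: external names, the internal FQDN and the NetBIOS name of the CAS.
$required = "mail.domain.com", "owa.domain.com", "autodiscover.domain.com",
            "ser1.domain.com", "ex-server"
$wildcard = @("*.domain.com")
$san      = "mail.domain.com", "owa.domain.com", "autodiscover.domain.com", "ex-server"

foreach ($n in $required) {
    "{0,-26} wildcard: {1,-5} SAN: {2}" -f $n,
        (Test-NameCovered -Name $n -CertNames $wildcard),
        (Test-NameCovered -Name $n -CertNames $san)
}
# ex-server is covered only by the SAN list and ser1.domain.com only by the wildcard,
# so whichever type is bought, its name list must be checked against every name in use.
```

Note that public CAs have not issued certificates containing non-public names such as a bare NetBIOS name like ex-server since the CA/Browser Forum Baseline Requirements prohibited them in November 2015, so on a current deployment the internal Exchange URLs are pointed at the public names instead.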
 
LVL 19

Author Comment

by:compdigit44
ID: 34962649
Thanks..
BTW, if the internal name of my CAS server is ser1.domain.com, can I set up another name for the server externally???
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34962935
Yes, you can.

For example, the external mail record is mail.domain.com but internally it is ser1.domain.com.
 
LVL 19

Author Comment

by:compdigit44
ID: 34963112
Great thanks
 
LVL 19

Author Comment

by:compdigit44
ID: 34964176
Stupid question: do I run the certificate creation wizard against my mailbox server or CAS server?
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34965156
Not stupid at all: the CAS server, because it faces and serves the clients.
 
LVL 19

Author Comment

by:compdigit44
ID: 34972149
Thanks..

But this certificate that is generated from the CAS server gets installed on both my CAS and TMG servers, which are physical servers, correct?
 
LVL 23

Accepted Solution

by: Suliman Abu Kharroub (earned 500 total points)
ID: 34974585
You should generate the certificate and install it on the CAS server itself (regardless of whether it is a physical or virtual machine). Then export this certificate with the private key to the TMG server and install it.
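The accepted procedure (request and install on the CAS, then export with the private key for TMG) and the four-name SAN list suggested earlier in the thread, as an added Exchange 2010 Management Shell example that is not from the thread or from Microsoft's documentation. The host names are the thread's placeholders; the organisation in the subject, the C:\certs paths, the choice of IIS and SMTP services and the handling of the second CAS array member are assumptions.

```powershell
# Added example (not from the thread): Exchange 2010 Management Shell, run on one CAS.
# Host names are the thread's placeholders; org name, file paths and the
# second-CAS handling are assumptions.

# Every name clients will use, internal and external, goes into the SAN list.
$names = "mail.domain.com", "owa.domain.com", "autodiscover.domain.com", "ex-server"

# 1. Generate the request on the CAS. PrivateKeyExportable is what later lets the
#    same certificate be moved to TMG and to the second CAS in the array.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=mail.domain.com" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\cas.req" -Value $csr

# 2. Submit cas.req to the CA; when the signed certificate (cas.cer) comes back,
#    import it on the same CAS (so it pairs with the private key) and bind it.
#    IIS covers OWA, Outlook Anywhere, EWS and Autodiscover; SMTP is optional.
$certBytes = [byte[]](Get-Content -Path "C:\certs\cas.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 3. Check that the issued certificate really carries every name before exporting it.
$issued  = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$domains = $issued.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }

# 4. Export certificate + private key as a password-protected PFX for the TMG server
#    (and the other CAS array member). Import it there through the TMG certificate
#    store, or with Import-ExchangeCertificate on the second CAS; delete the PFX after.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\cas.pfx" -Value $pfx.FileData -Encoding Byte
```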