Solved

Confused On Exchange 2010 SSL Certificates

Posted on 2011-02-21
1,092 Views
Last Modified: 2012-05-11
Right now I have an Exchange 2003 server and a separate OWA server that uses a self-generated certificate which is hosted on our ISA server.

I'm now in the process of planning & setting up our new Exchange 2010 environment. My setup is as follows:

1x TMG server
2x CAS Servers in an Array
1x Mailbox server

I have a mix of Windows XP clients which are slowly being replaced by Windows 7.

I'm confused as to which type of SSL certificate I now have to buy.

I have read that a Wildcard certificate is the way to go, but XP clients may have problems with this type of certificate and that SAN/UC is the way to go.

Also, do I need to create a DNS or CNAME record called autodiscover, or is this automatically generated?

Please help
Question by:compdigit44
23 Comments
 

Expert Comment

by:fix-my-computer
ID: 34946847
Just so that you don't fall into the trap we did, don't forget to turn off encrypted traffic when adding client access to the CAS server roles, unless you have an Office 2007-2010 environment... By default it is turned on.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34947607
SAN certificate with 4 names:

1. Mail.domain.com (mandatory)
2. OWA.domain.com or webmail.domain.com (optional); you can use mail to access the OWA site (it depends on your external domain DNS settings)
3. autodiscover.domain.com (if you need to enable autodiscover, this is the time to include this name on the certificate)
4. server name (NetBIOS name, for example ex-server).

0
 
LVL 20

Author Comment

by:compdigit44
ID: 34951151
Thanks for the replies. Can you please help me understand the following:

1) A Wildcard certificate would work but only if you have Windows 7 clients and not XP, correct?
2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled, then enabled later on? What are the advantages or disadvantages of this feature?
3) For the SAN/UC certificate I'm still a little confused about the names needed.
3a) mail.domain.com - is this the internal FQDN of my mail server or external?
3c) On the autodiscover, I'm not sure if we are going to use this feature or not, but I want the option there though. Do I really need to have the host name autodiscover.domain.com, or is autodiscover just a placeholder name?

0
 
LVL 20

Author Comment

by:compdigit44
ID: 34951186
Also, since the CAS server needs to be set up before the mailbox server, does the certificate need to be installed on the CAS server before the mailbox server is set up?

When does the purchased SSL certificate get installed on my CAS server or TMG server?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34951782
You can add/remove/delete/assign certificates to the CAS server after a successful installation, and to the TMG server as well.

"1) A Wildcard certificate would work but only if you have Windows 7 clients and not XP, correct?"
No, it is supported on XP, Vista and 7.
http://help.godaddy.com/article/567

"2) We are using Office 2007 and maybe a few Office 2003 installs still remaining. Can client encryption be disabled, then enabled later on? What are the advantages or disadvantages of this feature?"
I haven't used Office 2003 for a long time... sorry, I can't confirm this.

"3a) mail.domain.com - is this the internal FQDN of my mail server or external?"
External.

"3c) On the autodiscover, I'm not sure if we are going to use this feature or not, but I want the option there though. Do I really need to have the host name autodiscover.domain.com, or is autodiscover just a placeholder name?"

One option is to create an A record (autodiscover.domain.com) to allow autodiscover to work.
Other options:
http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952016
Thanks, OK, but I'm confused: should I go with a Wildcard certificate or SAN/UC if I have a mix of XP and Windows 7 clients? End user home PCs can range anywhere from Mac through Windows 98 - Windows 7.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952029
Also, the purchased SSL certificate is installed on the CAS array and not the TMG server, correct?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34952060
You should install it on all servers (TMG and CAS servers).

This article will answer your question...
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34952286
Thanks.

Right now my users access Exchange OWA by typing in something like this:

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34953742
Should I set up my Windows 2008 NLB before I install the Exchange CAS role or after?
0
 

Expert Comment

by:fix-my-computer
ID: 34954268
To answer about Office 2003 and encrypted traffic, it is as simple as this. If you have ANY Outlook 2003 users and you have forgotten to turn it off (it is on by default), they will not connect, period. Outlook 2003 does not support encrypted traffic point to point, only Outlook 2007 and above.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34954449
Thank you.

Any thoughts on my other question?

Right now my users access Exchange OWA by typing in something like this:

https://owa.domain.com/exchange

For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956315
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34956367
"For my new SSL certificate, could I just register my new external mail server name, which would cover OWA as well?"

If I understood you, you need to access OWA as mail.domain.com? If so, it depends on the CAS configuration in the EMC (it is configurable and doable).

Furthermore, how do external clients find the Exchange server (DNS resolving process)? Clients ask DNS for the MX record, then the MX should point to an A record (for example mail.domain.com).
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34961820
Which type of certificate, from your experience, do you recommend I should get: a SAN/UC or Wildcard?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34961969
SAN is enough for Exchange server publishing, but a Wildcard would help if you want to publish other services...

So, if you want to use it for Exchange server publishing, SAN will work perfectly.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34962649
Thanks.
BTW, if the internal name of my CAS server is ser1.domain.com, can I set up another name for the server externally?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34962935
Yes, you can.

For example, the external mail record is mail.domain.com but internally it is ser1.domain.com.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34963112
Great thanks
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34964176
Stupid question: do I run the certificate creation wizard against my mailbox server or CAS server?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34965156
Not stupid at all, CAS server, because it faces and serves the clients.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 34972149
Thanks.

But this certificate that is generated from the CAS server gets installed on both my CAS and TMG server, which are physical servers, correct?
0
 
LVL 23

Accepted Solution

by:Suliman Abu Kharroub (earned 2000 total points)
ID: 34974585
You should generate the certificate and install it on the CAS server itself (regardless of whether it is a physical or virtual machine), then export this certificate with the private key to the TMG server and install it.
0
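The accepted solution and the earlier four-name SAN list, carried through as an added Exchange Management Shell example (not posted by anyone in this thread): request a SAN certificate on the CAS with an exportable private key, bind it to IIS and SMTP, check that every name clients will use is actually on it, and export a PFX for TMG. The host names mail.domain.com, autodiscover.domain.com and ser1.domain.com come from the thread; the organisation name, file paths and PFX password are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the CAS server.
# Assumed placeholders: O=Example Org, C:\certs\*, and the PFX password entered at the prompt.

# 1. Generate the request with the SAN names the thread lists.
#    PrivateKeyExportable is required so the key can later be moved to TMG.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.domain.com" `
    -DomainName mail.domain.com, autodiscover.domain.com, ser1.domain.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\certs\cas-request.req -Value $req   # send this file to the CA

# 2. After the CA returns the signed certificate, import it and bind it to
#    IIS (OWA, EWS, Autodiscover, Outlook Anywhere) and SMTP.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path C:\certs\mail_domain_com.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Verify the installed certificate carries every name clients resolve to,
#    so a missing SAN entry is caught here rather than as a client-side warning.
$required  = "mail.domain.com", "autodiscover.domain.com", "ser1.domain.com"
$installed = (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).CertificateDomains
$missing   = $required | Where-Object { $installed -notcontains $_ }
if ($missing) { Write-Warning "Certificate is missing names: $($missing -join ', ')" }

# 4. Export certificate plus private key as a password-protected PFX for TMG.
#    The PFX contains the private key: move it over a trusted channel and delete it afterwards.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path C:\certs\cas-for-tmg.pfx -Value $pfx.FileData -Encoding Byte
```

On the TMG server the PFX is imported into the Local Computer personal store and selected on the web listener, so the same names are presented to clients whether they reach TMG or the CAS directly.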
