Solved

Wildcard and Self-Signed Certificates - Exchange 2010 upgrade

Posted on 2011-03-11
551 Views
Last Modified: 2012-05-11
We already own certificates and more importantly a wildcard certificate for our domain.  During the upgrade to Exchange 2010 from Exchange 2003, we need to make sure that we can use the wildcard to minimize downtime.  If we were to request new certificates, we would have to revoke the current certificates meaning we'd have untrusted connections for end-users until we get the new certificate generated.

If we use a wildcard certificate on our externally facing Load Balancers and do self signed certificates internally, will this work for Exchange 2010 and 2003 during coexistence?  I seem to think it will since the wildcard is a catch-all and will work for the new legacy.domain.com and the older mail.domain.com along with autodiscover.domain.com.

Can we do this?
0
Question by:liquid101
9 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35108249
It should work; you don't need to use self-signed though, you can just import the wildcard certificate into Exchange 2010.

What sort of load balancer are you using?
0
 
LVL 1

Author Comment

by:liquid101
ID: 35108311
We have F5 Load Balancers to work with.  I'm not sure of the model, but it's a pretty sweet box.  I'm just now getting a good handle on what it is capable of from the subject matter expert on the team here.
0
 
LVL 2

Expert Comment

by:ITengineer
ID: 35108317
What kind of Exchange setup do you have? One server for each role?
0
 
LVL 1

Author Comment

by:liquid101
ID: 35108363
The 2003 setup is 2 front-end OWA boxes, 1 Transport Box, and 3 Mailbox servers.  

We're looking at 2 CAS/HUB (Dual role) and 3 Mailbox servers for the 2010 setup.  We're also debating SSL offloading at the F5s to help with CPU load on the front-end servers.  No UM or Edge in the setup as we already have hardware SPAM and Anti-Virus boxes.

We're really hesitant though with such a large user-base.  Once we start the upgrade, we want to make sure that it's as seamless as possible.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35108386
Whatever you do, you will need to have the CAS and the Front End servers available externally at the same time.  Exchange 2010 will redirect the clients to the legacy URL, so this will also need to be created.  You should really just use a CAS Array and point the clients at this; there is no need to use a load balancer since the CAS array uses NLB.
0
 
LVL 1

Author Comment

by:liquid101
ID: 35108470
We're staying away from the software LB solution since the old front-end is already load balanced through the same hardware.  By creating a new VIP, we're hoping that it will redirect almost instantly with the new external DNS change.  Here's the hardware load balancing article that I've been reading for Exchange 2010:  http://goo.gl/kDNNF
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35108482
OK, that's fine.  You will still require the legacyURL and an additional IP address.

And as already stated, you can just import the wildcard certificate so there is no need to use self signed certs.
0
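The accepted solution and the follow-up both say to import the existing wildcard certificate into Exchange 2010 rather than deploy self-signed certificates on the CAS servers. The Exchange Management Shell sequence below is an added example, not code from the thread; the PFX path, the CAS server name and the domain name `domain.com` are assumptions.

```powershell
# Added example (not from the thread): import the existing wildcard certificate
# into Exchange 2010 and bind it to the client-facing services, so no self-signed
# certificate is needed on the CAS servers during coexistence.
$pfxPath   = 'C:\certs\wildcard-domain-com.pfx'   # assumption: PFX exported with private key
$casServer = 'CAS01'                               # assumption: first CAS/HUB server name

# Import the PFX on the CAS server (Exchange 2010 syntax: -FileData takes a byte array).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-ExchangeCertificate -Server $casServer `
    -FileData ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword

# Check before enabling: the SAN/subject must cover the names clients will use
# (mail., autodiscover., legacy.domain.com), the chain must validate (Status = Valid)
# and the expiry must be well past the migration window, otherwise users get
# certificate warnings instead of a seamless cut-over.
$cert | Format-List Subject, CertificateDomains, NotAfter, Status, Thumbprint

# Bind the certificate to IIS (OWA, ECP, EWS, ActiveSync, Autodiscover) and SMTP.
Enable-ExchangeCertificate -Server $casServer -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# Outlook Anywhere validates the certificate principal name; with a wildcard the
# EXPR provider must be told to accept it, or Outlook refuses the connection.
Set-OutlookProvider EXPR -CertPrincipalName 'msstd:*.domain.com'

# Verify which certificate now serves each service on the CAS.
Get-ExchangeCertificate -Server $casServer |
    Format-Table Thumbprint, Services, CertificateDomains -AutoSize
```

Repeat the import and enable steps on each CAS behind the F5 VIP so every node presents the same certificate; if SSL is offloaded at the F5, the same wildcard goes on the VIP's client SSL profile instead.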
 
LVL 1

Author Comment

by:liquid101
ID: 35108499
Thanks for the good feedback!  I have yet to find anyone who's had anything "break" during the upgrade to 2010, but we still have to be cautious.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35108506
I have done quite a few in my time and documented them in articles both here on EE and on my blog.  If you do them carefully and allow appropriate amounts of time, there is no reason why anything should go wrong.
0
