Exchange 2007 SSL, domain issues

We have inherited a configuration that we cannot back out of. Here is what we have:

Internal domain is contoso.com. We do not own contoso.com and the current owner will not sell.

The internal name of the mail server is exchange2007.contoso.com.

The email domain is contosointernational.com.

OWA access is through another shortened domain, ctsi.com, i.e. exchange.csti.com/owa.

We want to purchase a commercial cert that will allow activesync to work, secure owa access, and still allow email to work internally. How can we make this work with what we have?

Thanks.
ehilder1 asked:

tomot commented:
You need to purchase a SAN (Subject Alternative Names) certificate. This type of certificate supports multiple names on it. You can purchase from Globalsign (we did), and you can add up to about 40 different names. For example:
contoso.com
exchange2007.contoso.com
contosointernational.com
exchange.csti.com
autodiscover.exchange.csti.com
autodiscover.contosointernational.com

http://www.globalsign.com/ssl/buy-ssl-certificates/unified-communications-ssl/index.html
0
tomot commented:
And I forgot to mention: you can install this one certificate with multiple names on more than one server, so if you have multiple CAS servers you can use one cert.
0
praveenkumare_sp commented:
I think tomot got it almost right, but he missed the important part where ehilder1 does not own contoso.com, and I believe that is the reason he is posting this question.

Follow the steps below to solve your issue:
1) Get a SAN certificate which has all potential URLs used by your users in accessing your Exchange server.

2) As you cannot have exchange2007.contoso.com in your certificate, as contoso.com does not belong to you, you need to change the URL used by the internal users to the URL present in the certificate.

3) Please follow KB 940726 http://support.microsoft.com/kb/940726 to change the URLs.

Let me know if you need more info or do not understand the given link.
0
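As an added example (not from this thread, and not Microsoft's KB text), the three steps above as they would be typed into the Exchange 2007 Management Shell: request a SAN certificate containing only names the organisation controls, enable it for IIS, then repoint the internal URLs at a name on that certificate so domain-joined Outlook clients stop hitting exchange2007.contoso.com. The CAS server name EXCHANGE2007, the file paths and the choice of exchange.csti.com as the single namespace are assumptions; the cmdlet parameters shown are the Exchange 2007 SP1 ones (later versions drop -Path on New-ExchangeCertificate).

```powershell
# Added example, not code from the thread. Run in the Exchange Management
# Shell on the Client Access Server. Names in this block are assumptions:
#   EXCHANGE2007                          - hypothetical CAS NetBIOS name
#   exchange.csti.com                     - namespace from the question
#   autodiscover.contosointernational.com - Autodiscover name for the mail domain
$cas       = "EXCHANGE2007"
$namespace = "exchange.csti.com"
$sanNames  = @("exchange.csti.com", "autodiscover.contosointernational.com")

# Step 1: generate the request. exchange2007.contoso.com is deliberately NOT in
# the list: a public CA will not issue for a domain you do not own, and
# keeping unowned names out of the request is the whole point of the thread.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso International, cn=$namespace" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path "C:\certs\$namespace.req"

# Submit C:\certs\exchange.csti.com.req to the CA, save the issued certificate
# as C:\certs\exchange.csti.com.cer, then import it and bind it to IIS
# (OWA, EWS, OAB, ActiveSync and Autodiscover all run under IIS).
$cert = Import-ExchangeCertificate -Path "C:\certs\$namespace.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"

# Step 2/3: change the URLs handed to clients (KB 940726). Internal DNS must
# resolve both names below to the CAS, otherwise internal clients cannot
# connect at all rather than connecting with a warning.
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "https://autodiscover.contosointernational.com/autodiscover/autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$namespace/ews/exchange.asmx" `
    -ExternalUrl "https://$namespace/ews/exchange.asmx"

Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$namespace/oab" `
    -ExternalUrl "https://$namespace/oab"

Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "https://$namespace/owa" `
    -ExternalUrl "https://$namespace/owa"

Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$namespace/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$namespace/Microsoft-Server-ActiveSync"

# Confirm what clients will now be told
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl, ExternalUrl
```

Using one namespace for internal and external URLs keeps the certificate small and means the same name works whether a laptop is on the LAN or outside; the split-brain DNS entry for exchange.csti.com on the internal DNS servers is what makes that possible with an unowned internal AD domain.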


tomot commented:
praveenkumare_sp, indeed you are correct. I did not take into consideration the ownership of contoso.com, in which case the KB does address the redirection.
0
ehilder1 (author) commented:
Theoretically, can we just add the cert for exchange.csti.com, add the domain to our internal DNS, and then point both the internal and external URL in Exchange at that location? I am not particularly concerned about autodiscover capabilities, and I don't quite see whether there is any critical tie to server.contoso.com having a valid certificate, except for autodiscover?
0
tomot commented:
Since contoso.com is your primary internal domain (where your Exchange server resides), your Outlook 2007 (and up) clients will try to connect to yourCASserver.contoso.com/autodiscover/autodiscover.xml to get the location of Exchange services like OAB and F/B.
If you don't have a proper certificate for your Exchange server domain, Outlook clients will always get an invalid-certificate pop-up at startup.
The solution described in KB 940726 would alleviate this problem.
0
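The pop-up tomot describes appears whenever a URL handed out by the CAS uses a host name that is not on the certificate bound to IIS. The following added check (not from the thread, written here as an example) enumerates every such URL on an Exchange 2007 CAS and flags the ones the enabled IIS certificate does not cover, so the mismatch can be found before users report it. It assumes a single CAS and that the certificate exposes a CertificateDomains list, as Exchange 2007 SP1 and later do.

```powershell
# Added example, not code from the thread. Run in the Exchange Management
# Shell. Compares the host name of every client-facing URL with the names on
# the certificate currently enabled for IIS; a MISMATCH line is a URL that
# will trigger the invalid-certificate warning in Outlook/OWA/ActiveSync.

# Names on the certificate enabled for IIS (Services is a flags enum).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match "IIS" } |
    Select-Object -First 1
if ($cert -eq $null) { throw "No certificate is enabled for IIS on this server." }

$certNames = @()
foreach ($d in $cert.CertificateDomains) { $certNames += $d.ToString().ToLower() }

# Every URL a client can be handed, labelled by where it comes from.
$urls = @{}
foreach ($c in (Get-ClientAccessServer)) {
    $urls["Autodiscover SCP ($($c.Name))"] = $c.AutoDiscoverServiceInternalUri
}
foreach ($vd in (Get-WebServicesVirtualDirectory)) {
    $urls["EWS internal ($($vd.Server))"]  = $vd.InternalUrl
    $urls["EWS external ($($vd.Server))"]  = $vd.ExternalUrl
}
foreach ($vd in (Get-OABVirtualDirectory)) {
    $urls["OAB internal ($($vd.Server))"]  = $vd.InternalUrl
    $urls["OAB external ($($vd.Server))"]  = $vd.ExternalUrl
}
foreach ($vd in (Get-OwaVirtualDirectory)) {
    $urls["OWA internal ($($vd.Server))"]  = $vd.InternalUrl
    $urls["OWA external ($($vd.Server))"]  = $vd.ExternalUrl
}
foreach ($vd in (Get-ActiveSyncVirtualDirectory)) {
    $urls["EAS internal ($($vd.Server))"]  = $vd.InternalUrl
    $urls["EAS external ($($vd.Server))"]  = $vd.ExternalUrl
}

# Check each host name against the certificate, honouring a *.domain entry.
foreach ($label in $urls.Keys) {
    $u = $urls[$label]
    if ($u -eq $null -or $u.ToString() -eq "") { "UNSET    $label"; continue }
    $hostName = ([System.Uri]$u.ToString()).Host.ToLower()
    $covered = $false
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { $covered = $true }
        elseif ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1))) { $covered = $true }
    }
    if ($covered) { "OK       $label -> $u" }
    else          { "MISMATCH $label -> $u  (host '$hostName' not on certificate $($cert.Thumbprint))" }
}
```

Any MISMATCH whose host ends in contoso.com is the case this thread is about: the fix is not to add that name to the certificate (the CA cannot issue it) but to change the URL with the Set-* cmdlets from KB 940726 and make sure internal DNS resolves the replacement name.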
praveenkumare_sp commented:
Autodiscover is necessary for OOF, OAB and Free/Busy to work.

So you will have to do the following steps (copied from my previous comment):

Follow the steps below to solve your issue:
1) Get a SAN certificate which has all potential URLs used by your users in accessing your Exchange server.

2) As you cannot have exchange2007.contoso.com in your certificate, as contoso.com does not belong to you, you need to change the URL used by the internal users to the URL present in the certificate.

3) Please follow KB 940726 http://support.microsoft.com/kb/940726 to change the URLs.

Let me know if you need more info or do not understand the given link.
0