ehilder1
asked on
Exchange 2007 SSL, domain issues
We have inherited a configuration that we cannot back out of. Here is what we have:
Internal domain is contoso.com. We do not own contoso.com and the current owner will not sell.
The internal name of the mail server is exchange2007.contoso.com
Email domain is contosointernational.com
OWA access is through another shortened domain ctsi.com, i.e. exchange.csti.com/owa
We want to purchase a commercial cert that will allow ActiveSync to work, secure OWA access, and still allow email to work internally. How can we make this work with what we have?
Thanks.
And I forgot to mention, you can install this one certificate with multiple names on more than one server, so if you have multiple CAS servers you can use one cert.
praveenkumare_sp, indeed you are correct, I did not take into consideration the ownership of contoso.com in which case the KB does address the redirection.
ASKER
Theoretically, can we just add the cert exchange.csti.com, add the domain to our internal DNS and then point both the internal and external URL in Exchange at that location? I am not particularly concerned about autodiscover capabilities and don't quite see if there is any critical tie between server.contoso.com having a valid certificate except for autodiscover?
Since contoso.com is your primary internal domain (where your Exchange server resides), your Outlook 2007 (and up) clients will try to connect to yourCASserver.contoso.com/autodiscover/autodiscover.xml to get the location of Exchange services like OAB and F/B.
If you don't have a proper certificate for your Exchange server domain, Outlook clients will always get an invalid cert popup at start.
The solution described at KB 940726 would alleviate this problem.
Autodiscover is necessary for OOF, OAB, Free/Busy to work,
so you will have to do the following steps (copying from my previous comments).
Follow the below steps to solve your issue:
1) Get a SAN certificate which has all potential URLs used by your users in accessing your Exchange server.
2) As you cannot have exchange2007.contoso.com in your certificate as contoso.com does not belong to you, you need to change the URL used by the internal users to the URL present in the certificate.
3) Please follow the KB 940726 http://support.microsoft.com/kb/940726 to change the URLs.
Let me know if you need more info or do not understand the given link.
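Added example, not part of the original thread or of the KB text: a sketch of the internal-URL change that steps 2 and 3 describe, using the Exchange 2007 Management Shell cmdlets. It assumes the CAS is named exchange2007, uses the default "(Default Web Site)" virtual directories, and that exchange.csti.com is on the certificate and resolves to this server in internal DNS.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 CAS.
# Assumed values (taken from the names in this thread, adjust to your site):
$cas      = "exchange2007"        # NetBIOS name of the CAS
$certHost = "exchange.csti.com"   # a name that IS on the purchased certificate

# Record the current values first so the change can be reverted.
Get-ClientAccessServer -Identity $cas |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl
Get-OabVirtualDirectory         | Format-List Identity, InternalUrl
Get-UMVirtualDirectory          | Format-List Identity, InternalUrl

# Autodiscover service connection point that domain-joined Outlook
# clients read from Active Directory.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$certHost/Autodiscover/Autodiscover.xml"

# Exchange Web Services (Out of Office, Free/Busy).
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$certHost/EWS/Exchange.asmx"

# Offline Address Book distribution.
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$certHost/OAB"

# Unified Messaging web service.
Set-UMVirtualDirectory -Identity "$cas\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "https://$certHost/UnifiedMessaging/Service.asmx"

# Confirm that every internal URL now uses a host name on the certificate.
Get-ClientAccessServer -Identity $cas |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl
Get-OabVirtualDirectory         | Format-List Identity, InternalUrl
Get-UMVirtualDirectory          | Format-List Identity, InternalUrl

# End-to-end check of Autodiscover and the services it hands out.
Test-OutlookWebServices -ClientAccessServer $cas | Format-List
```

After the change no internal URL references exchange2007.contoso.com, so Outlook validates the certificate against a name the organisation controls.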
contoso.com
exchange2007.contoso.com
contosointernational.com
exchange.csti.com
Autodiscover.exchange.csti.com
Autodiscover.contosointernational.com
http://www.globalsign.com/ssl/buy-ssl-certificates/unified-communications-ssl/index.html