We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


Exchange 2010: Do I need to have a seperate certificate for each of my CAS servers in my round robin CAS Array?

Medium Priority
Last Modified: 2012-05-11
Having some snafu's when it comes to assigning internal users and external users to my CASA (Client Access Server Array).  My 2ndary server doesn't have a certificate for the external namespace 'email.companyname.com'.  My guess is if I want to set up Outlook Anywhere and OWA onto the CASA namespace each server needs a public signed cert.  Am I correct?

Watch Question

Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

When you are saying CAS array is it in a NLB?
Yes you need to install the SAN certificate on all the CAS servers.
youn can use this link to see your exchange certificates


No, not a NLB.  A poor mans array, Round Robin DNS CASA.  Not doing SSL offloading.


Another funny thing is when you manager certs in the EMC and try to apply a cert to OWA or ActiveSync it wholesale gets you to choose "IIS", there is no option for choosing any sub category of IIS (OWA, Outlook Anywhere, ActiveSync, OAB, etc) in this wizard.  Fair enough, but when you run the BPA tool it informs you with a yellow exclamation "SSL is enabled on the IIS root directory", well duh, the EMC forces you to apply it across all of IIS and not specific sub folders of the default site!

I assume that to get rid of this I need to go into whatever Subfolders/Sites in IIS and remove this cert from applying to them...?  Idk, it doesn't post a link to fix this in BPA and I don't want to break anything.

Has anyone else encountered this 'feature'?
ya you can have one cert for IIS

if u dont want to use certn for a particular subdirectory u have to remove in IIS

this is the default behavior of EXCHANGE

Below link explains how to install SAN certifcate. But with round robin  I don't know how you could install the SAN certifcate. I recomend you to have just 1 CAS server instead of 2 CAS servers in round robin
if u have only one server , where does round robin come in to picture ;)

I don't think you can use round robin for  CAS serves. Never seen any one using it. It might work internally but when using for external access you going to have issues.
Forgot to paste the link


Getting a CASA (Client Access Server Array) working is a little more challenging.  I’m trying to setup a CASA with Round Robin.  It’s working internally very well for MAPI clients.  But I’m trying to extend this to OWA, ActiveSync and Outlook Anywhere for external clients.

There is a few problems with this as I am learning.  

If these requests are coming in from the firewall/router and need to be pointed to the Round Robin DNS Host(s).  But how does one do this?  The external namespace “email.domain.com” is on my public DNS servers.  This resolves to an IP and hits my firewall.  How would I “round robin” this from the firewall point to the CASA?  The CASA is technically a DNS shared namespace and not an IP address so my firewall would have to have internal DNS information.  Even with its DNS pointed internally it can't NAT an IP address to a FQDN.  If the CASA provided an IP address that I could point the firewall’s NAT policy to that would be great but it doesn’t.  The DAG has an internal IP address but the CASA doesn’t.

This is the nature of the problem and leads me to believe that user "mboppe" is correct when saying that a Round Robin CASA won't work externally.


How come I wasn't awarded any points if you felt that my comments were appropriate answer.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.