  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 632
  • Last Modified:

Exchange 2010: Do I need to have a separate certificate for each of my CAS servers in my round robin CAS Array?

Having some snafus when it comes to assigning internal users and external users to my CASA (Client Access Server Array). My secondary server doesn't have a certificate for the external namespace 'email.companyname.com'. My guess is if I want to set up Outlook Anywhere and OWA onto the CASA namespace each server needs a public signed cert. Am I correct?

ChocolateRain
Asked:
1 Solution
 
praveenkumare_spCommented:
You need only one certificate.

If you're doing SSL offloading then you don't need to install the certificate on the CAS server.

If you're not, you can use the same certificate on both of the CAS servers.
0
 
Malli BoppeCommented:
When you are saying CAS array is it in a NLB?
Yes you need to install the SAN certificate on all the CAS servers.
0
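An added check for the situation in the question and this answer (this is not code from the thread): resolve every A record behind the round-robin namespace, record the certificate each member actually serves, and confirm that every member covers the name and that they all present the same certificate. The namespace `email.companyname.com` comes from the question; the IPs and certificate names in `SAMPLE` are constructed.

```python
import hashlib
import socket
import ssl

def cert_names(cert):
    """Collect the CN and DNS SANs from an ssl.getpeercert() dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]

def name_matches(hostname, pattern):
    """Exact match, or a single leading '*.' label wildcard (RFC 6125 style)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return hostname == pattern

def audit(hostname, observed):
    """observed: list of (ip, fingerprint, names) per round-robin member. Returns problem
    strings; an empty list means every member serves one cert that covers the namespace."""
    problems = []
    for ip, _, names in observed:
        if not any(name_matches(hostname, n) for n in names):
            problems.append(f"{ip}: certificate does not cover {hostname} (names: {names})")
    fingerprints = {fp for _, fp, _ in observed}
    if len(fingerprints) > 1:
        problems.append(f"members serve {len(fingerprints)} different certificates; install the same SAN cert on every CAS")
    return problems

def probe(hostname, port=443, timeout=5):
    """Resolve all A records for the namespace and record what each member serves (failed handshakes get no names)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name coverage is judged by audit() across all members
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)})
    observed = []
    for ip in ips:
        try:
            with socket.create_connection((ip, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    der = tls.getpeercert(binary_form=True)
                    observed.append((ip, hashlib.sha1(der).hexdigest(), cert_names(tls.getpeercert())))
        except (OSError, ssl.SSLError) as exc:
            # untrusted or self-signed cert on a member shows up here as a handshake failure
            observed.append((ip, f"handshake-failed:{type(exc).__name__}", []))
    return observed

# Constructed sample: two CAS servers behind one round-robin name, the second still on its self-issued cert.
SAMPLE = [
    ("192.0.2.10", "aa" * 20, ["email.companyname.com", "autodiscover.companyname.com", "cas01.corp.example"]),
    ("192.0.2.11", "bb" * 20, ["cas02.corp.example"]),
]
```

Run `audit("email.companyname.com", probe("email.companyname.com"))` against the live namespace; on the sample it reports the second server's missing coverage and the mismatched certificates.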
 
praveenkumare_spCommented:
You can use this link to see your Exchange certificates:
http://praveen-exchange.blogspot.com/2011/04/where-are-my-certificates.html
0

 
ChocolateRainAuthor Commented:
No, not an NLB. A poor man's array, Round Robin DNS CASA. Not doing SSL offloading.
0
 
ChocolateRainAuthor Commented:
Another funny thing is when you manage certs in the EMC and try to apply a cert to OWA or ActiveSync it wholesale gets you to choose "IIS"; there is no option for choosing any sub category of IIS (OWA, Outlook Anywhere, ActiveSync, OAB, etc.) in this wizard. Fair enough, but when you run the BPA tool it informs you with a yellow exclamation "SSL is enabled on the IIS root directory". Well duh, the EMC forces you to apply it across all of IIS and not specific sub folders of the default site!

I assume that to get rid of this I need to go into whatever subfolders/sites in IIS and remove this cert from applying to them...? I don't know, it doesn't post a link to fix this in BPA and I don't want to break anything.

Has anyone else encountered this 'feature'?
0
 
praveenkumare_spCommented:
Yes, you can have one cert for IIS.

If you don't want to use the cert for a particular subdirectory you have to remove it in IIS.

This is the default behavior of Exchange.
0
 
Malli BoppeCommented:
The link below explains how to install a SAN certificate. But with round robin I don't know how you could install the SAN certificate. I recommend you to have just 1 CAS server instead of 2 CAS servers in round robin.
0
 
praveenkumare_spCommented:
If you have only one server, where does round robin come into the picture ;)
0
 
Malli BoppeCommented:
I don't think you can use round robin for CAS servers. Never seen anyone using it. It might work internally but when using it for external access you're going to have issues.
Forgot to paste the link:
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010
0
 
ChocolateRainAuthor Commented:
Getting a CASA (Client Access Server Array) working is a little more challenging. I'm trying to set up a CASA with Round Robin. It's working internally very well for MAPI clients. But I'm trying to extend this to OWA, ActiveSync and Outlook Anywhere for external clients.

There are a few problems with this, as I am learning.

These requests come in from the firewall/router and need to be pointed to the Round Robin DNS host(s). But how does one do this? The external namespace "email.domain.com" is on my public DNS servers. This resolves to an IP and hits my firewall. How would I "round robin" this from the firewall to the CASA? The CASA is technically a DNS shared namespace and not an IP address, so my firewall would have to have internal DNS information. Even with its DNS pointed internally it can't NAT an IP address to a FQDN. If the CASA provided an IP address that I could point the firewall's NAT policy to that would be great, but it doesn't. The DAG has an internal IP address but the CASA doesn't.

This is the nature of the problem and leads me to believe that user "mboppe" is correct when saying that a Round Robin CASA won't work externally.

0
 
Malli BoppeCommented:
How come I wasn't awarded any points if you felt that my comments were the appropriate answer?
0