UC/SAN certificates in a multi-site environment

Posted on 2011-09-12
Last Modified: 2012-05-12

I administer an Exchange environment with 5 sites in different towns, connected via WAN links. The main office is our mail gateway (for incoming traffic, anyway) and there is a Hub/MBX/CAS server at each site in the same internal AD domain (domain.internal). While intra-office traffic is handled through the WAN/VPN, each office's server can send external mail directly and has its own OWA configuration, e.g., etc. There are also multiple public domains,,, etc. I had previously installed wildcard certificates on each server, which worked fine in the Exchange 2003 days (all sites are 2007-2010 now), but I would like to unify/simplify this process.

Two questions:
1- exactly how many SAN names do I need to include? I understand that the internal FQDN is needed, but is each individual internal servername necessary? If I'm understanding that right, my list would look something like this:
server1, server2, ..... server5
server1.domain.internal, ... server5.domain.internal
autodiscover.domain.internal, ...,, ...,

That's a lot of names! can this list reasonably be shortened?

2- Some SAN certificate vendors are now advertising certificates that can be installed on multiple servers. Would that be helpful/cost-effective in this situation, or is that more for multiple servers in the same site?

Thanks in advance for clearing this up.
Question by:ICCHOOPS
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Accepted Solution

ctc1900 earned 350 total points
ID: 36525391
For a public facing CAS, I'd suggest you avoid using internal mail servers and stick to generic names that would be used for OWA/EWS/ActiveSync access. (for E2K3 co-existance)
...and any other domain you could think you could use in the future for OWA/EWS/ActiveSync access.


Author Comment

ID: 36525610
Hi, CTC,

That seems reasonable, as I already have internal DNS stub zones for the public domains. Should I be including,,, etc. along with them?

Also, any insight on part 2 of my question?

Thanks a lot!

Assisted Solution

ctc1900 earned 350 total points
ID: 36525710
Yup, adding the city*.domain*.org makes sense.

Regarding question 2. Yes, you could add the same certificate to multiple Exchange CAS servers regardless of site, the key thing is for the SAN certificate to have the needed subject names.  In the past, I've installed the certificate in one Exchange CAS server, export it from within Exchange and import it to the other ones.
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 150 total points
ID: 36527630
How many internet facing CAs server do you have.
If more then one add all of them
Your primary domain webmail and autodiscover.
Thats all

Also for your 2nd email domain you need to make the below IIS changes

Author Comment

ID: 36713087
Thanks for sharing

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question