Improve company productivity with a Business Account.Sign Up

x
?
Solved

UC/SAN certificates in a multi-site environment

Posted on 2011-09-12
5
Medium Priority
?
384 Views
Last Modified: 2012-05-12
Hello,

I administer an Exchange environment with 5 sites in different towns, connected via WAN links. The main office is our mail gateway (for incoming traffic, anyway) and there is a Hub/MBX/CAS server at each site in the same internal AD domain (domain.internal). While intra-office traffic is handled through the WAN/VPN, each office's server can send external mail directly and has its own OWA configuration, e.g. city1.pubdomain.com/OWA, etc. There are also multiple public domains, pubdomain.com, thisdomain.org, etc. I had previously installed wildcard certificates on each server, which worked fine in the Exchange 2003 days (all sites are 2007-2010 now), but I would like to unify/simplify this process.

Two questions:
1- exactly how many SAN names do I need to include? I understand that the internal FQDN is needed, but is each individual internal servername necessary? If I'm understanding that right, my list would look something like this:
server1, server2, ..... server5
server1.domain.internal, ... server5.domain.internal
mail.domain.internal
autodiscover.domain.internal
mail.pubdomain.com
mail.thisdomain.org
autodiscover.pubdomain.com
autodiscover.thisdomain.org
city1.pubdomain.com, ..., city5.pubdomain.com
city1.thisdomain.org, ..., city5.thisdomain.org

That's a lot of names! can this list reasonably be shortened?

2- Some SAN certificate vendors are now advertising certificates that can be installed on multiple servers. Would that be helpful/cost-effective in this situation, or is that more for multiple servers in the same site?

Thanks in advance for clearing this up.
0
Comment
Question by:ICCHOOPS
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
ctc1900 earned 1400 total points
ID: 36525391
For a public facing CAS, I'd suggest you avoid using internal mail servers and stick to generic names that would be used for OWA/EWS/ActiveSync access.

mail.domain1.org
mail.domain2.org
autodiscover.domain1.org
autodiscover.domain2.org
legacy.domain1.org (for E2K3 co-existance)
legacy.domain2.org
...and any other domain you could think you could use in the future for OWA/EWS/ActiveSync access.


0
 
LVL 1

Author Comment

by:ICCHOOPS
ID: 36525610
Hi, CTC,

That seems reasonable, as I already have internal DNS stub zones for the public domains. Should I be including city1.domain1.org, city2.domain2.org, city2.domain1.org, etc. along with them?

Also, any insight on part 2 of my question?

Thanks a lot!
0
 
LVL 4

Assisted Solution

by:ctc1900
ctc1900 earned 1400 total points
ID: 36525710
Yup, adding the city*.domain*.org makes sense.

Regarding question 2. Yes, you could add the same certificate to multiple Exchange CAS servers regardless of site, the key thing is for the SAN certificate to have the needed subject names.  In the past, I've installed the certificate in one Exchange CAS server, export it from within Exchange and import it to the other ones.
0
 
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 600 total points
ID: 36527630
How many internet facing CAs server do you have.
If more then one add all of them
Your primary domain webmail and autodiscover.
Thats all

Also for your 2nd email domain you need to make the below IIS changes
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html
0
 
LVL 1

Author Comment

by:ICCHOOPS
ID: 36713087
Thanks for sharing
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Importing Outlook PST contacts to Exchange Server can become a complicated task. Situations arise where an Exchange user is not able to import contacts from PST to Exchange Mailboxes in an efficient manner. Try SysTools Exchange Import to move conta…
Microsoft has decided to launch the Exchange Server 2019 this year for its on-premise users. What’s new now Microsoft is going to serve its users? How good is it going to be on the current Exchange Server 2016? This blog is going to answer all queri…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question