• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502

How many names do I need in my UCC certificate?

New installation of Exchange 2010; an existing Exchange 2003 server in the organization/domain.

I need:
- activesync over the internet
- pop3 over the internet   (don't need imap)
- owa over the internet
- mail exchanged between the new 2010 and the old 2003 without certificate errors
- mail to continue to flow back and forth between the new 2010 server and the smarthost at appriver.com (outside our network)... this is currently working with no certificates installed

How many certificates do I need?  They come in groups of 5 from godaddy.com (best price).

Thanks


Asked by gateguard

4 Solutions
 
Jeff Beckham (Engineer) commented:
I'd go with 1 cert:

<yourservername>.<yourdomainname>.com
mail.<yourdomainname>.com (or whatever external URL you wanted to use)
legacy.<yourdomainname>.com (or whatever legacy URL you wanted to use)
<yourdomainname>.com (for TLS)
autodiscover.<yourdomainname>.com (if you wanted to support Outlook Autodiscover externally)
0
 
gateguard (Author) commented:
And this will cover me for activesync, pop-mail and outlook web access?

Thanks.
0
 
madhatter5501 commented:
If you are using all 5 names right away and you may need to upgrade later, I would purchase a 10-name SAN cert. This is because if you need more names later, you will have to buy a new SAN cert. Better just to do it up front.
0
 
Akhater commented:
All you need is:

mail.externaldomain.com (or owa. as you like)
autodiscover.externaldomain.com
legacy.externaldomain.com (or whatever other name you want)


You do not need anything else.
0
 
Jeff Beckham (Engineer) commented:
I'd agree with the 3 regular web certs.  I was thinking in terms of a UC/SAN cert with the 5.
0
 
Suliman Abu Kharroub (IT Consultant) commented:
mail.domain.com (where your MX record points)
server.domain.local (local domain)
Server name (NetBIOS name)
autodiscover.domain.com


and one optional:
owa.domain.com
0
 
Akhater commented:
Again, you do not need any NetBIOS name or internal domain in the certificate in Exchange 2010.
0
 
Suliman Abu Kharroub (IT Consultant) commented:
Per http://www.digicert.com/ssl-support/exchange-2010-san-names.htm

NetBIOS and internal FQDN are still needed.
0
 
Akhater commented:
:) I don't care what DigiCert says; they are not needed.
0
 
Suliman Abu Kharroub (IT Consultant) commented:
OK :)
0
 
Akhater commented:
Not needed doesn't mean they should not be added; it just means that they are not needed.

The problem in 2007 was that a lot of people were reluctant to expose the internal server and domain names by including them in the certificates, so Microsoft worked on this in 2010 and we are now able to have it perfectly running without any NetBIOS or internal name.

If you check New-ExchangeCertificate in Exchange 2010, you will see it has two options, IncludeServerFQDN and IncludeServerNetBIOSName, that include the server FQDN (internal) and the NetBIOS name in the CSR. That means you can add them, but if they were required, it wouldn't be an option to add them.
0
 
Suliman Abu Kharroub (IT Consultant) commented:
Thank you, Akhater, for sharing your knowledge with us.

>> If you check New-ExchangeCertificate in Exchange 2010, you will see it has two options, IncludeServerFQDN and IncludeServerNetBIOSName, that include the server FQDN (internal) and the NetBIOS name in the CSR. That means you can add them, but if they were required, it wouldn't be an option to add them.

In which cases would the NetBIOS name and internal FQDN be required?

Thanks again.

0
 
Akhater commented:
It is never required, but you can include them; in other terms, it is easier to do the setup if the NetBIOS name and the internal FQDN are in the certificate.

Let's take an example: if your internal domain is mydomain.local and your external domain is mydomain.com,

when you first do the setup, all URLs will be pointing to the internal FQDN, so, from a configuration perspective, it is easier to include the internal FQDN in the certificate than to go through a split DNS configuration and change all the URLs, etc.

0
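As an added example (not code posted by anyone in this thread), here is what the name lists above and the two New-ExchangeCertificate switches Akhater mentions look like in the Exchange 2010 Management Shell, followed by a check that the certificate actually bound to IIS covers every public name ActiveSync, OWA and POP3 clients will use. It assumes the thread's mydomain.com / mydomain.local names, a placeholder organisation in the subject, and a local path for the request file.

```powershell
# Added example, not from the original thread. Assumed values: external domain
# mydomain.com and internal domain mydomain.local (from the thread); the subject
# O= value and C:\certreq paths are placeholders.

# The three public names Akhater lists. The internal FQDN and NetBIOS name are
# optional and are pulled into the CSR by the two switches below.
$publicNames = @('mail.mydomain.com', 'autodiscover.mydomain.com', 'legacy.mydomain.com')

$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US, O=Placeholder Org, CN=mail.mydomain.com' `
    -DomainName $publicNames `
    -IncludeServerFQDN `          # adds ex2010.mydomain.local (optional)
    -IncludeServerNetBIOSName `   # adds EX2010 (optional)
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName 'Exchange 2010 SAN'

# Exchange 2010 SP1 removed -Path from New-ExchangeCertificate, so write the
# Base64 request out yourself and submit it to the CA.
Set-Content -Path 'C:\certreq\mail.mydomain.com.req' -Value $csr

# --- after the CA returns the signed certificate ---
$bytes = [Byte[]](Get-Content -Path 'C:\certreq\mail.mydomain.com.cer' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes |
    Enable-ExchangeCertificate -Services 'IIS,POP,SMTP'

# Verify the certificate bound to IIS carries every public name; a name that is
# missing here is a name clients will get a certificate mismatch on.
$bound   = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$missing = $publicNames | Where-Object { $bound.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning "Names missing from the IIS-bound certificate: $($missing -join ', ')"
} else {
    Write-Output "All public names are covered by thumbprint $($bound.Thumbprint)."
}
```

The internal FQDN and NetBIOS entries can be dropped from the request (omit the two switches) once external URLs and split DNS are in place, which is the trade-off Akhater describes.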
 
Suliman Abu Kharroub (IT Consultant) commented:
Thank you, dear :)
0
 
Akhater commented:
Most welcome!
0
 
gateguard (Author) commented:
Thanks, everyone. Very interesting discussion.

I'm going to go with the "it is easier to do the setup" and include the internal.

Thanks again.
0
