Solved

How many names do I need in my UCC certificate?

Posted on 2011-09-14
Last Modified: 2012-05-12
New installation of Exchange 2010; an existing Exchange 2003 server in the organization/domain.

I need:
- activesync over the internet
- pop3 over the internet   (don't need imap)
- owa over the internet
- mail exchanged between the new 2010 and the old 2003 without certificate errors
- mail to continue to flow back and forth between the new 2010 server and the smarthost at appriver.com (outside our network)... this is currently working with no certificates installed

How many certificates do I need?  They come in groups of 5 from godaddy.com (best price).

Thanks


0
Question by:gateguard
16 Comments
 
LVL 9

Accepted Solution

by:
jebeckham earned 125 total points
ID: 36539589
I'd go with 1 cert:

<yourservername>.<yourdomainname>.com
mail.<yourdomainname>.com (or whatever external URL you wanted to use)
legacy.<yourdomainname>.com (or whatever legacy URL you wanted to use)
<yourdomainname>.com (for TLS)
autodiscover.<yourdomainname>.com (if you wanted to support Outlook Autodiscover externally)
0
 

Author Comment

by:gateguard
ID: 36539609
And this will cover me for activesync, pop-mail and outlook web access?

Thanks.
0
 
LVL 11

Assisted Solution

by:madhatter5501
madhatter5501 earned 125 total points
ID: 36539617
If you are using all 5 names right away and you may need to upgrade later, I would purchase a 10-name SAN cert. This is because if you need more names later, you will have to buy a new SAN cert. Better just to do it up front.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 125 total points
ID: 36539893
All you need is:

mail.externaldomain.com (or owa. as you like)
autodiscover.externaldomain.com
legacy.externaldomain.com (or whatever other name you want)


You do not need anything else.
0
 
LVL 9

Expert Comment

by:jebeckham
ID: 36540324
I'd agree with the 3 regular web certs.  I was thinking in terms of a UC/SAN cert with the 5.
0
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 125 total points
ID: 36541095
Mail.domain.com (where your MX record points)
server.domain.local (local domain)
Server name (NetBIOS name)
autodiscover.domain.com


and one optional:
owa.domain.com
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36541325
Again, you do not need any NetBIOS name or internal domain in the certificate in Exchange 2010.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36541599
Per http://www.digicert.com/ssl-support/exchange-2010-san-names.htm

netbios and internal FQDN are still needed.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36541606
:) I don't care what DigiCert says, they are not needed.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36541608
ok :)
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36541626
Not needed doesn't mean they should not be added, it just means that they are not needed.

The problem in 2007 was that a lot of people were reluctant to expose the internal servers and domain names by including them in the certificates, so Microsoft worked on this in 2010 and we are now able to have it perfectly running without any NetBIOS or internal name.

If you check the New-ExchangeCertificate of Exchange 2010, you will see it has 2 options, IncludeServerFQDN and IncludeServerNetBIOSName, that would include the server FQDN (internal) and the NetBIOS name in the CSR. It means that you can add them but, if they were required, it wouldn't be an option to add them.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36541692
Thank you, Akhater, for sharing your knowledge with us.

>>if you check the New-ExchangeCertificate of exchange 2010 you will see it has 2 options IncludeServerFQDN and IncludeServerNetBIOSName that would include the server FQDN (internal) and the netbios name in the CSR it means that you can add them but, if they were required, it wouldn't be an option to add them.

In which cases would the NetBIOS names and internal FQDN be required?

thanks again.

0
 
LVL 49

Expert Comment

by:Akhater
ID: 36541747
It is never required, but you can include them; in other terms, it is easier to do the setup if the NetBIOS name and the internal FQDN are in the certificate.

Let's take an example: your internal domain is mydomain.local and your external domain is mydomain.com.

When you first do the setup, all URLs will be pointing to the internal FQDN, so, from a configuration perspective, it is easier to include the internal FQDN in the certificate than going over split DNS configuration and changing all the URLs, etc.

0
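
An added example, not part of any poster's reply: a small checker for the trade-off discussed above, comparing the external-only SAN set with the one that also carries the internal FQDN and NetBIOS name against the hostnames clients connect to before and after the URLs are changed. The server name ex2010 and all hostnames are constructed, and the wildcard handling goes beyond what the thread discusses.

```python
# Added example. Hostnames are constructed from the thread's mydomain.com /
# mydomain.local illustration; "ex2010" is a hypothetical server name.

def san_matches(san, host):
    """True if one dNSName SAN entry covers host (case-insensitive).
    A "*." entry covers exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def uncovered(sans, hosts):
    """Hostnames clients connect to that no SAN entry covers; each one
    produces a certificate name mismatch for that client."""
    return sorted(h for h in set(hosts)
                  if not any(san_matches(s, h) for s in sans))

# The two SAN sets argued for in the thread.
EXTERNAL_ONLY = ["mail.mydomain.com", "autodiscover.mydomain.com",
                 "legacy.mydomain.com"]
WITH_INTERNAL = EXTERNAL_ONLY + ["ex2010.mydomain.local", "ex2010"]

# Names clients use right after setup: internal URLs still point at the
# server's internal FQDN.
AFTER_SETUP = EXTERNAL_ONLY + ["ex2010.mydomain.local"]
# Names clients use once split DNS is in place and the internal URLs have
# been changed to the external name.
SPLIT_DNS = list(EXTERNAL_ONLY)

if __name__ == "__main__":
    for label, sans in (("external only", EXTERNAL_ONLY),
                        ("with internal", WITH_INTERNAL)):
        for stage, hosts in (("after setup", AFTER_SETUP),
                             ("split DNS", SPLIT_DNS)):
            print(f"{label:14} {stage:12} uncovered: {uncovered(sans, hosts)}")
```

Publicly trusted CAs have since stopped issuing certificates for internal names such as .local hostnames and NetBIOS names under the CA/Browser Forum Baseline Requirements, so with a public certificate on a current deployment only the split-DNS case applies.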
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36541759
Thank you dear :)
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36541764
most welcome !
0
 

Author Closing Comment

by:gateguard
ID: 36543263
Thanks, everyone.  Very interesting discussion.  

I'm going to go with the "it is easier to do the setup" and include the internal.

Thanks again.
0
