badabing1
Exchange 2010 - Certificates

Hi,
If we have the following:
company.local
company.co.uk

Exchange 2010 SP1 installed at 2 sites with the following roles at each site:

1. CAS
2. HUB
3. UM
4. MAILBOX


So, if we request a certificate with the following SAN names:

1. Email01.company.local
2. Email02.company.local
3. autodiscover.company.co.uk
4. mail.company.co.uk
5. company.co.uk

Will this be sufficient? And will the certificate need to be applied to both CAS servers?

OR

Is it possible to use a wildcard certificate even though we have 2 domain names for internal and external?

company.local
company.co.uk


Many thanks
Radweld

Where is the end point for mail.company.co.uk and autodiscover? There is technically no limit to the number of alternative names you can have on your certificate; however, you pay extra for each one, as usually you're allowed 4 entries. If mail.company.co.uk is available internally then you don't even need to specify the .local addresses; you only need autodiscover and the mail.company.co.uk address. Internal certificates can be issued from an internal PKI, but this does require auto-enrolment to be enabled by group policy to ensure certificates are also pushed to your clients.

The DNS record for mail.company.co.uk should point to your firewall or reverse proxy, which in turn directs traffic on 443 to your CAS server; if you have multiple CAS servers in a site then this would be the CasArray. In a DR scenario where the primary site goes dark, you would update the DNS record to redirect to the second site (could take up to 48 hours though).
badabing1

ASKER

Thanks for your response.

Can someone please clarify the following:

 - Is it possible to have company.local and company.co.uk as a wildcard name in ONE SSL certificate?
Akhater

You cannot have alternate names in a wildcard certificate, and you do NOT need the server names in your SAN; technically you would need only

autodiscover.company.co.uk
mail.company.co.uk


If you want to be reachable from inside on the .local then you can add mail.domain.local also.

We found that the only way it worked properly for us is to get a UC cert and list the following as the Subject Alternate Names. When we tried to use wildcard certs we kept getting errors when trying to connect via OWA through TMG.

CAS01.companyname.com
CAS02.CompanyName.com
CAS01.internal.companyname.com
CAS02.internal.CompanyName.com
owaaddress.internal.companyname.com
owaaddress.companyname.com
autodiscover.companyname.com
autodiscover.internal.companyname.com
casarray.companyname.com
casarray.internal.companyname.com
TMG01.companyname.com
TMG02.companyname.com


Thanks
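As an added example, not from anyone in this thread, here is a small checker that tells you which of the hostnames from the question (or any list, such as the UC-cert SAN list in the last post) a proposed set of SAN entries actually covers. It applies the one-label wildcard rule that browsers and RFC 6125 use, which is what decides whether `*.company.co.uk` can stand in for both namespaces.

```python
# Hostnames the question needs a certificate to answer for (constructed from the thread).
REQUIRED_NAMES = [
    "email01.company.local",
    "email02.company.local",
    "autodiscover.company.co.uk",
    "mail.company.co.uk",
    "company.co.uk",
]


def san_matches(san_entry: str, hostname: str) -> bool:
    """Does one dNSName SAN entry cover a hostname?

    Matching rule (RFC 6125 / browser behaviour): a wildcard is valid only as
    the whole left-most label and matches exactly one label. So
    *.company.co.uk covers mail.company.co.uk but neither company.co.uk
    (too few labels) nor anything under company.local (different suffix).
    Whether a CA would issue a given wildcard is a separate question.
    """
    san_entry = san_entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san_entry:
        return san_entry == hostname
    san_labels = san_entry.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards such as m*il.company.co.uk or wildcards deeper in the name.
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def uncovered(san_entries, hostnames=REQUIRED_NAMES):
    """Return the hostnames that no entry in san_entries covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_entries)]


if __name__ == "__main__":
    # The SAN list proposed in the question covers everything it lists.
    print("SAN list from the question, uncovered:", uncovered(REQUIRED_NAMES))
    # A single external wildcard leaves the .local names and the bare domain uncovered.
    print("*.company.co.uk only, uncovered:", uncovered(["*.company.co.uk"]))
```

One caveat for anyone reading this today: public CAs no longer issue certificates for non-public names such as company.local (CA/Browser Forum Baseline Requirements, since November 2015), so the .local entries now have to come from an internal PKI as Radweld describes.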