SSL Configuration for Exchange 2007/2010 Coexistence

Can anyone explain how to configure the SSL on the Exchange 2007 and 2010 CAS server in a coexistence setup? Read a bunch of different ways to do this on the internet and MS articles are not clear.

2007 CAS has existing UCC/SAN with
mail.domain.com
CAS Netbios
CAS.FQDN
autodiscover.FQDN

2010 Should have?????
mail.domain.com
autodiscover.FQDN
legacy.domain.com
2010CAS.FQDN
2007CAS.FQDN

Do I request the new 2010 CAS server with the above names and then export / import this SSL to the 2007 CAS?
Asked by: bushido2006
 
Madan Sharma (Consultant) commented:
All users can connect via the Exchange 2010 CAS server in a coexistence scenario. You only need an SSL certificate for your Exchange 2010 and just create a DNS entry for your Exchange 2007 users as legacy.domain.com.
And if you have a valid certificate on Exchange 2007 and you want to use the same on Exchange 2010, then you have to revoke your existing certificate, create a new CSR via the Exchange 2010 certificate and reissue the certificate from your SSL authority.
 
gleek commented:
Well some of your questions depend on different factors in your environment.

If you are going to co-exist you need an alternate namespace for the 2007 environment.  So if it is legacymail.domain.com you will need that in the SAN for BOTH servers.  The other way you could do this is use a wildcard certificate for both, but since either way you need a new cert, do what makes the most sense for you (keep in mind wildcard certs on 07 can be tricky with Outlook Anywhere).

So depending if you have to buy a cert or you have an internal CA you have to do the following.

Use the cert wizard on the Exchange 2010 console and create a new cert request.  
cn=mail.domain.com
SANs:
autodiscover.domain.com
legacymail.domain.com
FQDN of 2010 CAS
* FQDN of Legacy CAS (This is only if you are going to export this cert and use it for the 2007 box)

Once you get the crt or pfx file back you import the cert using Exchange 2010 pending cert request and complete it.
Assign IIS services to the cert in 2010
Open Certificates MMC
Export the Certificate and make a private key
Import the Certificate on the Exchange 2007 server
Find the thumbprint (Get-ExchangeCertificate)
Enable the Certificate (Enable-ExchangeCertificate -thumbprint XXX -Services POP,IMAP,IIS)

Now, both certs should be up and functional.
However, do not forget to change the virtual directories of OWA, AS, OAB, Web Services, etc. for 2007 for the new namespace.

Do not forget to have DNS records created for the new namespace.

Again, depending on your environment you may need to make more changes.  Do you use ISA/TMG in the DMZ?  If so you need to create legacymail.domain.com publishing rules for a web listener.  If you use Forms Based Authen you need to make sure Basic is on for 2010 to avoid double prompts.


http://blogs.technet.com/b/exchange/archive/2009/11/20/3408856.aspx

Hopefully this is enough to give you the overall idea but if you have anything more specific please ask.
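
The steps in the answer above written out as Exchange Management Shell commands. This is an added example, not part of the original posts; the host names `CAS2010.domain.local` and `CAS2007.domain.local`, the `C:\certs` paths and the `<THUMBPRINT>` placeholder are assumptions to be replaced with your own values.

```powershell
# ---- On the Exchange 2010 CAS (Exchange Management Shell) ----
# Host names, C:\certs paths and <THUMBPRINT> are placeholders (assumptions).
$names = 'mail.domain.com', 'autodiscover.domain.com', 'legacymail.domain.com',
         'CAS2010.domain.local', 'CAS2007.domain.local'

# Create the request. The private key must be marked exportable here,
# otherwise the certificate cannot later be moved to the 2007 server.
$req = New-ExchangeCertificate -GenerateRequest -SubjectName 'cn=mail.domain.com' `
         -DomainName $names -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mail.req' -Value $req

# After the CA returns the certificate, complete the pending request.
Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path 'C:\certs\mail.cer' -Encoding Byte -ReadCount 0))

# Confirm every expected name is in CertificateDomains before binding IIS.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services IIS

# Export certificate plus private key as a password-protected PFX.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint '<THUMBPRINT>' `
         -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path 'C:\certs\mail.pfx' -Value $pfx.FileData -Encoding Byte

# ---- On the Exchange 2007 CAS (after copying mail.pfx across) ----
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
Import-ExchangeCertificate -Path 'C:\certs\mail.pfx' -Password $pfxPass
Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services POP,IMAP,IIS
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services

# Move the 2007 virtual directories to the legacy namespace (OWA shown;
# ActiveSync, OAB and Web Services have their own Set-*VirtualDirectory cmdlets).
Set-OwaVirtualDirectory -Identity 'CAS2007\owa (Default Web Site)' `
    -ExternalUrl 'https://legacymail.domain.com/owa'

# The PFX holds the private key: delete it on both servers once imported.
Remove-Item -Path 'C:\certs\mail.pfx'
```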