
How to configure SCP and CAS array with 3 servers, and what is the correct URL namespace in the UC certificate?

Hi,
I have a question regarding the configuration of the URL namespace in the UC certificate when we use a CAS array.
Here are the details:
My internal and external domain name is the same: "MyDomain.COM"
Client Access Server 1 = ch1
Client Access Server 2 = ch2
Client Access Server 3 = ch3
CAS Array = email.mydomain.com
Mailbox Server 1 = MBX1
Mailbox Server 2 = MBX2
Mailbox Server 3 = MBX3
DAG Name = DAG01.mydomain.com

Questions
1. What should be configured in the internal and external URLs on OWA, EWS, Autodiscover, etc.?

2. Do I need to include the CAS array name as the internal URL?

3. Do I need to include all the CAS server names in the UC certificate? For example, in my site should I include ch1, ch2, ch3 with the domain name?

4. Do I need to change something in the SCP in Active Directory?

5. Do I need to include the legacy.mydomain.com namespace?

Thank you
Asked by: Ofer_Eliasi

1 Solution

e_aravind commented:
Questions
1. What should be configured in the internal and external URLs on OWA, EWS, Autodiscover, etc.?
OWA
InternalURL -- https://fqdn-node1/owa (replace fqdn-node1 with fqdn-node2 and fqdn-node3 for the other 2 servers)
ExternalURL -- https://email.mydomain.com/owa

EWS
InternalURL -- https://fqdn-node1/ews/exchange.asmx (replace fqdn-node1 with fqdn-node2 and fqdn-node3 for the other 2 servers)
ExternalURL -- https://email.mydomain.com/ews/exchange.asmx

2. Do I need to include the CAS array name as the internal URL?
IMO, no need to have the CAS array name as the InternalURL.

3. Do I need to include all the CAS server names in the UC certificate? For example, in my site should I include ch1, ch2, ch3 with the domain name?
Yes

4. Do I need to change something in the SCP in Active Directory?
Normally the SCP entries would be the FQDNs of the CAS servers.
That's why we need to have the CAS server names in the UC certificate.

5. Do I need to include the legacy.mydomain.com namespace?
From the diagram you don't have any legacy (E2k3) server, so no need to have that URL in the UC certificate or in any of the URLs.

Option-2:
=========
If you want to reduce the number of entries in the UC certificate:
a) you can have the InternalURL and ExternalURL as email.mydomain.com
b) change the SCP objects in AD to email.mydomain.com:
Set-ClientAccessServer -Identity server1 -AutoDiscoverServiceInternalUri https://email.domain.com/autodiscover/autodiscover.xml
Note: You may need to do the same for all 3 nodes.
Ensure that email.domain.com resolves to the CAS array.

IMO, the above configuration should work fine.
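An added example, not code from any poster in this thread: an Exchange 2010 Management Shell script that applies the Option-2 layout above to the three CAS servers and then audits every hostname each server hands out (OWA, EWS, SCP, server FQDN) against the names on its IIS certificate, which is the check that explains the Outlook name-mismatch prompt. The server names, the array name email.mydomain.com and the external name webmail.mydomain.com (from the asker's later reply) are assumptions.

```powershell
# Added example (not from any poster). Exchange 2010 Management Shell, PowerShell 2.0 syntax.
# Assumed names: CAS servers ch1/ch2/ch3, internal CAS array email.mydomain.com,
# external name webmail.mydomain.com.
$casServers   = 'ch1', 'ch2', 'ch3'
$arrayFqdn    = 'email.mydomain.com'     # internal only; keep it out of public DNS
$externalFqdn = 'webmail.mydomain.com'

foreach ($s in $casServers) {
    # Option-2: every CAS advertises the array name internally and one public name externally
    Set-OwaVirtualDirectory -Identity "$s\owa (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/owa" -ExternalUrl "https://$externalFqdn/owa"
    Set-WebServicesVirtualDirectory -Identity "$s\EWS (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/ews/exchange.asmx" `
        -ExternalUrl "https://$externalFqdn/ews/exchange.asmx"
    # The SCP object in AD is what domain-joined Outlook queries first for Autodiscover
    Set-ClientAccessServer -Identity $s `
        -AutoDiscoverServiceInternalUri "https://$arrayFqdn/autodiscover/autodiscover.xml"
}

# Audit: every hostname a client can be handed must be covered by the IIS certificate,
# otherwise Outlook shows the "name on the security certificate is invalid" prompt.
function Test-CasNameCoverage {
    param([Parameter(Mandatory=$true)][string]$Server)
    $hosts = @()
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server)
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($u) { $hosts += ([uri]$u).Host }
        }
    }
    $scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    if ($scp) { $hosts += ([uri]$scp).Host }
    $hosts += "$Server.mydomain.com"     # server FQDN, hit when a client bypasses the array

    # Certificate bound to IIS on this server; CertificateDomains lists the CN and SANs.
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    $missing = $hosts | Sort-Object -Unique | Where-Object {
        $h = $_
        # exact SAN match, or a wildcard SAN (*.mydomain.com) covering this host
        -not ($cert.CertificateDomains | Where-Object {
            $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_) })
    }
    New-Object PSObject -Property @{
        Server = $Server; Thumbprint = $cert.Thumbprint; MissingNames = $missing }
}

$casServers | ForEach-Object { Test-CasNameCoverage -Server $_ } | Format-List
```

An empty MissingNames list for all three servers means no URL or SCP value can trigger the mismatch prompt; any name listed must be added to the certificate request or removed from the URLs.
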
seb_acker commented:
Hi

I don't totally agree with the preceding:
1) InternalURL should also point to the CAS array name, otherwise the CAS failover and load-balancing process will not be used for internal connections.

3) The certificate that's installed on the CAS servers must effectively have all names that will be used INTERNALLY, including the server DNS names.
If you're using a reverse proxy for publishing the server to the internet, the certificate on the proxy should only use the names email.domain, autodiscover.domain.com (and perhaps one or two more if you want to separate the external access for Outlook, OWA and ActiveSync).

Akhater commented:
OK, let me see how to say this.

1. When you call your CAS array name email.domain.com you give me the impression that the same URL will be used to access OWA from outside the company. If this is the case then your CAS array name is "wrong"! Your CAS array name should NOT be resolvable from outside the company; it should be resolvable only from inside the company.

2. The CAS array name does NOT need to be in the certificate.

3. Your internal server names do NOT need to be in the certificate.

4. The internal URL for OWA and ECP should always be the server FQDN and not the NLB name or anything else.

Ofer_Eliasi (Author) commented:
The CAS array name email.domain.com is not the external name.
The external name is webmail.domain.com.
I understand that the CAS array name should not be included in the certificate, but what about all the CAS servers' internal FQDNs, for example ch1.domain.com, ch2.domain.com and ch3.domain.com?
The reason I am asking this is because the Outlook 2010 client prompts me with an error regarding mismatched names in the certificate.

I am going to request a certificate with the names:

webmail.domain.com (for my external users)
autodiscover.domain.com
ch1.domain.com
ch2.domain.com
ch3.domain.com

Should I leave the name ch1.domain.com on the internal web URL, as the CAS array name is for MAPI connections only?
seb_acker commented:
Agreed that the CAS array name should not be "resolved" from the outside, but the clients must point to the CAS IP address. So in this case, InternalUrl = email.domain.com, External = webmail.domain.com.

The FQDNs must be on the certificate.
No, you do not have to leave ch1.domain.com on the internal web URL; email.domain.com is OK. But ch1.domain.com, ch2...... must all be on the certificate.
Akhater commented:
Again, there is no need for any CAS server name to be included in the certificate FQDNs.

Of course you can include them if you want, but they don't need to be there; a lot of people will not feel comfortable about exposing their internal server names to the internet.