How to configure SCP and CAS array with 3 servers, and what is the correct URL namespace in the UC certificate

Hi
I have a question regarding the configuration of the URL namespace in the UC certificate when we use a CAS array.
Here are the details:
My Internal And External domain name is the same "MyDomain.COM"
Client Access Server 1 = ch1
Client Access Server 2 = ch2
Client Access Server 3 = ch3
CAS Array = email.mydomain.com
Mailbox Server 1 = MBX1
Mailbox Server 2 = MBX2
Mailbox Server 3 = MBX3
DAG Name = DAG01.mydomain.com
[Diagram: internal domain]

Questions
1. What should be configured in the internal and external URLs on OWA, EWS, Autodiscover, etc.?

2. Do I need to include the CAS array name as the internal URL?

3. Do I need to include all the CAS server names in the UC certificate? For example, in my site should I include ch1, ch2, ch3 with the domain name?

4. Do I need to change something in the SCP in Active Directory?

5. Do I need to include the legacy.mydomain.com namespace?

Thank you
Ofer_Eliasi Asked:
e_aravind Commented:
Questions
1. What should be configured in the internal and external URLs on OWA, EWS, Autodiscover, etc.?
OWA
InternalURL -- https://fqdn-node1/owa (replace fqdn-node1 with fqdn-node2 and fqdn-node3 for the other 2 servers)
ExternalURL -- https://email.mydomain.com/owa

EWS
InternalURL -- https://fqdn-node1/ews/exchange.asmx (replace fqdn-node1 with fqdn-node2 and fqdn-node3 for the other 2 servers)
ExternalURL -- https://email.mydomain.com/ews/exchange.asmx

2. Do I need to include the CAS array name as the internal URL?
IMO, no need to have the CAS-Array name as the InternalURL

3. Do I need to include all the CAS server names in the UC certificate? For example, in my site should I include ch1, ch2, ch3 with the domain name?
Yes

4. Do I need to change something in the SCP in Active Directory?
Normally the SCP entries would be the FQDN names of the CAS servers.
That's why we need to have the CAS server names in the UC certificate.

5. Do I need to include the legacy.mydomain.com namespace?
From the diagram you don't have any legacy server (E2k3), so there is no need to have that URL in the UC certificate or in any of the URLs.

Option-2:
=========
If you want to reduce the number of entries in the UC certificate:
a) You can have the InternalURL and ExternalURL as email.mydomain.com
b) Change the SCP objects in AD to email.mydomain.com
Set-ClientAccessServer server1 -AutoDiscoverServiceInternalUri https://email.domain.com/autodiscover/autodiscover.xml
Note: You may need to do the same for all 3 nodes.
Ensure that email.domain.com resolves to the CAS array.

IMO, the above configuration should work fine
0
 
seb_acker Commented:
Hi

I don't totally agree with the preceding:
1) InternalURL should also point to the CAS array name, otherwise the CAS failover and load-balancing process will not be used for internal connections.


3) The certificate that's installed on the CAS servers must effectively have all names that will be used INTERNALLY, including the server DNS names.
If you're using a reverse proxy for publishing the server to the internet, the certificate on the proxy should only use the names email.domain, autodiscover.domain.com (and perhaps one or two more if you want to separate the external access for Outlook, OWA and ActiveSync).


0
 
Akhater Commented:
OK, let me see how to say this.

1. When you call your CAS array name email.domain.com you give me the impression that the same URL will be used to access OWA from outside the company. If this is the case then your CAS array name is "wrong"! Your CAS array name should NOT be resolvable from outside the company; it should only be resolvable from inside the company.

2. The CAS array name does NOT need to be in the certificate.

3. Your internal server names do NOT need to be in the certificate.

4. The internal URL for OWA and ECP should always be the server FQDN and not the NLB name or anything else.

0
Ofer_Eliasi Author Commented:
The CAS array name email.domain.com is not the external name.
The external name is webmail.domain.com.
I understand that the CAS array name should not be included in the certificate, but what about all the CAS servers' internal FQDN names, for example ch1.domain.com, ch2.domain.com and ch3.domain.com?
The reason I am asking this is because the Outlook 2010 client prompts me with an error regarding mismatched names in the certificate.

I am going to request a certificate with the names:

webmail.domain.com (for my external users)
autodiscover.domain.com
ch1.domain.com
ch2.domain.com
ch3.domain.com

Should I leave the name ch1.domain.com on the internal web URL, as the CAS array name is for MAPI connections only?
0
 
seb_acker Commented:
Agreed that the CAS array name should not be "resolved" from the outside, but the clients must point to the CAS IP address. So in this case, internalurls = email.domain.com, external = webmail.domain.com

The FQDN names must be on the certificate.
No, you have not to let ch1.domain.com on the internal web URL, email.domain.com is OK. But ch1.domain.com, ch2...... must all be on the certificate.
0
 
Akhater Commented:
Again, there is no need for any CAS server name to be included in the certificate FQDN.

Of course you can include them if you want, but they don't need to be there; a lot of people will not feel comfortable about exposing their internal server names to the internet.
0
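
A way to settle which names the certificate needs for the Outlook name-mismatch prompt discussed in this thread, as an added example that is not from any participant: list every hostname the SCP and the virtual directory URLs hand out to clients, and check each against the names on the IIS certificate. It assumes the Exchange 2010 Management Shell and that the IIS-enabled Exchange certificate is the one clients actually see (no proxy or load balancer terminating TLS); `Test-NameOnCertificate` is a hypothetical helper name.

```powershell
# Added example: run in the Exchange Management Shell.
# Helper name Test-NameOnCertificate is hypothetical, not an Exchange cmdlet.
function Test-NameOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one extra left-most label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # e.g. ".domain.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -and ($left -notmatch '\.')) { return $true }
            }
        }
    }
    return $false
}

foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name
    # Certificate enabled for IIS on this server, and the names it carries.
    $cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

    # SCP value plus the internal/external URL of each web service.
    $urls = @($cas.AutoDiscoverServiceInternalUri)
    $vdirs = @(Get-OwaVirtualDirectory -Server $server) +
             @(Get-EcpVirtualDirectory -Server $server) +
             @(Get-WebServicesVirtualDirectory -Server $server) +
             @(Get-OabVirtualDirectory -Server $server) +
             @(Get-ActiveSyncVirtualDirectory -Server $server)
    foreach ($v in $vdirs) { $urls += $v.InternalUrl, $v.ExternalUrl }

    # One row per distinct hostname; OnCertificate = False marks a mismatch.
    $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host } |
        Sort-Object -Unique | ForEach-Object {
            New-Object PSObject -Property @{
                Server = $server; HostName = $_
                OnCertificate = (Test-NameOnCertificate $_ $certNames)
            }
        }
}
```

Any row with `OnCertificate` set to `False` is a hostname clients are being directed to that the certificate does not cover: either add that name to the certificate request or change the URL or SCP value to a name that is already on it.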
Question has a verified solution.
