
SAN Certs and URLs for CAS\HUB NLB?

355LT1 asked
I am planning on setting up an Exchange Server 2010 DAG with two CAS\HUB servers and two Mailbox role servers. After I set up the DAG and want to set up CAS\HUB HA with NLB, what is required for SAN certificates and virtual directory URLs when I switch from one CAS\HUB to two CAS\HUB servers with NLB?

As a rule you would need

Webmail.domain.com for external client access
Webmail.domain.local for internal client access if the internal and external domains differ.
Autodiscover.domain.com for autodiscover purposes.

I've chosen webmail as the end point but your environment might be different.

You can run the create new certificate wizard and this will generate a certificate request for you.

Every situation is different, but have a look at this blog.

It all comes down to this: how the clients will access the CAS (in your case the NLB), through an internal or an external address.
If your external domain is called some.domain.com, you can manage with only 2 names in the SAN: some.externaldomain.com and autodiscover.externaldomain.com.
The CasArray FQDN is only used when you set the MAPI endpoint for databases:
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer casarray.domain.local   (casarray.domain.local is an example CAS array FQDN)
It should be local, and it is not used in the SAN if you don't need to load balance the internal URLs like EWS, OAB, etc.

Now, if you go with only those two names, you will configure split DNS with an internal DNS zone called externaldomain.com and an A record pointing to the IP of your NLB VIP.
Then you will have to configure all internal URLs with some.externaldomain.com.

Also check this KB:
If the Active Directory site won't be the target of proxying from another Client Access server, but there are internal Outlook 2010 clients within the site, the InternalURL property should be set to a load-balanced value, and that name should be included on the certificate. Then Outlook 2010 users in that site will benefit from being given a load-balanced URL from the Autodiscover service to access the ECP, rather than a specific server FQDN.
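The split-DNS setup above in Exchange Management Shell form, as an added example that is not part of this thread: it creates the CAS array, points every HTTPS virtual directory on both CAS servers at the load-balanced name, and then checks that each host name clients are handed actually appears in the SAN list of the certificate bound to IIS (a name that is missing there produces certificate warnings in Outlook and OWA). The names some.externaldomain.com, autodiscover.externaldomain.com, casarray.domain.local and the site name are placeholders; nothing here is Microsoft's own script.

```powershell
# Added example (not from the thread). Assumes an Exchange 2010 org with a split-DNS
# zone for externaldomain.com, the NLB VIP published as some.externaldomain.com, and
# one CAS array per AD site. All host names and the site name are placeholders.
$LbName       = 'some.externaldomain.com'          # load-balanced name carried in the SAN cert (assumed)
$AutoDName    = 'autodiscover.externaldomain.com'  # second SAN name (assumed)
$CasArrayFqdn = 'casarray.domain.local'            # internal MAPI endpoint only; not in the cert (assumed)
$Site         = 'Default-First-Site-Name'          # AD site holding the two CAS/HUB servers (assumed)

# 1. CAS array: the RPC/MAPI endpoint Outlook connects to; internally it resolves to the NLB VIP.
$existing = Get-ClientAccessArray -ErrorAction SilentlyContinue | Where-Object { $_.Fqdn -eq $CasArrayFqdn }
if (-not $existing) {
    New-ClientAccessArray -Name 'CASArray' -Fqdn $CasArrayFqdn -Site $Site
}
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# 2. Same load-balanced name for internal and external URLs on every CAS (split DNS makes that work).
$Base = "https://$LbName"
foreach ($cas in (Get-ClientAccessServer)) {
    $srv = $cas.Name
    Set-OwaVirtualDirectory         -Identity "$srv\owa (Default Web Site)" -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
    Set-EcpVirtualDirectory         -Identity "$srv\ecp (Default Web Site)" -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
    Set-WebServicesVirtualDirectory -Identity "$srv\EWS (Default Web Site)" -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
    Set-OabVirtualDirectory         -Identity "$srv\OAB (Default Web Site)" -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
    Set-ActiveSyncVirtualDirectory  -Identity "$srv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer          -Identity $srv -AutoDiscoverServiceInternalUri "https://$AutoDName/Autodiscover/Autodiscover.xml"
}

# 3. Check: every host name handed to clients must be in the IIS-bound certificate's SAN list.
#    (Exact match only; a wildcard entry would need its own comparison.)
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })
$vdirs = @()
$vdirs += Get-OwaVirtualDirectory
$vdirs += Get-EcpVirtualDirectory
$vdirs += Get-WebServicesVirtualDirectory
$vdirs += Get-OabVirtualDirectory
$vdirs += Get-ActiveSyncVirtualDirectory
$hosts = $vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } | Where-Object { $_ } | ForEach-Object { $_.Host }
$hosts += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri } | Where-Object { $_ } | ForEach-Object { $_.Host }
$hosts | Sort-Object -Unique | ForEach-Object {
    if ($certNames -contains $_) { "OK       $_" } else { "MISSING  $_  (add it to the SAN or change the URL)" }
}
```

Run it once from the Exchange Management Shell; step 3 is safe to rerun on its own after any certificate or URL change, and the CAS array FQDN is deliberately absent from the check because Outlook's MAPI connection does not validate it against the HTTPS certificate.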


Do you agree both CAS in the NLB will have identical SAN UCC certificates similar to the following:
- OWA/EAS/OA/EWS URL (like mail.domain.com; some companies go for one URL per service).
- Autodiscover.domain.com, where domain.com is the email domain part of your users' email addresses.
- Legacy.domain.com, if you are co-existing or thinking of co-existing Exchange 2010 with earlier versions.
No need for CAS array URLs, NLB cluster names, CAS server NetBIOS names or FQDNs.

The question is: where do I add the CAS array URLs, and would the NLB need to be named mail.domain.com?

Yes, the NLB will have the same name as the CAS array. If you run the new certificate wizard, it asks questions about what services you want to support. This generates a CSR which you send off to the public CA; once the cert is returned, you complete the CSR and import the cert. You then export and import the cert onto the other CAS server.
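The shell equivalent of the wizard steps in that answer (request, complete, bind, export to the second NLB member), as an added example that is not part of this thread or of Microsoft's documentation. It is meant to be run from the Exchange Management Shell on the first CAS; the server names CAS1 and CAS2, the SAN names, the subject, and the C:\certs paths are placeholders.

```powershell
# Added example (not from the thread): run on CAS1 from the Exchange Management Shell.
# Server names, SAN names, subject and file paths are placeholders.
$Cas1     = 'CAS1'   # NLB member where the request is generated (assumed)
$Cas2     = 'CAS2'   # second NLB member that must present the identical cert (assumed)
$SanNames = 'webmail.domain.com', 'autodiscover.domain.com', 'webmail.domain.local'

# 1. Generate the CSR; the private key must be exportable so the cert can be copied to CAS2.
$csr = New-ExchangeCertificate -Server $Cas1 -GenerateRequest -PrivateKeyExportable $true `
        -KeySize 2048 -SubjectName 'CN=webmail.domain.com, O=Example Org, C=US' -DomainName $SanNames
Set-Content -Path 'C:\certs\webmail.req' -Value $csr
# ... submit C:\certs\webmail.req to the public CA and save the issued certificate as C:\certs\webmail.cer ...

# 2. Complete the pending request with the issued cert and bind it to IIS (and SMTP for TLS) on CAS1.
$cerBytes = [Byte[]](Get-Content -Path 'C:\certs\webmail.cer' -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -Server $Cas1 -FileData $cerBytes
Enable-ExchangeCertificate -Server $Cas1 -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# 3. Export as PFX (with private key) and import/enable it on CAS2 so both NLB members present the same cert.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Server $Cas1 -Thumbprint $imported.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\webmail.pfx' -Value $pfx.FileData -Encoding Byte
$pfxBytes = [Byte[]](Get-Content -Path 'C:\certs\webmail.pfx' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server $Cas2 -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Server $Cas2 -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# 4. Verify both members hold the same thumbprint and that it covers every SAN name you planned.
foreach ($srv in $Cas1, $Cas2) {
    $c = Get-ExchangeCertificate -Server $srv -Thumbprint $imported.Thumbprint
    $present = @($c.CertificateDomains | ForEach-Object { "$_" })
    $missing = $SanNames | Where-Object { $present -notcontains $_ }
    if ($missing) { "$srv is missing SAN entries: $($missing -join ', ')" }
    else          { "$srv OK, thumbprint $($c.Thumbprint) covers: $($present -join ', ')" }
}
```

Delete the PFX file once CAS2 has imported it; it contains the private key, and leaving it on a share is the usual way these keys leak. The step 4 check is worth rerunning after every renewal, since a renewed cert enabled on only one NLB member shows up as intermittent certificate errors that depend on which node the client lands on.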
