355LT1 asked:
SAN Certs and URLs for CAS\HUB NLB?
I am planning on setting up an Exchange Server 2010 DAG with two CAS\HUB servers and two Mailbox role servers. After I set up the DAG and want to set up CAS\HUB HA with NLB, what is required for SAN certificates and virtual directory URLs when I switch from one CAS\HUB to two CAS\HUBs with NLB?
ASKER
Do you agree both CAS in the NLB will have identical SAN UCC certificates similar to the following:
• OWA/EAS/OA/EWS URL (like mail.domain.com; some companies go for one URL per service).
• autodiscover.domain.com, where domain.com is the email domain part of your users' email addresses.
• legacy.domain.com, if you are co-existing or thinking of co-existing Exchange 2010 with earlier versions.
No need for CAS array URLs, NLB cluster names, or CAS server NetBIOS names or FQDNs.
The question is: where do I add the CAS array URLs, and would the NLB need to be named mail.domain.com?
Yes, the NLB will have the same name as the CAS array. If you run the New Certificate wizard, it asks questions about what services you want to support. This generates a CSR which you send off to the public CA; once the cert is returned you complete the CSR and import the cert. You then export the cert and import it onto the other CAS server.
If you have your external domain called some.domain.com you can manage with only 2 names in the SAN: some.externaldomain.com and autodiscover.externaldomai
The CAS array FQDN is only used when you set the MAPI endpoint for databases:
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer <CasArrayFQDN>
It should be local, and it is not used in the SAN if you don't need to load balance the internal URLs like EWS, OAB, etc.
Now if you go with only those two names, you will configure split DNS with an internal DNS zone called externaldomain.com and an A record pointing to the IP of your NLB VIP.
Then you will have to configure all internal URLs with some.externaldomain.com.
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html
Also check this KB:
http://technet.microsoft.com/en-us/library/bb310763.aspx
If the Active Directory site won't be the target of proxying from another Client Access server, but there are internal Outlook 2010 clients within the site, the InternalURL property should be set to a load-balanced value, and that name should be included on the certificate. Then Outlook 2010 users in that site will benefit from being given a load-balanced URL from the Autodiscover service to access the ECP, rather than a specific server FQDN.
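The two answers above describe one procedure: give the CAS array and the NLB VIP the same name, point the databases' RpcClientAccessServer and every virtual directory at that name, and carry one SAN certificate on both nodes. The script below is an added example written for this thread (it is not code from either answer or from Microsoft). It runs in the Exchange 2010 Management Shell on one CAS node; the server names CAS1/CAS2, the site name, mail.domain.com, autodiscover.domain.com and the PFX path are placeholders you would replace. The final check, which collects every host name Autodiscover will hand out and compares it against the IIS certificate's SAN list, is the part worth keeping: a name that is published in a URL but missing from the certificate is exactly what produces the Outlook certificate-mismatch prompt after a cut-over to NLB.

```powershell
# Added example, not from the thread. Assumed names: CAS1, CAS2, the AD site,
# mail.domain.com (NLB VIP = CAS array FQDN) and autodiscover.domain.com.
$lbName     = 'mail.domain.com'
$autodisc   = 'autodiscover.domain.com'
$casServers = 'CAS1', 'CAS2'
$adSite     = 'Default-First-Site-Name'

# 1. CAS array: Outlook MAPI clients connect to this name, never to a node FQDN.
if (-not (Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $lbName })) {
    New-ClientAccessArray -Name 'CASArray' -Fqdn $lbName -Site $adSite
}
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $lbName

# 2. Every virtual directory on both nodes gets the load-balanced name, so the
#    URLs Autodiscover returns are identical whichever node answered.
foreach ($server in $casServers) {
    Get-OwaVirtualDirectory -Server $server |
        Set-OwaVirtualDirectory -InternalUrl "https://$lbName/owa" -ExternalUrl "https://$lbName/owa"
    Get-EcpVirtualDirectory -Server $server |
        Set-EcpVirtualDirectory -InternalUrl "https://$lbName/ecp" -ExternalUrl "https://$lbName/ecp"
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$lbName/EWS/Exchange.asmx" -ExternalUrl "https://$lbName/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $server |
        Set-OabVirtualDirectory -InternalUrl "https://$lbName/OAB" -ExternalUrl "https://$lbName/OAB"
    Get-ActiveSyncVirtualDirectory -Server $server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "https://$lbName/Microsoft-Server-ActiveSync" -ExternalUrl "https://$lbName/Microsoft-Server-ActiveSync"
    # Exchange 2010 Outlook Anywhere has only an external host name.
    Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $lbName
    # The SCP domain-joined Outlook reads from AD before it tries DNS.
    Set-ClientAccessServer -Identity $server -AutodiscoverServiceInternalUri "https://$autodisc/Autodiscover/Autodiscover.xml"
}

# 3. Check: does the IIS certificate's SAN list cover every published host name?
#    A wildcard entry (*.domain.com) matches exactly one label, as browsers treat it.
function Test-SanCoverage {
    param([string[]]$Hosts, [string[]]$CertDomains)
    $missing = @()
    foreach ($h in ($Hosts | Sort-Object -Unique)) {
        $covered = $false
        foreach ($d in $CertDomains) {
            if ($d -eq $h) { $covered = $true; break }
            if ($d.StartsWith('*.') -and ($h -like $d) -and ($h.Split('.').Count -eq $d.Split('.').Count)) { $covered = $true; break }
        }
        if (-not $covered) { $missing += $h }
    }
    return $missing
}

$vdirs = foreach ($server in $casServers) {
    Get-OwaVirtualDirectory -Server $server; Get-EcpVirtualDirectory -Server $server
    Get-WebServicesVirtualDirectory -Server $server; Get-OabVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory -Server $server
}
$hosts = foreach ($v in $vdirs) { foreach ($p in 'InternalUrl', 'ExternalUrl') { if ($v.$p) { ([uri]$v.$p).Host } } }
$hosts += ([uri](Get-ClientAccessServer $casServers[0]).AutodiscoverServiceInternalUri).Host
$hosts += (Get-OutlookAnywhere -Server $casServers[0]).ExternalHostname
$hosts  = $hosts | Where-Object { $_ }

$iisCert = Get-ExchangeCertificate -Server $casServers[0] | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certDomains = $iisCert.CertificateDomains | ForEach-Object { "$_" }
$missing = Test-SanCoverage -Hosts $hosts -CertDomains $certDomains
if ($missing) { Write-Warning "Not on certificate $($iisCert.Thumbprint): $($missing -join ', ')" }
else { Write-Host "All published names are covered by certificate $($iisCert.Thumbprint)" }

# 4. Same certificate on the second node: export with private key, import, bind to IIS.
#    If your build's Import-/Enable-ExchangeCertificate lack -Server, run this part on CAS2.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $iisCert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path '\\CAS2\C$\Temp\mail.pfx' -Value $pfx.FileData -Encoding Byte
$imported = Import-ExchangeCertificate -Server 'CAS2' -Password $pfxPassword `
    -FileData ([Byte[]](Get-Content -Path '\\CAS2\C$\Temp\mail.pfx' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server 'CAS2' -Thumbprint $imported.Thumbprint -Services IIS
Remove-Item '\\CAS2\C$\Temp\mail.pfx'
```

Two caveats that follow from the answers above: the CAS array FQDN is resolved by MAPI clients over RPC, so with split DNS the internal A record for mail.domain.com must point at the NLB VIP, not at either node; and because the script publishes only mail.domain.com and autodiscover.domain.com, those are the only two names the certificate needs, which is the two-name SAN the second answer describes. The PFX file contains the private key, so delete it as soon as the import succeeds, as the last line does.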