
Manage multiple certificates on SBS 2011 with Exchange 2010


We have a client that has 2 ISPs, i.e. an Ethernet provider and a cable company. Primary is our Ethernet ISP and cable is the backup on the SonicWall. They have SBS 2011 with Exchange 2010 installed. The primary ISP's A record is Mail1.mydomain.com and the secondary is Mail2.mydomain.com. We have purchased certificates for both Mail1 and Mail2 for mydomain from the same CA, but Exchange only allows one to be active at a time. If the internet on the primary goes down, then we have to manually change to the Mail2 certificate. Is it possible to have this automated so we don't have to do this manually? I am open to different ideas on how to set up certificates.

2 Solutions
Kent Dyer (IT Security Analyst Senior) commented:
Certutil or the certificate store (in either IE and/or Firefox) on the computer should be able to allow/install multiple certs. This should cover what you need to manage multiple certs on your server.


The easiest fix is a wildcard certificate, *.domain.com.
Or even a UC certificate with a Subject Alternative Name. That way you have one and the same certificate.
You can have mail1 point to both IPs.

Alternatively, you could add an additional SMTP receiver that is bound to another IP to which the cable IP is configured to forward, then attach the second certificate to that receiver.
Rob Williams commented:
There are other problems to consider: the server will always respond via the default gateway, and you cannot have two. You need a dual-WAN-port router, and most will not allow forwarding on both WAN connections.

You cannot set up Reverse DNS on both connections.

Most SBS sites simply use a backup mail service such as No-IP's Backup MX, about $35/year.
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
It seems as though what you are trying to accomplish is to have redundancy for inbound email using a failover. You cannot use separate host names for this: BOTH need to be mail.mydomain.com. Exchange will only announce itself with a single name. So this eliminates the problem you are trying to resolve.

You would then need to just set up TWO MX records with the same host name (mail.mydomain.com), each pointing to a different IP address, with your main one having a higher priority (lower preference number) than the other.

Contrary to what Rob stated above, it may be possible to set up Reverse DNS (PTR) on both connections to be the same (i.e., just mail.mydomain.com). There are a few other considerations, and this is a good discussion about those: http:Q_24980487.html

SonicWall will handle an automatic failover configuration just fine.

If you cannot get your ISPs to provide you with the proper reverse DNS though, then you need to use a backup MX as Rob suggested above.
