Certificate with ISA 2006, Exchange 2003 and moving to Exchange 2007

I have an Exchange 2003 server that is configured with ISA 2006. I have a certificate configured with the name msr.domainname.com that points to it. The only outside services we are using are ActiveSync and Outlook over RPC. I want to set this up to point to our Exchange 2007 CAS server so I can move these people over to the Exchange 2007 server. Right now the Exchange 2007 server is using the self-signed cert for internal stuff. I am really confused as to what I need to do with the new certificate for Exchange 2007. I need to set up a new iPhone for someone who is on the Exchange 2007 server, so even if I had to use the self-signed cert temporarily I am open to that.
Asked by: cardinal
 
Jon Brelie (System Architect) commented:
Honestly, I would get a new SAN cert that covers all your internal and external names for the 2007 server.  That way you don't get a service interruption on your 2003 server when you move the DNS pointer, and you don't have to worry about moving the certificate.

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
 
cardinal (Author) commented:
I have already read through that and understand it somewhat. What happens to my existing certificate that I have already purchased if I get a SAN?
 
Jon Brelie (System Architect) commented:
Nothing.  It would continue to exist and function independently.
 
cardinal (Author) commented:
But I would have to have another outside IP address? Right now, the way it's set up, the DNS record for msr.domainname.com points to the ISA server external IP. Would I need to add another listener in ISA and point it to a different external IP address?
 
Jon Brelie (System Architect) commented:
Yes, it would require an additional public IP address.
 
cardinal (Author) commented:
OK, so tell me if this is right for the SAN.

I have 2 Exchange 2007 servers:

1st: NetBIOS name cicexch and internal is cicexch.domainname.local. Has CAS and mailboxes.

2nd: NetBIOS name ms2010 and internal is ms2010.domainname.local. It has no mailboxes but has one of the CAS servers on it. It will go away.

1 Exchange 2003 server that I want to move everyone off of. Right now the certificate points to msr.domainname.com.

So for my SAN, would the common name be, say, msr1.domainname.com and the SAN names be:

cicexch.domainname.local
cicexch

Do I need to add the 2007 server that I will be getting rid of if no one is on that?
 
Jon Brelie (System Architect) commented:
Yes.  Wouldn't hurt to also add on:

autodiscover.domainname.com
and
legacy.domainname.com (if you're going to try to serve 2007 and 2003 through the 2007 CAS)
 
cardinal (Author) commented:
That's where I get confused, with serving the 2003 through the 2007 CAS. I know it works because internally I can put in the 2007 internal address and it redirects me to the 2003 box.
Are you saying to add legacy.domainname.com and remove the cert from the 2003 server and add the new SAN to it?
 
Jon Brelie (System Architect) commented:
If you want to serve both that way, then yes.  It depends on the length of your migration as to whether the additional config is worth it to you.
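
The SAN request worked out in this thread, written as an added example for the Exchange 2007 Management Shell; it was not posted by either participant. The host names are the ones listed above, while the file paths, the country and organization fields in the subject, and the friendly name are assumed placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the 2007 CAS (cicexch).
# Host names come from the thread; paths and subject fields are assumptions.
$commonName = "msr1.domainname.com"
$sanNames = @(
    $commonName,                            # repeat the common name in the SAN list
    "autodiscover.domainname.com",
    "legacy.domainname.com",                # only if 2003 is served through the 2007 CAS
    "cicexch.domainname.local", "cicexch",
    "ms2010.domainname.local", "ms2010"     # second CAS, until it is retired
)

# 1. Generate the CSR. The private key is created and kept on this server.
#    It is marked exportable so the issued certificate can also be installed
#    on the ISA 2006 listener; protect any exported .pfx accordingly.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$commonName" `
    -DomainName $sanNames `
    -FriendlyName "Exchange 2007 CAS SAN" `
    -PrivateKeyExportable $true `
    -Path "C:\certs\cas-san.req"

# 2. Once the CA returns the signed certificate, import it without enabling it.
$cert = Import-ExchangeCertificate -Path "C:\certs\cas-san.cer"

# 3. Confirm every requested name is present in the issued certificate.
$issued  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($sanNames | Where-Object { $issued -notcontains $_.ToLower() })

if ($missing.Count -gt 0) {
    # Leave the current certificate bound; clients would fail name validation.
    Write-Warning ("Issued certificate is missing: " + [string]::Join(", ", $missing))
} else {
    # 4. Bind to IIS only (ActiveSync, Outlook over RPC/HTTP, Autodiscover, OWA).
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, CertificateDomains, Services, NotAfter
}
```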