installing exchange 2010 certificate just for webapp with two ssl certification
assume an exchange 2010 organization serving about 20 accepted domains
our external clients are not allowed to use outlook
they just use web browsers and outlook webapp
i have set records in our dns service provider for all accepted domains as email.accepteddomain.com
assume we have car.com and food.com and health.com accepted domains
external clients connect to email.food.com email.health.com and email.car.com
these addressess direct them to ex 2010 outlook webapp and so everything is ok
and now about certificates. right now we are using domain (internal 2008 r2 domain) certificates so definitely external clients get a warning on opening webpapp
i have not purchased any SAN certificate yet but i have two certificates from godaddy (currently unassigned to any web site)
now here is what i want to do :
1- i will go to my dns server (which iz zoneedit) and redirect all those webapp addresses to one
email.car.com --> email.company.com
email.food.com --> email.company.com
email.health.com --> email.company.com
and then i get two certs for email.company.com and autodiscover.company.com
so anybody from outside goes to those url's and is redirected to email.company.com and a cert is published for that (and i think autodiscover will be also used)
am i right ?
does this work ?
you know i cannot test it because once certs are issued you cannot change them and the money will be gone !:
and some more info :
1- we have just one site but three CAS, two edge and two HUB servers
2- i will just publish one owa address for all (just email.company.com). all the people will use it with their smtp address (their address in domain) or if needed, they will use their email@theiraccepteddomain.
3- yes ! all mx records point to our two edge servers
4- i should again tell you that nobody uses outlook from outside. they all use OWA (i should give activesync service to some users but that is not my concern for now)
so with these information in hand, is just two cert enough ? (one for email.company.com and one for autodiscover.company.com)
and by the way, should these be installed in IIS ?! or in exchange server certificate
because owa is a website i think certs should be requested and installed in cas server IIS ! am i right ?
but on the other hand i have seen that all certs (including autodiscover, legacy, pop3s, activesync and.. are installed using the exchange management console)
i am somehow confused in this scenario ;(
thanks for your help
our external clients are not allowed to use outlook
they just use web browsers and outlook webapp
i have set records in our dns service provider for all accepted domains as email.accepteddomain.com
assume we have car.com and food.com and health.com accepted domains
external clients connect to email.food.com email.health.com and email.car.com
these addressess direct them to ex 2010 outlook webapp and so everything is ok
and now about certificates. right now we are using domain (internal 2008 r2 domain) certificates so definitely external clients get a warning on opening webpapp
i have not purchased any SAN certificate yet but i have two certificates from godaddy (currently unassigned to any web site)
now here is what i want to do :
1- i will go to my dns server (which iz zoneedit) and redirect all those webapp addresses to one
email.car.com --> email.company.com
email.food.com --> email.company.com
email.health.com --> email.company.com
and then i get two certs for email.company.com and autodiscover.company.com
so anybody from outside goes to those url's and is redirected to email.company.com and a cert is published for that (and i think autodiscover will be also used)
am i right ?
does this work ?
you know i cannot test it because once certs are issued you cannot change them and the money will be gone !:
and some more info :
1- we have just one site but three CAS, two edge and two HUB servers
2- i will just publish one owa address for all (just email.company.com). all the people will use it with their smtp address (their address in domain) or if needed, they will use their email@theiraccepteddomain.
3- yes ! all mx records point to our two edge servers
4- i should again tell you that nobody uses outlook from outside. they all use OWA (i should give activesync service to some users but that is not my concern for now)
so with these information in hand, is just two cert enough ? (one for email.company.com and one for autodiscover.company.com)
and by the way, should these be installed in IIS ?! or in exchange server certificate
because owa is a website i think certs should be requested and installed in cas server IIS ! am i right ?
but on the other hand i have seen that all certs (including autodiscover, legacy, pop3s, activesync and.. are installed using the exchange management console)
i am somehow confused in this scenario ;(
thanks for your help
ASKER
First of all thanks Simon
So, are u sure about godaddy ? you mean if i get a certificate for 1stcompany.com and later i decide to use it for another domain like 2ndcompany.com, i can easily manage it with godaddy ? they revoke the first one and issue a second ?
and about the redirection ! it is not much of a work ! i can do it with my DNS service provider (ZoneEdit) or i can simply tell people to use https address
and lets go to the main part.
Ok ! note that my clients from outside never use outlook, just webapp
so i need only certificate for my https://myowaaddress ( i have set a dns named email for that so when people enter email.company.com they will see the OWA page)
and autodiscover records are set in my external dns provider
so, by these info, are certificates for autodiscover.company.com and email.company.com enough ? (and even as u said, it is not necessary to obtain one for autodiscover)
(by the way, it says SRV record usage is for outlook-not-joined-to-doma
as i told you, i will redirect all other addresses like email.sub1.com or email.sub2.com (sub are other accepted domains) to email.company.com
and the second question
u say do everything through Exchange and it will install them on IIS.
i have internal CA (internal domain CA) for my inside clients (and thats why the externals get a warning on opening webapp cause it is not from a 3rd party trusted CA ! it is just an internal domain CA)
now you said put your certificate through exchange. here is my question :
am i allowed to use 2 Certificates on my exchange server ?!
and then force exchange to use the internal one for clients from inside and the other one for clients connecting from outside ?!
Thanks for your help
So, are u sure about godaddy ? you mean if i get a certificate for 1stcompany.com and later i decide to use it for another domain like 2ndcompany.com, i can easily manage it with godaddy ? they revoke the first one and issue a second ?
and about the redirection ! it is not much of a work ! i can do it with my DNS service provider (ZoneEdit) or i can simply tell people to use https address
and lets go to the main part.
Ok ! note that my clients from outside never use outlook, just webapp
so i need only certificate for my https://myowaaddress ( i have set a dns named email for that so when people enter email.company.com they will see the OWA page)
and autodiscover records are set in my external dns provider
so, by these info, are certificates for autodiscover.company.com and email.company.com enough ? (and even as u said, it is not necessary to obtain one for autodiscover)
(by the way, it says SRV record usage is for outlook-not-joined-to-doma
as i told you, i will redirect all other addresses like email.sub1.com or email.sub2.com (sub are other accepted domains) to email.company.com
and the second question
u say do everything through Exchange and it will install them on IIS.
i have internal CA (internal domain CA) for my inside clients (and thats why the externals get a warning on opening webapp cause it is not from a 3rd party trusted CA ! it is just an internal domain CA)
now you said put your certificate through exchange. here is my question :
am i allowed to use 2 Certificates on my exchange server ?!
and then force exchange to use the internal one for clients from inside and the other one for clients connecting from outside ?!
Thanks for your help
If you don't have anyone from external using Outlook then you don't need Autodiscover at all. Autodiscover can work inside on domain clients using any URL in the SSL certificate.
You cannot have two SSL certificates on the same virtual server in IIS. That is why we usually use SAN/UC certificates, as it allows an internal and external name on the same SSL certifificate. However internal names on commercial certificates are not going to be allwoed soon, so a split DNS system with the same host name internally and externally is the way forward. Also makes training staff easier as you just tell them one URL.
Simon.
You cannot have two SSL certificates on the same virtual server in IIS. That is why we usually use SAN/UC certificates, as it allows an internal and external name on the same SSL certifificate. However internal names on commercial certificates are not going to be allwoed soon, so a split DNS system with the same host name internally and externally is the way forward. Also makes training staff easier as you just tell them one URL.
Simon.
ASKER
Thanks Simon
So can i know your final suggestion ?
getting a SAN certificate ?
in summary what i want is this :
an internal CA for internal clients (outlook or webapp) so they do not get a cert warning (the same as it is working now)
and a cert for external clients from digicert or godaddy or ... so they can also connect without warning using webapp
i wish exchange had this ability to use a cert for some clients and another for some other clients ! i also wish to get cert for some of my accepted domains but not for all of them and AFAIK exchange does not have ability to say ok use this cert for these domains and that cert for those, ... anyway
i am waiting for your suggestion for my condition (also consider that i have a couple of standard (not UC) certs from godaddy in my hand
and i should add that i have bought the domain name for my internal domain in world wide web. i mean my internal name is for example test.com and i also own the test.com domain name on internet (clients from outside use email.test.com)
So can i know your final suggestion ?
getting a SAN certificate ?
in summary what i want is this :
an internal CA for internal clients (outlook or webapp) so they do not get a cert warning (the same as it is working now)
and a cert for external clients from digicert or godaddy or ... so they can also connect without warning using webapp
i wish exchange had this ability to use a cert for some clients and another for some other clients ! i also wish to get cert for some of my accepted domains but not for all of them and AFAIK exchange does not have ability to say ok use this cert for these domains and that cert for those, ... anyway
i am waiting for your suggestion for my condition (also consider that i have a couple of standard (not UC) certs from godaddy in my hand
and i should add that i have bought the domain name for my internal domain in world wide web. i mean my internal name is for example test.com and i also own the test.com domain name on internet (clients from outside use email.test.com)
The issue with SSL certificates isn't Exchange - it is the web server. IIS, Apache, whatever, they all work in the same way. One certificate one host name, one IP address.
The only way that you can have different certificates for different people would be with two web sites. That will require two IP addresses. However that adds in additional complexity as certain things have to run in the default web site to work correctly. Outlook Anywhere has to be in the default web site, but the internal name of the Exchange server also needs to resolve to the default web site for ActiveSync and others to work.
The easiest solution would be a SAN/UC certificate. That will allow you to put both the internal and external names in to the same certificate. Then use SRV records for the autodiscover arrangements for external users.
Simon.
The only way that you can have different certificates for different people would be with two web sites. That will require two IP addresses. However that adds in additional complexity as certain things have to run in the default web site to work correctly. Outlook Anywhere has to be in the default web site, but the internal name of the Exchange server also needs to resolve to the default web site for ActiveSync and others to work.
The easiest solution would be a SAN/UC certificate. That will allow you to put both the internal and external names in to the same certificate. Then use SRV records for the autodiscover arrangements for external users.
Simon.
ASKER
Thanks Simon ! Thanks so much !
now can you please help me with this
i have about 20 accepted domains and the scenario and topology which i described before
So, we have external webapp clients connecting to just one address (email.company.com) (and if they use email.sub1.com the zoneedit dns service will redirect them to https://email.company.com)
internal clients also use the same address for webapp or use outlook (and the domain name is company.com - our internal domain 2008 i mean)
so with these in hand, is a 5-pack SAN cert enough ? i will put these in that :
email.company.com
mycasserver.company.com (internal address of server. of course i should mention that we have two cas servers " mycasserver01 and mycasserver02 which are in a cas array)
autodiscover.company.com (maybe we give clients outlook access from outside)
activesync.company.com (we have some iphones out of the company and i think this is necessary for them)
Again please note that we have so many accepted domains but the condition and the design in my mind is what i told you above (all requests are redirected to email.company.com)
so am i right here ?
now can you please help me with this
i have about 20 accepted domains and the scenario and topology which i described before
So, we have external webapp clients connecting to just one address (email.company.com) (and if they use email.sub1.com the zoneedit dns service will redirect them to https://email.company.com)
internal clients also use the same address for webapp or use outlook (and the domain name is company.com - our internal domain 2008 i mean)
so with these in hand, is a 5-pack SAN cert enough ? i will put these in that :
email.company.com
mycasserver.company.com (internal address of server. of course i should mention that we have two cas servers " mycasserver01 and mycasserver02 which are in a cas array)
autodiscover.company.com (maybe we give clients outlook access from outside)
activesync.company.com (we have some iphones out of the company and i think this is necessary for them)
Again please note that we have so many accepted domains but the condition and the design in my mind is what i told you above (all requests are redirected to email.company.com)
so am i right here ?
That is what the SRV records are for - so that you don't have to cover all of the domain in the certificate.
Use the same host name for all domains for:
The SRV records direct autodiscover to the certificate.
Internally, all clients use the same host name for autodiscover, which is configured on set-clientaccessserver as the value of AutodiscoverServiceInterna
Don't overcomplicate matters.
Simon.
Use the same host name for all domains for:
OWA
MX Records
Outlook Anywhere
ActiveSync
The SRV records direct autodiscover to the certificate.
Internally, all clients use the same host name for autodiscover, which is configured on set-clientaccessserver as the value of AutodiscoverServiceInterna
Don't overcomplicate matters.
Simon.
ASKER
SRV Record is ok inside domain
but my external dns provider does not provide me with these types of records
it just gives me a table which i can have an entry and a related ip to that (in zoneedit you can also have a redirect url instead of ip) but no srv records
so i am still a bit confused about my suggestion in the previous post :)
is a 5-cert pack from a third party enough for my situation ?
but my external dns provider does not provide me with these types of records
it just gives me a table which i can have an entry and a related ip to that (in zoneedit you can also have a redirect url instead of ip) but no srv records
so i am still a bit confused about my suggestion in the previous post :)
is a 5-cert pack from a third party enough for my situation ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
However it isn't going to work for you unless you do a web redirect. That will have to be http://host.example.com to https://host.example.net - if you try and do anything else, like a CNAME then it isn't going to work.
For autodiscover, you will have to use SRV records. That will mean you can do without the autodiscover.example.com SSL certificate.
http://support.microsoft.com/kb/940881
One for each domain.
That way you will be able to use a single name SSL certificate externally.
That will also affect internal use, so you shoudl probably do the complete procedure for single host name certificate: http://exchange.sembee.info/2010/install/singlenamessl.asp
Do everything for SSL through Exchange. They will be installed in to IIS by Exchange.
Simon.