• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 374

Installing Exchange 2010 certificates just for Outlook Web App with two SSL certificates

Assume an Exchange 2010 organization serving about 20 accepted domains.

Our external clients are not allowed to use Outlook;

they just use web browsers and Outlook Web App.

I have set records with our DNS service provider for all accepted domains as email.accepteddomain.com.

Assume we have car.com, food.com and health.com as accepted domains.

External clients connect to email.food.com, email.health.com and email.car.com.

These addresses direct them to the Exchange 2010 Outlook Web App, and so everything is OK.

And now about certificates. Right now we are using domain (internal 2008 R2 domain) certificates, so external clients definitely get a warning on opening Web App.

I have not purchased any SAN certificate yet, but I have two certificates from GoDaddy (currently unassigned to any web site).

Now here is what I want to do:

1. I will go to my DNS server (which is ZoneEdit) and redirect all those Web App addresses to one:

email.car.com --> email.company.com

email.food.com --> email.company.com

email.health.com --> email.company.com

and then I get two certs, for email.company.com and autodiscover.company.com.

So anybody from outside goes to those URLs and is redirected to email.company.com, and a cert is published for that (and I think autodiscover will also be used).

Am I right?

Does this work?

You know I cannot test it, because once certs are issued you cannot change them and the money will be gone!

And some more info:

1. We have just one site but three CAS, two Edge and two Hub servers.

2. I will just publish one OWA address for all (just email.company.com). All the people will use it with their SMTP address (their address in the domain) or, if needed, they will use their email@theiraccepteddomain.com.

3. Yes! All MX records point to our two Edge servers.

4. I should again tell you that nobody uses Outlook from outside. They all use OWA (I should give the ActiveSync service to some users, but that is not my concern for now).

So with this information in hand, are just two certs enough? (one for email.company.com and one for autodiscover.company.com)

And by the way, should these be installed in IIS, or in Exchange Server certificates?

Because OWA is a website, I think certs should be requested and installed in the CAS server's IIS. Am I right?

But on the other hand, I have seen that all certs (including autodiscover, legacy, POP3S, ActiveSync and so on) are installed using the Exchange Management Console.

I am somehow confused in this scenario. :(
Thanks for your help.
Asked by: vadoodetm

1 Solution
Simon Butler (Sembee), Consultant, commented:
You are wrong about the SSL certificates for a start, as you can get them rekeyed on the GoDaddy system.

However, it isn't going to work for you unless you do a web redirect. That will have to be http://host.example.com to https://host.example.net; if you try to do anything else, like a CNAME, then it isn't going to work.

For autodiscover, you will have to use SRV records. That will mean you can do without the autodiscover.example.com SSL certificate.
http://support.microsoft.com/kb/940881
One for each domain.

That way you will be able to use a single-name SSL certificate externally.
That will also affect internal use, so you should probably do the complete procedure for a single host name certificate: http://exchange.sembee.info/2010/install/singlenamessl.asp

Do everything for SSL through Exchange. They will be installed into IIS by Exchange.

Simon.

vadoodetm (Author) commented:
First of all, thanks Simon.

So, are you sure about GoDaddy? You mean if I get a certificate for 1stcompany.com and later I decide to use it for another domain like 2ndcompany.com, I can easily manage it with GoDaddy? They revoke the first one and issue a second?

And about the redirection! It is not much work! I can do it with my DNS service provider (ZoneEdit), or I can simply tell people to use the https address.

And let's go to the main part.

OK! Note that my clients from outside never use Outlook, just Web App,
so I need only a certificate for my https://myowaaddress (I have set a DNS name "email" for that, so when people enter email.company.com they will see the OWA page),
and autodiscover records are set in my external DNS provider.

So, by this info, are certificates for autodiscover.company.com and email.company.com enough? (And even, as you said, it is not necessary to obtain one for autodiscover.)
(By the way, it says SRV record usage is for Outlook clients not joined to the domain, but all external clients use Outlook Web App only; does this make a difference?)

As I told you, I will redirect all other addresses like email.sub1.com or email.sub2.com (sub are other accepted domains) to email.company.com.

And the second question:
you say do everything through Exchange and it will install them on IIS.

I have an internal CA (internal domain CA) for my inside clients (and that's why the externals get a warning on opening Web App, because it is not from a third-party trusted CA; it is just an internal domain CA).
Now you said put your certificate through Exchange. Here is my question:
am I allowed to use two certificates on my Exchange server,
and then force Exchange to use the internal one for clients from inside and the other one for clients connecting from outside?

Thanks for your help.

Simon Butler (Sembee), Consultant, commented:
If you don't have anyone from external using Outlook then you don't need Autodiscover at all. Autodiscover can work inside on domain clients using any URL in the SSL certificate.

You cannot have two SSL certificates on the same virtual server in IIS. That is why we usually use SAN/UC certificates, as they allow an internal and an external name on the same SSL certificate. However, internal names on commercial certificates are not going to be allowed soon, so a split DNS system with the same host name internally and externally is the way forward. It also makes training staff easier, as you just tell them one URL.

Simon.

vadoodetm (Author) commented:
Thanks Simon.
So can I know your final suggestion?
Getting a SAN certificate?
In summary, what I want is this:
an internal CA for internal clients (Outlook or Web App) so they do not get a cert warning (the same as it is working now),
and a cert for external clients from DigiCert or GoDaddy or ... so they can also connect without a warning using Web App.
I wish Exchange had the ability to use a cert for some clients and another for some other clients! I also wish to get a cert for some of my accepted domains but not for all of them, and AFAIK Exchange does not have the ability to say "OK, use this cert for these domains and that cert for those", ... anyway.
I am waiting for your suggestion for my condition (also consider that I have a couple of standard (not UC) certs from GoDaddy in my hand).
And I should add that I have bought the domain name for my internal domain on the World Wide Web. I mean my internal name is, for example, test.com, and I also own the test.com domain name on the Internet (clients from outside use email.test.com).

Simon Butler (Sembee), Consultant, commented:
The issue with SSL certificates isn't Exchange; it is the web server. IIS, Apache, whatever, they all work in the same way. One certificate, one host name, one IP address.

The only way that you can have different certificates for different people would be with two web sites. That will require two IP addresses. However, that adds in additional complexity, as certain things have to run in the default web site to work correctly. Outlook Anywhere has to be in the default web site, but the internal name of the Exchange server also needs to resolve to the default web site for ActiveSync and others to work.

The easiest solution would be a SAN/UC certificate. That will allow you to put both the internal and external names in to the same certificate. Then use SRV records for the autodiscover arrangements for external users.

Simon.

vadoodetm (Author) commented:
Thanks Simon! Thanks so much!
Now can you please help me with this?
I have about 20 accepted domains and the scenario and topology which I described before.
So, we have external Web App clients connecting to just one address (email.company.com) (and if they use email.sub1.com, the ZoneEdit DNS service will redirect them to https://email.company.com).
Internal clients also use the same address for Web App, or use Outlook (and the domain name is company.com, our internal 2008 domain I mean).

So with these in hand, is a 5-pack SAN cert enough? I will put these in it:
email.company.com
mycasserver.company.com (internal address of the server; of course I should mention that we have two CAS servers, mycasserver01 and mycasserver02, which are in a CAS array)
autodiscover.company.com (maybe we give clients Outlook access from outside)
activesync.company.com (we have some iPhones outside of the company and I think this is necessary for them)

Again, please note that we have so many accepted domains, but the condition and the design in my mind is what I told you above (all requests are redirected to email.company.com).
So am I right here?

Simon Butler (Sembee), Consultant, commented:
That is what the SRV records are for, so that you don't have to cover all of the domains in the certificate.

Use the same host name for all domains for:

OWA
MX Records
Outlook Anywhere
ActiveSync

The SRV records direct autodiscover to the certificate.
Internally, all clients use the same host name for autodiscover, which is configured on Set-ClientAccessServer as the value of AutoDiscoverServiceInternalUri.

Don't overcomplicate matters.

Simon.

vadoodetm (Author) commented:
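The two pieces of advice above, "do everything for SSL through Exchange, it will install them into IIS" and "use one SAN/UC certificate plus per-domain SRV records, with the internal autodiscover name set on Set-ClientAccessServer", can be put together as the following Exchange Management Shell session. This is an added example, not code from the thread or from Simon's site; the host names (email.company.com, autodiscover.company.com, mycasserver01/02.company.com), the file paths, the organisation name in the subject and the three accepted domains checked at the end are all assumptions standing in for the poster's real values.

```powershell
# Added example (not from the thread). All names, paths and the O= value are assumed.
# Run in the Exchange Management Shell on one of the Exchange 2010 CAS servers.

# 1. Generate the SAN certificate request through Exchange, not through IIS.
#    The external OWA/EAS name goes first (CN); the internal CAS names are extra SANs
#    so domain-joined Outlook clients do not get a name-mismatch prompt.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=email.company.com, O=Company, C=US" `
    -DomainName email.company.com, autodiscover.company.com, `
                mycasserver01.company.com, mycasserver02.company.com `
    -PrivateKeyExportable $true -KeySize 2048 -FriendlyName "Exchange 2010 SAN"
Set-Content -Path C:\certs\exchange-san.req -Value $req
# Submit C:\certs\exchange-san.req to the commercial CA and save its reply as exchange-san.cer.

# 2. Import the CA's signed certificate on the same server that generated the request
#    (that is where the private key lives).
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path C:\certs\exchange-san.cer -Encoding Byte -ReadCount 0))

# 3. Bind it. "IIS" here is what puts the certificate on the Default Web Site that
#    OWA, ActiveSync, Outlook Anywhere and Autodiscover all share: one site, one cert.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 4. Internal autodiscover: point every CAS at a name that is on the certificate.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://email.company.com/Autodiscover/Autodiscover.xml"

# 5. Publish the same external host name for OWA and ActiveSync (repeat per CAS).
Set-OwaVirtualDirectory -Identity "MYCASSERVER01\owa (Default Web Site)" `
    -ExternalUrl "https://email.company.com/owa"
Set-ActiveSyncVirtualDirectory -Identity "MYCASSERVER01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://email.company.com/Microsoft-Server-ActiveSync"

# 6. External autodiscover without a per-domain certificate (KB 940881): each accepted
#    domain carries one SRV record that points at the single certified name, e.g.
#        _autodiscover._tcp.car.com.  IN SRV 0 0 443 email.company.com.
#    Check the public DNS for each domain from a machine that uses external resolvers.
foreach ($d in "car.com", "food.com", "health.com") {
    nslookup -type=SRV "_autodiscover._tcp.$d"
}

# 7. Confirm which certificate IIS is now serving and when it expires.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, Thumbprint, NotAfter
```

Step 3 is the answer to the "two certificates, one for inside and one for outside" question: Enable-ExchangeCertificate replaces the binding on the Default Web Site, so only the certificate whose thumbprint you pass is presented, to everyone. Step 6 is why the certificate does not need to grow with the number of accepted domains; each domain's SRV record, not the certificate, carries the mapping to email.company.com. Clients following an SRV redirect to a different domain will show a one-time confirmation prompt, as the TechNet link later in the thread describes.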
SRV records are OK inside the domain,
but my external DNS provider does not provide me with these types of records.
It just gives me a table in which I can have an entry and a related IP for it (in ZoneEdit you can also have a redirect URL instead of an IP), but no SRV records.
So I am still a bit confused about my suggestion in the previous post. :)
Is a 5-cert pack from a third party enough for my situation?

Simon Butler (Sembee), Consultant, commented:
If you cannot set up SRV records, then I see it that you have three options.

1. Move DNS providers to someone who does. I personally use Nettica and can use SRV records with them. Not supporting SRV records is going to be limiting these days, as more and more services are using them. I was sure that ZoneEdit does support SRV records.

2. Get an SSL certificate with more slots so that you can use autodiscover for each host name.

3. Configure the redirection method. This has to be done carefully and will generate prompts on the users' side. Start with this page at TechNet: http://technet.microsoft.com/en-us/library/ee633470.aspx then follow the link at the bottom for the redirection configuration instructions. I don't think you will be using the redirect option in the DNS provider.

Simon.