AXISHK
asked on
certificates for Exchange 2010
We have created two SAN certificates
Internal (service: IMAP, POP, UM, SMTP)
exdag.abc.com, ex01.abc.com, ex02.abc.com, mail.abc.com , autodiscover.abc.com
External (service: POP, IIS, SMTP)
mail.abc.com, autodiscover.abc.com
If we use the internal certificates within IIS service it always pops up for certificate warning message until we bind the IIS service on it. However, the external access to web mail will not work within the IIS service binding on the external certificate.
Currently, we have changed all the CAS to refer mail.abc.com in external URL. I was told that it can create an internal certificate for internal use a public certificate for external use. However, it doesn't work as expected. Any idea ? Can I make the internal certificate work without IIS binding ?
For this change, will the DAG work as expected ? In case the EX01 is down, will the EX02 take up the work actually as I have already changed all the CAS internal & external reference to mail.abc.com.
Great Thanks.
Internal (service: IMAP, POP, UM, SMTP)
exdag.abc.com, ex01.abc.com, ex02.abc.com, mail.abc.com , autodiscover.abc.com
External (service: POP, IIS, SMTP)
mail.abc.com, autodiscover.abc.com
If we use the internal certificates within IIS service it always pops up for certificate warning message until we bind the IIS service on it. However, the external access to web mail will not work within the IIS service binding on the external certificate.
Currently, we have changed all the CAS to refer mail.abc.com in external URL. I was told that it can create an internal certificate for internal use a public certificate for external use. However, it doesn't work as expected. Any idea ? Can I make the internal certificate work without IIS binding ?
For this change, will the DAG work as expected ? In case the EX01 is down, will the EX02 take up the work actually as I have already changed all the CAS internal & external reference to mail.abc.com.
Great Thanks.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
As long as DNS and Exchange are setup correctly and the certificate is trusted it will work fine. You can use any name that you like.
Simon.
Simon.
ASKER
EXDAG is created when creating the DAG for both Exchange servers. EXDAG DNS record can update directly by Exchange if the other pair is down. Outlook is pointing to the server name EXDAG.
In case I change it to mail.abc.com, does it mean that I need to update the DNS manually ... the automatic failover feature in Outlook is lost.
Base on the URL, I can't fix out what I need to setup on my Exchange. Is there any further detail or example ? Tks
http://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
In case I change it to mail.abc.com, does it mean that I need to update the DNS manually ... the automatic failover feature in Outlook is lost.
Base on the URL, I can't fix out what I need to setup on my Exchange. Is there any further detail or example ? Tks
http://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
How your outlook is pointing to EXDAG (DAG \ Cluster virtual account if i am not wrong) ?
As long as outlook is able to connect to CAS array \ CAS server,You should be able to connect
Check below articles for more details
http://technicaljeditrials.info/2011/02/28/exchange-2010-multiple-owaecp-directories-part-1/
http://johnyassa.wordpress.com/tag/multiple-owa-ecp-virtual-directories/
Mahesh
As long as outlook is able to connect to CAS array \ CAS server,You should be able to connect
Check below articles for more details
http://technicaljeditrials.info/2011/02/28/exchange-2010-multiple-owaecp-directories-part-1/
http://johnyassa.wordpress.com/tag/multiple-owa-ecp-virtual-directories/
Mahesh
ASKER
I have changed to use the external certificate mail.ktl.com.hk internally. Have make this reference under Outlook Web App, Exchange Control Panel, Exchange ActiveSync, Offline Address Book Distribution.
When I start the outlook, it still pop for a server EX01 ? We have DAG group "EXDAG" with two physical servers named "EX01" & "EX02". In fact, the public certificate "mail.abc.com" is used to check "EX01". Any idea ?
Tks
eCert.png
eCert-1.png
When I start the outlook, it still pop for a server EX01 ? We have DAG group "EXDAG" with two physical servers named "EX01" & "EX02". In fact, the public certificate "mail.abc.com" is used to check "EX01". Any idea ?
Tks
eCert.png
eCert-1.png
The DAG name should not be used for anything else, such as Outlook connectivity.
The RPC CAS Array name should not be used for anything other than MAPI TCP traffic.
You should have a unique host name for both of those, neither of which needs to be in the SSL certificate. You should have another host name for SSL based services.
You cannot change all references in EMC. You have to make modifications via the Shell - see the article I posted above.
Simon.
The RPC CAS Array name should not be used for anything other than MAPI TCP traffic.
You should have a unique host name for both of those, neither of which needs to be in the SSL certificate. You should have another host name for SSL based services.
You cannot change all references in EMC. You have to make modifications via the Shell - see the article I posted above.
Simon.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your DAG FQDN must be different than CAS array
DAG FQDN should not be used for outlook connectivity and both are not required in certificates.
Instead of struggling with having seperate names for internal and external, why don't you set internal and external URLs same and just use one public certificate for all, its easier and requires less configuration.
Only thing you need to setup split DNS so that external names can be resolved in private network with private IP
Simon already has provided you with required info with nice article in his earlier comment.
Mahesh
DAG FQDN should not be used for outlook connectivity and both are not required in certificates.
Instead of struggling with having seperate names for internal and external, why don't you set internal and external URLs same and just use one public certificate for all, its easier and requires less configuration.
Only thing you need to setup split DNS so that external names can be resolved in private network with private IP
Simon already has provided you with required info with nice article in his earlier comment.
Mahesh
ASKER
Yes, I have already used the public certificate for internal & external. And pop for that message... guessing I still miss something but I can't identify at this stage.
What problem exactly you are facing, if you could brief as appropriate please with any screen shots
Mahesh
Mahesh
Did you go through the article that I posted and checked everything? There a few that are easily missed, such as the setting on get-clientaccessserver
Simon.
Simon.
ASKER
Hi,
For identify "CAS-Server" is it talking about the actual host name, ie EX01 & EX02 in my case ?
Tks
Autodiscover URL:
Set-ClientAccessServer -Identity "CAS-Server" -AutodiscoverServiceIntern
Web Services URL :
Set-WebServicesVirtualDire
For identify "CAS-Server" is it talking about the actual host name, ie EX01 & EX02 in my case ?
Tks
Autodiscover URL:
Set-ClientAccessServer -Identity "CAS-Server" -AutodiscoverServiceIntern
Web Services URL :
Set-WebServicesVirtualDire
The reference is the actual name of the server.
If you do
get-clientaccessserver | select identity
then you will see what it is looking for.
Simon.
If you do
get-clientaccessserver | select identity
then you will see what it is looking for.
Simon.
ASKER
Tks
ASKER
Tks