Solved

certificates for Exchange 2010

Posted on 2013-12-11
16
242 Views
Last Modified: 2013-12-22
We have created two SAN certificates:

Internal (services: IMAP, POP, UM, SMTP)
exdag.abc.com, ex01.abc.com, ex02.abc.com, mail.abc.com, autodiscover.abc.com

External (services: POP, IIS, SMTP)
mail.abc.com, autodiscover.abc.com

If we use the internal certificate with the IIS service, a certificate warning message always pops up until we bind the IIS service to it. However, external access to webmail will not work when the IIS service binding is on the external certificate.

Currently, we have changed all the CAS to refer to mail.abc.com in the external URL. I was told that it is possible to create an internal certificate for internal use and a public certificate for external use. However, it doesn't work as expected. Any idea? Can I make the internal certificate work without IIS binding?

For this change, will the DAG work as expected? In case EX01 is down, will EX02 actually take over the work, as I have already changed all the CAS internal & external references to mail.abc.com?

Great thanks.
0
Question by:AXISHK
16 Comments
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 200 total points
ID: 39713409
You cannot bind multiple SSL certificates to the IIS service (Default Web Site) on a CAS server.

If your internal and external URLs are the same (split DNS), then you can use a single external certificate for IIS and you don't require an internal SSL certificate.

If you want to use separate certificates with internal and external URLs, then you need to create one more OWA virtual directory:

http://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx

Mahesh
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 300 total points
ID: 39713461
The simple way is to use the external host name internally and have one SSL certificate for everything. This is easily set up within Exchange and AD.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:AXISHK
ID: 39713468
We are using exdag.abc.com, but if we change it to mail.abc.com, will it work as expected?

Tks
0

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39713711
As long as DNS and Exchange are set up correctly and the certificate is trusted, it will work fine. You can use any name that you like.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39714190
EXDAG was created when creating the DAG for both Exchange servers. The EXDAG DNS record can be updated directly by Exchange if the other pair is down. Outlook is pointing to the server name EXDAG.

In case I change it to mail.abc.com, does it mean that I need to update the DNS manually ... the automatic failover feature in Outlook is lost.

Based on the URL, I can't figure out what I need to set up on my Exchange. Is there any further detail or example? Tks

http://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39715920
How is your Outlook pointing to EXDAG (DAG \ cluster virtual account, if I am not wrong)?

As long as Outlook is able to connect to the CAS array \ CAS server, you should be able to connect.

Check the articles below for more details:
http://technicaljeditrials.info/2011/02/28/exchange-2010-multiple-owaecp-directories-part-1/
http://johnyassa.wordpress.com/tag/multiple-owa-ecp-virtual-directories/

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39716080
I have changed to use the external certificate mail.ktl.com.hk internally. I have made this reference under Outlook Web App, Exchange Control Panel, Exchange ActiveSync, and Offline Address Book Distribution.

When I start Outlook, it still pops up for a server EX01? We have a DAG group "EXDAG" with two physical servers named "EX01" & "EX02". In fact, the public certificate "mail.abc.com" is used to check "EX01". Any idea?

Tks
eCert.png
eCert-1.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39716088
The DAG name should not be used for anything else, such as Outlook connectivity.
The RPC CAS Array name should not be used for anything other than MAPI TCP traffic.

You should have a unique host name for both of those, neither of which needs to be in the SSL certificate. You should have another host name for SSL based services.

You cannot change all references in EMC. You have to make modifications via the Shell - see the article I posted above.

Simon.
0
 

Assisted Solution

by:AXISHK
AXISHK earned 0 total points
ID: 39716106
Are you talking about the link "http://semb.ee/hostnames"??

"You should have a unique host name for both of those, neither of which needs to be in the SSL certificate. You should have another host name for SSL based services."

What do you mean? Sorry for that ...
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39716132
Your DAG FQDN must be different from the CAS array.
The DAG FQDN should not be used for Outlook connectivity, and neither of them is required in certificates.

Instead of struggling with separate names for internal and external, why don't you set the internal and external URLs the same and just use one public certificate for all? It's easier and requires less configuration.
The only thing you need is to set up split DNS so that the external names can be resolved in the private network with a private IP.

Simon has already provided you with the required info in the nice article in his earlier comment.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39716216
Yes, I have already used the public certificate for internal & external, and it still pops up that message... I guess I am still missing something, but I can't identify it at this stage.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39716494
What problem exactly are you facing? If you could describe it as appropriate, please, with any screenshots.

Mahesh
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39716856
Did you go through the article that I posted and check everything? There are a few things that are easily missed, such as the setting on get-clientaccessserver.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39720616
Hi,
For the identity "CAS-Server", is it talking about the actual host name, i.e. EX01 & EX02 in my case?

Tks

Autodiscover URL:
Set-ClientAccessServer -Identity "CAS-Server" -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

Web Services URL:
Set-WebServicesVirtualDirectory -Identity "CAS-Server\EWS (Default Web Site)" -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39721243
The reference is the actual name of the server.
If you do

get-clientaccessserver | select identity

then you will see what it is looking for.

Simon.
0
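One way to apply the single-name setup that Mahesh and Simon describe above (same internal and external URL everywhere, one public certificate, split DNS) and then audit the result, as an added example that is not code from the thread or from the linked article. It assumes the name mail.abc.com and the servers EX01/EX02 from the question, and that split DNS already resolves mail.abc.com to the private IP internally.

```powershell
# Added example, not from the thread or the linked article: run in the Exchange
# Management Shell (PowerShell 2.0) on Exchange 2010. Assumes the single public
# name mail.abc.com and the CAS servers EX01/EX02 from the question.
$Name  = 'mail.abc.com'
$Hosts = 'EX01', 'EX02'

foreach ($cas in $Hosts) {
    # Autodiscover is a server property, not a virtual directory.
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$Name/autodiscover/autodiscover.xml"
    # One name for InternalUrl and ExternalUrl on every virtual directory;
    # split DNS resolves mail.abc.com to the private IP inside the network.
    $vdirs = @{
        'Set-OwaVirtualDirectory'         = @('owa', 'owa')
        'Set-EcpVirtualDirectory'         = @('ecp', 'ecp')
        'Set-ActiveSyncVirtualDirectory'  = @('Microsoft-Server-ActiveSync', 'Microsoft-Server-ActiveSync')
        'Set-OabVirtualDirectory'         = @('OAB', 'OAB')
        'Set-WebServicesVirtualDirectory' = @('EWS', 'ews/exchange.asmx')
    }
    foreach ($cmd in $vdirs.Keys) {
        $id  = "$cas\$($vdirs[$cmd][0]) (Default Web Site)"
        $url = "https://$Name/$($vdirs[$cmd][1])"
        & $cmd -Identity $id -InternalUrl $url -ExternalUrl $url
    }
}

# Audit: a URL that still names a server, the DAG or the CAS array causes the
# Outlook certificate prompt from the thread, since those names are not in the cert.
$Forbidden = @($Hosts) +
    @(Get-DatabaseAvailabilityGroup | ForEach-Object { $_.Name }) +
    @(Get-ClientAccessArray | ForEach-Object { $_.Fqdn })
$Urls = @(Get-ClientAccessServer | ForEach-Object { "$($_.AutoDiscoverServiceInternalUri)" })
$Vds  = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
        @(Get-ActiveSyncVirtualDirectory) + @(Get-OabVirtualDirectory) +
        @(Get-WebServicesVirtualDirectory)
foreach ($vd in $Vds) { $Urls += "$($vd.InternalUrl)", "$($vd.ExternalUrl)" }
foreach ($u in $Urls) {
    foreach ($f in $Forbidden) {
        if ($u -and $f -and ($u -match [regex]::Escape($f))) { Write-Warning "$u still references $f" }
    }
}
# The certificate enabled for IIS must carry the name too; otherwise the
# prompt persists even when every URL above is correct.
foreach ($cas in $Hosts) {
    $cert = Get-ExchangeCertificate -Server $cas |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert -or -not ($cert.CertificateDomains -contains $Name)) {
        Write-Warning "${cas}: IIS certificate does not contain $Name"
    }
}
```

Run the audit half on its own first to see which URLs still point at EX01 or EXDAG before changing anything; the DAG name and CAS array FQDN are expected to be absent from every URL and from the certificate, exactly as Simon states.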
 

Author Closing Comment

by:AXISHK
ID: 39734485
Tks
0
