Solved

Multiple UCC SSL certificates on MS Exchange 2010

Posted on 2014-10-23
11
182 Views
Last Modified: 2014-12-25
I have an  Exchange 2010 server that is currently hosting one authoritative domain. For this domain we also have a UCC SSL certificate.  I want to add another authoritative domain.  How can I add a second UCC SSL certificate so the each domain can use their own secured website to access the Exchange server?
0
Comment
Question by:David Barman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
11 Comments
 
LVL 4

Expert Comment

by:Sabi Goraya
ID: 40400877
Unless the exchnage is in hosted mode you will have to use the primary domain SSL.

The reason why i say that is because for authentication purposes you still have to use the local domain credentials anyway.

Also it depends on the scenario which meets our requirement.

The SSL is associated with the IIS directory which can only have one certificate associated with it.
0
 

Author Comment

by:David Barman
ID: 40400894
I am not familiar with hosted mode. Can you explain?

IIS is limited to one certificate?
0
 
LVL 4

Expert Comment

by:Sabi Goraya
ID: 40401014
Sorry What i meant was one SSL for Exchange to use with IIS

We offer similar solution to our clients where we host few domains.

What i have done is created  a domain called hosted.local and all the clients can use the same domain for authentication and a SSL certificate for a domain that i created called hosted.sbc.com

By creating a separate database for Hosted i am able to isolate them from the address list for internal business.

Does that work for you?

Can you advise if the second domain is for external client that you are adding or for internal use only?

Sorry for amateur answers as i am trying to figure out what you are trying to achieve and what your limitations or security concerns are ?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40401224
The whole point of having a UCC certificate is to allow different domains to be listed on the certificate.
Therefore if you have mail.example.com as the common name, you can add mail.example.net as an additional name. Users can browse to mail.example.net and get connected without any errors.
Only if they open the SSL certificate properties would they see the common name.

However, even if you were to put a second certificate on to the server, you are not going to be able to hide the common name. You have to configure URLs within Exchange which will correct the browser or device to use the preferred name. Even if you add an additional IIS web site, or server, if they are in the same Exchange org, it is one URL for all users.

What you haven't said is what connection this second domain is to your business.
If it is just an additional subsidiary, then you are fine. If it is a client then you are breaking the terms of your licence agreement. You would need to be on a Microsoft licence scheme for hosting providers.

Simon.
0
 

Author Comment

by:David Barman
ID: 40401860
It's for a sister company that we acquired.
0
 

Author Comment

by:David Barman
ID: 40401861
Is it possible to keep the GALs separate by using different databases?
0
 

Author Comment

by:David Barman
ID: 40401865
If I added the other domain name to the certificate, will that allow them to use their domain to access the server either via owa, activesync, or Outlook via rcp over https?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40401872
If you add their domain to the certificate, they will initially use their own name. However it will be corrected to the name as configured on the URLs within Exchange by Autodiscover. It isn't possible to have different URLs for different users unless the servers are separate and in separate active directory sites.

Databases don't separate the GALs. You need to look at Address Book Policies.

Simon.
0
 

Author Comment

by:David Barman
ID: 40401881
But the url will automatically change?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40403162
Yes, it will.
That is done by Exchange and Autodiscover automatically. Nothing you can do to stop that.

Simon.
0
 

Author Closing Comment

by:David Barman
ID: 40517594
Thank you
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question