Exchange 2010 Certificate Requirements / autodiscover / Best Practice

I am renewing the SSL certificate for an Exchange 2010 server (running on SBS 2011).

I have been trying to decide whether a single-name SSL certificate would be suitable, or whether we have to go for a Unified Communications certificate.

I am particularly concerned about Outlook / Autodiscover issues. I believe there is a workaround for making a single-name cert work.

I can't find any Microsoft documentation that specifically says what is required / best practice. I would really like to see exactly what MS say about this requirement.
Will Szymkowski (Senior Solution Architect) commented:
When you are working with Exchange a UCC cert is the most appropriate method. You only need 2 DNS SAN names for it.

I would stay on this path as it will make things easier for connecting your devices without any certificate issues.
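The two-name UCC request Will describes, as an added example that is not part of the thread or of any Microsoft documentation. It is typed into the Exchange Management Shell on the Exchange 2010 server. The domain contoso.com, the external hostname mail.contoso.com, the file paths under C:\Certs and the organisation name are placeholders; substitute your own.

```powershell
# Added example (not from the thread): request a UCC/SAN certificate for Exchange 2010
# carrying exactly the two public names Outlook needs, then bind it to IIS and SMTP.
# Assumptions: public domain contoso.com, external host mail.contoso.com, CA returns
# the signed certificate as C:\Certs\mail.contoso.com.cer. All placeholders.

$external = 'mail.contoso.com'
$autodisc = 'autodiscover.contoso.com'

# 1. Generate the CSR. CN goes in SubjectName; every name a client will connect to
#    goes in DomainName (the SAN list), including the CN itself so nothing is left to chance.
$csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "C=GB, O=Contoso Ltd, CN=$external" `
        -DomainName $external, $autodisc `
        -KeySize 2048 -PrivateKeyExportable $true `
        -FriendlyName "Contoso Exchange UCC $(Get-Date -Format yyyy)"
Set-Content -Path 'C:\Certs\mail.contoso.com.req' -Value $csr

# 2. Submit C:\Certs\mail.contoso.com.req to the CA. When the signed certificate
#    comes back, import it on the same server that generated the request (that is
#    where the private key lives).
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\Certs\mail.contoso.com.cer' -Encoding Byte -ReadCount 0))

# 3. Bind it to IIS (OWA, EWS, ActiveSync, Autodiscover, Outlook Anywhere) and to SMTP for TLS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Check the SAN list and expiry before calling the renewal done.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Enabling the new certificate for SMTP will prompt to overwrite the default self-signed SMTP binding; that is expected. Keep the old certificate in the store until Outlook, ActiveSync and any partner TLS peers have been confirmed against the new one, then remove it with Remove-ExchangeCertificate.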


gbi3q (Author) commented:
Hi Will

Thanks for the info. I have seen a number of people recommending the UCC route.

However, this issue is going to come up more and more for our customers. My boss likes to have MS Best Practice info to back up what we are telling / selling to them.

I have Googled fairly extensively and trawled through TechNet to no avail. Do you have any other ideas?

Will Szymkowski (Senior Solution Architect) commented:
Take a look at the TechNet article below, which illustrates best practice and states that a SAN certificate is a best practice.

Look under Digital Certs Best Practice.


Simon Butler (Sembee) (Consultant) commented:
I don't think there is such a thing as best practice on this element.
Microsoft have provided three solutions for Autodiscover:

- hostname route -
- SRV records
- HTTP redirect

I am with Will on this though, I usually use the UC certificate route and include on the certificate. I find that is most reliable and means you don't get caught in an ISP putting wildcards in the domain screwing up Autodiscover.

Lots of questions on this site about why SRV records do not work or end users getting prompts from a random web site, and it is usually because resolves to an external address and the web host is using a control panel which uses Autodiscover for its own purposes.
For SRV records to work you need to ensure doesn't resolve.
For the HTTP redirect option you need two IP addresses for the Exchange server.
When you can get a UC type certificate for $80/year, have three additional names to use to secure other services and generally a more reliable configuration, it seems daft not to.
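A check for the failure modes Simon lists, added here as an example rather than anything posted in the thread. It pulls every hostname Exchange 2010 hands out to clients, compares each against the SAN list of the certificate bound to IIS, and then runs the two DNS lookups that decide whether the SRV route can work at all. It assumes one Client Access server and uses contoso.com as a placeholder domain; the hostname-to-SAN comparison is my own logic, not an Exchange cmdlet.

```powershell
# Added example (not from the thread): find namespace names that are not on the IIS
# certificate, and check the DNS conditions for the SRV Autodiscover option.
# Assumes a single CAS; run per server on a multi-server site. contoso.com is a placeholder.

# Every URL Exchange publishes to clients: Autodiscover, EWS, OAB, ActiveSync, OWA.
$urls = @()
$urls += @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-OabVirtualDirectory       | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-OwaVirtualDirectory       | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

# Reduce to hostnames; Outlook Anywhere publishes a bare hostname rather than a URL.
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host })
$hosts += @(Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } |
            ForEach-Object { $_.ExternalHostname.ToString() })
$hosts = @($hosts | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)

# SAN list of whichever certificate is currently serving IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

foreach ($name in $hosts) {
    # Covered if the exact name is a SAN, or a wildcard for its parent domain is.
    $parent   = $name -replace '^[^.]+\.', ''
    $covered  = ($sans -contains $name) -or ($sans -contains "*.$parent")
    if ($covered) { "OK        $name" }
    else          { "MISMATCH  $name is not on the IIS certificate ($($iisCert.Thumbprint))" }
}

# SRV route: the record must exist at _autodiscover._tcp.<domain>, and the plain
# autodiscover hostname must NOT resolve, or Outlook will try it first and prompt
# against whatever web host answers there. Run these from outside the LAN too.
nslookup -type=A   autodiscover.contoso.com
nslookup -type=SRV _autodiscover._tcp.contoso.com
```

Any line reporting MISMATCH is a name Outlook or ActiveSync will be told to use but that the certificate does not cover, which is exactly the source of the certificate prompts described above. Fix it either by adding the name to the SAN list on the next request or by pointing that virtual directory at a name already on the certificate with the matching Set-*VirtualDirectory cmdlet.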

Peter Hutchison (Senior Network Systems Specialist) commented:
Try this article, in particular the section headed 'IIS':

Will Szymkowski (Senior Solution Architect) commented:
Peter, I already provided that link. It goes to the same site as in my post ID: 40791395.

This link does reference Exchange 2013 but the same concept applies.

Peter Hutchison (Senior Network Systems Specialist) commented:
Just as a note, when we also installed the Hub Transport role on our Exchange CAS servers, they could use TLS over SMTP, which seems to use the FQDN of the server names. So it's an idea to add all the CAS/SMTP server FQDNs to the SAN, but if you have your own domain CA, you could use that instead.

If using Office 365 you will need a separate certificate for communicating with Microsoft's Forefront Protection SMTP servers, and that requires a certificate to use to communicate from on-premises Exchange servers to Office 365.

Finally, if using the MRS service to migrate mailboxes between Exchange and Office 365 you need a secure connection. We found that the MRS service did not like our load-balanced CAS server setup and we had to use a different name that pointed to just one CAS server, and that name also needed to be added to the SAN list on the certificate.
gbi3q (Author) commented:
Thanks to all users for your advice.

It is a shame that the documents all seem to refer to Exchange 2013, and they don't specifically mention UCC.

I will try to persuade the powers that be that the information is sufficient.

Will Szymkowski (Senior Solution Architect) commented:
SAN and UCC are used interchangeably. A UCC uses SAN names within it. Some people call it a SAN cert, some call it a UCC. Microsoft updates their TechNet articles to the most recent version of the product if the process has not changed.
