CERTIFICATES - Hybrid Exchange 2013 - Office 365 Migration

So, I have set up my Exchange 2013 CAS server which is to be used as my Office 365 Hybrid server for mailbox migrations.

My question is what all do I need to add to the SAN for this SSL Certificate?

We accept mail for numerous mail domains (28 total), of which only 15% of my users use a different primary SMTP address. Everyone has the one main SMTP and SIP address; just those 15% are manually updated to use a different primary SMTP address.

I know I need webmail.domainname.com and autodiscover.domainname.com, but do I need to have a SAN certificate for ALL 28 domains, or can I get away with using just the common (master) domain that everyone has?

All our mail flow is being directed through EOP already through connectors.

Anyone got a Hybrid Server Certificates for Dummies advice for this non-expert?

Christian Hans (Undecided...) asked:

Simon Butler (Sembee), Consultant, commented:
The only domains that you need to worry about are those where users have the domain as their PRIMARY email address. For those you need to cover Autodiscover only.
Everyone can use the same host name for everything else. If there are "politics" about using one of the names over the others, then register a generic name for everyone to use.

For Autodiscover, you have two, maybe three options (depending on what is available to you).

1. A UC (aka SAN) certificate, with the additional Autodiscover host names added to it. Could get expensive, and if you are likely to add additional names, then you would need to get the certificate reissued.
2. SRV records in each domain. Probably the preferred method, but does require the external DNS provider to support SRV records.
3. HTTP redirect site. This is where Autodiscover.example.com for each domain is pointed to another web site on the Exchange server. Requires a dedicated IP address and no binding to HTTPS because you are not using host headers at all. The traffic then hits that site and is redirected to the HTTPS site. That is what most hosted Exchange providers use as it does not require any additional setup. Downside is a redirect prompt to the clients.

If this is for an interim period, then options 2 and 3 would be the most cost effective, as they can be done with a single-name trusted SSL certificate.

Simon.
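To make the advice above concrete, here is an added Python audit script (not part of the original thread, and not a Microsoft or Exchange tool). It takes a constructed list of mailboxes, derives the set of domains that actually need Autodiscover (only primary SMTP domains, as Simon says), and reports which of the three methods covers each one: a SAN entry on the certificate, an SRV record in that domain, or the HTTP redirect site. The domain names, SAN list and DNS records are all constructed sample data; in a real audit you would feed in the output of Get-Mailbox and the certificate's actual SAN list.

```python
"""Audit Autodiscover coverage for the primary SMTP domains of a mailbox set.

Added example; all domains, SAN entries and DNS records below are constructed.
"""

# Constructed sample data: (primary SMTP address, [secondary proxy addresses]).
USERS = [
    ("alice@contoso.example", ["alice@fabrikam.example"]),
    ("bob@contoso.example", []),
    ("carol@fabrikam.example", ["carol@contoso.example"]),
    ("dave@tailspin.example", []),
]

# Constructed: SAN entries of the certificate bound to the hybrid CAS server (option 1).
CERT_SANS = {"webmail.contoso.example", "autodiscover.contoso.example"}

# Constructed: external DNS state. SRV_RECORDS maps _autodiscover._tcp names to
# (target host, port) (option 2); REDIRECT_HOSTS lists autodiscover.<domain> names
# that point at the plain-HTTP redirect site (option 3).
SRV_RECORDS = {"_autodiscover._tcp.fabrikam.example": ("webmail.contoso.example", 443)}
REDIRECT_HOSTS = set()


def primary_domains(users):
    """Only domains used as a *primary* SMTP address need Autodiscover.

    Proxy (secondary) addresses are ignored: Outlook locates the service
    from the user's primary address.
    """
    return sorted({addr.split("@", 1)[1].lower() for addr, _ in users})


def coverage(domain, sans, srv, redirect_hosts):
    """Return the Autodiscover method that serves `domain`, or None if nothing does."""
    host = f"autodiscover.{domain}"
    # Option 1: the name (or a wildcard for the domain) is on the certificate.
    if host in sans or f"*.{domain}" in sans:
        return "san"
    # Option 2: SRV record; its target must itself be a name on the certificate,
    # otherwise the client gets a name-mismatch warning instead of a working lookup.
    srv_name = f"_autodiscover._tcp.{domain}"
    if srv_name in srv:
        target, port = srv[srv_name]
        if port == 443 and target in sans:
            return "srv"
        return None  # SRV exists but points at a name/port the certificate does not cover
    # Option 3: HTTP redirect site (no HTTPS binding, so no certificate needed for `host`).
    if host in redirect_hosts:
        return "redirect"
    return None


def audit(users, sans, srv, redirect_hosts):
    """Map each primary SMTP domain to the method covering it (None = gap to fix)."""
    return {d: coverage(d, sans, srv, redirect_hosts) for d in primary_domains(users)}


def proposed_srv_records(report, target_host, port=443):
    """For uncovered domains, emit the SRV record text an admin would add (option 2)."""
    return [
        f"_autodiscover._tcp.{d}. IN SRV 0 0 {port} {target_host}."
        for d, method in report.items()
        if method is None
    ]


if __name__ == "__main__":
    report = audit(USERS, CERT_SANS, SRV_RECORDS, REDIRECT_HOSTS)
    for domain, method in report.items():
        print(f"{domain:<20} {method or 'NOT COVERED'}")
    for record in proposed_srv_records(report, "webmail.contoso.example"):
        print("add:", record)
```

The design choice worth noting is that an SRV record is only counted as coverage when its target is a name already on the certificate: the whole point of options 2 and 3 is that one single-name (or small UC) certificate serves every domain, so an SRV that points at an uncovered host just moves the certificate error rather than removing it.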

Christian Hans (Undecided...), Author, commented:
Thanks Sembee.