Microsoft Exchange SAN certificate

I am trying to narrow down what I need to include in my new SAN certificate. I have read several different opinions on what it should contain, so I need a little help.
We have an external domain and an internal domain. My new Exchange environment will contain a new CAS Array with 2 CAS/HUB servers and then 4 mailbox servers with DAG.
I already know I need my FQDN for OWA/ActiveSync, which will be the same name, and I know I need and
But do I have to include all the server names (NetBIOS name and FQDN) as well as the CASARRAY?

Some clarification would be very helpful before I go buying my SAN certificate, since I need to know how many Subject Alternative Names I will be using.

Thanks so much in advance.

Amit Kumar commented:
First of all, I want to confirm: are you using a wildcard certificate or a simple domain certificate with the UCC feature?

You will need to add the OWA and Autodiscover DNS names that are published on the internet; there is no need to add internal DNS names to the SAN certificate if you are using it for public connectivity. As a precaution you can add the CAS Array DNS name for the sake of Outlook connectivity, which sometimes causes issues, but it is not mandatory.

If you are applying a wildcard certificate then there is no major need for any SAN name.

One more thing: you can publish all your OWA and Autodiscover (public) records in internal DNS to avoid any issue.
AMSsupport (Author) commented:
I thought the recommendation from Microsoft is not to use a wildcard. So I do not need to add each of the mail servers' FQDNs? We already have a SAN certificate, but I am putting in a whole new Exchange environment and was afraid that the new server names not being in the existing SAN would break something. We do own a wildcard certificate for our domain and it would be great if that is all I have to use, but I am afraid of breaking the existing environment if I change it over to use the wildcard. OWA & Autodiscover are published externally and internally. So I shouldn't use the mailbox server name as internal OWA; I should just use the same link internally as we do externally then?

Also, will users have issues authenticating because the domain controllers are in a sub domain of our external domain? I also already know that our wildcard does not work for this sub domain because I tried using it for an internal web site and it didn't like it. Maybe that is why we were told we needed a SAN....

So sorry, just a little confused and don't mean to be anal about this. But I am building the new Exchange environment in the existing one and then will retire the old servers as we move mailboxes over to a more centralized Exchange org instead of having Exchange servers all over the country.

Thanks again for your quick response.
Amit Kumar commented:
I have worked with multiple orgs and we have used only a wildcard certificate without any issue. Yes, there is one issue: POP/IMAP doesn't work on a wildcard; they need an exact DNS name certificate.

With a wildcard there is no need to add SAN names; still, if you want to add some, add the OWA and Autodiscover URLs in the SAN.

If some users are in a child domain and they have an e-mail address with only the root domain, then that will not create any issue. Just do one thing: mark your OWA authentication with "domain\UserName" so it will authenticate against the relevant domains. Also educate users to enter their username with their respective domains.
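The sub-domain limitation the asker ran into (a wildcard for the external domain not covering hosts in the internal child domain) is easy to check before buying a certificate. The following is an added example, not code from the thread: it implements RFC 6125 wildcard matching and compares a certificate's name list against the names Exchange clients will connect to. All domain names are constructed placeholders; the asker's real domains are not on the page.

```python
from typing import Iterable, List


def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a '*' is only valid as the entire leftmost label
    and matches exactly one label, so '*.example.com' covers
    'mail.example.com' but neither 'example.com' nor 'mail.corp.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host            # plain SAN entry: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard outside leftmost label is invalid
    # Same number of labels, and every label after the '*' must be identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Iterable[str], host: str) -> bool:
    """True if any SAN / CN entry on the certificate matches the host."""
    return any(wildcard_matches(name, host) for name in cert_names)


def uncovered_names(cert_names: Iterable[str], required_hosts: Iterable[str]) -> List[str]:
    """Return the client-facing names that the certificate would NOT cover."""
    names = list(cert_names)
    return [h for h in required_hosts if not cert_covers(names, h)]


# Constructed sample data (assumptions, not the asker's environment):
# external domain example.com, internal AD child domain corp.example.com.
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["mail.example.com", "autodiscover.example.com",
            "casarray.corp.example.com"]
REQUIRED = ["mail.example.com",           # OWA / ActiveSync / Outlook Anywhere
            "autodiscover.example.com",   # Autodiscover, published on the same domain
            "casarray.corp.example.com"]  # CAS Array name in the internal child domain

if __name__ == "__main__":
    print("wildcard leaves uncovered:", uncovered_names(WILDCARD_CERT, REQUIRED))
    print("SAN cert leaves uncovered:", uncovered_names(SAN_CERT, REQUIRED))
```

Feed it the SAN list from the actual certificate (for example from the Certificates MMC or openssl) and the full set of internal and external URLs configured on the CAS virtual directories; any name it reports needs its own SAN entry.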
AMSsupport (Author) commented:
Ok, this is great information. But you did say that a wildcard doesn't work for POP/IMAP, and I do have Mac users as well, so for that reason would I need to have a SAN certificate so they can get their email through OWA? I really appreciate your patience. So if I understand you correctly, I could replace my existing SAN certificate with our wildcard certificate right now and everything would still work: OWA/ActiveSync/Outlook Anywhere, which all use the same external DNS. My concern is Autodiscover. We are using Forefront TMG as the front end for OWA/ActiveSync/Outlook Anywhere right now, but that will be switching over to Netscaler for load balancing and external access.

Again, I appreciate your assistance.
Amit Kumar commented:
Yes! POP/IMAP does not work with a wildcard certificate. For Mac users, I think if you use Outlook 2011 it will work with the Outlook Anywhere feature.

Autodiscover will be published with the same domain as the OWA DNS name, so there is no other configuration required.
