viernes, 05 de junio de 2009 11:24I have an Exchange 2007 SP1 environment used to host services for multiple mail domains. I have to use autodiscover to setup client Outlook installations (due to OAB, simplicity etc), but I do not want to keep having to update / reinstall my server certificates every time a new domain needs to be added. Is there any way I can achieve this without the Outlook clients receiving Outlook cert security warnings?
My exchange domain is domain1.com and my cert contains entries for autodiscover.domain1.com, webmail.domain1.com etc. etc.
I now want to host email services for domain2.com and have set a DNS entry for autodiscover.domain2.com as a CNAME to point to autodiscover.domain1.com.
Autodiscover works fine for Outlook users of domain2.com and they are able to download the Offline Address Book etc etc, but they are prompted at least once each session that the certificate does not contain an entry for autodiscover.domain2.com. I was hoping that the use of a CNAME records to redirect autodiscover.domain2.com over to autodiscover.domain1.com would overcome the issue but it doesn't. Having to update my cert and then reimport into Exchange every time I add a new hosted domain is not a desirable option.
Many thanks if you can help.
(EDIT). Just to clarify, I cannot add any HTTP redirects etc to the customers domains, I can only add / modify DNS entries.
Todas las respuestas
viernes, 05 de junio de 2009 12:47Hi,
You can do something like that if you get separate public IP address for every new domain what you add to your system. Even in this case it will need more administration than exchanging cetificates.
The question is what type of certificates are you using? Certificate from a Public CA, own CA, or Self-Signed?
http://www.clamagent.org - Free Antivirus for Exchange
viernes, 05 de junio de 2009 12:52Thanks for the reply Zoltán. I am using a publicly issued UC cerificate (Entrust as root CA). It's not just the hassle of recreating / paying for an amended cert that concerns me, it's the need to remove / reinstall the cert each time a new domain is added. This will likely be several times per week and will mean services are unavailable for all users for at least a short period of time for each change. The cert request / removal / replace process is also open to errors / mistakes and I want to negate this as much as possible.
viernes, 05 de junio de 2009 15:59I've found another solution that has far more benefits than disadvantages. If you remove the autodiscover DNS entry from the clients domain and add an SRV record for _autodiscover._tcp.domain1.com on port 443 it works a treat. No cert errors, no need to change the cert for each customer etc etc.
The only issue is that many DNS providers do not let you create SRV records. I can live with that!
- Marcado como respuesta jwhitley viernes, 05 de junio de 2009 15:59
lunes, 13 de febrero de 2012 20:20
How is this working for you? Do you jsut create an SRV record for each domain and point it to a valid name on the cert? What clients have you tested this with?
lunes, 02 de abril de 2012 12:40