TMG Exchange Certificate and subject alternative names

    Question

  • Apologies if this question has already been answered, but I've found conflicting information on the web to this question.

    I need to publish OWA for external users only (I'm not concerned with Outlook or Outlook anywhere). I have the following:

    Internal Exchange Server
    inner TMG 2010 publishing OWA for outer TMG
    outer TMG2010 with edge transport role publishing OWA for external users
    Hardware firewall in front of TMG 2010 with edge role, listening for http(s) & smtp traffic with a forwarder

    My internal domain name is contoso.local and external contoso.com. For the subject alternative names on the SSL cert, can I get away with just the public domain names?

    email.contoso.com
    autodiscover.contoso.com

    Do I need to enter the FQDN of my Exchange server or any of the TMG 2010 publishing servers?

    Thanks


    IT Support/Everything

    Thursday, December 13, 2012 11:13 AM

Answers

  • Hi,

    It doesn't matter whether the certificate on the TMGs contains the internal FQDN of your Exchange Server. What is mandatory is that the FQDN for which the certificate is issued is the same as the URL the user enters in his browser.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    • Marked as answer by Aetius2012 Wednesday, December 19, 2012 8:41 AM
    Tuesday, December 18, 2012 11:41 PM

All replies

  • Hi,

    It depends on where you use the certificate for publishing OWA. If you only install the certificate on your outer TMG, then you need only the public names.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, December 13, 2012 11:52 AM
  • I only ever want my clients to connect to the outer TMG for OWA. In all the examples I've seen, publishing OWA from Exchange relies on a certificate. Can I just use the public names on my certificate, but still use it to encrypt traffic from outer TMG to inner TMG to Exchange?

    Would the alternative be to use a different cert for internal encryption?


    IT Support/Everything

    Thursday, December 13, 2012 6:00 PM
  • Hi,

    I always use a commercial certificate for OWA, like GoDaddy or VeriSign, because every browser trusts this certificate and you don't get any warnings. So I would order a SAN certificate for your outer TMG.

    For the inner TMG and the Exchange server you can use a private certificate from your own CA.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, December 13, 2012 6:16 PM
  • I don't have an internal CA, so I think I'll end up using a third-party cert on the outer TMG and self-signed certs on the inner TMG.

    IT Support/Everything

    Thursday, December 13, 2012 6:38 PM
  • Hi,

    If you don't have an internal CA, you can use a self-signed certificate, but you have to make sure that all clients and servers trust this certificate.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Thursday, December 13, 2012 7:42 PM
  • Hi,

    Thank you for the post.

    You may also refer to this article: http://autodiscover.wordpress.com/2010/07/03/exchange-server-what-are-the-names-required-for-my-certificate/

    Regards,


    Nick Gu - MSFT

    Tuesday, December 18, 2012 4:54 AM
  • I managed to get this working in my lab:

    I used a self-signed certificate for Internal-Exchange OWA.

    Then imported this certificate into the inner and outer TMG servers for use with the OWA publishing rules.
    The only CN on the certificate was ExchangeServer.contoso.local. I believe putting the public OWA domain on it should work fine; I'd rather avoid exposing my internal server names to the world.

    If there's an issue with using the OWA cert for TMG SSL encryption and not including the Exchange server's internal name (I'm not using split brain DNS), then please let me know.

    Thanks


    IT Support/Everything

    Tuesday, December 18, 2012 11:26 PM
  • Hi,

    It doesn't matter whether the certificate on the TMGs contains the internal FQDN of your Exchange Server. What is mandatory is that the FQDN for which the certificate is issued is the same as the URL the user enters in his browser.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    • Marked as answer by Aetius2012 Wednesday, December 19, 2012 8:41 AM
    Tuesday, December 18, 2012 11:41 PM
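
The accepted answer's rule (the certificate name must match the host in the URL the user types, and the internal Exchange FQDN is irrelevant on the outer TMG) can be checked before deploying a certificate. The following is an added example, not code from the thread or from TMG/Exchange; it models a certificate as a constructed CN plus SAN list and applies browser-style name matching (SAN dNSName entries take precedence, CN is a fallback only when no SANs exist, wildcards match a single leftmost label) to the public OWA URLs from the question and to the lab certificate that carried only ExchangeServer.contoso.local.

```python
"""Check whether a certificate's names cover the URL hostnames users will type.

Added example, not code from the thread. Certificates are constructed here as
(CN, [SAN dNSName, ...]) tuples; key/issuer details do not affect name matching.
"""
from urllib.parse import urlsplit


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as the
    entire leftmost label, and a wildcard never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.contoso.com" matches "email.contoso.com" but neither "contoso.com"
    # nor "a.b.contoso.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cn: str, sans: list[str], hostname: str) -> bool:
    """True if a browser would accept this certificate for `hostname`.

    When subjectAltName dNSName entries are present, only they are consulted;
    the subject CN is used solely as a fallback for certificates without SANs.
    """
    names = sans if sans else [cn]
    return any(_name_matches(n, hostname) for n in names)


def check_urls(cn: str, sans: list[str], urls: list[str]) -> dict[str, bool]:
    """Map each published URL to whether the certificate matches its host."""
    return {url: cert_covers(cn, sans, urlsplit(url).hostname) for url in urls}


# Constructed sample data: the public-name SAN certificate recommended for the
# outer TMG, and the lab certificate that only names the internal server.
PUBLIC_SAN_CERT = ("email.contoso.com",
                   ["email.contoso.com", "autodiscover.contoso.com"])
INTERNAL_ONLY_CERT = ("ExchangeServer.contoso.local", [])
PUBLISHED_URLS = ["https://email.contoso.com/owa",
                  "https://autodiscover.contoso.com/autodiscover/autodiscover.xml"]

if __name__ == "__main__":
    for label, (cn, sans) in (("public SAN cert", PUBLIC_SAN_CERT),
                              ("internal-only cert", INTERNAL_ONLY_CERT)):
        for url, ok in check_urls(cn, sans, PUBLISHED_URLS).items():
            print(f"{label:18} {url:62} {'OK' if ok else 'NAME MISMATCH'}")
```

Run it and the internal-only certificate reports NAME MISMATCH for both public URLs, which is exactly the browser warning users would see if that lab certificate were bound to the outer TMG listener.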