
Answered Exchange 2010 Certificate Requirements

  • 6 February 2012 14:15
     
     

    Hi,

    I want to publish Exchange 2010 Outlook Anywhere and OWA using TMG. How many public certificates do I need?

    Can I use a single wildcard certificate for Outlook Anywhere and OWA?

    Do I need to generate a certificate request on the Exchange servers to obtain the public certificate?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

All replies

  • 6 February 2012 14:41
     
     Answer

    Hi,

    Yes, you can go with a wildcard cert, but I would still recommend a SAN/UC certificate.

    Include your necessary names:

    mail.domain.com

    autodiscover.domain.com

    casarrayname.domain.com? - should not be included


    Maybe you have more names you need; then include those names in the certificate as well.

    Yes, you should create the request on the Exchange server:

    http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

    http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

     


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
  • 7 February 2012 02:48
     
     

    One clarification please. The CASArray name does NOT have to be on a certificate, as we use RPC encryption for RPC Client Access (RCA). You may think that you need it since your design may point everything to the same URL, mail.corp.com, but it is not used for RCA.

    Names that you want for the CAS namespace design should be on the cert.

    Also, the CAS array name should NOT be in external DNS -- only in internal DNS, so that clients in Starbucks do not try to connect to it using RPC (should it exist in public DNS), which causes a slower start-up experience.

    Before you request this cert, please read this: http://technet.microsoft.com/en-us/library/dd351198.aspx


    Cheers, Rhoderick

  • 7 February 2012 12:22
     
     

    You're right, the CAS array name shouldn't be included.

    If it's not the same name internally as the OWA/RCA etc., then it needs to be added, but not because of the CAS array; because other services are using the name, like OWA.

    Thanks for the heads-up.


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
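The advice in the two answers above (put the HTTPS names on the certificate, leave the CAS array FQDN off, and generate the request on the Exchange server itself) as a worked Exchange Management Shell session. This is an added example, not code from the thread or from DigiCert's guides; contoso.com, mail.contoso.com, autodiscover.contoso.com, the subject fields and C:\Certs are placeholder values. The check against Get-ClientAccessArray is the point: it reads the real CAS array FQDN(s) from the org instead of trusting a hand-typed list.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Internet-facing CAS (the server that will hold the private key). contoso.com,
# mail./autodiscover.contoso.com and C:\Certs are placeholders, not thread values.

# Names clients reach over HTTPS; these must all be in the SAN list.
$publicNames = @("mail.contoso.com", "autodiscover.contoso.com")

# The CAS array FQDN is used by RPC Client Access (MAPI over RPC), not HTTPS, so it
# is deliberately left out. Read it from the org rather than trusting memory.
$casArrayNames = Get-ClientAccessArray | ForEach-Object { $_.Fqdn }
foreach ($fqdn in $casArrayNames) {
    if ($publicNames -contains $fqdn) {
        throw "CAS array name '$fqdn' should not be in the certificate request"
    }
}

# Generate a PKCS#10 request. The first name becomes the CN; every name passed to
# -DomainName lands in the Subject Alternative Name extension.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso Ltd, cn=$($publicNames[0])" `
    -DomainName $publicNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Contoso Exchange 2010 public SAN"

New-Item -ItemType Directory -Path "C:\Certs" -Force | Out-Null
Set-Content -Path "C:\Certs\exchange-san.req" -Value $req

# The pending request is listed next to the installed certificates. Confirm the
# domain list is exactly what you intend before pasting the .req into the CA's form.
Get-ExchangeCertificate |
    Where-Object { $_.Status -eq "PendingRequest" } |
    Format-List Thumbprint, Subject, CertificateDomains, PrivateKeyExportable
```

-PrivateKeyExportable $true matters here: without it the key cannot be exported later for the second CAS or for TMG, and the request would have to be regenerated.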

  • 8 February 2012 10:32
     
     

    I have two MBX servers and two HUB/CAS servers, so where should I create the certificate request? On which server?


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 8 February 2012 20:51
     
     

    Internet-facing CAS.
  • 19 February 2012 17:28
    Moderator
     
     

    Hello,

    Is there any update on this thread?

    Thanks,
    Simon

  • 20 February 2012 03:07
     
     

    We are going with a SAN certificate from DigiCert.

    This SAN certificate will be used for Exchange 2010, SharePoint and Lync.


    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 25 March 2012 06:38
     
     

    Hi,

    We have purchased a SAN certificate from GoDaddy.

    This is a UCC certificate with 5 domains.

    Once I get the certificate, I will install it on the following servers; please correct me if I am wrong.

    1 - CAS Servers.

    2 - TMG Servers.

    I already have an internal certificate running on Exchange and TMG, so should I just delete that certificate?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
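The install step the post above describes (issued certificate onto the CAS servers, then the same certificate onto TMG), as an added Exchange Management Shell example that is not from the thread. Server names CAS1 and CAS2, the file names under C:\Certs and the service list are placeholders. It follows the practitioner's order: complete the request where it was generated, bind the new certificate, export it with its private key, import on the second CAS, and only then look at whether the old internal certificate still carries any service.

```powershell
# Added example, not from the thread. CAS1/CAS2, C:\Certs and file names are
# placeholders. Run in the Exchange Management Shell.

# 1. Complete the pending request on the CAS where it was generated, using the file
#    the CA returned. The intermediate CA certificate(s) shipped with it must also be
#    placed in the machine's Intermediate Certification Authorities store, or clients
#    will be offered an incomplete chain.
$issued = [Byte[]](Get-Content -Path "C:\Certs\exchange-san.crt" -Encoding Byte -ReadCount 0)
$cert   = Import-ExchangeCertificate -Server CAS1 -FileData $issued

# 2. Bind it. IIS covers OWA, ECP, EWS, ActiveSync, OAB and Outlook Anywhere; SMTP is
#    added for the TLS listener. -Force suppresses the "replace default SMTP cert" prompt.
Enable-ExchangeCertificate -Server CAS1 -Thumbprint $cert.Thumbprint -Services "IIS,SMTP" -Force

# 3. Export with the private key so the same certificate can go on CAS2 and on TMG.
#    The PFX password is prompted for, never written into the script.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Server CAS1 -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\Certs\exchange-san.pfx" -Value $pfx.FileData -Encoding Byte

# 4. Import and enable on the second CAS from the PFX.
$pfxBytes = [Byte[]](Get-Content -Path "C:\Certs\exchange-san.pfx" -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server CAS2 -FileData $pfxBytes -Password $pfxPassword |
    Enable-ExchangeCertificate -Server CAS2 -Services "IIS,SMTP" -Force

# 5. On each CAS, confirm that only the new certificate carries IIS/SMTP and that the
#    old internal certificate's Services column is empty before you remove it.
foreach ($server in "CAS1", "CAS2") {
    Get-ExchangeCertificate -Server $server |
        Select-Object @{n = "Server"; e = { $server }}, Thumbprint, Services, NotAfter, CertificateDomains |
        Format-Table -AutoSize
}

# Only after the old certificate shows no services:
# Remove-ExchangeCertificate -Server CAS1 -Thumbprint <old thumbprint>
```

On the TMG host the same PFX is imported into the Local Computer store (for example with certutil -importPFX, or the Certificates MMC) and then selected on the web listener; the private key must travel with it, which is why step 3 exports a PFX rather than the .crt. Do not delete the internal certificate before step 5 shows it unbound; the Exchange services keep using whichever certificate they are bound to, and a removed certificate that was still bound breaks the listener.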


  • 1 April 2012 09:39
     
     

    Hello Everyone,

    I have purchased the UCC certificate with 5 domains from GoDaddy, which I will install on the Exchange CAS servers and also import on TMG for publishing.

    But this certificate contains only public SANs.

    Do I need a private certificate as well if someone wants to access the system with internal names?

    Can I have both private and public certificates at the same time on the Exchange system?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 8 April 2012 08:21
     
     

    Hi Guys,

    Public Certificate from GoDaddy

    I have purchased a UCC certificate for Exchange 2010 which contains only public domain names for Exchange access.

    e.g. email.abc.com, mobile.abc.com, smtp.abc.com

    These are the SANs which will be used by mobile users and other branch office users over the internet.

    I have installed this certificate on TMG for publishing Exchange services.

    Private Certificate from Internal CA

    I have created a certificate which contains the internal SANs and installed it on Exchange.

    Now when users are on the internal network they connect to Exchange with the private certificate, and external users connect through TMG with the public certificate.

    This way I have fulfilled the SSL/certificate requirement for Exchange with minimal cost.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 18 January 2013 18:36
     
     

    Please be aware that certificate authorities are discontinuing issuing certs with internal names. See http://www.digicert.com/internal-names.htm

    You must configure your Exchange CAS/HUB to not use internal server names; instead you need to implement split-brain DNS, or "pinpoint DNS". See http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
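The reconfiguration the post above calls for, as an added example that is not from the thread or from the linked article: every internal URL is pointed at the public name so the public SAN certificate matches from inside, the two public names are given pinpoint zones on the internal DNS server so they resolve to the LAN address there, and the earlier point from this thread (the CAS array FQDN must not appear in public DNS) is turned into a check. CAS1, DNS1, 10.0.0.50, 10.0.0.1, the contoso.com names and the use of 8.8.8.8 as a public resolver are placeholders; dnscmd is used for the zones because it is present on Windows Server 2008 R2, and the nslookup parsing is a heuristic on its text output.

```powershell
# Added example, not from the thread. Assumes an internal CAS (or CAS array VIP)
# reachable at 10.0.0.50 from the LAN, an internal Windows DNS server DNS1 at
# 10.0.0.1, and the placeholder names below. Run in the Exchange Management Shell
# on a host that can also run dnscmd against DNS1. Repeat step 1 for each CAS.

$cas   = "CAS1"
$mail  = "mail.contoso.com"          # public name, now also used internally
$auto  = "autodiscover.contoso.com"
$lanIp = "10.0.0.50"                 # address LAN clients should get for both names
$dns   = "DNS1"

# 1. Point every internal URL at the public name so no internal hostname is needed
#    on the certificate. Outlook Anywhere only has an external hostname in 2010.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$auto/Autodiscover/Autodiscover.xml"
Set-OwaVirtualDirectory         -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$mail/owa" -ExternalUrl "https://$mail/owa"
Set-EcpVirtualDirectory         -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$mail/ecp" -ExternalUrl "https://$mail/ecp"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://$mail/EWS/Exchange.asmx" -ExternalUrl "https://$mail/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$cas\OAB (Default Web Site)" -InternalUrl "https://$mail/OAB" -ExternalUrl "https://$mail/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$mail/Microsoft-Server-ActiveSync" -ExternalUrl "https://$mail/Microsoft-Server-ActiveSync"
Set-OutlookAnywhere             -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $mail

# 2. Pinpoint DNS: one tiny AD-integrated zone per hostname, so only these two names
#    resolve differently on the LAN and the rest of contoso.com is untouched.
foreach ($name in $mail, $auto) {
    dnscmd $dns /ZoneAdd $name /DsPrimary
    dnscmd $dns /RecordAdd $name "@" A $lanIp
}

# 3. Resolution check from a client's point of view. Heuristic on nslookup's text
#    output: an answer prints a Name: line followed by an Address line, NXDOMAIN
#    prints "can't find".
function Test-NameResolves([string]$name, [string]$server) {
    $out = (nslookup -type=A $name $server 2>&1) -join "`n"
    return ($out -notmatch "can't find") -and ($out -match "Name:\s+\S+[\s\S]*Address")
}

$internalResolver = "10.0.0.1"   # placeholder internal DNS address
$publicResolver   = "8.8.8.8"    # any resolver outside the LAN

# The CAS array FQDN must resolve inside and must NOT resolve outside; if it does,
# roaming Outlook clients try RPC to it first and start up slowly.
foreach ($arrayFqdn in (Get-ClientAccessArray | ForEach-Object { $_.Fqdn })) {
    $inside  = Test-NameResolves $arrayFqdn $internalResolver
    $outside = Test-NameResolves $arrayFqdn $publicResolver
    "{0}: internal={1} public={2}" -f $arrayFqdn, $inside, $outside
    if ($outside) { Write-Warning "$arrayFqdn is visible in public DNS; remove that record." }
}

# The public names should resolve in both places (to different addresses).
foreach ($name in $mail, $auto) {
    "{0}: internal={1} public={2}" -f $name, (Test-NameResolves $name $internalResolver), (Test-NameResolves $name $publicResolver)
}
```

The URL changes take effect for Outlook clients on their next Autodiscover refresh, so expect a short window in which some clients still hold the old internal URLs; check Test-OutlookWebServices from a domain-joined client once DNS has replicated.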

  • 19 January 2013 14:35
     
     
    Thanks for the information.

    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified