Exchange 2010 Certificate Requirements (Answered)

  • 6 February 2012, 14:15

    Hi,

    I want to publish Exchange 2010 Outlook Anywhere and OWA using TMG. How many public certificates do I need?

    Can I use a single wildcard certificate for Outlook Anywhere and OWA?

    Do I need to generate a certificate request on the Exchange servers to obtain the public certificate?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

All replies

  • 6 February 2012, 14:41
     Answered

    Hi,

    Yes, you can go with a wildcard cert, but I would still recommend a SAN/UC certificate.

    Include your necessary names:

    mail.domain.com

    autodiscover.domain.com

    casarrayname.domain.com? - should not be included


    If you have any more needs, include those names in the certificate as well.

    Yes, you should create the request on the Exchange server:

    http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

    http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
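The request, import, enable and copy-to-second-CAS steps that the answer above describes, as an added Exchange Management Shell example (this is not code from the thread or from the linked DigiCert pages). It uses the names given in the answer (mail.domain.com, autodiscover.domain.com) and deliberately leaves the CAS array name out of the SAN list; the subject organisation, the file paths, the second server name CAS02 and the issued-certificate file name are assumptions.

```powershell
# Run in the Exchange Management Shell on the Internet-facing CAS.
# Names from the thread: mail.domain.com, autodiscover.domain.com.
# Assumed: O/C in the subject, C:\Certs paths, second CAS named CAS02.

# 1. Generate the request. CN is the primary name; every name clients
#    connect to goes in -DomainName (the SAN list). No CAS array name here.
$names = 'mail.domain.com', 'autodiscover.domain.com'
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US, O=Contoso Ltd, CN=mail.domain.com' `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true          # needed so it can be exported to CAS02
Set-Content -Path 'C:\Certs\mail.domain.com.req' -Value $csr

# 2. Submit the .req to the public CA. When the issued certificate is back
#    (assumed saved as mail.domain.com.cer), import it on the same server so
#    it pairs with the private key created in step 1.
$certBytes = [Byte[]](Get-Content -Path 'C:\Certs\mail.domain.com.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes

# 3. Bind it. IIS covers OWA, ECP, EWS, ActiveSync, OAB and Outlook Anywhere;
#    SMTP gives TLS on the Hub role when it is on the same box (Exchange asks
#    before replacing the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 4. Export with the private key (PFX) and import on the second CAS so both
#    array members present the identical certificate.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\Certs\mail.domain.com.pfx' -Value $pfx.FileData -Encoding Byte

$pfxBytes = [Byte[]](Get-Content -Path 'C:\Certs\mail.domain.com.pfx' -Encoding Byte -ReadCount 0)
$cert2 = Import-ExchangeCertificate -Server 'CAS02' -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Server 'CAS02' -Thumbprint $cert2.Thumbprint -Services 'IIS,SMTP'

# 5. Verify on each CAS: the IIS-bound certificate must list every required
#    name in CertificateDomains and must not be close to expiry.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
```

Delete the PFX file once CAS02 has imported it; the same PFX is what TMG needs later, so either export it again at that point or keep it only on an access-controlled share.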
  • 7 February 2012, 2:48

    One clarification, please. The CAS array name does NOT have to be on a certificate, as we use RPC encryption for RPC Client Access (RCA). You may think that you need it since your design may point everything to the same URL mail.corp.com, but it is not used for RCA.

    Names that you want for the CAS namespace design should be on the cert.

    Also, the CAS array name should NOT be in external DNS, only in internal DNS. This is so that clients in Starbucks do not try to connect to it using RPC (should it exist in public DNS), which causes a slower start-up experience.

    Before you request this cert, please read this: http://technet.microsoft.com/en-us/library/dd351198.aspx


    Cheers, Rhoderick

  • 7 February 2012, 12:22

    You're right, the CAS array name shouldn't be included.

    If it's not the same name internally as OWA/RCA etc., then it needs to be added, but not because of the CAS array; because other services are using the name, like OWA.

    Thanks for the heads-up.


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82

  • 8 February 2012, 10:32

    I have two MBX servers and two HUB/CAS servers, so where should I create the certificate request? On which server?


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 8 February 2012, 20:51

    I have two MBX servers and two HUB/CAS servers, so where should I create the certificate request? On which server?


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Internet-facing CAS
  • 19 February 2012, 17:28
    Moderator

    Hello,

    Is there any update on this thread?

    Thanks,
    Simon

  • 20 February 2012, 3:07

    We are going for a SAN certificate from DigiCert.

    This SAN certificate will be used for Exchange 2010, SharePoint and Lync.


    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 25 March 2012, 6:38

    Hi,

    We have purchased a SAN certificate from GoDaddy.

    This is a UCC certificate with 5 domains.

    Once I get the certificate, I will install it on the following servers; please correct me if I am wrong.

    1 - CAS servers.

    2 - TMG servers.

    I already have an internal certificate running on Exchange and TMG, so should I just delete that certificate?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified


  • 1 April 2012, 9:39

    Hello Everyone,

    I have purchased a UCC certificate with 5 domains from GoDaddy, which I will install on the Exchange CAS servers and also import on TMG for publishing.

    But this certificate contains only public SANs.

    Do I need a private certificate as well if someone wants to access the system with internal names?

    Can I have both private and public certificates at the same time on the Exchange system?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

  • 8 April 2012, 8:21

    Hi Guys,

    Public certificate from GoDaddy

    I have purchased a UCC certificate for Exchange 2010 which contains only public domain names for Exchange access.

    e.g. email.abc.com, mobile.abc.com, smtp.abc.com

    These are the SANs which will be used by mobile users and other branch office users over the Internet.

    I have installed this certificate on TMG for publishing Exchange services.

    Private certificate from internal CA

    I have created a certificate which contains the internal SANs and installed it on Exchange.

    Now when the users are in the internal network they connect to Exchange with the private certificate, and external users connect through TMG with the public certificate.

    This way I have fulfilled the SSL/certificate requirement for Exchange with minimal cost.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
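A check for the two-certificate layout described in the post above, added here as an example and not part of the thread: a PowerShell probe that opens a TLS connection to a name, reports the certificate actually presented, and tests whether the name is covered by the certificate's CN or SAN list (a wildcard covers exactly one label). Run it from an internal client against the internal names and from outside against the TMG-published names (email.abc.com and mobile.abc.com are from the thread; cas01.corp.local is an assumed internal name). It assumes .NET 4.5 or later so that SNI is sent, and an English-locale Windows so the SAN extension formats as "DNS Name=".

```powershell
# Added example. Inspects the certificate a TLS endpoint presents and checks
# name coverage; it never trusts the chain (this is a diagnostic, not a client).

function Test-CertificateName {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            # Wildcard covers one label only: *.abc.com matches email.abc.com,
            # not a.b.abc.com and not abc.com itself.
            $suffix = $n.Substring(1).ToLower()            # ".abc.com"
            $lower  = $HostName.ToLower()
            if ($lower.EndsWith($suffix)) {
                $label = $lower.Substring(0, $lower.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-TlsCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($HostName, $Port)
    try {
        # Accept any chain so a private-CA or mismatched cert is still reported.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # SNI sent on .NET 4.5+ (assumed)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate

        # SAN extension (OID 2.5.29.17). Format() output is locale dependent;
        # "DNS Name=" is the English form (assumed).
        $dnsNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $allNames = @($cn) + @($dnsNames)

        New-Object PSObject -Property @{
            HostName   = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Names      = $allNames
            NameMatch  = Test-CertificateName -HostName $HostName -CertNames $allNames
        }
    }
    finally { $client.Close() }
}

# Constructed check list: the public names should show the GoDaddy issuer,
# the internal name the internal CA. Any NameMatch = False is a client warning.
'email.abc.com', 'mobile.abc.com', 'cas01.corp.local' |
    ForEach-Object { Get-TlsCertificateReport -HostName $_ } |
    Format-Table HostName, Issuer, NameMatch, NotAfter -AutoSize
```

Run the same probe on the TMG host against the name TMG uses in its publishing rule to reach the CAS: with HTTPS bridging, that name must be on the internal certificate and TMG must trust the internal CA, otherwise the public side works and the back-end connection fails.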

  • 18 January 2013, 18:36

    Please be aware that certificate authorities are discontinuing issuing certs with internal names. See http://www.digicert.com/internal-names.htm

    You must configure your Exchange CAS/HUB to not use internal server names; instead you need to implement split-brain DNS or "pinpoint DNS". See http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
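The reconfiguration the post above calls for, as an added example rather than code from the thread or the linked article: point every Exchange 2010 client-access URL at the public names so the public UCC certificate is valid on both sides, then create pinpoint DNS zones on the internal Windows DNS server so those names resolve to the internal CAS. email.abc.com and mobile.abc.com are the names from the thread; autodiscover.abc.com, the server names CAS01/CAS02, the DNS server DC01 and the internal IP are assumptions.

```powershell
# Run in the Exchange Management Shell. Assumed: CAS01/CAS02, DC01, 10.0.0.10.
$cas           = 'CAS01', 'CAS02'
$webName       = 'email.abc.com'          # from the thread
$easName       = 'mobile.abc.com'         # from the thread
$autoName      = 'autodiscover.abc.com'   # assumed; must be on the certificate
$internalCasIp = '10.0.0.10'              # assumed LAN VIP of the CAS array / load balancer
$dnsServer     = 'DC01'                   # assumed internal DNS server

foreach ($server in $cas) {
    # Identical internal and external URLs: no internal host name is ever
    # presented to a client, so none is needed on the certificate.
    Get-OwaVirtualDirectory -Server $server |
        Set-OwaVirtualDirectory -InternalUrl "https://$webName/owa" -ExternalUrl "https://$webName/owa"
    Get-EcpVirtualDirectory -Server $server |
        Set-EcpVirtualDirectory -InternalUrl "https://$webName/ecp" -ExternalUrl "https://$webName/ecp"
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$webName/EWS/Exchange.asmx" `
                                        -ExternalUrl "https://$webName/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $server |
        Set-OabVirtualDirectory -InternalUrl "https://$webName/OAB" -ExternalUrl "https://$webName/OAB"
    Get-ActiveSyncVirtualDirectory -Server $server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "https://$easName/Microsoft-Server-ActiveSync" `
                                       -ExternalUrl "https://$easName/Microsoft-Server-ActiveSync"

    # Autodiscover SCP used by domain-joined Outlook.
    Set-ClientAccessServer -Identity $server `
        -AutoDiscoverServiceInternalUri "https://$autoName/Autodiscover/Autodiscover.xml"

    # Outlook Anywhere has only an external host name in 2010; internal Outlook
    # uses RPC to the CAS array name, which needs no certificate entry.
    Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $webName
}

# Pinpoint zones: one AD-integrated zone per public host name with an A record
# at the apex, so abc.com itself is not duplicated inside (classic split-brain).
foreach ($name in $webName, $easName, $autoName) {
    & dnscmd $dnsServer /ZoneAdd $name /DsPrimary
    & dnscmd $dnsServer /RecordAdd $name '@' A $internalCasIp
}

# Verify from an internal client: each public name must resolve to the LAN address.
foreach ($name in $webName, $easName, $autoName) {
    $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    '{0,-28} -> {1}' -f $name, ($addrs -join ', ')
}
```

The CAS array name stays in internal DNS only, as noted earlier in the thread; it gets no pinpoint zone and no certificate entry. After the change, the internal certificate from the private CA is no longer needed on the CAS, so the public UCC certificate is what both internal clients and TMG see.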

  • 19 January 2013, 14:35

    Thanks for the information.

    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified