Bind IIS on E2K7 Server using Self-Signed Certificates

  • Question

  • E2K7 SP2 RU4 / W2K8 SP2   Coexistence E2K3/E2K7   why because our old CRM app would not allow us to go native.

    MS Recommendation is to use Public CA's for Exchange if you want to allow our clients to access Exchange outside our corporate firewall.  Otherwise for Internal access you can use self-signed.  

    I use self-signed because we offload our SSL and clients access OWA and EAS pass through our SSL boxes all of which have Public CA's....

    However, we will be deploying MS Dynamics CRM and the CRM email Connector will be installed. CRM FAQ will not accept Self-Signed.

    I do not want to replace my Self-Signed certificates. I believe that I only need to bind my IIS on my E2K7 Server and this would fulfill CRM's signed certificate requirement.

    What this would mean is using a wildcard cert because I do not need a SAN/UC certificate.

    I need some assistance on how to do this and I have multiple domains involved.

    Can anyone make a suggestion or point me to white papers? (And of course my company wants this done in 8 days.) So please, any assistance would be wonderful.

    many thanks

     

    Thursday, October 13, 2011 7:30 PM

Answers

  • If this certificate is for internal use only and all of your clients are members of the domain, then you can do this with a standard single name SSL certificate, as long as you aren't using unified messaging.
    You simply need to ensure that the name on the SSL certificate resolves internally and all URLs in Exchange are configured to use that instead of the server's real name.

    The fact that you have multiple SMTP emails doesn't matter internally because the clients are not doing DNS lookups for autodiscover etc, they get that information from the domain.

    Using Exchange 2007 with a single name SSL certificate is heavily documented on many sites.

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by -ee Friday, October 14, 2011 12:52 PM
    • Unmarked as answer by -ee Friday, October 14, 2011 12:59 PM
    • Marked as answer by -ee Friday, October 14, 2011 6:05 PM
    Thursday, October 13, 2011 10:33 PM
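
The step described in the answer above (point every Exchange URL at the certificate name, bind the certificate to IIS, then check nothing still uses the server's real name), as an added example that is not part of the original thread. It is written for the Exchange 2007 Management Shell; the server name `EX01`, the host name `mail.example.com`, the thumbprint placeholder and the default virtual directory names are assumptions.

```powershell
# Added example, not from the thread. Constructed values (assumptions):
$server = "EX01"                      # CAS server's real name
$name   = "mail.example.com"          # name on the single-name certificate
$thumb  = "<THUMBPRINT-OF-NEW-CERT>"  # placeholder, see Get-ExchangeCertificate

# 1. Point the client-facing URLs at the certificate name, not the server name.
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://$name/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$name/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$name/OAB"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$name/owa"
Set-ActiveSyncVirtualDirectory `
    -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$name/Microsoft-Server-ActiveSync"

# 2. Bind the new certificate to IIS only; SMTP/POP/IMAP keep their current one.
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS

# 3. Confirm what is now bound and which names it covers.
Get-ExchangeCertificate -Thumbprint $thumb |
    Format-List Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 4. Audit: collect every configured internal URL and report any whose host
#    is not the certificate name (clients would get a name-mismatch warning).
$urls = @()
$urls += Get-ClientAccessServer -Identity $server |
    ForEach-Object { $_.AutodiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl }
$urls += Get-OABVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl }
$urls += Get-OwaVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl }

$urls | Where-Object { $_ -and $_.Host -ne $name } |
    ForEach-Object { "MISMATCH: $_" }
```

An empty result from step 4 means every configured internal URL matches the name on the certificate; the name still has to resolve in internal DNS.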
  • If you are using UM then you have no option but to use a Unified Communications certificate. Not that UC (aka SAN) certificates are that expensive. Less than $80/year at http://certificatesforexchange.com/

     

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by -ee Friday, October 14, 2011 6:04 PM
    Friday, October 14, 2011 4:05 PM

All replies

  • Hello,

     

    Please note that one web site can only bind one certificate. MS recommends the SAN certificate for Exchange. I'd like to share an article with you, in which you will see real-world scenarios to consider before generating the certificate request:

     

    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

     

    If you have further questions, feel free to let me know.

     

    Simon Wu

    Exchange Forum Support

     


     

    Friday, October 14, 2011 9:20 AM
    Moderator
  • Simon

    Thank you for responding, but you said a standard single name SSL certificate as long as you are not using unified messaging. So if we were using unified messaging, which certificate could we use?

     

    many thanks

    Friday, October 14, 2011 1:03 PM