How to Activate Exchange 2007 SP2 SCR Server with Self-Signed SAN Certificate

  • Question

  • My organisation has an Exchange 2007 Standard with SP1 running on Windows Server 2003 Standard with SP2.  I’ll call it EXMAIL.  I am in the process of developing a second Exchange 2007 server, EXMAILBK, on Server 2003 Standard.  Both Exchange servers have the Hub Transport, Mailbox, and Client access roles installed.  The second server, EXMAILBK, is being prepared to serve as a standby continuous replication server.  At the moment, all mailboxes and public folders are only on the initial Exchange 2007 server, EXMAIL.


    My organisation has Windows Mobile 6.1 device users that use ActiveSync to synchronise e-mail with EXMAIL.  I created a self-signed SAN certificate for use with ActiveSync.  The certificate is installed on EXMAIL and on all of the mobile devices.  The subject name of the certificate follows the format of ABC.domainname.com.  One of the subject ALTERNATIVE names incorporated into the certificate is EXMAIL.  EXMAILBK is NOT one of the alternative names in the certificate.


    ABC.domainname.com is a publicly registered domain name that resolves to an outward facing IP address on our firewall.  A NAT rule on the firewall directs traffic to the IP address of EXMAIL.


    Once SCR is established, if I need to activate EXMAILBK into being the production server, would I simply be able to install the certificate on EXMAILBK and change the NAT rule to direct the traffic to its IP address in order for the mobile devices to continue to synchronise mail as they previously had?  Even if that did work, would it be better to create and deploy a new self-signed SAN certificate that includes both EXMAIL and EXMAILBK as alternative names?  Am I correct in thinking that regardless of which certificate is used, the NAT rule would need to be changed to direct traffic to the IP address used by EXMAILBK?

    Tuesday, March 1, 2011 8:38 PM