UAG, HLB, and Exchange... Oh My!

  • Question

  • My question deals with certificates. I currently have a simple Exchange 2007 setup where my public SAN cert is on my Exchange server and I have my firewall allowing port 443 to that box. My new setup involves a new UAG server, a Hardware Load Balancer solution, and two new Exchange 2010 boxes. Where do my certs go and do I need public or internal CA?

    I am implementing a UAG to reverse proxy my public Exchange access, so I'm thinking a public SAN certificate goes on this box for sure, but my internal folks will be hitting the HLB to get to the Exchange 2010's and not need to hit the UAG at all, so my HLB need a public SAN cert as well to not get a certificate error?

    How would that naming go since I need the public to hit mail.domain.com via the UAG, but I also need internal users to hit mail.domain.com via the HLB without getting a certificate error?

    Wednesday, April 20, 2011 7:10 PM

Answers

  • I do have an internal CA in place already so I can generate in-house certs, but I'm assuming that machines not joined to the domain will get a "Certificate Error: Navigation Blocked" page, which I could live with if I had to. Split-brain DNS... you mean having external DNS records pointing to public IP addresses and internal DNS records for that same zone pointing to internal IP addresses?

    So in a nutshell, I will generate a SAN cert (e.g. mail.domain.com, autodiscover.domain.com, etc.) for Exchange with a public CA and place it on my UAG for external access to OWA, ActiveSync, etc., then I'll generate an internal cert (e.g. mail.domain.com, autodiscover.domain.com, etc.) from my internal CA and place that on my HLB for my clients' CAS access to both my Exchange servers. Does this sound correct?


    Machines not joined to your domain will probably not trust your Root CA unless you have imported it into their trusted roots cert store; this happens on domain-joined machines automatically... so, yes, non-domain-joined machines will likely get errors (this is just standard SSL stuff though, not Exchange or UAG).

    Split brain DNS is like this: http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

    Yes, your statement on certs looks correct; the only omission is that the CAS servers will also probably need SAN certs from the internal CA. However, I am not totally familiar with HLB setup for Exchange CAS servers...UAG will assume it is communicating with the CAS servers over HTTPS.

    You may be better off using the built-in web farm load balancing feature in UAG rather than your HLB for external clients, but this is up to you...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Tankster Thursday, April 21, 2011 4:05 AM
    Thursday, April 21, 2011 12:56 AM
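As an added illustration of the checks this answer implies (not code from the thread or from any Microsoft product): the script below does a verified TLS handshake against the name a client resolves, once with the system's public roots (what a non-domain-joined machine trusts) and optionally once with an internal root CA PEM (what a domain-joined machine trusts after GPO import), then reports whether the presented SAN list covers the names Exchange clients need. The hostnames, the PEM path and the required-name list are assumptions taken from the thread's example (mail.domain.com, autodiscover.domain.com).

```python
import socket
import ssl
import sys

# Names the thread says Exchange clients will use (constructed from the example).
REQUIRED_NAMES = ["mail.domain.com", "autodiscover.domain.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: exact match, or a wildcard that is the whole
    left-most label and covers exactly one label (no *.com, no m*.domain.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def missing_names(san_names, required=REQUIRED_NAMES):
    """Required names that no entry in the presented SAN list covers."""
    return [n for n in required if not any(san_matches(p, n) for p in san_names)]


def probe_tls(host, port=443, cafile=None, timeout=5.0):
    """Verified handshake with the chosen trust store.
    cafile=None -> system/public roots (a non-domain-joined client's view);
    cafile=<internal root PEM> -> a domain-joined client's view.
    Returns ("ok", [SAN DNS names]) or ("error", reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after verification
    except (ssl.SSLError, OSError) as exc:
        return ("error", str(exc))
    return ("ok", [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"])


if __name__ == "__main__":
    # usage: python probe.py mail.domain.com [internal-root.pem]  (names assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else REQUIRED_NAMES[0]
    stores = [("public roots", None)] + ([("internal root", sys.argv[2])] if len(sys.argv) > 2 else [])
    for label, ca in stores:
        status, detail = probe_tls(target, cafile=ca)
        print(f"{label}: {status} -> {detail}")
        if status == "ok":
            print("  missing SAN entries:", missing_names(detail) or "none")
```

Run it from an internal client (resolves to the HLB) and from outside (resolves to the UAG); an "error" with public roots but "ok" with the internal root is the non-domain-joined certificate error described above, while a non-empty missing list means the SAN itself is wrong.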

All replies

  • The best practice model would be to use certificates from an internal CA on Exchange and the HLB, then use public certs on the UAG server. This may require you to implement an internal CA, but the way Microsoft server platforms are going, this is no bad thing...

    If you want to use the same mail.domain.com URL internally and externally you will need to look into implementing a split-brain DNS setup. A public CA and an internal CA can both generate a certificate that uses the same common name (e.g. mail.domain.com).

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 20, 2011 11:23 PM
  • I do have an internal CA in place already so I can generate in-house certs, but I'm assuming that machines not joined to the domain will get a "Certificate Error: Navigation Blocked" page, which I could live with if I had to. Split-brain DNS... you mean having external DNS records pointing to public IP addresses and internal DNS records for that same zone pointing to internal IP addresses?

    So in a nutshell, I will generate a SAN cert (e.g. mail.domain.com, autodiscover.domain.com, etc.) for Exchange with a public CA and place it on my UAG for external access to OWA, ActiveSync, etc., then I'll generate an internal cert (e.g. mail.domain.com, autodiscover.domain.com, etc.) from my internal CA and place that on my HLB for my clients' CAS access to both my Exchange servers. Does this sound correct?

    Thursday, April 21, 2011 12:42 AM
  • Ok, based on that Split-DNS article, I'm already doing this. I only currently have the one UAG server and I'm thinking I'll be ok with the Barracuda HLBs. After reading the deployment doc on the HLB, I will, like you said, create a cert on the CAS; but it referenced creating a wildcard cert on each server, retrieving that certificate, certificate chain, and private key, and installing those onto the HLB. This way, SSL offloading can be done on the HLB.

    It's making a ton more sense to me now thanks to your insight.

    Thanks a bunch.

    Thursday, April 21, 2011 3:30 AM
  • No probs :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 21, 2011 7:13 AM