New CAS role ... how to avoid security alert

  • Question

  • Hello, I'm about to set up a new CAS server for an existing Exchange 2007 setup (actually, the server will hold all Mailbox, Transport and CAS). I need to be 100% certain that users do not get that Security Alert in Outlook pertaining to the SSL cert. I believe the default cert installed by Exchange will not generate the alert, though I'm not 100% on that.

    After installation, I need to change the cert to something that will be trusted externally on ActiveSync and OWA clients. I need to know how to make this switch without triggering the alert (whenever I have done this particular task in the past, I have gotten the alert). I have been specifically instructed to avoid triggering this alert, so I really need to be 100% on this.

    Any advice would be greatly appreciated.

    Thank you

    Sunday, February 26, 2012 4:37 PM

All replies

  • You need to get a SAN cert with the following subject names:

    mail.contoso.com
    contoso.com
    contoso.local
    autodiscover.contoso.com
    Server01.contoso.local
    Server01

    The NetBIOS names are optional, but some people, such as myself, include everything. You need to generate the request on the Exchange server; once you get the request back from the third-party CA, you need to import it and then bind it to your Exchange services. The article below goes over the steps in detail.

    More on Exchange 2007 Certificates - with Real World Experience

    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Sunday, February 26, 2012 4:50 PM
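The three steps James describes (generate the request on the Exchange server, import the issued certificate, bind it to the Exchange services) as an added Exchange Management Shell example; this is not code from the thread or from the linked article. It assumes the server is Server01 in the contoso.local forest, the public name is mail.contoso.com, and the CA returns the issued certificate as C:\certs\mail_contoso_com.cer; adjust the names and paths to your environment.

```powershell
# Added example, not from the thread. Assumed names: Server01 / contoso.local / mail.contoso.com.

# 1. Generate the request from the Exchange Management Shell. The IIS 6 certificate wizard
#    only produces a single-name (CN) request, so the SAN list must be built here.
#    -DomainName carries the SAN entries; the first one is also used as the CN.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.contoso.com, O=Contoso, C=US" `
    -DomainName mail.contoso.com, autodiscover.contoso.com, contoso.com, contoso.local, Server01.contoso.local, Server01 `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\certs\mail_contoso_com.req

# 2. Submit C:\certs\mail_contoso_com.req to the third-party CA out of band and save the
#    issued certificate as C:\certs\mail_contoso_com.cer (assumed path).

# 3. Import the issued certificate. It pairs with the private key created in step 1, which is
#    why the request has to be generated on this same server.
$cert = Import-ExchangeCertificate -Path C:\certs\mail_contoso_com.cer

# 4. Bind the certificate to the services clients connect to. IIS covers OWA, EWS,
#    Autodiscover and ActiveSync; SMTP/POP/IMAP are optional but harmless to include.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 5. Confirm the new certificate (not the self-signed default) is the one enabled for IIS
#    and that the SAN list contains every name clients will be told to connect to.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, IsSelfSigned, NotAfter
```

Keep the self-signed certificate in place until step 5 shows the new one with `Services` including IIS; Exchange keeps serving the old certificate until `Enable-ExchangeCertificate` completes, so there is no window without TLS.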
  • Thanks for the response. Just to clarify, if I follow the SAN method outlined in the link you provided, there will be no security alert messages in Outlook. Is that correct? My typical way of doing this in the past was to get a cert (say from GoDaddy); generate the signing request through IIS; apply it through IIS and then run the "Set-ClientAccessServer, Set-WebServicesVirtualDirectory, and Set-ActiveSyncVirtualDirectory" commands to repoint to the new name (say mail.contoso.com). This would generally result in the alert popping up at least for some people.

    I'm now thinking that I was going wrong with the "Set-ClientAccessServer" method as the autodiscover address would change. So, if I got a multi-domain cert from GoDaddy that included mail.contoso.com and autodiscover.contoso.com I should be good, right? Or would I need server01.contoso.local as well?

    Thanks again


    Sunday, February 26, 2012 5:46 PM
  • You don't need server01.contoso.local, you can just have mail.contoso.com and autodiscover.contoso.com and change your URLs so they point to the same name. That should stop the prompts.

    http://support.microsoft.com/kb/940726


    Sukh

    Sunday, February 26, 2012 6:53 PM
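Sukh's approach, changing the URLs so every name Autodiscover hands out is one that appears on the certificate, as an added example in the Exchange Management Shell; this is not code from the thread or from KB 940726. It assumes the CAS is Server01, the certificate bound to IIS carries mail.contoso.com and autodiscover.contoster.com, and internal DNS resolves both names to this server (split DNS), otherwise internal clients cannot reach the new URLs at all. The final part is a check that is not in the KB: it gathers the host names from the configured URLs and lists any that are missing from the IIS certificate's SAN list, since any such name is exactly what produces the prompt the question is about.

```powershell
# Added example, not from the thread. Assumed names: Server01 as the CAS, mail.contoso.com
# and autodiscover.contoso.com on the certificate, both resolvable on the internal network.
$server = "Server01"
$name   = "mail.contoso.com"

# Domain-joined Outlook clients find Autodiscover via the SCP record, i.e. this URI. Left at
# the default it names Server01.contoso.local, which is not on a public SAN certificate.
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

# The URLs Autodiscover returns to Outlook (EWS, OAB) and the ones ActiveSync and OWA
# clients use. Internal and external are set to the same certificate name.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$name/EWS/Exchange.asmx" -ExternalUrl "https://$name/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$name/OAB" -ExternalUrl "https://$name/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$name/Microsoft-Server-ActiveSync" -ExternalUrl "https://$name/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$name/owa" -ExternalUrl "https://$name/owa"

# Check: every host name in the configured URLs must be on the certificate enabled for IIS.
# Wildcard entries are not matched here; the SAN approach above does not need them.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutodiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)").InternalUrl,
    (Get-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)").ExternalUrl,
    (Get-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)").InternalUrl,
    (Get-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl,
    (Get-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)").InternalUrl
)
$uncovered = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique |
    Where-Object { $iisCert.CertificateDomains -notcontains $_ }

if ($uncovered) {
    "Host names not on the IIS certificate (these will prompt): $($uncovered -join ', ')"
} else {
    "All configured URL host names are covered by certificate: $($iisCert.Subject)"
}
```

Run the check again after `iisreset`, and once more from a client with `Test E-mail AutoConfiguration` in Outlook (Ctrl+right-click the tray icon) to see the URLs it actually received; if the check prints a name, that name is the one the Security Alert will show.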
  • If you don't get server01.contoso.local then you will have to do the workaround in the KB Sukh mentioned. You need to generate the cert request from the Exchange Management Shell as the IIS cert request can't generate multiple subject names.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Sunday, February 26, 2012 9:11 PM