SAN Cert Question

  • Question

  • I purchased a SAN cert from DigiCert for my Exchange migration. I have a couple of quick questions.

    The old OWA URL is outlook.company.com. The new URL will be webmail.company.com. Do I need the cert to contain the old (current) outlook.company.com name for the migration process?

    Also, we will be load balancing our CAS servers. Is it enough to register only the VIP/cluster name on the cert, or do I need to include the two CAS servers' internal hostnames as well? I am limited to 8 host names on the certificate (that is all that was purchased).

    Thanks

    Tuesday, November 9, 2010 4:06 PM


All replies

  • You have up to 8 host names right?

    oldwebmail, newwebmail, cas1, cas2, autodiscover, smtp, mailboxsrv1, mailboxsrv2

    We set ours up similarly, less the oldwebmail since we were not migrating from a previous Exchange server.

    As I recall, you will want the two CAS servers registered for your Autodiscover internaluri setting.

    DigiCert is unique too: if you change your mind, you can add/remove host names on the SAN cert and re-issue...

    Tuesday, November 9, 2010 4:18 PM
  • It would be helpful if you told us the old version of Exchange you are coming from, whether this is for a single datacenter, and what client versions are in use.

    A typical certificate, when coexistence with legacy servers is necessary, would have 3 names on it.

    • OWA URL
    • Legacy OWA URL
    • Autodiscover URL

    That doesn't take other things like multiple datacenter namespaces into consideration. There is almost never a need to have the CAS server names on the cert. You don't need the CAS Array name either since that is for RPC and not HTTPS.


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 9, 2010 4:44 PM
  • Exchange 2007 with a mix of Outlook 2003 and 2007 clients, single site.

    We were going to include autodiscover.company.com, legacy.company.com, activesync.company.com, webmail.company.com, and casarray.internal.company.com.

    It's interesting you mention that the CAS array should not require a cert. I remember in Exchange 2007 that clients would try to use encrypted communication against the server and would fail as no certificate existed. If we want to allow encryption going forward for more support with Outlook 2010, should the CAS array be specified in the certificate in that case?
    Tuesday, November 9, 2010 5:06 PM
  • Thanks Dave. So you too included the CAS servers. Did you use only the individual hostnames or the CAS array as well (assuming you set up a CAS array)?
    Tuesday, November 9, 2010 5:08 PM
  • Yep, all three: cas1, cas2, casarrayname=VIPhostname=webmail.domain.com

    But Brian brings up an interesting point... unless you named the casarray the same as the VIP hostname, as we did.

    Tuesday, November 9, 2010 5:39 PM
  • Think of it like you were a client app. What address will I be connecting to, and does it use HTTPS? The CAS Array is not one of those as it is MAPI/RPC. The items you should be looking at would most likely be the External URL values of Autodiscover, ECP, OWA, OAB, EAS, EWS. 5 out of 6 of those will most likely be the same FQDN (so 1 cert entry) with a different Virtual Directory.

    Unless you have very interesting requirements, there shouldn't be a need to create an individual namespace for ActiveSync either, as I see listed above.

    Also, if your CAS Array and the VIP of the load balancer are the same name, that also does not mean you need it on the cert. What matters is the URL the client points to.

    The VIP of the load balancer could be 192.168.0.1, and DNS has an A record for outlook.contoso.com pointing to that IP to be used for MAPI/RPC sessions. There is no reason why you can't also have an A record in DNS for webmail.contoso.com also pointing to 192.168.0.1, and another A record in DNS for autodiscover.contoso.com also pointing to 192.168.0.1. In that example you only need webmail.contoso.com and autodiscover.contoso.com on the cert because those are the only two namespaces clients will be connecting to via TCP 443/HTTPS.


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 9, 2010 6:49 PM
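    As an added example (not from the thread), Brian's rule applied in Python to a constructed set of Exchange endpoints: only hostnames reached over HTTPS need to be on the certificate, a wildcard entry covers a single label, and the required names are compared against the planned SAN list and the 8-name limit. The contoso.com names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample endpoints, shaped like the ExternalURL values of the
# client-facing virtual directories (contoso.com names are hypothetical).
# The CAS array entry is MAPI/RPC, not HTTPS, so the rule below ignores it.
ENDPOINTS = {
    "OWA": "https://webmail.contoso.com/owa",
    "ECP": "https://webmail.contoso.com/ecp",
    "OAB": "https://webmail.contoso.com/OAB",
    "EWS": "https://webmail.contoso.com/EWS/Exchange.asmx",
    "EAS": "https://webmail.contoso.com/Microsoft-Server-ActiveSync",
    "Autodiscover": "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml",
    "Legacy OWA": "https://legacy.contoso.com/owa",
    "CAS array (MAPI/RPC)": "rpc://outlook.contoso.com",
}

def https_hostnames(endpoints):
    """Hostnames a client will validate a certificate against: HTTPS URLs only."""
    names = set()
    for url in endpoints.values():
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            names.add(parts.hostname.lower())
    return names

def san_covers(hostname, san_name):
    """Exact match, or a single-label wildcard match (*.contoso.com)."""
    hostname, san_name = hostname.lower(), san_name.lower()
    if san_name.startswith("*."):
        suffix = san_name[1:]  # ".contoso.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix  # exactly one extra label
    return hostname == san_name

def check_san_plan(endpoints, san_names, max_names=8):
    """Compare the names the client URLs require with the planned SAN list."""
    required = https_hostnames(endpoints)
    missing = sorted(h for h in required if not any(san_covers(h, s) for s in san_names))
    unused = sorted(s for s in san_names if not any(san_covers(h, s) for h in required))
    return {
        "required": sorted(required),
        "missing": missing,
        "not_required_by_https": unused,
        "over_limit": len(san_names) > max_names,
    }

if __name__ == "__main__":
    plan = ["webmail.contoso.com", "autodiscover.contoso.com", "outlook.contoso.com"]
    for key, value in check_san_plan(ENDPOINTS, plan).items():
        print(f"{key}: {value}")
```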
  • Here is the thing. This morning during testing I was receiving the cert error when connecting from an Outlook 2007 client to the casarray. I set encryption $false on the CAS servers and then turned off encryption in the Outlook user profile. I still received the cert alert when connecting to the RPC service.

    I renewed my cert with the name of the casarray and both CAS servers, and that cleared the problem.

    I guess what I am confused about is under what situation would you not require the CAS servers in the cert? Is that under the assumption that CAS and client RPC traffic is set to NOT encrypted and the Outlook clients are updated to reflect that change?

    We faced a similar situation when we rolled out Exchange 2007. We ended up disabling encryption on the CAS server and using GPO to turn off the encryption requirement for Outlook 2007 clients. I would however rather run with Microsoft's recommendations for this new environment.
    Wednesday, November 10, 2010 5:23 PM
  • Scott, looks like your testing answered the question ;-) As I recollect, in our test environment we ran across the same issue you described here, and it prompted our decision to add the CAS host names to the SAN cert when we went to production.
    Wednesday, November 10, 2010 5:49 PM
  • Does seem that way David. Thanks for the help.

    Would be interested to hear on Brian's scenario still.
    Thursday, November 11, 2010 1:07 PM
  • Hi Scott,

    Per the above discussion, Brian is right, and your test is also right; that means what you described are different situations, and we could understand the issue as below:
    1. If the certificate would be used only for external users, you need to publish webmail.domain.com, autodiscover.domain.com and legacy.domain.com to the internet, so Brian is right. External users would not care whether you are using a CAS array or not.
    2. If the certificate would be used for internal users too, your test would be right.
    Some information for you:
    http://www.shudnow.net/2010/03/17/exchange-2010-rtm-high-availability-load-balancing-options/

    Regards!
    Gavin
    • Proposed as answer by Gavin-Zhang Monday, November 15, 2010 5:19 AM
    • Marked as answer by Gavin-Zhang Friday, November 19, 2010 10:08 AM
    Friday, November 12, 2010 7:32 AM
  • Thanks Gavin. I guess my confusion comes from Brian mentioning that a cert is not required for MAPI connections. Yet in our environment our Outlook 2007 and Outlook 2010 clients connecting to the CAS array through MAPI (Outlook client) are prompted with a cert dialogue unless we have a cert with the CAS array name in it. The only way I know to bypass that is to disable encryption on the CAS servers and remove the default secure client connections in the Outlook client profiles.

    Is that the scenario that is being referred to? I don't mean to sound dunce; I just want to ensure I fully understand and that the environment is configured correctly from day one.
    Friday, November 12, 2010 4:03 PM
  • "Yet in our environment our Outlook 2007 and Outlook 2010 clients connecting to the CAS array through MAPI (Outlook client) are prompted with a cert dialogue unless we have a cert with the CAS array name in it."
    Outlook 2007 and 2010 run Autodiscover at application launch to make sure the profile is still properly configured and to learn other things like the EWS/ECP URLs. Autodiscover uses HTTPS, so if you have an invalid SSL cert on the CAS servers for the Autodiscover virtual directory ExternalURL, you'll get prompted when Outlook launches.
    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    • Proposed as answer by Gavin-Zhang Monday, November 15, 2010 5:19 AM
    • Marked as answer by Gavin-Zhang Friday, November 19, 2010 10:08 AM
    Friday, November 12, 2010 4:44 PM