ActiveSync and a local Certificate Authority

• #1 ActiveSync and a local Certificate Authority

  Hello,

  If I would like to provide ActiveSync for all the users in my network:

  1. Should I use a public certificate (maybe a non-expensive one) or a private certificate from a private CA?

  and

  2. Do I need a public DNS record called "autodiscover.mydomain.com"?

  Thanks in advance.

  -
  Madrid (Spain).

• #2
  IMHO the pain of trying to use a local CA and deploy the certificates to clients (mobile devices in particular) FAR outweighs the cost of a public UC (SAN) certificate - about $75 per year from e.g. www.certificatesforexchange.com (other providers are available). Using a public CA reduces the task to about an hour's work, the most difficult bit being validating the public domain if you don't control it.

  Again, for external clients, a public autodiscover A record is required unless you use SRV records (see http://blogs.technet.com/b/rmilne/ar...b-service.aspx). The A record takes minutes to set up.
  Tom Jones
  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
  PhD, MSc, FIAP, MIITT
  IT Trainer / Consultant
  Ossian Ltd
  Scotland

  ** Remember to give credit where credit is due and leave reputation points where appropriate **

• #3
  IME using a public certificate is easier; it's only worth using an internal CA if you already have one or have the requirement for one (e.g. if you are using EFS or SSL VPNs or DirectAccess etc.).
  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
  Cruachan's Blog

• #4
  I see, thanks both.

  I am seeing even certificates for $9 US per year, but I think this is not a SAN certificate.

  Thanks.
  -
  Madrid (Spain).

• #5
  It's possible to use a single-name certificate for everything; IIRC you need to run a few PowerShell commands to change the names on some of the virtual directories for this to work correctly.

  I've done it in the past. For example, I had a customer whose cert expired when they were on Exchange 2003 and they renewed for 2 years. 6 months later they upgraded their network and included Exchange 2010, so I ran the PowerShell commands rather than purchasing a new certificate when the old one still had 18 months to run.

  Here's the thread where I asked the original question:
  https://www.petri.com/forums/forum/m...te-the-profile
  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
  Cruachan's Blog

• #6
  The SSL certificate you put onto the server is used for everything - not just ActiveSync, but also Outlook Anywhere and OWA. Therefore, unless you have control over 100% of the clients accessing Exchange by any means, use a public certificate.
  Autodiscover isn't mandatory for ActiveSync - it can be useful to have, but Autodiscover on mobile is very hit and miss. For any other client types, it is a requirement. My preference is to use a SAN/UC type certificate, as it makes life a lot easier.

  Simon.
  --
  Simon Butler
  Exchange MVP

  Blog: http://blog.sembee.co.uk/
  More Exchange Content: http://exchange.sembee.info/
  Exchange Resources List: http://exbpa.com/
  In the UK? Hire me: http://www.sembee.co.uk/

  Sembee is a registered trademark, used here with permission.

• #7
  Thanks a lot!!

  From what I am reading, the certificate (for ActiveSync, Anywhere, OWA...) has to have these names:

  Common name:
  mail.yourdomain.com (not necessarily "mail" but typically, or "webmail")

  Subject alternative names:
  1. autodiscover.yourdomain.com
  2. Server's FQDN, for instance: cas-hub-1.yourdomain.com
  3. NetBIOS name, for instance: cas-hub-1

  I did not know that even the NetBIOS name was necessary, nor the FQDN of the server.

  -
  Madrid (Spain).

• #8
  IIRC 2 and 3 are not required; in fact you may not be able to get a public certificate using internal names.
  Sembee will no doubt have the full details, but IIRC there was a change in SSL certificates issued after a certain date to only allow publicly resolvable names.
  Tom Jones
  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
  PhD, MSc, FIAP, MIITT
  IT Trainer / Consultant
  Ossian Ltd
  Scotland

  ** Remember to give credit where credit is due and leave reputation points where appropriate **

• #9
  It depends on your setup. I always configure the internal and external URLs to be the same, so getting the internal FQDN isn't necessary. But I have seen setups where the internal and external are different.

  For larger deployments, where you have a layer 7 load balancer, some also split up the different vdirs to have different names (owa., oab., ews., etc.), so they add those to the SAN of the cert.
  Regards,
  Jeremy

  Network Consultant/Engineer
  Baltimore - Washington area and beyond
  www.gma-cpa.com

• #10
  SSL certificates will not be issued with internal names on them - so NetBIOS names and any FQDN that uses something like example.local.
  That applies to all certificates that expire after November 2015 - so it is likely that is all certificates going forwards.

  The way to do it now is use split DNS with the same host name used externally and internally. Therefore you only need two host names on the certificate - mail.example.com and Autodiscover.example.com (single server installation presumed).

  Simon.
  --
  Simon Butler
  Exchange MVP

  Blog: http://blog.sembee.co.uk/
  More Exchange Content: http://exchange.sembee.info/
  Exchange Resources List: http://exbpa.com/
  In the UK? Hire me: http://www.sembee.co.uk/

  Sembee is a registered trademark, used here with permission.
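A check worth running once the two-name split-DNS layout described above is in place: the following PowerShell is an added example, not code from the thread or from any poster, and it assumes a single Exchange 2010 Client Access server, the Exchange Management Shell, and that the certificate you care about is the one bound to the IIS service. It collects every host name Exchange hands to clients (virtual directory URLs plus the Autodiscover URI), flags names a public CA will no longer issue for (NetBIOS names, .local suffixes), and reports names the IIS certificate does not cover.

```powershell
# Added example (not from the thread). Assumes the Exchange Management Shell on a
# single Exchange 2010 CAS; $env:COMPUTERNAME is the server whose vdirs are checked.
$server = $env:COMPUTERNAME

# Every virtual directory whose InternalUrl/ExternalUrl a client can be sent to.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-OabVirtualDirectory         -Server $server
)
$urls = foreach ($v in $vdirs) { $v.InternalUrl; $v.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri

# Reduce the URLs to the distinct host names clients will validate the certificate against.
$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]$_).Host.ToLower() } | Sort-Object -Unique

# Names on the certificate IIS currently presents (first cert with the IIS service enabled).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

foreach ($h in $hosts) {
    # A public CA will not issue for a NetBIOS name (no dot) or a non-public suffix such as .local;
    # the fix is split DNS with the public name, not a certificate that lists the internal one.
    if ($h -notmatch '\.' -or $h -like '*.local') {
        Write-Warning "$h is an internal name; a public CA will not issue for it. Point this URL at the public name and resolve it internally via split DNS."
    }
    # Covered if listed exactly or matched by a wildcard entry for the parent domain.
    $parent = ($h -split '\.', 2)[1]
    if ($sans -notcontains $h -and $sans -notcontains "*.$parent") {
        Write-Warning "$h is not on the IIS certificate ($($cert.Thumbprint)); clients connecting to it will see a name-mismatch error."
    }
}

# With the two-name layout, the only names that should survive both checks silently
# are mail.example.com and autodiscover.example.com (your own domain substituted).
Write-Output "Host names in use: $($hosts -join ', ')"
Write-Output "Names on certificate: $($sans -join ', ')"
```

Run it again after changing any vdir URL with the corresponding Set-*VirtualDirectory cmdlet, since a URL that still carries the old internal FQDN is the usual reason a correctly issued two-name certificate keeps producing mismatch prompts.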

• #11
  Thanks a lot, very informative!!
  -
  Madrid (Spain).
