
Exchange 2010 Internal Certificates


  • Exchange 2010 Internal Certificates


    I have searched the KBs and Google and not found a satisfactory answer to this:

    Exchange OWA in IIS wants to use SSL and hence a proper certificate will be bought and installed that matches the FQDN of OWA. No problem there.

    However, access to Exchange on the internal network (Outlook on the PC) is also a secured connection and we get certificate errors inside the office.

    Is there an easy way to turn off SSL for the internal access for Exchange?

    Thanks in advance.

  • #2
    Re: Exchange 2010 Internal Certificates

    Normal options are:
    Split DNS, so the external name is also available internally
    SAN certificate with the FQDN of the CAS server as well as the external name

    Moved to Exchange forum
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd



    • #3
      Re: Exchange 2010 Internal Certificates

      You can't mix certificates being on or off depending on where you are. That is why Exchange uses SAN (Subject Alternative Name) aka UC (Unified Communications) certificates. You can include both internal and external names in the certificate.
      If you purchased a single name SSL certificate, while it is possible to configure Exchange to use that, using split DNS and a number of configuration changes, it is far easier to use the UC certificate.

      The certificate is for more than just OWA: EWS, Autodiscover, Exchange ActiveSync and Outlook Anywhere all use SSL. If you are on Outlook 2007 and higher, that can also include the OAB distribution.

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.


      • #4
        Re: Exchange 2010 Internal Certificates

        Thanks for the replies and sorry for the misplaced forum. Can you elaborate a little more on what you mean by split DNS? Obviously I am running internal DNS for the .local domain but external DNS is handled by my domain host.


        • #5
          Re: Exchange 2010 Internal Certificates

          Split DNS means you are using the same DNS namespace for internally and externally accessible resources. In that case you would have to provide a solution to enable access for the different forms. (much trivialized but Google will help further)

          As far as I understand your configuration you don't use split DNS, so you might stick with the answer from Sembee and use a UC certificate with different SANs.
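
An added example, not part of the thread above: a read-only check of which host names Exchange hands out to clients and whether the IIS certificate's SAN list covers them. It assumes it is run in the Exchange Management Shell on an Exchange 2010 Client Access server; the output property names `Name`, `Covered` and `Thumbprint` are chosen here for illustration.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
# Read-only: lists the host names clients are told to use and checks them
# against the names on the certificate(s) enabled for IIS.

# 1. Collect the internal and external URLs published by the CAS role.
$uris  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$uris += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$uris += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$uris += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$uris += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# Reduce the URLs to host names; unset URLs are skipped.
$names  = @($uris | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
$names += Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } |
          ForEach-Object { "$($_.ExternalHostname)" }
$names  = $names | Sort-Object -Unique

# 2. Compare each name with the SAN list of every certificate enabled for IIS.
$certs = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
foreach ($cert in $certs) {
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in $names) {
        $covered = $false
        foreach ($san in $sans) {
            if ($san -eq $name) {
                $covered = $true
            }
            # A wildcard entry covers exactly one label: *.example.com matches
            # mail.example.com but not cas01.corp.example.com.
            elseif ($san.StartsWith('*.') -and ($name -like $san) -and
                    ($name.Split('.').Count -eq $san.Split('.').Count)) {
                $covered = $true
            }
        }
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Name       = $name
            Covered    = $covered
        }
    }
}
```

Any row with `Covered` set to `False` is a name that clients will connect to but the certificate does not carry. The two options given in the replies correspond to adding that name to a SAN/UC certificate, or pointing the URL at the external name and resolving it internally with split DNS.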