Advice on Certificates Exc 2010
  • Advice on Certificates Exc 2010

    We have a single AD and host email for a number (at least 40+) of companies, and I need to determine whether I require a SAN certificate or a Wildcard certificate for my Exchange 2010 environment. We have two sites, a primary, and a DR, and require working SSL cert across both sites, for email, mobile and web services.

    I wondered if anyone could provide some advice on this, if you require any information please let me know.

  • #2
    Re: Advice on Certificates Exc 2010

    Exchange 2010 requires a SAN certificate with (typically):
    mail.domain.com (for OWA / ActiveSync)
    autodiscover.domain.com
    servername (NetBIOS name)
    servername.domain.local (FQDN)

    You could add the other servers names, export the cert from one server and import it on the other

    Wildcard certificates are not suitable as they do not include the internal domain names:
    http://forums.petri.com/showthread.php?t=43634
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
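Added example, not part of Tom's reply or the thread: the Exchange Management Shell steps that turn the name list above into one SAN certificate shared by both sites (request, import, bind to services, export with the private key, import on the second server). The server names CAS01 and CAS02, the domain.local forest and the C:\certs paths are assumed placeholders. One caveat for anyone reading this later: public CAs no longer issue certificates containing internal names such as a bare NetBIOS name or servername.domain.local (the CA/Browser Forum baseline requirements ended that in 2015), so today those names come from an internal CA or the internal URLs are moved onto the public name.

```powershell
# Added example (not from the thread). Builds a SAN (UCC) request carrying the
# names listed in the reply above, then moves the issued certificate and its
# private key to the second server so one certificate serves both sites.
# Assumed names: CAS01 / CAS02 are the two CAS servers, domain.local is the AD
# forest, domain.com is the public mail domain. Run in the Exchange Management
# Shell on CAS01.

$names = @(
    'mail.domain.com',           # OWA / ActiveSync / Outlook Anywhere / EWS
    'autodiscover.domain.com',   # Autodiscover for the primary SMTP domain
    'CAS01',                     # NetBIOS name of this server
    'CAS01.domain.local',        # internal FQDN of this server
    'CAS02',                     # second site's CAS, so the same cert works there
    'CAS02.domain.local'
)

# 1. Generate the request. -PrivateKeyExportable lets the key travel to CAS02.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.domain.com, O=Example Hosting, C=GB' `
    -DomainName $names `
    -FriendlyName 'Exchange 2010 SAN' `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange.req' -Value $req

# 2. Submit exchange.req to the CA and save the issued certificate as exchange.cer.

# 3. Import the issued certificate on CAS01 and bind it to the client-facing services.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Export certificate + private key as a password-protected PFX for CAS02.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\exchange.pfx' -Value $export.FileData -Encoding Byte

# 5. Import on CAS02 (the PFX is read by this shell, so a local path is fine)
#    and bind the same services there.
$cert2 = Import-ExchangeCertificate -Server CAS02 -Password $pfxPassword `
    -FileData ([Byte[]]$(Get-Content -Path 'C:\certs\exchange.pfx' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server CAS02 -Thumbprint $cert2.Thumbprint -Services IIS,SMTP,POP,IMAP

# 6. Confirm every required name is on the certificate and the services are bound.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Delete the PFX from disk once CAS02 has it; it carries the private key, and anyone who can read it can impersonate mail.domain.com.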



    • #3
      Re: Advice on Certificates Exc 2010

      For Outlook to work correctly you need to cover autodiscover.
      Usually that means autodiscover.example.com - where example.com is the domain name after the @ sign in the email address.
      Now if you have 40 companies with their own email address, that is going to become very expensive.

      Therefore you will need to use another method for autodiscover for external clients, and I usually recommend SRV records.
      http://support.microsoft.com/kb/940881

      The common name would be the same name for everyone, so mail.example.com - and I would use that same host name for MX records, ActiveSync and Outlook Anywhere.

      If internal politics means that people would be upset if the name is actually one of the companies involved (ie so people think it is "their" server), then register a generic domain name and set up everything for that. The actual host name involved doesn't matter, as long as it is configured in Exchange and resolves correctly.

      You will need to have entries for both servers in the certificate so a ten name certificate will probably be required. You DO NOT have to include the RPC CAS Array. If you haven't got an RPC CAS Array then I would create one now, otherwise using your DR site becomes a lot more difficult. http://blog.sembee.co.uk/post/RPC-Cl...ess-Array.aspx

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.
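Added example, not from Simon's post: how the SRV method in KB 940881 scales to the 40-odd hosted domains, so the certificate only needs the one shared host name instead of autodiscover.&lt;each domain&gt;. hostingco.com (the generic name Simon suggests registering), dns01.domain.local and the three hosted domains are constructed placeholders. The check at the end is the one to run after each provider publishes its record. One thing to watch: a hosted domain must not also carry an autodiscover.&lt;domain&gt; A record pointing at the server, because Outlook tries that name over HTTPS before it reaches the SRV lookup and would hit a certificate name mismatch.

```powershell
# Added example (not from the thread). One SRV record per hosted SMTP domain
# sends Autodiscover clients to the single host name on the certificate.
# Assumed names: mail.hostingco.com is the shared certificate name,
# dns01.domain.local is an internal Windows DNS server; the hosted domains
# below are constructed sample values.

$autodiscoverHost = 'mail.hostingco.com'
$hostedDomains    = @('alpha-ltd.co.uk', 'beta-plc.com', 'gamma.org')

# Record each external DNS provider must carry (zone-file form, per KB 940881):
#   _autodiscover._tcp.<domain>.  IN SRV 0 0 443 mail.hostingco.com.
# Priority 0, weight 0, port 443, target = the host name on the certificate.

# Where a hosted zone lives on your own Windows DNS server, dnscmd creates it:
foreach ($d in $hostedDomains) {
    dnscmd dns01.domain.local /RecordAdd $d '_autodiscover._tcp' SRV 0 0 443 "$autodiscoverHost."
}

# Verify from a client's point of view: every lookup must return the same
# target and port 443. nslookup prints "port = 443" and "svr hostname = ..."
# for SRV answers, which is what the two regexes look for.
function Test-AutodiscoverSrv {
    param([string[]]$Domains, [string]$ExpectedTarget)
    foreach ($d in $Domains) {
        $answer = nslookup -type=SRV "_autodiscover._tcp.$d" 2>$null | Out-String
        $ok = ($answer -match [regex]::Escape($ExpectedTarget)) -and ($answer -match 'port\s*=\s*443')
        New-Object PSObject -Property @{ Domain = $d; Ok = $ok }
    }
}
Test-AutodiscoverSrv -Domains $hostedDomains -ExpectedTarget $autodiscoverHost | Format-Table -AutoSize
```

Any domain that reports Ok = False has either no record yet or a record pointing somewhere else; those are the users who will see the Outlook prompts Simon mentions later in the thread.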



      • #4
        Re: Advice on Certificates Exc 2010

        I thought CAS arrays couldn't span multiple sites, so if the primary site fails, users will still need to be reconfigured?
        (or am I missing something blindingly obvious?)
        Tom Jones



        • #5
          Re: Advice on Certificates Exc 2010

          If you failover then you just change the DNS entry to point to the second site.
          Otherwise what would be the point?

          It is JUST a DNS entry (with a little extra bit in Exchange) and just needs to point to a valid CAS.

          Without the RPC CAS array, your clients cannot connect to the DR site without being touched, as DAG failover is just the database, the clients do not follow.
          30 seconds work can save you hours in the event of a problem.

          Simon.



          • #6
            Re: Advice on Certificates Exc 2010

            Ah... makes sense
            I thought you could just change the external DNS (mail.domain.com) to point to the public IP for the second site, and a normal CAS server there would pick it up OK
            Tom Jones



            • #7
              Re: Advice on Certificates Exc 2010

              We have two separate CAS arrays, one in each site. We intend to use a company - http://www.tzoha.com - to handle the switchover of the DNS from primary to failover.

              So from what you are saying, a SAN cert is of no use because of the number of email domains we are hosting would make its cost prohibitive, and a wildcard certificate (what I was expecting to use) is of no good either as our internal Netbios name is not the same as our external domain name?

              I have uploaded a document to this post (I removed my company name if that's ok) which I envisage being the design.



              • #8
                Re: Advice on Certificates Exc 2010

                Originally posted by Ossian:
                > Ah... makes sense
                > I thought you could just change the external DNS (mail.domain.com) to point to the public IP for the second site, and a normal CAS server there would pick it up OK

                The RPC CAS Array is for internal traffic only, nothing to do with external. Microsoft recommend that the RPC CAS Array does not resolve externally so that Outlook Anywhere connects in a timely manner.
                It is all down to the change of model of Outlook - all Outlook connections, internal or external connect through the CAS, so you need to have some way of connecting Outlook to the replacement CAS server.
                While you can have CAS on the same server as MBX, the CAS does not "belong" to any MBX server, hence the failover only protecting the database, not the client access.

                If you don't have the RPC CAS Array configured, then at the moment there is no way to get the clients updated automatically, it requires manually touching the machines. As such, all of my deployments have an RPC CAS Array whether it is a 10 user installation or 10,000 user. SBS 2011 is an exception.

                Simon.
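Added example, not from the thread: the RPC CAS Array object Simon recommends, the database setting that makes Outlook profiles use it, and the internal DNS repoint that is the failover step he describes in #5. All names are assumed (outlook.domain.local for the array, dc01.domain.local as the DNS server, an AD site called "Primary", 10.1.0.10 and 10.2.0.10 as the CAS addresses in the two sites). Per #3 and #8 the array name stays internal: it is not published in external DNS and does not go on the certificate.

```powershell
# Added example (not from the thread). Creates the RPC CAS Array, points the
# mailbox databases at it, and shows the DNS change that moves clients to the
# DR site's CAS. Assumed names: domain.local forest, AD site 'Primary',
# array FQDN outlook.domain.local, DNS server dc01.domain.local,
# primary-site CAS 10.1.0.10, DR-site CAS 10.2.0.10.

# --- Build time: the array is an AD object plus an INTERNAL DNS A record. ---
New-ClientAccessArray -Name 'outlook.domain.local' -Fqdn 'outlook.domain.local' -Site 'Primary'

# Every mailbox database must name the array; otherwise Outlook profiles are
# stamped with a physical CAS server name and have to be touched at failover.
Get-MailboxDatabase |
    Where-Object { $_.RpcClientAccessServer -notlike 'outlook.domain.local' } |
    Set-MailboxDatabase -RpcClientAccessServer 'outlook.domain.local'

# Short TTL (300 s) so the repoint below takes effect quickly. Internal zone
# only: the array name must not resolve from the internet (Simon, #8).
dnscmd dc01.domain.local /RecordAdd domain.local outlook 300 A 10.1.0.10

# --- Failover: the "30 seconds work" from #5. ---
function Switch-CasArray {
    param([string]$DnsServer, [string]$Zone, [string]$Node, [string]$OldIp, [string]$NewIp)
    # Remove the stale record, then add the DR site's CAS address.
    dnscmd $DnsServer /RecordDelete $Zone $Node A $OldIp /f
    dnscmd $DnsServer /RecordAdd $Zone $Node 300 A $NewIp
}
Switch-CasArray -DnsServer 'dc01.domain.local' -Zone 'domain.local' -Node 'outlook' -OldIp '10.1.0.10' -NewIp '10.2.0.10'

# Check: the array now resolves to the DR CAS and the databases still reference
# it, so clients reconnect without profile changes once the old TTL expires.
nslookup outlook.domain.local dc01.domain.local
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
```

Run Switch-CasArray only after the DAG has actually activated the databases in the DR site; repointing the name while the active copies are still in the primary site just adds a hop through the wrong CAS.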



                • #9
                  Re: Advice on Certificates Exc 2010

                  Originally posted by marcus2704:
                  > We have two separate CAS arrays, one in each site. We intend to use a company - http://www.tzoha.com - to handle the switchover of the DNS from primary to failover.

                  An external provider will only switch over external DNS, although that isn't strictly necessary. With multiple DNS records for the MX record and autodiscover, it is possible to do most things completely automatically in the event of a problem. The only issue is dealing with the INTERNAL RPC CAS array DNS entry.

                  > So from what you are saying, a SAN cert is of no use because of the number of email domains we are hosting would make its cost prohibitive, and a wildcard certificate (what I was expecting to use) is of no good either as our internal Netbios name is not the same as our external domain name?
                  >
                  > I have uploaded a document to this post (I removed my company name if that's ok) which I envisage being the design.

                  That isn't what I said at all. A Unified Communications Certificate (aka SAN, Multiple Name) is what you need as that is the only way that you can cover the server names that are required. A wildcard certificate would be completely useless unless all users are using the same domain internally and externally.

                  What you need to decide is how you are going to cover the autodiscover requirement. You can buy a fifty name certificate if you like, it will be very expensive and a pain to manage. SRV records are the preferred method, the other way if your external DNS provider does not support them is the redirection method, but you will get prompts in Outlook which can confuse the end users.

                  Simon.
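Added example, not from the thread: a small name matcher that shows in code why Simon's answer comes out the way it does. Clients match a wildcard the way browsers and Outlook do, with the asterisk standing in for exactly one leftmost label, so *.domain.com can never cover a bare NetBIOS name or anything under domain.local, while a SAN certificate simply lists every name. Host names are placeholders; this is a demonstration, not a replacement for checking Get-ExchangeCertificate on the real servers.

```powershell
# Added example (not from the thread). Compares the names Exchange needs
# against what a wildcard certificate and a SAN certificate would each cover.
# Matching rule: exact (case-insensitive) match, or a '*.' pattern whose
# asterisk replaces exactly one leftmost label and whose remaining labels all
# match. Host names below are placeholders.

function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($c -eq $h) { return $true }
    if (-not $c.StartsWith('*.')) { return $false }
    $cl = $c.Split('.'); $hl = $h.Split('.')
    # Same label count, and every label after the wildcard must match exactly,
    # so '*.domain.com' covers 'mail.domain.com' but not 'cas01.domain.local'.
    if ($cl.Count -ne $hl.Count) { return $false }
    for ($i = 1; $i -lt $cl.Count; $i++) {
        if ($cl[$i] -ne $hl[$i]) { return $false }
    }
    return $true
}

function Get-UncoveredNames {
    param([string[]]$CertNames, [string[]]$RequiredNames)
    # Returns the required names that no certificate name matches.
    $RequiredNames | Where-Object {
        $r = $_
        -not ($CertNames | Where-Object { Test-CertNameMatch -CertName $_ -HostName $r })
    }
}

# Names from the first reply: public names plus the NetBIOS name and internal FQDN.
$required = @('mail.domain.com', 'autodiscover.domain.com', 'cas01', 'cas01.domain.local')

$wildcard = @('*.domain.com')
$san      = @('mail.domain.com', 'autodiscover.domain.com', 'cas01', 'cas01.domain.local')

'Wildcard leaves uncovered: ' + ((Get-UncoveredNames -CertNames $wildcard -RequiredNames $required) -join ', ')
'SAN leaves uncovered:      ' + ((Get-UncoveredNames -CertNames $san -RequiredNames $required) -join ', ')
```

The same function works as a pre-purchase check: feed -CertNames the list you are about to order and -RequiredNames the host names from your Exchange virtual directory URLs, and anything it returns is a name that will produce a certificate warning in Outlook or on phones.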
