2003 and 2010 co-existence cert questions
I have been reading many posts here and what I find on the Internet. I am still a bit confused. Most situations are close to mine but I still am not 100% sure.

I currently have:
Single internet access with ISA 2006 (not SP1 yet!)
Multiple Exchange 2003 mailbox servers
Two sites with Exchange 2010 installed already side by side with Exchange 2003; I can send email to and from each site, and send all external email to the HT at the site with internet access.

We publish OWA with a VeriSign cert for webmail.domain.com. We then direct this to our FE 2003 server. We currently do not require HTTPS from ISA back to the FE server.

I know I will need to get a SAN cert with webmail.domain.com and autodiscover. But webmail has a different domain name than what is used on internal clients. How then do I create a SAN cert with the FQDN of internal servers?
OWA = webmail.domain.com
Internal domain = corporate.internal.com

Also, how do I create certs for clients internal to access the Exchange servers? Can I use a private cert for internal access, and the public cert for OWA?

Then what about the redirect to legacy Exchange mailboxes? This is where I am really confused!! I then set up a redirect to the legacy FE server (which I am still unsure how to change on the FE server), or do I create a DNS entry internally that points to the FE server? I need to then point ISA to the CAS where I have my single internet access point.
April 3rd, 2012 2:46pm

Hi, that article can be helpful for you: http://blogs.technet.com/b/exchange/archive/2009/12/17/isa-2006-sp1-configuration-with-exchange-2010.aspx In your case there may be many different ways.

"How then do I create SAN cert with FQDN of internal servers?" You can buy a new certificate from public sellers or create a new certificate from a Microsoft CA. That certificate must contain the necessary URLs: internal OWA URL, external OWA URL, Autodiscover URL and also the legacy URL. If you have a different domain namespace between external DNS and the internal corporate domain you can implement a split DNS configuration: http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

"Can I use a private cert for internal access, and the public cert for OWA?" Microsoft recommends buying a public SAN certificate. It's very useful and helps you reduce the cost of troubleshooting.
April 4th, 2012 3:34am

Sergey, thank you very much. I appreciate you sharing the links. The shudnow.net link was especially helpful.

I believe this is my updated plan. I need to create a SAN or UC certificate with all my external service names on it: webmail.domain.com, autodiscovery.domain.com, legacy.domain.com. I then can replace the existing OWA listener with this new cert and redirect it to the CAS server here at Corporate. Create a new listener for legacy.domain.com for OWA mailboxes on 03 and direct it to the 03 Front End server. Then set up the 03 redirect on the CAS server for legacy.brentw.com. This should redirect anyone who has an 03 mailbox to hit the new listener on the ISA server and forward them to the 03 Front End server. That should be all I need for external OWA connectivity. If I am missing something please let me know!

Since I don't have split DNS here I plan on using a private cert generated by an internal PKI. I believe I need to create a cert for every Exchange server I have? This will then correct the prompt I get with Outlook clients connecting to their mail servers. I am working on that now. I have no prior experience with certs. Any direction on this is much appreciated. I am not sure as of this writing if I use the Server Configuration - New Exchange Certificate wizard. Is this a self-signed cert? How can I use this in GP? Do I need to then put these certs on the ISA server so it can connect back to each CAS? Or will all these services be proxied through the internet-facing CAS, and use the private certs?
April 4th, 2012 2:58pm
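The SAN certificate request, the check that the issued certificate carries every name the thread calls for, and the legacy (2003) OWA redirect on the CAS, as an added example in the Exchange 2010 Management Shell; this is not code from either poster. The organisation name, the CAS server name CAS01, the C:\certs paths and the use of the public names under domain.com are assumptions.

```powershell
# Added example, not from the thread. Assumed: organisation "Example Org",
# CAS server CAS01, files under C:\certs. Run in the Exchange 2010 Management Shell.

# 1. Generate one request that lists every external service name the thread
#    identifies: OWA, Autodiscover and the legacy (2003) namespace.
#    The CN is the primary name; every entry in -DomainName becomes a SAN.
#    -PrivateKeyExportable lets the same cert later be exported to the ISA listener.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=webmail.domain.com, O=Example Org, C=US" `
    -DomainName webmail.domain.com, autodiscover.domain.com, legacy.domain.com `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path C:\certs\exchange2010.req -Value $req
# Submit C:\certs\exchange2010.req to the public CA; save the issued cert as
# C:\certs\exchange2010.cer before continuing.

# 2. Import the issued certificate and bind it to IIS (OWA, EWS, Autodiscover).
$bytes = [Byte[]](Get-Content -Path C:\certs\exchange2010.cer -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Verify the bound certificate really covers all three names before the ISA
#    listener is repointed at the CAS; a missing SAN shows up as client warnings.
$required = 'webmail.domain.com', 'autodiscover.domain.com', 'legacy.domain.com'
$bound    = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$present  = $bound.CertificateDomains | ForEach-Object { [string]$_ }
$missing  = $required | Where-Object { $present -notcontains $_ }
if ($missing) {
    Write-Warning "Certificate is missing SAN entries: $($missing -join ', ')"
} else {
    Write-Output "All required names present; bound services: $($bound.Services)"
}

# 4. Tell the 2010 CAS where to send users whose mailbox is still on 2003, so an
#    OWA logon for a legacy mailbox is redirected to the legacy namespace (which
#    the ISA listener for legacy.domain.com then forwards to the 2003 Front End).
Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" `
    -Exchange2003Url "https://legacy.domain.com/exchange"
```

Step 3 reads back the bound certificate rather than the request, so it also catches a CA that silently dropped a requested SAN.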
