2010 CAS w/ ISA Certificate Questions
Hi Everyone, I am going to be implementing a CAS this weekend and had a few questions in regards to certificates and ISA. This will be the first Exchange 2010 server introduced into our environment. We are currently running 2003 with multiple mailbox, front-end, and bridgehead servers. We are also running an ISA 2006 server to handle two-factor authentication to webmail. We are currently running an externally-signed wildcard certificate on our ISA server and an internally-signed (ADCS Enterprise CA) wildcard certificate for webmail. Would this strategy still work okay? I have read a number of posts where "SAN" or "UC" certs were recommended over wildcard certs due to having different internal and external domains (webmail.company.local versus webmail.company.com), but in my situation the ISA server will be acting as a "Go Between" and the only cert the user will see logging in to webmail will be the externally-signed wildcard cert, and ISA will create its own connection back to the CAS with the internally-signed wildcard cert. Does that make sense? I'm just trying to save time and complexity (well, complexity beyond already having an ISA server thrown into the mix). Also, for what it's worth, I will be adding additional CASs later on to create an array (load-balanced by something like a NetScaler), if that makes a difference. Thanks in advance!
January 17th, 2012 5:14pm
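The two-hop setup described in the question, modelled as an added example (not code from the thread or from any Microsoft tool): each TLS leg is checked separately for hostname coverage and issuer trust, which is why a wildcard per domain works when ISA bridges, and why a single wildcard would fail without the proxy. All hostnames and CA names are placeholders assumed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 cert: subject CN, SAN entries, issuing CA."""
    subject_cn: str
    issuer: str
    sans: tuple = ()

    def names(self):
        return (self.subject_cn,) + self.sans

def name_matches(pattern, hostname):
    """RFC 6125-style check: a '*.' wildcard covers exactly one left-most label,
    so *.company.com matches webmail.company.com but not webmail.company.local,
    mail.east.company.com or the bare company.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".company.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost

def check_hop(cert, hostname, trusted_cas):
    """Return the reasons a TLS client would reject this hop (empty list = OK)."""
    problems = []
    if not any(name_matches(n, hostname) for n in cert.names()):
        problems.append(f"name mismatch: {hostname} not covered by {cert.names()}")
    if cert.issuer not in trusted_cas:
        problems.append(f"untrusted issuer: {cert.issuer}")
    return problems

# Constructed sample certs mirroring the thread's setup (placeholder names).
EXTERNAL_WILDCARD = Cert("*.company.com", issuer="Public CA")
INTERNAL_WILDCARD = Cert("*.company.local", issuer="ADCS Enterprise CA")

def bridged_owa_checks():
    """Validate both legs of the ISA-bridged path plus the single-cert alternatives."""
    browser_trusts = {"Public CA"}                      # external user's PC
    isa_trusts = {"Public CA", "ADCS Enterprise CA"}    # domain-joined ISA box
    return {
        "client->ISA": check_hop(EXTERNAL_WILDCARD, "webmail.company.com", browser_trusts),
        "ISA->CAS": check_hop(INTERNAL_WILDCARD, "webmail.company.local", isa_trusts),
        # Why SAN/UC certs get recommended when one cert must serve both names:
        "external cert on CAS": check_hop(EXTERNAL_WILDCARD, "webmail.company.local", isa_trusts),
        "internal cert seen by browser": check_hop(INTERNAL_WILDCARD, "webmail.company.local", browser_trusts),
    }

if __name__ == "__main__":
    for leg, problems in bridged_owa_checks().items():
        print(f"{leg}: {'OK' if not problems else '; '.join(problems)}")
```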

Any updates on this? JAUCG
January 20th, 2012 5:29pm

Hi JAUCG, Thank you for the links. We're actually putting in the first CAS of the pilot project tonight. :) I'll reply again later on or sometime tomorrow.
January 21st, 2012 8:17pm

We ended up running into an issue with our DR site, which is where we were testing the ISA configuration before making the changes to the corporate server; the Internet connection died. :( We're hopefully going to try again this week. I'll let you know how she does. Thanks again.
January 23rd, 2012 11:13am

Sure, no problem. Just keep us in the loop if we can provide any assistance. JAUCG
January 23rd, 2012 10:23pm

Hi JAUCG, No, not yet. We were noticing that our ISA server is giving a ton of denial errors to ActiveSync users (Statuses 64, 10022, 1460, 1236, 1790, 10053, 10054) that my boss wanted to remediate before introducing another layer of complexity.
January 30th, 2012 9:48am

Try to import the public certificate for one of the test users manually into Trusted Root Certificates, then try to access OWA in the DR site... Also check if it works internally... If not, repeat the same for the internal CA published in Trusted Root Certificates... Check that the certificate service is assigned properly for the Exchange servers and that the binding is set properly in Inetmgr.. Exchange Queries
February 25th, 2012 10:02pm

Thanks, Steve. One of the other members of my team looked at it (gave it another "set of eyes") and completely re-configured the ISA rules and it was working after that (for OWA, anyway), so I think we're okay there. Since RU1 is out, and since we haven't gone anywhere near "Live" yet, I may just go ahead and update all of the servers I have set up so far. I ended up looking up the Exchange Blog and read this link regarding the newest RU and an issue it created for CAS-to-CAS proxying (http://blogs.technet.com/b/exchange/archive/2012/02/17/exchange-2010-sp2-ru1-and-cas-to-cas-proxy-incompatibility.aspx). Now, since 2010 doesn't "Proxy" to 2003 Front-End (does complete redirection), I figure this won't affect OWA, but will this have an effect on ActiveSync? I know that ActiveSync uses RPC-proxy for 2003 mailboxes, and while CAS-proxy is different, I just want to make sure. Lastly, when I go ahead and apply this update, what all "prep" work needs to be done before installing an Exchange patch these days? Having moved to a new organization, I haven't done one in almost a year now. I remember that it was "Good Practice" to disable the "Check for publisher's certificate revocation" in IE (or via reg-hack); is that still the case? I know to run "StartDagServerMaintenance.ps1" if your MB servers are in a DAG and to disable any "Exchange-Aware" applications (AV, backup, etc), but is there anything else? Should one stop the Exchange services? Thanks again, everyone!
February 27th, 2012 4:41pm
