Exch 2007 upgrade from 2003 -Self-signed Cert move question
We currently have our own (self-signed) Certification Authority at mobile.companyname.com which we use for ActiveSync and OWA access. This resides on the owa.companyname.com server (same public IP address), which is the same physical machine and is in our DMZ behind the firewall. Our company is in the process of upgrading to Exchange 2007, which means the existing OWA server will no longer be in the architecture; it will be replaced by the new Exchange 2007 Hub Transport / Client Access Exchange server. I understand that a 2007 Exchange server will create a self-signed cert for internal use and that a self-signed certificate can be used (though not best practice) for internet clients to connect for OWA and ActiveSync.

1.) My question is: should I move the Certification Authority to the new Exchange 2007 CA/HT server which will be NAT'ed (using the same outside IP address), or can I retain the current self-signed CA without an outside internet-accessible IP address? (I am thinking no.)

2.) What happens to the existing (OWA and mobile) clients when they try to reconnect after changes to the existing CertAuth/OWA machine?

3.) Does the certificate authority use the AD for issuing the (self-signed) certificates for ActiveSync / Windows Mobile devices, or does it require a NAT connection to the outside internet accessible by the clients?

Existing environment: Windows cert machine is 2003 R2 SP2 (32-bit) issuing the self-signed cert for Windows ActiveSync on Exchange Front-End Enterprise Edition version 6.5 (Build 7638.2 Service Pack 2). If we replace the cert it would reside on a Windows 2008 R2 Standard (64-bit) (Client Access / Hub Transport) Exchange 2007 SP2 machine.

AK2
November 15th, 2010 1:51pm

1.) My question is should I move the Certification Authority to the new exchange 2007 CA/HT server which will be NAT'ed (using the same outside IP address) or can I retain the current self-signed CA without an outside internet accessible IP address. (I am thinking no)

You can retain the CA on your local machine without a public IP address. The first thing that needs to be clarified is that when a client accesses OWA/ActiveSync, it does not connect to your Certification Authority (CA) server to authenticate the certificate that is installed on the IIS server. A self-signed certificate by default cannot be trusted by any computers (other than the CA server itself) or devices. A user trusting a CA means that the CA certificate is held in the user's Trusted CAs store. If the certificate is not trusted, it will not work with ActiveSync. But OWA can still work.

2.) What happens to the existing (OWA and Mobile) clients when they try to reconnect after changes to the existing CertAuth/OWA machine.

Suppose that you migrated to Exchange 2007, moved all users to the Exchange 2007 mailbox server and changed mobile.companyname.com and OWA.companyname.com to the new Exchange CAS server.

1. When the existing clients try to access OWA on the Exchange 2007 CAS server, they will get the warnings: "The security certificate was issued by a company you have not chosen to trust" and "the name of the security certificate is invalid or does not match the name of the site". But the client can continue to access OWA by clicking the button.

How to store a non-public certificate in the user's Trusted CA store
=======================================
1. When you receive the warning, click View Certificate.
2. In the Details tab, click Copy to File, and save the certificate on a local drive.
3. Double-click the certificate (*.cer) you just saved and click "Install Certificate".
4. Select "Place all certificates in the following store".
5. Click Browse, select "Trusted Root Certification Authorities". Click OK to install.

You can also use Group Policy to deploy this certificate for all users. For more information, please refer to the following article: http://technet.microsoft.com/en-us/library/cc770315(WS.10).aspx

2. When the existing clients try to access ActiveSync on the Exchange 2007 CAS server, they will fail. As I said before, since we are using a non-public certificate, it cannot be trusted by the mobile device. To resolve this problem, you need to install the new certificate on your mobile clients.

3.) Does the certificate authority use the AD for issuing the (self-signed)certificates for active sync / windows mobile devices or does it require a NAT connection to the outside internet accessible by the clients?

Both internal and external users do not connect to the CA when accessing OWA/ActiveSync.

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks
Gen Lin-MSFT
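The answer above describes two separate failure conditions behind the OWA warning (an issuer the client does not trust, and a certificate name that does not match the site) and a manual procedure for placing the certificate in the Trusted Root store. The PowerShell below is an added example, not code from the thread or from Microsoft: it connects to the new CAS on port 443, evaluates the served certificate against the local machine's trust stores, checks the name against each public host name the thread uses, and optionally exports the top of the served chain as a DER .cer for the Trusted Root store. The host names owa.companyname.com and mobile.companyname.com are the thread's placeholders; `Test-ExchangeCertificate`, its parameters and the export path are assumptions of this example.

```powershell
# Added example (not from the original thread). Reproduces, as a check, the two
# conditions behind the OWA certificate warning and exports the chain's top
# certificate for the Trusted Root store. Function name and parameters are assumed.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [string]$ExportRootTo   # optional: path for a DER .cer of the chain's top certificate
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake; the chain is evaluated explicitly below.
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate; RemoteCertificate is disposed with the stream.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }

    # 1. Chain trust: does the chain end in a certificate held in this machine's Trusted Root store?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal CA; CRL reachability is a separate question
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 2. Name match: the Subject CN or any DNS entry in the Subject Alternative Name extension.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. "DNS Name=owa.companyname.com, DNS Name=mobile.companyname.com"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $nameOk = [bool]($names | Where-Object {
        $_ -ieq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_)
    })

    if ($ExportRootTo) {
        # Top of the chain as served: the CA certificate if the server sent one, otherwise the
        # leaf itself (a self-signed certificate is its own root). This is the file for Trusted Root CAs.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [IO.File]::WriteAllBytes($ExportRootTo,
            $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    }

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Names        = ($names -join ', ')
        ChainTrusted = $chainOk
        ChainStatus  = $(if ($chainOk) { 'OK' } else { $status })
        NameMatches  = $nameOk
    }
}

# Both public names in the thread point at the same CAS, so the one certificate it
# serves must carry both; a name that fails here produces the second OWA warning
# and an ActiveSync failure even after the issuer is trusted.
'owa.companyname.com', 'mobile.companyname.com' |
    ForEach-Object { Test-ExchangeCertificate -HostName $_ } |
    Format-List

# Export once, then steps 3-5 of the manual procedure can be done from an elevated
# prompt with certutil (assumed path):
#   Test-ExchangeCertificate -HostName owa.companyname.com -ExportRootTo C:\temp\exchange-root.cer
#   certutil -addstore -f Root C:\temp\exchange-root.cer
```

Run it from a client that has not yet trusted the new CAS: `ChainTrusted` false with `UntrustedRoot` reproduces the first warning, `NameMatches` false reproduces the second. After importing the exported .cer into Trusted Root CAs (manually, with certutil, or through the Group Policy article linked above) the first check should flip to true while the name check is unaffected, which is why a certificate covering both host names matters before the ActiveSync devices are re-pointed.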
November 17th, 2010 5:41am

Hi AK2, how are things going?

Thanks
Gen Lin-MSFT
November 25th, 2010 9:10pm

