Exchange 2003 to 2010 - CAS Array SSL question
Hello all - I am currently upgrading Exchange 2003 to 2010. I currently have the CAS/HUB roles installed in an NLB environment on two nodes. The Exchange 2003 external OWA URL is 'OWA.domain.com'. My initial question is how many SAN names will I need on the UCC cert for the NLB config? The NLB cluster is named 'xyz.corp.domain.com'. The NLB member names are 'abc.corp.domain.com' and 'def.corp.domain.com'. Will I need to add the member node FQDNs to the SSL UCC certificate request, or only the NLB cluster FQDN? Should the SSL cert look like the following?

Common Name: owa.domain.com
SAN Names: imap.domain.com, pop.domain.com, smtp.domain.com, autodiscover.domain.com, legacyowa.domain.com, domain.com, xyz.corp.domain.com, abc.corp.domain.com, def.corp.domain.com

Thanks for your input,
CW
November 19th, 2010 12:14pm

Hey, my NLB is only registered in the Exchange cert with one internal and one external address. So mine is webmail.domain.com, outlook.domain.local, legacy.domain.com, autodiscover.domain.com. I notice you have IMAP, POP and SMTP as well, so you need to add those. I followed the following guide to only have one internal name: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
/Martin
Exchange is a passion not just a collaboration software.
November 19th, 2010 2:10pm
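The certificate request that Martin's list implies, written out as an added example (this is not code from the thread or from the linked article). It uses the placeholder names from the original post; the organization and country in the subject, the file paths, and the friendly name are assumptions. The point worth seeing in code is what is left out: the NLB node names abc.corp.domain.com and def.corp.domain.com are not on the request, because clients that are pointed at the array name never see them.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on one
# of the two CAS/HUB nodes (assumed: abc.corp.domain.com). Names are the thread's
# placeholders; O=/C= and the paths are assumptions.

$externalName = 'owa.domain.com'       # external OWA name, used as the Common Name
$sanNames = @(
    $externalName,
    'autodiscover.domain.com',         # Autodiscover for Outlook 2007 / ActiveSync
    'legacyowa.domain.com',            # redirect target for mailboxes still on 2003
    'xyz.corp.domain.com',             # CAS array / NLB cluster FQDN for internal URLs
    'imap.domain.com',
    'pop.domain.com',
    'smtp.domain.com'
)
# Deliberately absent: abc.corp.domain.com and def.corp.domain.com (the NLB members).

$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalName, O=Contoso, C=US" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 UCC'
Set-Content -Path 'C:\certreq\exchange2010.req' -Value $req

# Once the CA has returned the signed certificate, complete the request and bind it.
$cert = Import-ExchangeCertificate -FileData ([byte[]](
    Get-Content -Path 'C:\certreq\exchange2010.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP,SMTP'

# Both NLB members must present the same certificate, so export it with its private
# key and import the PFX on the second node (def.corp.domain.com) the same way.
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password (Read-Host 'PFX password' -AsSecureString)
Set-Content -Path 'C:\certreq\exchange2010.pfx' -Value $pfx.FileData -Encoding Byte

# Check what actually ended up on the certificate before testing from Outlook.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Select-Object Subject, CertificateDomains, Services
```

The last command is the one to compare against the Outlook alert: whatever hostname appears at the top of the security alert must appear in CertificateDomains, or the client must be reconfigured so that it stops being handed that name.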

Thanks Martin - I followed your advice and created the cert with the OWA entry, CAS Array name, autodiscover, legacy entry, POP and IMAP. After applying the cert, OWA and legacy OWA seem to work fine. When I open Outlook 2007 and run a 'Test Email AutoConfiguration' I immediately get two SSL security alerts. The first alert states that 'The name on the security certificate is invalid or does not match the name of the site'. At the top of the alert it clearly indicates the FQDN of one of the CASArray node members, i.e. ABC.corp.domain.com. The second alert is identical, but indicates the FQDN of the other CASArray node member, DEF.corp.domain.com. Obviously the NLB CASArray is responding directly to clients with their individual FQDNs instead of the CASArray name that is on the certificate. Based on what I have read and your reply, the individual FQDNs of the CASArray should not need to be SANs on the UCC certificate, but this error is stating otherwise. What am I missing? Thanks for anyone's input.
November 23rd, 2010 11:35am

bump
November 23rd, 2010 4:25pm

Hi, it seems as though you are missing one of the configuration changes, so as you write, you are connecting to the individual server and not the DNS name of the NLB. Did you follow the guide from Elan Shudnow? Did you follow any other guides? I have the setup running where I am at the moment, so please let me know what steps you took to create the NLB.
/Martin
Exchange is a passion not just a collaboration software.
November 24th, 2010 6:31am
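The "configuration changes" Martin is referring to, shown as an added example in Exchange 2010 Management Shell commands (this is not code from the thread or from Shudnow's article, which was written for Exchange 2007). It is the set of places where Exchange hands Outlook a hostname: the CAS array object, each database's RpcClientAccessServer, and the internal URLs that Autodiscover returns. Any of these still carrying a node name produces exactly the two alerts described in the post above. The AD site name, the assumption that the NLB VIP already resolves to xyz.corp.domain.com in DNS, and the use of the array name for every internal URL are assumptions.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell on a
# CAS node, that DNS already maps xyz.corp.domain.com to the NLB VIP, and that the
# Active Directory site is 'Default-First-Site-Name'.

$arrayFqdn = 'xyz.corp.domain.com'
$site      = 'Default-First-Site-Name'

# 1. One CAS array per AD site. Outlook uses its FQDN for MAPI/RPC.
if (-not (Get-ClientAccessArray -Site $site -ErrorAction SilentlyContinue)) {
    New-ClientAccessArray -Name 'CASArray' -Fqdn $arrayFqdn -Site $site
}

# 2. Outlook learns the RPC endpoint from the mailbox database. Databases created
#    before the array existed still point at an individual server; repoint them.
Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $arrayFqdn } |
    Set-MailboxDatabase -RpcClientAccessServer $arrayFqdn

# 3. Internal URLs handed out by Autodiscover. With 'one internal name' every
#    URL uses the array FQDN, which is a SAN on the certificate; node names are not.
foreach ($cas in Get-ClientAccessServer) {
    Set-ClientAccessServer -Identity $cas.Name `
        -AutoDiscoverServiceInternalUri "https://$arrayFqdn/Autodiscover/Autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$($cas.Name)\EWS (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/EWS/Exchange.asmx"
    Set-OABVirtualDirectory -Identity "$($cas.Name)\OAB (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/OAB"
    Set-OwaVirtualDirectory -Identity "$($cas.Name)\owa (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/owa"
    Set-EcpVirtualDirectory -Identity "$($cas.Name)\ecp (Default Web Site)" `
        -InternalUrl "https://$arrayFqdn/ecp"
}

# 4. Cross-check: every hostname Exchange will hand to a client must be a SAN on
#    the certificate bound to IIS. Anything listed here is a future Outlook alert.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains }

$handedOut = @(Get-MailboxDatabase      | ForEach-Object { $_.RpcClientAccessServer }) +
             @(Get-ClientAccessServer   | ForEach-Object { ([uri]$_.AutoDiscoverServiceInternalUri).Host }) +
             @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl.Host }) +
             @(Get-OABVirtualDirectory  | ForEach-Object { $_.InternalUrl.Host }) +
             @(Get-OwaVirtualDirectory  | ForEach-Object { $_.InternalUrl.Host })

$handedOut | Where-Object { $_ } | Sort-Object -Unique |
    Where-Object { $certNames -notcontains $_ } |
    ForEach-Object { Write-Warning "Handed to clients but not on the certificate: $_" }
```

Step 4 is the part a typo in one of the earlier commands will not get past: a single virtual directory whose InternalUrl still says abc.corp.domain.com shows up in the warning list, and that is the same name Outlook would put at the top of its certificate alert.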

Martin - I had fat-fingered the entry when following the article. Thanks much for the link; it did the trick!
November 24th, 2010 12:21pm

You are welcome :)
Exchange is a passion not just a collaboration software.
November 24th, 2010 12:31pm
