Exchange 2007 Certificate Names
Hi, I have a production Exchange 2007. The certificate is created with all names inside (webmail, Autodiscover) - all is working fine. Question: I add a new CAS server. Do I need to include the new CAS name on the cert? Every time we add a CAS server we should modify the cert??
September 20th, 2010 12:04pm

Are the CAS servers in an array/load balanced or are they stand-alone?
September 20th, 2010 12:36pm

It is Exchange 2007 (no array). They are stand-alone.
September 20th, 2010 1:23pm

If they are stand alone, then each Client Access server will of course need a certificate with a subject name that represents it. Since webmail and autodiscover already point to the original CAS, how do you plan to make this 2nd server available for that functionality?
September 20th, 2010 1:47pm

If you have 2 CAS servers in a non-array, it sounds like you would be manually redirecting traffic if one server fails. I'd probably recommend setting up an array. Regardless, your best bet on the certificate is to add the server name as a Subject Alternative Name in a new cert. Or alternately you can create a single cert for both CAS servers and put the server name of each server as SANs within the single cert and apply that cert to both CAS servers. I'd still say setting up an array is the way to go though so you can maximize your uptime and simplify your configuration.
Jorge R. Diaz PMP, CCNA, MCSE, MCSA, Sr. Microsoft Consultant, Planet Technologies, Inc.
September 20th, 2010 2:14pm

I already have a SAN cert. Currently I have 3 CAS servers and they are all on the SAN cert. I'm adding a 4th CAS. Do I need to generate a new cert and add the new CAS server?? Every time I add a CAS I will have to generate a new cert??
September 20th, 2010 2:17pm

You'll of course need a certificate for the new CAS, yes. But you haven't answered the original question. Why do you need a SAN cert for 4 CAS if they are not load-balanced somehow? What do you do in the event one of those servers goes down?
September 20th, 2010 2:22pm

There is a reverse proxy in front of the CAS. That does some of the load balancing of the CAS. Now, CAS Array I think is new in E2K10. How can you do an array in E2K7?
September 20th, 2010 2:32pm

OK, so the reverse proxy will be the single namespace that external users connect to? And if one of the CAS is down it will route connections to a running CAS? If so, then yes, you'll need identical certs on all the CAS. Depending on how you have things set up for internal users, you may or may not need to add the individual names of each CAS plus the other UCC/SAN names you are already using. I was using array in the generic sense.
September 20th, 2010 2:44pm

Exactly. Thanks Andy. I know that since I have Webmail.domain.com already on the cert, if I load the current cert to the new CAS, external users will work fine. The problem is if somehow internally Exchange will use the CAS FQDN cas4.domain.local, it will be presented with the cert prompt. Any way to fix that without generating and loading a new cert on all CAS again? Never liked this operation :) How do you guys do it? Especially for E2K10 that will need more CAS, do we have to load 20 names on the cert? Every time a new CAS is added, generate a new cert and load it from scratch on all of them... a lot of work...
September 20th, 2010 2:57pm

Using a load balancer internally will allow you to get around that. Then you could set the -AutodiscoverServiceInternalUri and internalURLs of all the virtual directories to the same FQDN allowing a single static certificate with the same base SAN names.
September 20th, 2010 3:02pm
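
A check for the situation discussed above, added here as an example that is not part of the original thread: it lists the internal URLs a CAS hands to clients and flags any whose host name is not on the certificate enabled for IIS. It assumes it is run in the Exchange Management Shell locally on each Client Access server in turn.

```powershell
# Added example, not from the thread. Run locally on each CAS.
$server = $env:COMPUTERNAME

# Names (subject + SANs) on the certificate(s) enabled for IIS on this server.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Internal URLs this CAS publishes to clients (Autodiscover SCP + virtual directories).
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl })
$urls += (Get-OabVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl })
$urls += (Get-OwaVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl })
$urls += (Get-ActiveSyncVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl })

foreach ($url in ($urls | Where-Object { $_ })) {
    $h = ([Uri]"$url").Host.ToLower()
    $covered = $false
    foreach ($n in $certNames) {
        if ($n -eq $h) {
            $covered = $true
        }
        elseif ($n.StartsWith("*.") -and $h.IndexOf(".") -gt 0) {
            # A wildcard entry covers exactly one label to the left of its suffix.
            if ($h.Substring($h.IndexOf(".")) -eq $n.Substring(1)) { $covered = $true }
        }
    }
    if ($covered) {
        Write-Host "OK      $url"
    }
    else {
        # Clients sent to this URL will get a certificate name-mismatch prompt.
        Write-Warning "$server : $url uses host '$h', which is not on the IIS certificate"
    }
}
```

A URL that still carries a per-server name such as cas4.domain.local shows up as a warning until it is pointed at a name already on the certificate or the certificate is reissued with that name.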

Hmmm, great idea. What if I configure the InternalURL and ExternalURL to my external webmail.domain.com on all CAS servers? Does it make sense? So use the external load balancer for both internal and external.
September 20th, 2010 3:40pm

In theory you could do that, but only if the routing and DNS works, etc...
September 20th, 2010 6:48pm

This topic is archived. No further replies will be accepted.
