Exchange 2007 SAN's in Cert.
Hi,

If I access externally via webmail.contoso.com, the VIP that goes to the internal CAS array NLB casnlb.contoso.com, what SANs do I need to include in the cert? Should I add all of the following to the SANs for the cert?

cashub1
cashub2
cashub1.contoso.com
cashub2.contoso.com
casnlb.contoso.com
webmail.contoso.com
autodiscover.contoso.com

or just the following:

webmail.contoso.com
casnlb.contoso.com
autodiscover.contoso.com

You might want to refer to the following for further information.

*********************************************************

Get-WebServicesVirtualDirectory | FT Identity,*url

Identity           InternalNLBBypassUrl   InternalUrl         ExternalUrl
--------           --------------------   -----------         -----------
CASHUB1\EWS (...   https://cashub1...     https://casnlb...
CASHUB2\EWS (...   https://cashub2...     https://casnlb...

Get-ClientAccessServer | FT Name,AutodiscoverServerInternalUri

Name      AutodiscoverServerInternalUri
----      -----------------------------
CASHUB1
CASHUB2

Test E-mail AutoConfiguration (XML)

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>User</DisplayName>
      <LegacyDN>/o=contoso /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=User</LegacyDN>
      <DeploymentId>84d817ae-bd6f-4381-a155-fbbd86974ec2</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHCCR.contoso.com</Server>
        <ServerDN>/o=contoso /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHCCR</ServerDN>
        <ServerVersion>720180F0</ServerVersion>
        <MdbDN>/o=contoso /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHCCR/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>EXCHCCR.contoso.com</PublicFolderServer>
        <AD>dc2.contoso.com</AD>
        <ASUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://casnlb.contoso.com/UnifiedMessaging/Service.asmx</UMUrl>
        <OABUrl>http://casnlb.contoso.com/OAB/688cadf0-644e-412a-ad4b-8719d6ca5f7d/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>autodiscover.contoso.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://cashub1.contoso.com/owa</OWAUrl>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://cashub2.contoso.com/owa</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
August 28th, 2012 11:25am

You don't include the RPC CAS Array in the SSL certificate, because nothing externally or internally should be using that URL for web traffic. The RPC CAS Array should be exclusively internal, and exclusive to RPC traffic on TCP.

Thus the minimum you would have would be:

mail.example.com (common name, usually the SMTP MX record name, Outlook Anywhere, ActiveSync name etc.)
autodiscover.example.com

If you are co-existing with Exchange 2007, then you would also have legacy.example.com in there as well.

With the changes to SSL certificates coming soon, putting the internal names in the certificate is being discouraged. Therefore if you are going to use a load balancer of some kind, use split DNS to have autodiscover and the common name resolve internally to the load balancer and adjust all URLs in Exchange to use those names rather than the actual host names of the servers.

That is it, nice and simple.

Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
August 28th, 2012 12:44pm

If we are using OWA at webmail.contoso.com, the virtual IP that goes to the internal CAS array NLB casnlb.contoso.com, for access in this case, do we require the following?

cashub1
cashub2
cashub1.contoso.com
cashub2.contoso.com
August 28th, 2012 9:21pm

Hi,

Only the URLs that are used by the clients (via HTTPS) are needed on the SAN cert. Since a CAS array is MAPI only and doesn't use SSL, it shouldn't be part of the SAN cert.

Below are the Microsoft recommendations around this topic:

The CAS array URL should be different to OWA, EAS, OA and EWS URLs.
Split DNS is used (a general recommendation, not related to the CAS array issue though).
You should use a URL that isn't resolvable from the internet as your CAS array.

Hope this can help you.

Thanks,
CastinLu
TechNet Community Support
August 29th, 2012 2:47am
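The rule in the reply above (only names clients contact over HTTPS belong on the certificate) can be checked directly against an Autodiscover response. The following is an added example, not from this thread or from Microsoft: it parses a copy of the XML posted in the question (trimmed to its URL elements), collects every host name and the scheme it is reached with, and compares the HTTPS hosts with a proposed SAN list. The SAN list in $sanNames is the two-name set recommended above; the casnlb/cashub names come from the posted XML.

```powershell
# Added example (not the thread's own code). Which hosts in an Autodiscover
# response must be on the certificate? Only those reached over HTTPS.
$sanNames = @("webmail.contoso.com", "autodiscover.contoso.com")   # proposed SAN list

# Constructed copy of the Autodiscover response posted in the question, URL elements only.
$autodiscoverXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHCCR.contoso.com</Server>
        <ASUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</ASUrl>
        <OOFUrl>https://casnlb.contoso.com/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>http://casnlb.contoso.com/OAB/688cadf0-644e-412a-ad4b-8719d6ca5f7d/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>autodiscover.contoso.com</Server>
        <SSL>On</SSL>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://cashub1.contoso.com/owa</OWAUrl>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://cashub2.contoso.com/owa</OWAUrl>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"@

$doc = [xml]$autodiscoverXml

# Every leaf element whose text is an http(s) URL.
$urls = $doc.SelectNodes("//*") |
    Where-Object { $_.HasChildNodes -and $_.FirstChild.NodeType -eq "Text" -and $_.InnerText -match '^https?://' } |
    ForEach-Object { [uri]$_.InnerText }

# host name -> which schemes it is contacted with
$report = @{}
foreach ($u in $urls) {
    if (-not $report.ContainsKey($u.Host)) { $report[$u.Host] = @{ https = $false; http = $false } }
    $report[$u.Host][$u.Scheme] = $true
}

# Outlook Anywhere (EXPR) carries a bare host in <Server>; with <SSL>On</SSL> it is an HTTPS endpoint too.
$ns = @{ r = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a" }
Select-Xml -Xml $doc -XPath "//r:Protocol[r:Type='EXPR' and r:SSL='On']/r:Server" -Namespace $ns |
    ForEach-Object {
        $h = $_.Node.InnerText
        if (-not $report.ContainsKey($h)) { $report[$h] = @{ https = $false; http = $false } }
        $report[$h].https = $true
    }

# Verdict per host: HTTPS hosts must be on the SAN list (or their URLs must be changed).
foreach ($h in ($report.Keys | Sort-Object)) {
    $status = if (-not $report[$h].https) { "http only, no certificate name needed" }
              elseif ($sanNames -contains $h) { "covered by SAN list" }
              else { "HTTPS but NOT on SAN list: change the URL or add the name" }
    "{0,-28} {1}" -f $h, $status
}
```

Run against the posted XML this flags cashub1, cashub2 and casnlb.contoso.com: the posted EWS URLs (ASUrl, OOFUrl) point at casnlb over HTTPS, so until the EWS InternalUrl is changed to the common name, Outlook will see a certificate name mismatch there even though the CAS array name is correctly left off the certificate. Only the OAB URL (plain HTTP) and autodiscover.contoso.com come out clean with the two-name list.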

Hi,

If we are using split DNS, do we need to include the NetBIOS name in the SAN for each CAS server? For this case, as follows:

cashub1
cashub2

If we do not include the NetBIOS names in the SAN, will there be any issue?
August 31st, 2012 5:05am

As long as you change all of the internal URLs inside Exchange, then you do not need to include the NETBIOS names in the SSL certificate.

Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
August 31st, 2012 9:17am

Do you have a complete shell command to update, check or verify all internal URLs, for my reference on this? What if the internal URL is empty?
August 31st, 2012 9:45am

Hi,

Does anyone know the impact of replacing the certificate with a new SAN cert?

1) Will there be any impact on existing ActiveSync connections?
2) Are there any services to restart for this?
September 7th, 2012 3:34am

If the names used externally are the same, then there will be no impact on ActiveSync. However you should run IISRESET to restart IIS to get the new certificate to take full effect.

Internal URLs cannot be empty for Exchange to work correctly.

Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
September 10th, 2012 4:49am
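The procedure the thread arrives at (check every internal and external URL, point them all at the split-DNS names, then request and enable a certificate carrying only those names and restart IIS) as one Exchange 2007 Management Shell script. This is an added example, not code from the thread or from Microsoft; the names webmail.contoso.com and autodiscover.contoso.com are the ones used in the thread, while the organisation string, the C:\certs paths and the Show-Url/Show-VirtualDirectoryUrls helpers are this example's own. One caveat about the output posted in the question: the Get-ClientAccessServer column there is headed AutodiscoverServerInternalUri, but the property is named AutodiscoverServiceInternalUri, and Format-Table prints an empty column for a property name it cannot find, so that blank column does not prove the URI is unset.

```powershell
# Added example (not the thread's own code). Exchange 2007 Management Shell.
$name   = "webmail.contoso.com"        # common name: what every HTTPS client connects to
$auto   = "autodiscover.contoso.com"
$onCert = @($name, $auto)              # the complete SAN list; the CAS array name is deliberately absent

# --- Step 1: check. Run before step 2 to see the gaps and after it to confirm. ---
function Show-Url {
    param([string]$Label, $Url)        # $Url is a System.Uri or $null as returned by Exchange
    if (-not $Url) {
        "{0,-52} EMPTY (Exchange needs this set)" -f $Label
    } elseif ($onCert -contains $Url.Host) {
        "{0,-52} {1}  ok" -f $Label, $Url.AbsoluteUri
    } else {
        "{0,-52} {1}  host NOT on certificate" -f $Label, $Url.AbsoluteUri
    }
}
function Show-VirtualDirectoryUrls {
    param([string]$Kind, $Dir)         # any *VirtualDirectory object with InternalUrl/ExternalUrl
    Show-Url "$Kind $($Dir.Identity) InternalUrl" $Dir.InternalUrl
    Show-Url "$Kind $($Dir.Identity) ExternalUrl" $Dir.ExternalUrl
}
Get-OwaVirtualDirectory         | ForEach-Object { Show-VirtualDirectoryUrls "OWA" $_ }
Get-WebServicesVirtualDirectory | ForEach-Object { Show-VirtualDirectoryUrls "EWS" $_ }
Get-OabVirtualDirectory         | ForEach-Object { Show-VirtualDirectoryUrls "OAB" $_ }
Get-ActiveSyncVirtualDirectory  | ForEach-Object { Show-VirtualDirectoryUrls "EAS" $_ }
Get-ClientAccessServer          | ForEach-Object {
    Show-Url "CAS $($_.Name) AutodiscoverServiceInternalUri" $_.AutodiscoverServiceInternalUri
}

# --- Step 2: point every URL at the names that will be on the certificate. -------
# Prerequisite: split DNS, so $name resolves internally to the load balancer VIP.
# Add -WhatIf to any Set-* line to preview it without changing anything.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -InternalUrl "https://$name/owa" -ExternalUrl "https://$name/owa"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$name/EWS/Exchange.asmx" -ExternalUrl "https://$name/EWS/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory `
    -InternalUrl "https://$name/OAB" -ExternalUrl "https://$name/OAB"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$name/Microsoft-Server-ActiveSync" -ExternalUrl "https://$name/Microsoft-Server-ActiveSync"
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutodiscoverServiceInternalUri "https://$auto/Autodiscover/Autodiscover.xml"

# --- Step 3: a certificate carrying exactly the names in $onCert, then IIS restart. ---
New-ExchangeCertificate -GenerateRequest -Path C:\certs\webmail.req -KeySize 2048 `
    -SubjectName "c=US, o=Contoso, cn=$name" -DomainName $onCert -PrivateKeyExportable $true
# Submit C:\certs\webmail.req to the CA and save the issued certificate as C:\certs\webmail.cer, then:
Import-ExchangeCertificate -Path C:\certs\webmail.cer | Enable-ExchangeCertificate -Services "IIS,SMTP"
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter
iisreset /noforce   # IIS re-reads the binding; clients that already use $name reconnect without change
```

Run step 1 against the configuration posted in the question and it flags the EWS InternalUrl on both servers (https://casnlb...) as a host not on the certificate, which is exactly the URL step 2 rewrites; the CAS array name itself is never needed because Outlook's MAPI/RPC connection to it does not use the SSL certificate. After step 2 every line should read "ok" and none "EMPTY", which is the condition the reply above sets for leaving the NetBIOS and server names out of the certificate.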

