Exchange 2010 CAS certificates
hi, i am not certificate expert, so please bear with me. i am trying to get certificates for our CAS array, OWA etc. the domains are: -mail.ourExternaldomain.com -legacy.ourExernaldomain.com -autodiscover.ourExternaldomain.com -casArray.ourInternaldomain.com -casServer.ourInternaldomain.com the problem is, ourInternaldomain.com eventually exists and owned by another company. what should I do? should I just use internal CA/certs for those namespace? do i really need cert for casArray.ourInternaldomain.com and casServer.ourInternaldomain.com, anyway? please shed some light. thanks.
July 15th, 2010 10:03am
Hi, By default Exchange 2010 comes with a built-in certificate which is not trusted. You need to obtain a third party trusted certificate for wider use. You can have different domain name on the certificate other than the internal domain. For complete understanding you may read the below article. http://technet.microsoft.com/en-us/library/aa998840.aspx Also watch this video to request and implement certificate from local CA. http://www.msexchange.org/articles_tutorials/videos/exchange-server-2010/video-certificate-wizard-Exchange-2010.html Regards, Tariq
July 15th, 2010 12:23pm
You don't have to use the internaldomain in the cert. You will need to create a DNS zone internal for your external domain namespace (split brain DNS). Update all CAS internal and external URLs to the externaldomain names. Then point the internal DNS zone for external namespace to the internal IPs of the Exchange server. Point the CASArray URL and DNS to one of the external domain names (probably mail.ourexternaldomain.com). And you only need legacy if you are supporting coexistence with Exch 2003. Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
July 15th, 2010 4:19pm
hi tim, are you suggesting the CAS array FQDN to be resolvable externally? is this a good practice? the reason i come into this issue is because i'm trying to keep CAS array FQDN to local. maybe my only option is to use my own PKI/CA for the internal namespace and 3rd party CA for the external? do i make any sense? :(
July 15th, 2010 4:57pm
The CAS Array FQDN can be the externdomain name (mail.). There is no issues with this. You are not going to be able to split up the certs as there is just one website to bind the cert to. If you do not have the option to add the internaldomain to the cert SAN, and you only have the option to use the externaldomain in the cert, then you are going to have to go this route. When you use split brain DNS, the CAS Array will resolve to the internal IP. The only thing that is referenced from the outside is the mail. and autodiscover. records. You just happen to be using the same name for the FQDN of the CAS array. It is actually much less complex to do it this way. Here is a good reference article: http://msexchangeteam.com/archive/2009/11/20/453272.aspx Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
July 15th, 2010 10:10pm
if cas array name = external domain (mail.), won't you run into this issue mentioned by Brian Day on this thread? (http://social.technet.microsoft.com/Forums/en/exchange2010/thread/144eecf0-1963-4768-a08a-7c06eb2a79f1) thanks for the link to the article. i have read the article and it uses different name outlook.contoso.com as the CAS array, in oppose to mail.contoso.com. so back to one of my original questions, do we actually need a certificate for outlook.contoso.com, do we need to include it in the SAN names? thanks again.
July 16th, 2010 1:55am
I guess I will let someone else chime in. I have done a 3 node DAG with a HLB for the CAS array. Pointed the CAS Array to mail.extdomain and only had mail.extdomain, autodiscover.extdomain and legacy.extdomain in my cert. Changed all InternalURLs and ExternalURLs to point to mail.extdomain and autodiscover.domain (depending on which URLs are being configured). Internal clients point to internal VIP of HLB. External DNS points to public IP that NATs to VIP of HLB. Everything works just fine. Anyone else want to chime in? Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
July 16th, 2010 5:23am
July 19th, 2010 3:57am
Tim’s design is one option for you, although Brian’s concern is possible if we publish the CAS array FQDN to the internet. If you also concern about it, then casArray.ourInternaldomain.com is required to be added, but casServer.ourInternaldomain.com doesn’t have to be addedJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact email@example.com
July 21st, 2010 12:59pm
thanks guys. i ended up using casArray.ourExternaldomain.com for array FQDN and place it on internal (split) DNS.
July 26th, 2010 7:15am