Exchange 2013 certificate and FQDN of CAS/MB servers

Good Morning,

I have read articles that say I should not need anything but the fqdn names of things like autodiscover.mycompany.com and mail.mycompany.com on the cert you install on the exchange server. I went that route and installed it on every exchange server but for some reason, the client gets prompted for credentials with this configuration.

When I create a cert with all the CAS/MB FQDN names ( ie. casmb01.mycompany.pvt) on the cert, they do not get prompted and the exhttp allows the outlook client to connect properly.

This is a 2007 to 2013 migration. I am testing just the connectivity and have not put the 2013 as the proxy yet.

The clients also have an internal host name .pvt in the cert so I would imagine this would be a problem for outlook anywhere unless they vpn in and trust the local CA.

Can I use only the autodiscover and mail .mycompany.com?

Does anyone else have this set up this way?

Thanks

Paul
March 16th, 2015 10:40am

Here's what I would do:

If you are planning on allowing people to access Outlook Anywhere and Active Sync Externally

  • Since you can only have 1 cert bound to IIS I would create the cert via a 3rd party CA. They will only give you a cert for publicly accessible TLDs. So on that cert you will need mail.company.com, autodiscover.company.com and legacy.company.com. The legacy can really be anything you want, and is needed for OWA and ActiveSync redirection. Once I have the cert, I would change all the virtual directories to have their respective *.company.com addresses. In order for this to work properly with DNS (internally you get an internal address) you will need to create a DNS zone called mail.company.com and point that to your 2013 CAS servers and another one for legacy.company.com and point that to your 2007 servers.

If you are not allowing any external access then you can just create whatever certs you want to via your internal CA.

March 16th, 2015 11:05am

Thanks for the response.

Yes - people will be accessing from outside.

We have dns set up for internal and external. 

I may be missing something here.

I have assigned to the server ews, owa and such a DNS name of autodiscover.mycompany.com, but the internal name is mycompany.net.

We have DNS records that will resolve to mycompany.com internally and externally. The names go to the VIP of the HLB.

The Outlook clients should be able to handle the internal name as long as it resolves and is on the cert, and I do not need the specific name of the servers (CAS and mailbox) on the cert?

March 16th, 2015 10:23pm

If you do not have the namespace mail.company.net on the cert you will still get a cert error. It doesn't matter whether mail.company.net resolves to mail.company.com; if you tell Exchange the internal namespace is mail.company.net, that's what it pushes down to Outlook and that's the name it tries to verify against the cert. If that name is not on the cert, verification fails.
March 17th, 2015 10:10am
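As an added example that is not part of the thread, a check along the lines of the reply above: it lists every hostname Exchange 2013 hands to Outlook (Autodiscover, Outlook Anywhere and the virtual directories) and compares each against the SAN list of the certificate bound to IIS. It assumes the Exchange Management Shell; the server name is a placeholder taken from the question.

```powershell
# Added example (not from the thread): does the cert bound to IIS cover every
# hostname this Exchange 2013 server publishes to Outlook?
# Assumes the Exchange Management Shell; $server is a placeholder.
$server = 'casmb01.mycompany.pvt'

# Collect the names Exchange pushes down to clients
$names = New-Object System.Collections.Generic.List[string]

$oa = Get-OutlookAnywhere -Server $server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
    if ($h) { $names.Add($h.HostnameString) }
}

$cas = Get-ClientAccessServer -Identity $server
if ($cas.AutoDiscoverServiceInternalUri) { $names.Add($cas.AutoDiscoverServiceInternalUri.Host) }

$vdirs = @(
    Get-WebServicesVirtualDirectory -Server $server
    Get-OabVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory -Server $server
    Get-OwaVirtualDirectory -Server $server
    Get-EcpVirtualDirectory -Server $server
)
foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
        if ($u) { $names.Add($u.Host) }
    }
}

# The certificate with the IIS service enabled is the one Outlook sees over HTTPS
$cert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' }
$san  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# A name is covered if it is listed exactly or by a wildcard for its parent domain
function Test-NameOnCert([string]$name, [string[]]$domains) {
    $n = $name.ToLower()
    if ($domains -contains $n) { return $true }
    $parent = ($n -split '\.', 2)[1]
    return [bool]($parent -and ($domains -contains "*.$parent"))
}

# Any row with OnCertificate = False is a name Outlook will fail to verify
$names | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ PublishedName = $_; OnCertificate = Test-NameOnCert $_ $san }
} | Format-Table -AutoSize
```

Run it once per CAS/MB server; a published name such as casmb01.mycompany.pvt showing False is exactly the case the reply describes.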
