Just want to make sure my thought process for the SAN certificate is correct?
I will have 2 multirole installed Exchange 2010 servers behind a hardware load balancer solution with a single Exchange 2007 to maintain till I have all mailboxes moved. If I understand the certificate process, then I will create a SAN certificate from one of my 2010 servers with the following names:
mail.domain.com
autodiscover.domain.com
mail01.domain.com
mail02.domain.com
legacy.domain.com
Again, as I understand this, and since I use a split-DNS setup as my internal DNS namespace is domain.local and an internal zone created for domain.com with records defined, I don't have to specify my internal names (i.e. mail01.domain.local, etc.). If I am wrong on this, please correct me. Also, since I use Digicert as my CA, I can use that same certificate on my other 2010 server, my hardware load balancer, and finally import that cert into my UAG server to publish OWA, ActiveSync, etc. to my Internet users needing access. If I'm missing any names to my SAN cert, please let me know, and also if my thinking is off on the certificate process, please chime in. Thanks.
June 4th, 2011 7:25pm

Seriously, you should consider getting rid of the multiple DNS setup for applications and going with a split-brain DNS. (You're using the word "split" confusingly.) A split-brain DNS has separate servers for the same address space for internal and external resolution. You don't have to change your AD; you can continue to use the .local for AD stuff. This will make your certificate process a whole lot easier. Otherwise, you might consider installing a TMG Server in your DMZ to publish Exchange services to the Internet, which not only gives you better security but also simplifies your certificate. If you do this, you can use a public certificate from Digicert with just the autodiscover, mail and legacy (if you still have legacy Exchange) SANs. On the inside, you can use a certificate issued from your enterprise CA (free!) with the following SANs:
mail.domain.local (or .com if you take my split-brain DNS advice)
mail01.domain.local
mail02.domain.local
legacy.domain.local
mail
mail01
mail02
With all those, you'd likely never have anyone ever get a certificate warning.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 4th, 2011 7:49pm

Ok, maybe I'm missing something or did not offer enough info, because now you have me second-guessing what I have been doing for a while. I have my internal AD DNS with a zone of domain.local, and I have created another zone for domain.com so internal clients can resolve domain.com info to internal IP addresses without having to loop through the firewall. I do have external host records defined as well at my ISP, as they host those DNS records for domain.com to resolve to the public IP addresses. It sounds to me like we are talking about the same thing, but correct me if I'm wrong. I do have a UAG server, as mentioned before, that replaces the need of TMG in this scenario, and I still want to use a trusted 3rd party CA as all of my internal clients might not be domain joined to automatically trust my Enterprise CA (which I do have). So knowing all of this, would the names I originally mentioned still be correct with maybe the addition of the host only (i.e. mail, mail01, mail02)?
June 4th, 2011 8:22pm

What you've done in your first paragraph is great; that's a split-brain DNS. You didn't say that in your original post. As long as all users resolve using whatever.domain.com URLs, then you can use an externally-generated certificate both inside and outside. But I don't think an external authority will issue a certificate for the short names (mail, mail01, etc.), so if users enter mail in their browser, they'll get a certificate warning. They must enter mail.domain.com. It's an inconvenience, and only you can judge how inconvenient it is. What you have proposed will probably work pretty well.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 5th, 2011 3:20pm

Hi, your understanding is almost correct. Additionally, I'd like to share with you an article with a real-world scenario about the Exchange certificate: http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
Thanks, Simon
June 6th, 2011 10:46pm

Ok, it's becoming a little clearer as we go. After a little more thought and reading, I can even negate the need of using mail01.domain.com (or .local), mail02.domain.com (or .local) and their associated NetBIOS names for internal resolution, as my clients will always hit the HLB, which is virtual IP'd to the CAS array I will create on one of the Exchange 2010 boxes for both servers. So if I create a CAS array with the name mail.domain.com, which will be a record I have in my internal domain.com zone, and also based on the link Simon_Wu gave, I read where I could also change the SCP for my internal Outlook users:
set-clientaccessserver <servername> -autodiscoverserviceinternaluri: https://autodiscover.mydomain.com/autodiscover/autodiscover.xml
"That way internal clients that are able to use the SCP and external clients will resolve to the same name that the cert was issued" - from blog post
So with that logic and based on that blog posting, the names in my SAN cert would only be:
mail.domain.com
domain.com (I don't think this one is really needed either, but I included it as the blog referenced using it as well)
autodiscover.domain.com
legacy.domain.com
Comments?
June 7th, 2011 2:36am
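As an added example that is not from the thread or the blog post it cites: the Exchange 2010 Management Shell steps that implement the plan the original poster arrived at above (the public SAN list, reuse of the one certificate on the second server, the CAS array, and the SCP change). The server names MAIL01 and MAIL02, the AD site name, the subject's organization fields, the \\MAIL01\certs share and the PFX password are placeholders; the virtual directories set are the ones the thread mentions (OWA, ActiveSync) plus EWS.

```powershell
# Added example (not from the thread): Exchange 2010 shell steps for the final SAN list.
# MAIL01/MAIL02, the AD site, the share path and the subject fields are placeholders.

# 1. Generate the request on the first CAS. Only public, fully-qualified names go in:
#    no short names (mail, mail01) and no .local names, since the public CA will not
#    issue them and the split-brain domain.com zone lets internal clients use the
#    same FQDNs as Internet clients anyway.
$sanNames = 'mail.domain.com', 'autodiscover.domain.com', 'legacy.domain.com'
# PrivateKeyExportable is required so the same certificate can later be moved to
# MAIL02, the hardware load balancer and the UAG listener.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.domain.com,O=Example Org,L=City,S=State,C=US' `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 SAN'
Set-Content -Path '\\MAIL01\certs\exchange.req' -Value $request

# 2. After the CA returns the signed certificate, import it on MAIL01 and bind it to
#    IIS (OWA, ActiveSync, EWS, Autodiscover, OAB) and SMTP.
$certBytes = [byte[]](Get-Content -Path '\\MAIL01\certs\exchange.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 3. Export certificate plus private key as a PFX and install it on MAIL02. The same
#    PFX is what the load balancer and the UAG web listener are loaded with.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path '\\MAIL01\certs\exchange.pfx' -Value $pfx.FileData -Encoding Byte
$pfxBytes = [byte[]](Get-Content -Path '\\MAIL01\certs\exchange.pfx' -Encoding Byte -ReadCount 0)
$cert2 = Import-ExchangeCertificate -Server MAIL02 -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Server MAIL02 -Thumbprint $cert2.Thumbprint -Services 'IIS,SMTP'

# 4. CAS array: the name the load balancer's virtual IP answers to for internal Outlook
#    RPC connections. It resolves only in the internal domain.com zone.
New-ClientAccessArray -Name 'mail.domain.com' -Fqdn 'mail.domain.com' -Site 'Default-First-Site-Name'
Get-MailboxDatabase -Server MAIL01 | Set-MailboxDatabase -RpcClientAccessServer 'mail.domain.com'
Get-MailboxDatabase -Server MAIL02 | Set-MailboxDatabase -RpcClientAccessServer 'mail.domain.com'

# 5. Point the SCP at the SAN name so domain-joined Outlook clients and Internet
#    clients both use a name the certificate was issued for, and give the web
#    services the single public FQDN for both internal and external URLs.
foreach ($cas in 'MAIL01', 'MAIL02') {
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl 'https://mail.domain.com/owa' -ExternalUrl 'https://mail.domain.com/owa'
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl 'https://mail.domain.com/EWS/Exchange.asmx' `
        -ExternalUrl 'https://mail.domain.com/EWS/Exchange.asmx'
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl 'https://mail.domain.com/Microsoft-Server-ActiveSync' `
        -ExternalUrl 'https://mail.domain.com/Microsoft-Server-ActiveSync'
}

# 6. Check: every name clients will be sent to must be in the bound certificate's
#    SAN list, otherwise those clients get the certificate warning Ed describes.
$bound = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $sanNames | Where-Object { $bound.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names not covered by the certificate: $($missing -join ', ')" }
```

Two notes on the design: the PFX carries the private key, so the share it is written to should be restricted to the Exchange administrators and the file deleted once the second server, the load balancer and UAG have it. Because the CAS array FQDN is an RPC endpoint for internal Outlook only, make sure it exists solely in the internal domain.com zone; Microsoft's later guidance recommends giving the CAS array a name distinct from the OWA/Outlook Anywhere name, which is a refinement the thread does not cover.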

I like having the individual machine names as SANs, but you're right that it isn't necessary, especially if you're buying a public certificate and paying per SAN. I can't imagine why you'd need domain.com as a SAN. Just to be clear, you need legacy.domain.com only for coexistence, and you don't need that as a SAN on your Exchange server, only if you're using TMG or UAG with a single web listener for both Exchange 2010 and 2007. Otherwise, I believe you can install a plain single-name certificate for legacy.domain.com on the Exchange 2007 server.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 7th, 2011 3:17pm

Thanks guys, I think I have a pretty good handle on this now. Just trying to be very methodical in this process to cause as little downtime as possible.
June 8th, 2011 12:22am
