More help on certificates
First, let me say, this forum has a ton of knowledge.........so appreciated. So I've read a bunch of articles on creating certificates for Exchange 2007......I thought I was getting it until I got to an article on TechNet about ISA 2006 and started to get confused again.....maybe someone can help me out. The line that I am confused about is: "For Internet Security and Acceleration (ISA) Server to handle SSL connections to Exchange 2007, you must include the certificate's own subject name as the first SAN entry when you request a certificate to be used on multiple servers or with multiple host names." I really don't get it....probably because I'm still very new to Exchange, but hopefully someone can lend some knowledge.......What I'm trying to accomplish is setting up an Exchange Org in a home lab....this is what I plan to set up:

Split DNS
Domain Name - myhomedomain.com
1 MB Server: MHD-MB-01 (server name)
1 Client Access/Hub Transport server: MHD-CAS-01 (server name)
1 Edge Transport Server: MHD-ET-01 (computer name, standalone)
1 ISA 2006 (Service Pack 1) server

I would like my OWA, Outlook Anywhere and ActiveSync users to use the external name of mobile.myhomedomain.com. I understand that I also need a certificate with autodiscover.myhomedomain.com. When I generate a SAN request, from what I think I understand I need to request it with the "mobile.my..." first, like this?

mobile.myhomedomain.com
autodiscover.myhomedomain.com
MHD-CAS-01
myhomedomain.com
MHD-CAS-01.myhomedomain.com

Is this true? Even when using ISA 2006? If I'm completely off, can someone show me what the New-ExchangeCertificate should look like? Also please note, I am only using this in a home lab......trying to work my way to a career as an Exchange Administrator......I see that SAN certificates are pricey, but I'm trying to mimic a real-world way of doing this......and I don't know any other way. Thanks so much.
August 17th, 2008 5:05am

Don't feel bad if certificates for E2K7 are a bit fuzzy for you. They are fuzzy for most of us, I think. Maybe the way E2K7 now does certificates was necessary for the functionality, but they sure could have put a GUI around the darned thing! First of all, here is a very good reference for you on the cmdlets and some background: http://technet.microsoft.com/en-us/library/aa998840(EXCHG.80).aspx

I'm going to assume that your city/state/country is Honolulu/Hawaii/US and that the primary "public facing" name of your Exchange server would be mobile.myhomedomain.com (that is what you would use for OWA and ActiveSync clients). I used the wizard at DigiCert to generate this request, by the way: https://www.digicert.com/easy-csr/exchange2007.htm

New-ExchangeCertificate -GenerateRequest -Path c:\mobile_myhomedomain_com.csr -KeySize 1024 -SubjectName "c=US, s=Hawaii, l=Honolulu, o=My Home Domain, ou=IT Department, cn=mobile.myhomedomain.com" -DomainName autodiscover.myhomedomain.com, MHD-CAS-01, myhomedomain.com, MHD-CAS-01.myhomedomain.com -PrivateKeyExportable $True

This will generate a certificate request (CSR) file in the root of the c:\ drive.
August 17th, 2008 9:09am

Jim, Thanks so much for the quick reply......a few years back, I started learning Exchange 2003, and I read your book Microsoft Exchange Server 2003 24Seven....was a really great read and really helped me plow through the Exchange 2003 MCP exam.....but due to some personal issues, I never was able to take it further. I also read your Exchange 2007 Implementation and Administration from start to finish, another great read. I keep checking for info about a possible Exchange 2007 Advanced Administration book. If I wanted all users, internal and external, to hit my OWA site as https://mobile.myhomedomain.com, do I need my "mhd-cas-01" name in a certificate? Instead of getting a SAN, can't I just buy 2 single certificates, 1 for autodiscover.myhomedomain.com and the other for mobile.myhomedomain.com? Thanks again
August 17th, 2008 6:51pm

Hi, thanks for the nice comments on the books. I am currently working on a 2nd edition for the Mastering Exchange Server 2007 book. I am not sure if the publisher is interested in an Advanced Administration book at this point or not. I have pitched it to them, but they feel like the 2nd edition is more important right now. Too bad, because the Advanced Administration would be more interesting to write. You are correct that you could just purchase a couple of regular certs and use separate ones for separate tasks. The Exchange Team has a good blog entry about this: http://msexchangeteam.com/archive/2007/04/30/438249.aspx

I thought one of the Exchange MVPs had written some step-by-step instructions on this, but I can't find them anymore. Here are a couple of other useful URLs, though, including a good one by MVP Simon Butler:
http://www.exchangeninjas.com/CasCertMethod2
http://www.sembee.co.uk/archive/2007/01/21/34.aspx
August 18th, 2008 6:18am

Jim, Thanks for the info....I appreciate it. I will check those links out. I will have to send a message to the publisher......I've been waiting for that book since I started my Exch 2007 studies, for after I got through all the basics. Thanks Again, Mike
August 18th, 2008 6:56am

Hi, Please understand that ISA Server 2004 cannot process certificate SAN attributes at all. The Subject of the certificate installed at the published server must match the published hostname used in the Web Publishing rule. ISA Server 2006 is able to use either the Subject or the first SAN entry. Thus, "For Internet Security and Acceleration (ISA) Server to handle SSL connections to Exchange 2007, you must include the certificate's own subject name as the first SAN entry when you request a certificate to be used on multiple servers or with multiple host names." For more detailed information: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing http://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx Mike
August 19th, 2008 6:24am
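As an added example that is not part of this thread, a small Python checker that applies the rule quoted above (the certificate's subject CN must also be the first SAN entry) to a planned -SubjectName / -DomainName pair before the CSR is generated. The subject and host names are the ones from the original question; nothing else is assumed.

```python
# Added example (not from the thread): sanity-check a planned Exchange 2007
# SAN request against the ISA 2006 rule quoted above, i.e. the subject CN
# must also be the first subjectAltName entry.

# Subject and SAN list taken from the original question in this thread.
ASKER_SUBJECT = ("c=US, s=Hawaii, l=Honolulu, o=My Home Domain, "
                 "ou=IT Department, cn=mobile.myhomedomain.com")
ASKER_SANS = ["mobile.myhomedomain.com", "autodiscover.myhomedomain.com",
              "MHD-CAS-01", "myhomedomain.com", "MHD-CAS-01.myhomedomain.com"]


def parse_subject_name(subject: str) -> dict:
    """Split an X.500 subject string ('c=US, ..., cn=host') into a dict
    keyed by lower-case attribute type; values keep their original case.
    Escaped commas inside a value are not handled (not needed here)."""
    attrs = {}
    for rdn in subject.split(","):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        attrs[key.strip().lower()] = value.strip()
    if "cn" not in attrs:
        raise ValueError("subject name has no cn attribute")
    return attrs


def check_isa_san_order(subject: str, domain_names: list) -> list:
    """Return a list of problems; an empty list means the request satisfies
    the ISA 2006 constraint and has no duplicate SAN entries."""
    cn = parse_subject_name(subject)["cn"].lower()
    sans = [d.strip().lower() for d in domain_names]
    problems = []
    if not sans:
        problems.append("no SAN entries given")
    elif sans[0] != cn:
        problems.append(f"first SAN is {sans[0]!r}, expected subject CN {cn!r}")
    if sans and cn not in sans:
        problems.append(f"subject CN {cn!r} missing from the SAN list")
    dups = sorted({s for s in sans if sans.count(s) > 1})
    if dups:
        problems.append(f"duplicate SAN entries: {', '.join(dups)}")
    return problems


def ordered_domain_names(subject: str, domain_names: list) -> list:
    """Return the -DomainName list rewritten so the subject CN comes first
    (what ISA 2006 needs), preserving the order of the remaining names."""
    cn = parse_subject_name(subject)["cn"]
    rest = [d.strip() for d in domain_names if d.strip().lower() != cn.lower()]
    return [cn] + rest


if __name__ == "__main__":
    print(check_isa_san_order(ASKER_SUBJECT, ASKER_SANS) or "request is ISA-friendly")
    print(ordered_domain_names(ASKER_SUBJECT, ASKER_SANS[1:]))
```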

ISA 2006 SP1 does support multiple SAN attributes. I just finished configuring a system with 1 public IP address and 1 certificate that supported OWA, Outlook Anywhere, and ActiveSync. See the below link that contains the release notes for ISA 2006 SP1: http://www.isaserver.org/tutorials/ISA-Server-2006-Service-Pack1-New-features-enhancements.html
August 20th, 2008 12:53am

Quick follow up........ for my home test lab, although I'd love to get a SAN (UC) certificate, they are just too pricey.....but at the same time, I do want everything to work correctly.....I have 1 true public IP, is the following possible...

My CAS IP is 192.168.0.55

Can I buy 2 single certificates, 1 for mail.myowndomain.com (for all my service URLs) and the other for autodiscover.myowndomain.com, create an IIS virtual server for Autodiscover and set the IP to 192.168.0.57, and set the default virtual server to 192.168.0.59??
September 11th, 2008 12:54am

With those certificates, are they a must-have to make Exchange work? Basically I just don't know what a certificate is and what it is used for. Sorry Skeemz for asking my question in your thread. I'm so new to Exchange. Thank you. enz
September 12th, 2008 2:38am

Hello everyone........I recently purchased 2 certificates from GoDaddy......1 for mobile.myowndomain.com and the other for autodiscover.myowndomain.com. I have installed them both, and OWA is working fine..........BUT I have a problem... Since this is a home lab, I have a Linksys router......so the configuration only allows you to forward port 443 to 1 IP address.......here are the details:

CAS Server IP: 192.168.0.60
IIS Default Web Site (OWA, OAB, etc.): 192.168.0.61
Autodiscover Web site: 192.168.0.62

If I set my router to forward HTTPS (443) traffic to 192.168.0.61, OWA works fine........but now my external clients won't be able to contact my Autodiscover website, correct? Any way around it? Can I set my Autodiscover website to use port 4443 (instead of 443) and then configure my AutoDiscoverServiceInternalUri to "https://autodiscover.company.com:4443/autodiscover/autodiscover.xml"?????
September 15th, 2008 7:41am
