Public SSL vs Self Signed

Hi,

I am intending to install Exchange 2013 on a server called EXCH2K13.

I will only require internal access to Exchange (via Outlook and internal OWA). No external Exchange services will be published (Outlook Anywhere, external OWA, ActiveSync, etc.).

I know Exchange 2013 now works using RPC over HTTP internally instead of over TCP.

  1. Can I get away with using the certificate that is created during the install (it will have the name EXCH2K13)... or do I still need to purchase a public SSL certificate?
  2. Do I need to do anything on my internet proxy server due to the way Outlook now connects to Exchange 2013 (RPC over HTTP)?

Thanks

July 22nd, 2015 5:54pm

1.  Self-signed certificates aren't trusted unless you add them to the trusted root store on all client computers.  You could push that out as a trusted certificate using group policy.  Or, better, use a certificate from an internal enterprise CA, whose root certificate is automatically pushed out as a trusted root to all clients.

2.  Not if you're connecting internally.  It would be hugely inefficient to route internal traffic through an Internet proxy server.  I would hope that you would exclude internal traffic from going through the proxy.

July 22nd, 2015 6:33pm

Hi,

I am intending to install Exchange 2013 on a server called EXCH2K13.

I will only require internal access to Exchange (via Outlook and internal OWA). No external Exchange services will be published (Outlook Anywhere, external OWA, ActiveSync, etc.).

I know Exchange 2013 now works using RPC over HTTP internally instead of over TCP.

  1. Can I get away with using the certificate that is created during the install (it will have the name EXCH2K13)... or do I still need to purchase a public SSL certificate?
  2. Do I need to do anything on my internet proxy server due to the way Outlook now connects to Exchange 2013 (RPC over HTTP)?

Thanks

You can create a new certificate from an internal certificate authority. You can install this CA on a separate server or your .

http://it.mzedan.com/2012/07/18/certificates-for-exchaneg-2010-using-internal-ca/

July 22nd, 2015 6:59pm

Hi SupCra,

Thank you for your question.

I agree with Ed.

In addition, we could refer to the following link to perform it:

Install an internal CA:

https://technet.microsoft.com/en-us/library/cc776709(v=ws.10).aspx

Deploy Certificates by Using Group Policy

https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim

July 22nd, 2015 11:09pm

OK... my main question is: can I not simply use the Exchange certificate that got automatically created during the Exchange install? I can deploy it via GPO, roll it out to each client and store it in the Trusted store. This would save having to create an internal CA.
July 23rd, 2015 5:21am

Hi Supcra,

Yes, you are right, you need to deploy an internal CA.

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim

July 23rd, 2015 5:45am

If you only have one server, the answer is yes. The default cert will work if you can make it trusted by clients. However, do take note that it is not a good practice hence not recommended.

For the proxy question, it depends on whether internal traffic is configured to bypass the proxy currently. If the answer is yes, then you don't need to do anything.

July 23rd, 2015 5:48am

Hi... sorry, but there are conflicting answers here... So yes, I can just use the server cert and DO NOT need to install an internal CA? Yes, single server, small environment, no external mail services needed, hence the desire to not pay for a public cert or invest time to install an internal CA. Out of curiosity, why is it not good practice to use the default cert in my circumstances?
July 23rd, 2015 11:03am

Hi... sorry, but there are conflicting answers here... So yes, I can just use the server cert and DO NOT need to install an internal CA? Yes, single server, small environment, no external mail services needed, hence the desire to not pay for a public cert or invest time to install an internal CA. Out of curiosity, why is it not good practice to use the default cert in my circumstances?

You can use any certificate issued from anyone if the following things are true:

  • The certificate you assign to the IIS service is installed in the trusted root certificate store on all computers accessing the server.
  • The namespaces you are using for Outlook Anywhere and Autodiscover are listed as names on the certificate.

Exchange really doesn't care who issues the certs and clients really only care about the two things listed above.

July 23rd, 2015 11:47am

  • If you have multiple load balanced CAS, the default cert won't work.
  • If you have external clients (unmanaged), it's very difficult to make the client trust the default cert.
  • You may not like your users knowing your actual server name.
  • etc.

July 23rd, 2015 12:43pm

thanks for all the answers...

1. We will only have internal domain-joined clients connecting to Exchange.

2. We won't be using any external services.

3. As far as I know, the default Exchange certificate simply creates a single URL entry that includes the server name.

4. This would lead to problems with Autodiscover, I believe, as there also needs to be an autodiscover.servername.domain.com entry... or is there a way around this?

July 23rd, 2015 2:59pm

"Yes, single server, small environment, no external mail services needed hence the desire to not pay for a public cert."

I'm not sure where you are located or what certificate providers are available in your region but in North America, a public certificate (with 5 subject alternate names) can be obtained for around $60 USD.

That would be roughly 50 euros in the EU (for those countries using the euro) if that helps to give you an idea.

So for $60 US dollars, you can have (for example):

mail.contoso.com

autodiscover.contoso.com

And not even have to worry about point 4 - since you can have multiple names on a single certif

July 23rd, 2015 4:17pm

thanks for all the answers...

1. We will only have internal domain-joined clients connecting to Exchange.

2. We won't be using any external services.

3. As far as I know, the default Exchange certificate simply creates a single URL entry that includes the server name.

4. This would lead to problems with Autodiscover, I believe, as there also needs to be an autodiscover.servername.domain.com entry... or is there a way around this?


As you mentioned you only have domain-joined internal clients, you don't need autodiscover.domain.com. Outlook will look for the Service Connection Point (SCP) in Active Directory for the Autodiscover service. The SCP is created during CAS installation and points to the CAS server FQDN by default. The FQDN is already in the default cert.
July 24th, 2015 1:33am

No default certificate I've ever seen has the FQDN, just the unqualified se
July 24th, 2015 1:55am

I stand corrected.
July 24th, 2015 1:58am
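The two conditions given earlier in the thread (the certificate is trusted by every client, and every name Outlook actually uses is on it) and the SCP/FQDN question settled in the last few replies can be checked directly rather than argued from memory. The following is an added PowerShell example, not code from the thread or from Microsoft: the server-side functions run in the Exchange Management Shell on the Exchange 2013 server and read the internal Autodiscover (SCP), Outlook Anywhere, EWS and OAB hostnames from the live configuration, then compare them with the names on the certificate whose thumbprint you pass in; the client-side function runs on a domain-joined workstation and confirms the trust-store deployment. Cmdlet and property names are the Exchange 2013 and Windows PowerShell ones; the `$Thumbprint` value is supplied by you from `Get-ExchangeCertificate`.

```powershell
# Added example (not from the thread). Server functions: Exchange Management Shell on the
# Exchange 2013 server. Client function: any domain-joined workstation. $Thumbprint is the
# thumbprint shown by Get-ExchangeCertificate for the certificate bound to IIS.

function Get-ExchangeInternalNames {
    # Every hostname a domain-joined Outlook client contacts when no external URLs are published.
    $names = @()

    # Autodiscover: Outlook finds the SCP in AD; it points at this URI (the server FQDN by default).
    foreach ($cas in Get-ClientAccessServer) {
        if ($cas.AutoDiscoverServiceInternalUri) {
            $names += ([Uri]$cas.AutoDiscoverServiceInternalUri).Host
        }
    }
    # Outlook Anywhere: RPC over HTTP is the only MAPI transport Outlook uses against Exchange 2013.
    foreach ($oa in Get-OutlookAnywhere) {
        if ($oa.InternalHostname) { $names += $oa.InternalHostname.ToString() }
    }
    # EWS (free/busy, OOF) and OAB URLs that Autodiscover hands to Outlook.
    foreach ($vd in @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory)) {
        if ($vd.InternalUrl) { $names += ([Uri]$vd.InternalUrl).Host }
    }

    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-CertificateNameMatch {
    # Exact match, or a single-label wildcard such as *.contoso.com covering mail.contoso.com
    # (but not a.b.contoso.com), which is how clients evaluate certificate names.
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.') -and $HostName.EndsWith($CertName.Substring(1))) {
        $firstLabel = $HostName.Substring(0, $HostName.Length - $CertName.Length + 1)
        return ($firstLabel.Length -gt 0) -and (-not $firstLabel.Contains('.'))
    }
    return $false
}

function Test-ExchangeCertificateNames {
    # Report which internally used names are missing from the certificate, plus the other
    # two facts the thread hinges on: is it bound to IIS, and is it self-signed.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert      = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $needed    = @(Get-ExchangeInternalNames)

    # The default certificate carries only the unqualified server name, so an SCP that points
    # at the FQDN shows up here as a missing name.
    $missing = @($needed | Where-Object {
        $n = $_
        -not ($certNames | Where-Object { Test-CertificateNameMatch -CertName $_ -HostName $n })
    })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        BoundToIIS    = ($cert.Services.ToString() -match 'IIS')
        SelfSigned    = ($cert.Issuer -eq $cert.Subject)   # if true, clients need it in their root store
        Expires       = $cert.NotAfter
        RequiredNames = $needed
        CertNames     = $certNames
        MissingNames  = $missing
        NamesOk       = ($missing.Count -eq 0)
    }
}

function Test-ClientTrustsCertificate {
    # On a client: is this thumbprint (the self-signed cert itself, or the internal CA's root
    # when an enterprise CA is used) present in the machine-wide Trusted Root store that
    # Group Policy populates?
    param([Parameter(Mandatory)][string]$Thumbprint)
    [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# Usage on the server:  Test-ExchangeCertificateNames -Thumbprint '<thumbprint from Get-ExchangeCertificate>'
# Usage on a client:    Test-ClientTrustsCertificate  -Thumbprint '<same thumbprint, or the CA root thumbprint>'
```

`MissingNames` is the list to act on: every entry must either be added to the certificate (a new request from an internal or public CA with those subject alternative names) or be removed from the client's path by repointing the corresponding internal URL or the SCP at a name the certificate already carries. `SelfSigned` being true is not itself a failure, but it means `Test-ClientTrustsCertificate` must return true on every client before Outlook will stop prompting.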
