I can't seem to find a straight answer to this question for the environment we are running. We have one exchange server 2007 with only OWA running. We are considering installing BESX for our blackberry users. We currently have a self-signed certificate and therefore require to purchase an SSL cert. My confusion is what name or names are required for the certificate and what will be visible if someone chooses to view the details of the certificate. I've read that NetBIOS name and internal server.domain.local names are discouraged from being used for the certificate. Here's the info from my exchange server: 1. In Server Configuration, Hub Transport, Default Receive Connector shows ex: exch1.internaldomain.local as the FQDN; Client Receive Connector is the same 2. Organization Configuration, Hub Transport, Accepted Domains is "internaldomain.local" and "emailaddress.com" 3. Organization Configuration, Hub Transport, Send Connectors is "mail.emailaddress.com" 4. We are not using Outlook Anywhere and may use ActiveSync if non-blackberry users want to connect, but so far there seems to be no interest. 5. OWA in Server Configuration, Client Access, FQDN is : Internal is https://exch1.internaldomain.local/owa and External is https://mail.emailaddress.com/owa 6. I assume that autodiscover is working since when creating a new user on a workstation and launch Outlook 2007, the connection to the server auto-generates all the info about the user's mailbox, etc. Is mail.emailaddress.com and autodiscover.emailaddress.com sufficient for the SSL certificate?

Yes, those 2 names are sufficient for the SSL cert. Make sure mail.emailaddress.com is your common name Sukh

Thank you so much! Wish me luck!

good luckSukh

Well... that partially worked. OWA and autodiscover work fine but my Outlook 2007 clients get a Security Alert saying that "The name of the security certificate is invalid or does not match the name of the site." and I know that is because I haven't entered the server.domain.local in the certificate (the reason being is that I don't want that to be visible on the certificate). So now what do I do?

Set the variour URL to what's on your cert http://support.microsoft.com/kb/940726Sukh

I know I don't need to do #5 but how do I know I have an OAB directory or not, and do I do both CAS and EWS or just CAS?

You probaably dont need #5 but I would just to keep everything consistent. Get-OABVirtualDirectory Sukh

Thank-you. I'll will apply all, except 5 since I don't run UM, over the weekend.

I effected the changes and I still get a Security Alert but it now shows the CN from the SSL certificate and if I view the certificate it's not the SSL certificate but my firewall. Any more advise you could give me would be greatly appreciated! (BTW, I still can send a receive email) As stated in my original post, when creating your SSL certificate, the mention that it is not recommended to put your NETBios name or internal domain.local name, but if the certificate is not used for a webserver and only for the OWA and smartphone users can see the certificate, if they know where to look, what's the reason behind that recommendation?

Run Get-ExchangeCertificate | fl And see which one is assigned to IISSukh

The third-party certificate shows IMAP, POP, IIS, SMTP. I have not removed the self-signed certificate which shows SMTP.

And your URL's are set correctly?Sukh

Yes. I've been reading a lot of info on this and the SAN internal name of the domain keeps being mentionned as having to be added. this is the .local name that the server has. As asked in the previous reply, it seems to be that it would be fine to add this to the certificate since no one would have access to viewing it in the outside world since my server is not a webserver (for online shopping, etc.) just for staff to view mail in OWA and with a smartphone. Do you have any thoughts to this? Also, having the self-signed certificate still valid with SMTP, does it not conflict with the new third-party certificate?

SMTP 3rd party cert, if you dont use TLS for SMTP then I wouldn't worry about this. You can add the local server name FQDN if you wish, there's no harm to doing this. Sukh

I will had the FQDN of the local server and see what happens. Thanks

Seems to have done the trick.