SSL Certificate for Exchange 2007 CAS NLB Cluster
Dear all,
We need to generate an SSL certificate for our new Windows Network Load Balanced (NLB) Client Access Server pair (HUB/CAS) Exchange 2007 environment. Here is the current configuration:
NLB Name: NLB.domain.local
CAS Node1: HT-CA1.domain.local
CAS Node2: HT-CA2.domain.local
Public OWA address: https://Mail.domain.com/owa Our users will connect to :
public OWA
Outlook anywhere (autodiscover)
ActiveSync
Do I have to generate a SAN cert, or could I use a "one common name" cert plus the Autodiscover and OWA redirect websites as stated in this link http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx "Scenario 2: How to Use One Single-Name Certificate",
by creating an OWA site and an Autodiscover site (and a CNAME record for Autodiscover) with different IPs than the default website and installing the one single-name cert in the default one?
If I created another zone in my internal DNS, "Domain.com", to form a split DNS configuration, and changed the NLB name to match the public OWA address, would this help?
Kindly provide me with the necessary steps to generate and apply the right cert, if possible.
mwahab
April 8th, 2010 12:56pm
A SAN certificate is highly recommended for Outlook Anywhere to work.
http://msexchangeteam.com/archive/2007/04/30/438249.aspx
April 8th, 2010 3:47pm
Hi,
As per your description, you should purchase a SAN certificate, because you need to add mail.domain.com, autodiscover.domain.com and the internal FQDN to the certificate.
Split-brain DNS helps us to minimize the number of host names for Exchange OWA or other services. Split-brain DNS removes the need for two URLs, one internal and one external, so you can use the same URL internally that you use externally.
Resources
Generating Exchange 2010 Certificates (Exchange Management Shell)
Exchange 2010 SSL Installation Guide - video
Regards
Chinthaka Shameera | MCITP: EA | MCSE: M |
http://howtoexchange.wordpress.com/
April 8th, 2010 4:37pm
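The split-brain DNS configuration described in the reply above, as an added example that is not part of the original post: it creates an internal copy of the public zone on a Windows DNS server with dnscmd, so that internal clients resolve the public host names to the NLB cluster's internal address. The zone name and host names are the thread's own; the IP addresses are constructed placeholders.

```powershell
# Added example (not the poster's own): build an internal "domain.com" zone so the
# public URLs (mail.domain.com, autodiscover.domain.com) also resolve inside the LAN.
# Run on an internal Windows DNS server with dnscmd available.
$Zone        = "domain.com"
$NlbInternal = "192.0.2.10"      # constructed placeholder: the NLB cluster's internal VIP

# AD-integrated primary zone; use /Primary instead of /DsPrimary for a file-backed zone
dnscmd /ZoneAdd $Zone /DsPrimary

# Public OWA / Outlook Anywhere name -> internal NLB address
dnscmd /RecordAdd $Zone mail A $NlbInternal

# Autodiscover resolves to the same host, so one certificate name set covers both
dnscmd /RecordAdd $Zone autodiscover CNAME "mail.$Zone."

# Caveat: the internal zone now shadows the whole public domain, so every other public
# record (www, MX, ...) must be re-created here or internal users lose it.
dnscmd /RecordAdd $Zone www A "198.51.100.20"   # constructed placeholder public web address

# Show what internal clients will now see for the zone
dnscmd /ZonePrint $Zone
```

With this in place the NLB name no longer needs to appear in client-facing URLs at all; the internal URLs can use mail.domain.com, which is exactly the host name already on the public certificate, as long as that name is in the certificate's SAN list.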
I am also suggesting SAN certificate for your requirement.
Generating CSR on Exchange Server 2007
****************************************
New-ExchangeCertificate -GenerateRequest -SubjectName "C=OM, S=Muscat, L=Muscat, OU=IT Department, CN=owaname.yourdomain.com" -DomainName owaname.yourdomain.com,autodiscover.yourdomain.com,thirdname.yourdomain.com,fourthname.yourdomain.com -PrivateKeyExportable:$true -Path c:\cert_Req.txt
Generating CSR on Exchange Server 2010
***************************************
# Exchange 2010 has no -Path parameter; the request is returned as text and must be saved to a file
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=OM, S=Muscat, L=Muscat, OU=IT Department, CN=owaname.yourdomain.com" -DomainName owaname.yourdomain.com,autodiscover.yourdomain.com,thirdname.yourdomain.com,fourthname.yourdomain.com -PrivateKeyExportable:$true
Set-Content -Path c:\cert_Req.txt -Value $Data
I hope this will help you out.
April 10th, 2010 4:01pm
Please follow the step-by-step articles below for certificate generation:
http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/
http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/
http://khurramullah.wordpress.com/2009/07/01/importing-certificates-to-exchange-servers/
http://khurramullah.wordpress.com/2009/07/06/publishing-exchange-2007-owa-via-isa-2006-reverse-proxy/
April 13th, 2010 12:36pm
Thanks all. I used a SAN cert with 5 names:
mail.domain.com, NLB.domain.local, Autdiscover.domain.com, Huca01.domain.local & Huca02.domain.local
Now, if you can help me with how to configure Autodiscover with NLB, as I can't find any article that talks exclusively about NLB & Autodiscover.
Settings like:
Set-ClientAccessServer===>AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory |===>InternalUrl & ExternalUrl
Set-WebServicesVirtualDirectory===>InternalNLBBypassUrl , InternalUrl, ExternalUrl
Set-ActiveSyncVirtualDirectory ===>InternalUrl & ExternalUrl
I don't know when to use the local NLB name and when to use the local Hub/CAS machine name for the InternalUrl field!?
mwahab
April 18th, 2010 12:38pm
Mwahab,
I used the same lab setup as you.
I found that you should do the following (after a lot of trial and error):
CERTIFICATE DEPLOYMENT:
Both servers should use the same certificate with the following names; it must be a SAN certificate:
NLB.domain.local
HT-CA1.domain.local (must use this name, because of outlook anywhere)
HT-CA2.domain.local (must use this name, because of outlook anywhere)
MAIL.domain.com (must use this because of OWA and everything else)
autodiscover.domain.com (autodiscover, of course)
INTERNAL AND EXTERNAL SERVICES URLs
INTERNAL URLs:
Both servers should use the local server's name for all services:
HT-CAS1: https://HT-CA1.domain.local/owa , /ecp , /oab, /Microsoft-Active-Sync ...
HT-CAS2: https://HT-CA2.domain.local/owa , /ecp , /oab, /Microsoft-Active-Sync ...
EXTERNAL URLs - use the wizard: open EMC and under the SERVER section, right-click the CLIENT ACCESS section and select "Configure External Client Access Domain":
Both servers should use the same settings, with the external NLB name in the URL:
HT-CAS1: https://MAIL.domain.com/owa , /ecp , /oab, /Microsoft-Active-Sync ...
HT-CAS2: https://MAIL.domain.com/owa , /ecp , /oab, /Microsoft-Active-Sync ...
TEST AUTODISCOVER:
INTERNAL TEST
You can use a free standalone utility to test internal autodiscover functionality, available here (go to the end of the page): http://blogs.technet.com/b/provtest/archive/2010/08/13/exchange-server-2010-sp1-beta-hosting-deployment-part-9-autodiscover.aspx
EXTERNAL TEST
https://www.testexchangeconnectivity.com/
For external tests, you should have an A record in your public DNS zone, autodiscover.domain.com, pointing to your client access server's external IP address.
Hope this helps,
Andrija Panic
Of all the things I lost, I miss my mind the most...
August 23rd, 2010 4:28pm
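The URL layout from the reply above, applied to both CAS nodes from the Exchange Management Shell, as an added example that is neither Andrija's nor Microsoft's own script. It uses the thread's lab names (HT-CA1, HT-CA2, domain.local, MAIL.domain.com, autodiscover.domain.com) and the cmdlets mwahab listed (Set-ClientAccessServer, Set-OabVirtualDirectory, Set-WebServicesVirtualDirectory, Set-ActiveSyncVirtualDirectory) plus Set-OwaVirtualDirectory and Get-ExchangeCertificate. It assumes the same rule for the Autodiscover SCP URI that the reply gives for the other internal URLs (the node's own name), and the certificate thumbprint is a placeholder you must replace.

```powershell
# Added example (not the poster's own): set internal URLs to each node's own FQDN and
# external URLs to the public NLB name, then check that every host name used in a URL
# is actually present in the certificate's SAN list, because a name that is not on the
# certificate produces a name-mismatch warning in Outlook and breaks Outlook Anywhere.
$InternalDomain = "domain.local"
$ExternalHost   = "mail.domain.com"
$Thumbprint     = "<thumbprint-from-Get-ExchangeCertificate>"   # placeholder, replace it
$Vdir           = " (Default Web Site)"

foreach ($Server in @("HT-CA1", "HT-CA2")) {
    $InternalHost = "$Server.$InternalDomain"   # per the reply: local server name inside

    # Autodiscover SCP for domain-joined clients (assumption: same local-name rule)
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$InternalHost/Autodiscover/Autodiscover.xml"

    Set-OwaVirtualDirectory -Identity "$Server\owa$Vdir" `
        -InternalUrl "https://$InternalHost/owa" `
        -ExternalUrl "https://$ExternalHost/owa"

    Set-OabVirtualDirectory -Identity "$Server\OAB$Vdir" `
        -InternalUrl "https://$InternalHost/OAB" `
        -ExternalUrl "https://$ExternalHost/OAB"

    # InternalNLBBypassUrl lets Mailbox servers reach this node directly, not via the NLB VIP
    Set-WebServicesVirtualDirectory -Identity "$Server\EWS$Vdir" `
        -InternalUrl "https://$InternalHost/EWS/Exchange.asmx" `
        -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx" `
        -InternalNLBBypassUrl "https://$InternalHost/EWS/Exchange.asmx"

    Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync$Vdir" `
        -InternalUrl "https://$InternalHost/Microsoft-Server-ActiveSync" `
        -ExternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"
}

# Verification: the five names the reply lists must all be SANs on the deployed certificate.
$Cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
$Expected = @($ExternalHost, "autodiscover.domain.com", "NLB.$InternalDomain",
              "HT-CA1.$InternalDomain", "HT-CA2.$InternalDomain")
foreach ($Name in $Expected) {
    if ($Cert.CertificateDomains -notcontains $Name) {
        Write-Warning "Certificate $Thumbprint is missing SAN entry: $Name"
    }
}
if (($Cert.Services -band "IIS") -eq 0) {
    Write-Warning "Certificate is not enabled for IIS; run Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS on each node"
}
```

Run it once from either node; the Set-* cmdlets address each server by name through Active Directory, while Enable-ExchangeCertificate acts on the local server, so the certificate itself still has to be imported and enabled on both nodes separately.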