SSL Certificate for Exchange 2007 CAS NLB Cluster
Dear all, We need to generate an SSL certificate for our new Windows Network Load Balanced (NLB) Client Access Server pair (HUB/CAS) Exchange 2007 environment. Here is the current configuration:
NLB Name: NLB.domain.local
CAS Node1: HT-CA1.domain.local
CAS Node2: HT-CA2.domain.local
Public OWA address: https://Mail.domain.com/owa
Our users will connect to: public OWA, Outlook Anywhere (Autodiscover), ActiveSync.
Do I have to generate a SAN cert, or could I use a "one common name" cert plus the Autodiscover and OWA redirect websites as stated in this link http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx "Scenario 2: How to Use One Single-Name Certificate", by creating an OWA site and an Autodiscover site (and a CNAME record for the Autodiscover record) with different IPs than the default website and installing the one single-name cert on the default one?
If I created another zone in my internal DNS, "Domain.com", like a split DNS configuration, and changed the NLB name to be the same as the public OWA address, could this help?
Kindly provide me with the necessary steps to generate and apply the right cert, if possible.
mwahab
April 8th, 2010 12:56pm

A SAN certificate is highly recommended for Outlook Anywhere to work. http://msexchangeteam.com/archive/2007/04/30/438249.aspx
April 8th, 2010 3:47pm

Hi, as per your description you should purchase a SAN certificate, because you should add mail.domain.com, autodiscover.domain.com and the internal FQDN to the certificate. Split-brain DNS helps us to minimize the number of host names for Exchange OWA and other services. Split-brain DNS reduces the use of two URLs for internal and external, so you can use the same URL internally that you use externally.
Resources:
Generating Exchange 2010 Certificates (Exchange Management Shell)
Exchange 2010 SSL Installation Guide - video
Regards, Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/
April 8th, 2010 4:37pm

I am also suggesting a SAN certificate for your requirement.
Generating CSR on Exchange Server 2007
****************************************
New-ExchangeCertificate -GenerateRequest -SubjectName "C=OM, S=Muscat, L=Muscat, OU=IT Department, CN=owaname.yourdomain.com" -DomainName owaname.yourdomain.com,autodiscover.yourdomain.com,thirdname.yourdomain.com,fourthname.yourdomain.com -PrivateKeyExportable:$true -Path c:\cert_req.txt
Generating CSR on Exchange Server 2010
***************************************
# In Exchange 2010 -GenerateRequest returns the request text instead of writing a file, so save it with Set-Content
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=OM, S=Muscat, L=Muscat, OU=IT Department, CN=owaname.yourdomain.com" -DomainName owaname.yourdomain.com,autodiscover.yourdomain.com,thirdname.yourdomain.com,fourthname.yourdomain.com -PrivateKeyExportable:$true
Set-Content -Path c:\cert_req.txt -Value $Data
I hope this will help you out.
April 10th, 2010 4:01pm

Please follow the step-by-step articles below for certificate generation:
http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/
http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/
http://khurramullah.wordpress.com/2009/07/01/importing-certificates-to-exchange-servers/
http://khurramullah.wordpress.com/2009/07/06/publishing-exchange-2007-owa-via-isa-2006-reverse-proxy/
April 13th, 2010 12:36pm

Thanks all. I used a SAN cert with 5 names: mail.domain.com, NLB.domain.local, Autodiscover.domain.com, Huca01.domain.local and Huca02.domain.local.
Now, if you can help me with how to configure Autodiscover with NLB, as I can't find any article that talks exclusively about NLB and Autodiscover. Settings like:
Set-ClientAccessServer ===> AutoDiscoverServiceInternalUri
Set-OabVirtualDirectory ===> InternalUrl & ExternalUrl
Set-WebServicesVirtualDirectory ===> InternalNLBBypassUrl, InternalUrl, ExternalUrl
Set-ActiveSyncVirtualDirectory ===> InternalUrl & ExternalUrl
I don't know when to use the local NLB name and when to use the local Hub/CAS machine name for the InternalUrl field!?
mwahab
April 18th, 2010 12:38pm

Mwahab, I used the same lab setup as you do. I found that you should do the following (a lot of trial and error):
CERTIFICATE DEPLOYMENT: both servers should use the same certificate with the following names - must be a SAN certificate:
NLB.domain.local
HT-CA1.domain.local (must use this name, because of Outlook Anywhere)
HT-CA2.domain.local (must use this name, because of Outlook Anywhere)
MAIL.domain.com (must use this because of OWA and everything else)
autodiscover.domain.com (Autodiscover, of course)
INTERNAL AND EXTERNAL SERVICE URLs
INTERNAL URLs: both servers should use the local server's name for all services:
HT-CAS1: https://HT-CA1.domain.local/owa , /ecp , /oab, /Microsoft-Active-Sync ...
HT-CAS2: https://HT-CA2.domain.local/owa , /ecp , /oab, /Microsoft-Active-Sync ...
EXTERNAL URLs - use the wizard - open EMC and under the SERVER section, right-click the CLIENT ACCESS section and select "Configure External Client Access Domain": both servers should use the same settings, with the external NLB name in the URL:
HT-CAS1: https://MAIL.domain.com/owa , /ecp , /oab, /Microsoft-Active-Sync ...
HT-CAS2: https://MAIL.domain.com/owa , /ecp , /oab, /Microsoft-Active-Sync ...
TEST AUTODISCOVER:
INTERNAL TEST: You can use a free standalone utility to test internal Autodiscover functionality, available here (go to the end of the page): http://blogs.technet.com/b/provtest/archive/2010/08/13/exchange-server-2010-sp1-beta-hosting-deployment-part-9-autodiscover.aspx
EXTERNAL TEST: https://www.testexchangeconnectivity.com/
For external tests, you should have an A record in your public DNS zone - autodiscover.domain.com pointing to your client access server's external IP address.
Hope this helps,
Andrija Panic
Of all the things I lost, I miss my mind the most...
August 23rd, 2010 4:28pm
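The URL layout Andrija describes (node name internally, MAIL.domain.com externally) and the SAN name list from the earlier certificate posts, put together as an Exchange Management Shell script; this is an added example, not code from any poster. It assumes the node FQDNs HT-CA1.domain.local/HT-CA2.domain.local and the external name MAIL.domain.com from the thread, that it is run on each node with that node's own FQDN, and (my assumption, not stated in the thread) that the Autodiscover SCP follows the same internal rule and points at the node itself. The final check compares every host name referenced by the configured URLs with the names on the certificate enabled for IIS, so a name that would trigger client certificate warnings is caught before users see it.

```powershell
# Added example (not from the thread): per-node Exchange 2007 CAS URL configuration
# for an NLB pair, plus a certificate-coverage check. Run on each node in the
# Exchange Management Shell with that node's own FQDN.
param(
    [string]$LocalFqdn    = 'HT-CA1.domain.local',   # assumed node name from the thread
    [string]$ExternalHost = 'MAIL.domain.com'        # assumed public NLB name from the thread
)
$server   = $LocalFqdn.Split('.')[0]
$internal = "https://$LocalFqdn"
$external = "https://$ExternalHost"

# Internal URLs carry the node's own name, external URLs the public NLB name.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "$internal/owa" -ExternalUrl "$external/owa"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$internal/OAB" -ExternalUrl "$external/OAB"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$internal/EWS/Exchange.asmx" -ExternalUrl "$external/EWS/Exchange.asmx" `
    -InternalNLBBypassUrl "$internal/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$internal/Microsoft-Server-ActiveSync" -ExternalUrl "$external/Microsoft-Server-ActiveSync"
# Assumption: the Autodiscover SCP follows the same internal rule (node name, not NLB name).
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "$internal/Autodiscover/Autodiscover.xml"

# Check: every host name now referenced by a URL must appear on the IIS certificate,
# otherwise clients get a name-mismatch warning for that service.
$urls = @()
foreach ($vdir in @((Get-OwaVirtualDirectory -Server $server),
                    (Get-OabVirtualDirectory -Server $server),
                    (Get-WebServicesVirtualDirectory -Server $server),
                    (Get-ActiveSyncVirtualDirectory -Server $server))) {
    $urls += $vdir.InternalUrl, $vdir.ExternalUrl
}
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# Get-ExchangeCertificate runs against the local node in Exchange 2007; pick the IIS-enabled cert.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = @($hosts | Where-Object { $covered -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Hosts used in URLs but NOT on the IIS certificate $($cert.Thumbprint): $($missing -join ', ')"
} else {
    Write-Host "All URL hosts ($($hosts -join ', ')) are covered by certificate $($cert.Thumbprint)"
}
```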
