Split-Brain DNS, ISA 2006 SSL Offload, and Certificates
We will be deploying a single CAS array with an ISA 2006 cluster as the FE for Outlook Anywhere, EAS, and OWA using SSL Offloading. Note we will eventually be moving to a UAG cluster to replace ISA. My question is with regards to the required certificates. My understanding is we will need:

Name: mycompany.com
SAN#1: autodiscover.mycompany.com
SAN#2: webmail.mycompany.com
SAN#3: legacy.mycompany.com (currently have Exchange 2003 deployed)

However, I believe I also read that we should not have the same internal DNS name for the CAS array as we do for the external DNS name, in a split-brain scenario. Given the above case, should we be adding an "internal.mycompany.com" SAN to the certificate, or have ISA route webmail.mycompany.com to "internal.mycompany.com"?

EDIT: And in an effort to save money, we do have an existing wildcard certificate. Ignoring the security issues, it sounds like we can use the wildcard for this setup. Is that true?

http://sharepoint.nauplius.net
December 16th, 2011 10:58am

Hi, a wildcard certificate may be an option, but it may cause issues with some other applications/devices. About your question: it's not really the CAS array that should have the same name, but the web services that should have the same name internally and externally if you would like to route all traffic to the ISA. This is since OWA/ECP/OAB/EWS and Autodiscover are secured using a certificate. If you can't create a full split-DNS you might consider creating pinpoint DNS records. For more information about pinpoint DNS records have a look at this article: http://blogs.technet.com/b/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx As a last remark, you can also use webmail.mycompany.com as the Name instead of mycompany.com.

Regards, Johan
Exchange blog: www.johanveldhuis.nl
December 17th, 2011 7:03am

I'm attempting to avoid routing all traffic via ISA. For internal users, they can hit the CAS array directly.

http://sharepoint.nauplius.net
December 17th, 2011 7:25am

You can use a wildcard, but there are some things to consider, ignoring the security, e.g. mobile devices and what Windows Mobile version they are running; some older versions (off the top of my head, v5.0 and older) don't support them. You may have to set EXPR for a wildcard cert too - http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx If you want to avoid internal traffic going to the ISA, then you will have to configure the internal URLs and DNS, i.e. don't use the external namespace.

Sukh
December 17th, 2011 7:49pm

Hi Trevor, the posts above gave some good information; if you have any questions, please feel free to let us know. First of all, I want to verify whether the internal users also use the CERT that is used by the external users. If you use the CERT for external users, and if you just use the CAS array for the RPC connection of the internal clients, you do not need to add internal.mycompany.com into the SAN CERT. Or you could add it. And do you configure the NLB of the web service for the external users? If so, some resources for you: http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.html

Regards!
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Gavin, TechNet Community Support
December 19th, 2011 3:33am

We'll be installing the cert on ISA, but presumably also on the CAS array members, but from my understanding it is not recommended to expose the same hostname internally as well as externally due to client connectivity.

http://sharepoint.nauplius.net
December 19th, 2011 9:23pm

Hi Trevor, if you will also use the CERT for the CAS server role, you'd better add the names into the SAN CERT. And you are right, it is not recommended to use the same name for internal and external clients.

Regards!
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Gavin, TechNet Community Support
December 20th, 2011 1:34am

Can I forgo installing the cert on the CAS servers and just install it on the ISA Server while using SSLOffload = true?

http://sharepoint.nauplius.net
December 20th, 2011 9:41am

Hi Trevor, if so, you need an internal CA and issue CERTs for the servers. And let the ISA trust the CA.

Regards!
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Gavin, TechNet Community Support
December 21st, 2011 4:18am

Hi Trevor, any other questions?

Regards!
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Gavin, TechNet Community Support
December 27th, 2011 9:54pm

I'm still trying to nail down if I should use the same ExternalUrl and InternalUrl. My understanding is that if you use the same external/internal URLs (e.g. webmail.company.com) for Outlook connectivity, Outlook, externally, will first attempt to connect via MAPI, fail, and fall back to Outlook Anywhere. Whereas if you use different URLs externally (webmail.company.com) and internally (outlook.company.com), this will not occur. What we have is:

webmail.company.com/autodiscover.company.com: Internet -> ISA -> Reverse SSL -> CAS array
outlook.company.com/autodiscover.company.com: WAN -> CAS Array

We have an internal Microsoft Cert Authority which is trusted by all internal clients running Outlook. My assumption is that when internal, autodiscover will take care of pointing clients to outlook.company.com, while those same clients, when external, use a Verisign SAN cert and Outlook Anywhere to connect to webmail.company.com.

http://sharepoint.nauplius.net
January 10th, 2012 5:48pm
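As an added example, not code from the thread or from Exchange, here is a small Python check for the certificate question raised in the opening post and the internal/external namespace split laid out in the last post: given the planned names, does a candidate certificate cover every name a client will present in TLS? The namespace plan and the two candidate certificate name sets (a SAN cert with the names from the first post, and the existing wildcard) are constructed for this example, and the matching follows the RFC 6125 wildcard rule, which is what decides whether a wildcard can stand in for the SAN cert.

```python
"""Added example: does a certificate cover the Exchange namespace plan from this thread?"""

# Constructed namespace plan, following the thread: external names are published through
# ISA, internal Outlook clients use a separate name against the CAS array directly, and
# legacy.company.com still fronts Exchange 2003.
NAMESPACE_PLAN = {
    "external": ["webmail.company.com", "autodiscover.company.com", "legacy.company.com"],
    "internal": ["outlook.company.com", "autodiscover.company.com"],
}

# Constructed certificate name sets (subject name plus SANs) for the two options discussed.
SAN_CERT_NAMES = ["company.com", "autodiscover.company.com",
                  "webmail.company.com", "legacy.company.com"]
WILDCARD_CERT_NAMES = ["*.company.com"]


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 style comparison: a '*' may only stand for the whole left-most label,
    so '*.company.com' covers webmail.company.com but neither company.com itself nor
    cas1.internal.company.com."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[1:] or len(c_labels) < 3:
        return False  # partial wildcards and '*.com' style names are rejected
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def required_names(plan: dict) -> list:
    """Every name any client will present in TLS, internal and external, without duplicates."""
    names = []
    for group in plan.values():
        for name in group:
            if name not in names:
                names.append(name)
    return names


def uncovered_names(cert_names: list, plan: dict) -> list:
    """Names in the plan that none of the certificate's names match."""
    return [name for name in required_names(plan)
            if not any(hostname_matches(c, name) for c in cert_names)]


if __name__ == "__main__":
    for label, names in (("SAN cert", SAN_CERT_NAMES), ("wildcard", WILDCARD_CERT_NAMES)):
        missing = uncovered_names(names, NAMESPACE_PLAN)
        print(f"{label}: {'covers all names' if not missing else 'missing ' + ', '.join(missing)}")
```

With these inputs the SAN cert from the first post is missing the separate internal name (outlook.company.com), while the wildcard covers every single-label name under company.com but would not cover the bare company.com or any deeper name such as cas1.internal.company.com.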

This topic is archived. No further replies will be accepted.