Exchange Server Forums
certificates for 2 CAS's?
certificates for 2 CAS's? - 9.Sep.2008 10:06:46 AM
aleceiffel
Posts: 53
Joined: 16.Dec.2005
Status: offline
I have 2 Client Access servers for Exchange 2007, one internal which also serves as the mailbox role and the other just a Client Access server for OWA and possibly Outlook Anywhere in the near future. We are in the process of upgrading our Outlook clients to 2007 and I need certificates for the autodiscover service. We will be getting UCC certificates from GoDaddy. Can I list "autodiscover.domain.com" and "domain.com" in the subject alternate names of both certificates? Everything I can find says to list the server's NetBIOS name, the domain name, the internal FQDN for the server, any external FQDNs for the server and autodiscover.domain.com. I cannot find any mention of what to do when you have 2 CAS servers though.
RE: certificates for 2 CAS's? - 9.Sep.2008 10:55:35 AM
John Weber
Posts: 618
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
It is going to depend on what services each does. I always list every DNS name the box answers. Your entries for the SAN cert are correct. How the autodiscover is going to work may be problematical. Can the internal users see the external CAS?
_____________________________
-jmw http://tsoorad.blogspot.com
RE: certificates for 2 CAS's? - 9.Sep.2008 11:23:30 AM
aleceiffel
Posts: 53
Joined: 16.Dec.2005
Status: offline
The internal users can see the external CAS but do not typically access it. Here's what I was thinking for the autodiscovery config:

CAS1 (IP 192.168.1.101) runs CAS and mailbox roles. It's accessed by internal Outlook 2007 clients. Internal DNS servers have an A record for autodiscover.domain.com = 192.168.1.101

CAS2 (IP 192.168.1.102) runs CAS for OWA and in the future Outlook Anywhere. External DNS servers have an A record for autodiscover.domain.com = <my external IP>. The firewall redirects the SSL port for that external IP to 192.168.1.102 internally.

A concern I have is that Outlook Anywhere users will use the external autodiscover record when their laptop is outside our network but when they bring their laptop onto the internal network, they will be using the internal autodiscover record. Effectively this will change autodiscover servers on them. I'm not sure if this will be an issue or not?
RE: certificates for 2 CAS's? - 9.Sep.2008 1:01:21 PM
Sembee
Posts: 3960
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Autodiscover is autodiscover - there is no difference between internal and external. If you set up a split DNS system you can control which server the autodiscover.example.net URL goes to. Saying that, I put autodiscover.example.net on every SSL certificate for the CAS role. If I am using load balancing for OWA then the certificates are identical except for the server's own name.
Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
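
The advice in the replies above (list every name a server answers to, and put the autodiscover name on every CAS certificate) can be checked before the certificates are ordered. This is an added example, not part of the thread: it builds one SAN list per server and walks each split-DNS view to find names that would land on a server whose certificate does not list them. The host names cas1, cas2, the domain.local FQDNs and mail.domain.com, and the DNS view tables, are constructed for illustration.

```python
# Added example: SAN coverage check for two CAS certificates under split DNS.
# Names other than autodiscover.domain.com and domain.com are constructed.

SHARED = ["autodiscover.domain.com", "domain.com"]

# Names each server answers to (NetBIOS name, internal FQDN, external FQDN).
SERVER_NAMES = {
    "CAS1": ["cas1", "cas1.domain.local"],
    "CAS2": ["cas2", "cas2.domain.local", "mail.domain.com"],
}

# Split DNS: which server a client reaches for a name, per network view.
DNS_VIEWS = {
    "internal": {"autodiscover.domain.com": "CAS1", "cas1": "CAS1",
                 "cas1.domain.local": "CAS1", "mail.domain.com": "CAS2"},
    "external": {"autodiscover.domain.com": "CAS2", "mail.domain.com": "CAS2"},
}


def build_san_lists(shared, server_names):
    """One SAN list per server: shared names first, then the server's own."""
    return {srv: list(dict.fromkeys(n.lower() for n in shared + own))
            for srv, own in server_names.items()}


def covers(name, san_list):
    """Case-insensitive exact match of a requested name against a SAN list."""
    return name.lower().rstrip(".") in {s.lower() for s in san_list}


def coverage_gaps(san_lists, dns_views):
    """Return (view, name, server) for every name that resolves to a server
    whose certificate does not list it (a name-mismatch warning for clients)."""
    gaps = []
    for view, records in dns_views.items():
        for name, server in records.items():
            if not covers(name, san_lists[server]):
                gaps.append((view, name, server))
    return sorted(gaps)


if __name__ == "__main__":
    sans = build_san_lists(SHARED, SERVER_NAMES)
    for srv, names in sans.items():
        print(srv, ", ".join(names))
    print("gaps:", coverage_gaps(sans, DNS_VIEWS))
```

With the shared names on both certificates the check reports no gaps; leaving autodiscover.domain.com off the CAS2 certificate produces a gap in the external view, which is the laptop-outside-the-network case raised in the thread.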