Exchange Server Forums

How to create TLS certificates/routing/encryption

How to create TLS certificates/routing/encryption - 18.Nov.2008 8:18:07 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
We are trying to mimic our existing 2003 routing -

Looks like I have inbound and outbound routing and encryption and relaying.

Are there any tutorials that walk you through this?

Thanks.

-John
Post #: 1
RE: How to create TLS certificates/routing/encryption - 18.Nov.2008 8:51:06 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Relaying:
http://www.shudnow.net/2008/08/21/how-anonymous-relay-works-in-exchange-2007/

Connectors/TLS/DNS:
http://www.shudnow.net/2008/11/08/exchange-2007-mail-flow-dns-records-connectors-and-tls/

All about Autodiscover/Certificates:
http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 2
RE: How to create TLS certificates/routing/encryption - 20.Nov.2008 12:29:09 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Thank you - are there any guidelines that discuss the different types of connectors:

Custom
Internal
Internet
Partner

Is there a way I can tell what my existing ones are so that I can duplicate for 2007 and the new server?

Hope you can help.

Thanks.

-John


(in reply to Elan Shudnow)
Post #: 3
RE: How to create TLS certificates/routing/encryption - 20.Nov.2008 12:37:41 PM
Exchange_Geek

 

Posts: 1287
Joined: 31.Dec.2006
Status: offline
Ref: http://technet.microsoft.com/en-us/library/aa998662.aspx

You may want to run

Get-SendConnector | FL

(in reply to john.leonard)
Post #: 4
RE: How to create TLS certificates/routing/encryption - 20.Nov.2008 6:05:03 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Thank you - I also need to generate a "certificate" - that can be used for the public - not the one that is generated by the server - Need this for TLS.

Thank you.

-John

(in reply to john.leonard)
Post #: 5
RE: How to create TLS certificates/routing/encryption - 21.Nov.2008 12:29:40 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Thanks for all the info - is there a utility that I can use to generate my own TLS certificate? One that can be used for both internal and external communication?

This can be used to ensure "our mail server is who it is"? Does this have anything to do with IIS?

What additional information besides the mail server name and the FQDN info is needed?

It is my understanding that the certificate that is generated during install is not sufficient?

Please advise.
Thanks.
-John

(in reply to john.leonard)
Post #: 6
RE: How to create TLS certificates/routing/encryption - 21.Nov.2008 3:02:58 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Looks like you didn't read my article(s), two of which contain a tool to help you build your cert, what names need to go in the cert, and the difference between a self-signed cert and a new cert. :/

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 7
RE: How to create TLS certificates/routing/encryption - 2.Dec.2008 5:40:23 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
I am now totally confused - I also heard something that I need to set up certificates on the IIS side also - can these be the same certificates? Or am I just missing the whole concept?

(in reply to Elan Shudnow)
Post #: 8
RE: How to create TLS certificates/routing/encryption - 2.Dec.2008 6:37:17 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
When you Enable-ExchangeCertificate -Services IIS, it'll place that certificate into IIS. So it uses the same certificate.

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 9
RE: How to create TLS certificates/routing/encryption - 18.Dec.2008 6:45:13 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Thank you for your feedback - so if we are looking to set up OWA - AutoDiscover - we need to add those server FQDNs.

I take it the CASServer is the "client access server" - if everything is on the same box - we are just going to need a single certificate - if we wish to add additional services - ActiveSync etc... we need to add those to the cert also, if I understand this correctly?
  • OWA.mycompany.com
  • mymailserver
  • mymailserver.mycompany.com
  • autodiscover.mycompany.com

I am still a bit sketchy on the .local stuff - but it sounds like the autodiscover covers a lot of services.... that will need to be configured on the mail server through the "shell" commands?

Thanks.
-John

(in reply to Elan Shudnow)
Post #: 10
RE: How to create TLS certificates/routing/encryption - 20.Dec.2008 9:40:13 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Outlook Anywhere, OWA, and EAS can all use the same name. So really, the bare minimum if you also want Autodiscover functionality is to utilize 2 names. One for your client services (owa.company.com) and the other for Autodiscover (autodiscover.company.com). .local can be used with an internal CA and from vendors such as Entrust and Digicert since they're not public domains.

There are reasons you may need to include .local (if you're not using Split DNS) and if you want to include the NetBIOS/FQDN of a server. For example, Autodiscover Site Affinity, connecting to OWA using NetBIOS/FQDN, etc...

I suggest going over an article I wrote. I wrote that article with people in mind who are trying to get a grasp on certificates, DNS, Autodiscover, Web Services, and to provide a real-world example of how/why you'd deploy a certificate/DNS depending on the environment and what you'd need to do if your environment changed a little.

Check that article out here: http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 11
RE: How to create TLS certificates/routing/encryption - 13.Jan.2009 12:56:31 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
I have a question on the autodiscover -

What if I have multiple entry points into our network?

We are looking to have the following certs.

owa-us.example.com
usmail.example.com
usmail
??? not sure on the autodiscover?
autodiscover.example.com

owa-eu.example.com
eumail.example.com
eumail
???? not sure on the autodiscover?
autodiscover.example.com

Any thoughts?

Thanks.

-John

(in reply to Elan Shudnow)
Post #: 12
RE: How to create TLS certificates/routing/encryption - 13.Jan.2009 2:13:30 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
That's fine. If you have multiple entry points, then you can have -ExternalURL for OWA on both locations. This will redirect users and minimize OWA proxying traffic. Everything else will be proxied. But if you have EAS and OA on both servers, then during Autodiscover (Windows Mobile 6.0+) setup, the user will be set up to use the OA/EAS hostname on the CAS which is in the same site in which their mailbox is located.

For Autodiscover, unfortunately there's no good solution. If the CAS in the one datacenter gets hit by a meteor, you'll have to tell the ISP to change the external DNS record for it to go to the other site.

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 13
RE: How to create TLS certificates/routing/encryption - 13.Jan.2009 3:53:41 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Thanks Elan - if I throw an existing server into the mix is it going to change things much?
What if I have a mixed 2003/2007 environment - I take it EAS = Exchange ActiveSync (this is used for mobile, non-BlackBerry devices) and OA = Outlook Anywhere? Can I get the certs and just not enable some features for now?

I think I am getting closer?
Two new 2007 servers being built

owa-us.example.com
usmail.example.com
usmail
autodiscover.example.com

owa-eu.example.com
eumail.example.com
eumail
autodiscover.example.com

The existing 2007 server - does not have a cert currently - IIS generated (which we find is a no-no)

owa-eu.example.com
eu1mail.example.com
eu1mail.
autodiscover.example.com

Appreciate the help - I am still a rookie at this 2007 stuff.

Thanks.

-John

(in reply to Elan Shudnow)
Post #: 14
RE: How to create TLS certificates/routing/encryption - 13.Jan.2009 4:26:41 PM
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Well, when you install a new CAS, it places an SCP record into AD. You'll have to modify this using Set-ClientAccessServer -AutoDiscoverServiceInternalUri. You can just point it to a URL which goes to itself or another CAS or wherever you want. This is more for internal Autodiscover.

You'd want to do the same for the web services URLs. You can still point them to the other server just like the Autodiscover.

And you can't really disable this other than disabling what a cert allows you to use: Set-ExchangeCertificate -Services. But the -Services for all these features are all bundled up into the IIS service. So once you enable it for that, it's enabled for everything. You can choose not to install Outlook Anywhere (OA) or Exchange ActiveSync (EAS) though.

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to john.leonard)
Post #: 15
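Pulling the steps from posts #9, #11 and #15 into one Exchange Management Shell sequence, as an added example that is not from this thread or from Elan's articles. The server name, organisation, file paths and hostnames are placeholders taken from John's lists, and the name-coverage check at the end is my own assumed verification, not an Exchange feature.

```powershell
# Exchange 2007 SP1 Management Shell. Placeholder names mirror the thread:
# owa-us.example.com, usmail.example.com, usmail, autodiscover.example.com.
$casServer = "usmail"                      # assumed NetBIOS name of the CAS being configured
$names     = "owa-us.example.com",
             "usmail.example.com",
             "usmail",
             "autodiscover.example.com"

# 1. Build one SAN certificate request; the CN is the client-facing name, the rest go in -DomainName.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=owa-us.example.com, O=Example, C=US" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Path "C:\certs\usmail.req"
# Submit C:\certs\usmail.req to the CA (public or internal) and save the issued cert as C:\certs\usmail.cer.

# 2. Import the issued certificate and enable it for the web services (IIS) and SMTP TLS.
#    IIS covers OWA, EAS, Outlook Anywhere and Autodiscover together, as post #15 notes.
$cert = Import-ExchangeCertificate -Path "C:\certs\usmail.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS, SMTP"

# 3. Point the Autodiscover SCP (used by internal Outlook clients) at a name that is in the cert.
Set-ClientAccessServer -Identity $casServer `
    -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"

# 4. Assumed check: every name clients will connect to must appear in CertificateDomains,
#    otherwise Outlook/OWA users get certificate-name warnings.
$enabled = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $names | Where-Object { $enabled.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names not covered by the cert: $($missing -join ', ')" }
else          { Write-Host "Certificate covers all required names; services: $($enabled.Services)" }
```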
RE: How to create TLS certificates/routing/encryption - 20.Jan.2009 4:23:03 PM
john.leonard

 

Posts: 152
Joined: 16.Oct.2008
Status: offline
Elan - thanks for your insight - I am still a bit confused about the .local suffix in a cert?

owa-us.example.com
usmail.example.com

usmail.example.local
usmail
autodiscover.example.com

owa-eu.example.com
eumail.example.com

eumail.example.local
eumail
autodiscover.example.com

The existing 2007 server - does not have a cert currently - IIS generated (which we find is a no-no)

owa-eu.example.com
eu1mail.example.com

eu1mail.example.local
eu1mail.
autodiscover.example.com

From what you have gone over and chatted with AJ recently - if I go with these requests on our certificate - I should be able to cover all possibilities.

Am I getting too deep on this?

If I go with the owa-eu.example.com that should cover the EU countries and the owa-us.example.com would cover the US.

What would I use the .local for if I have the NetBIOS name in there, or could I use the NetBIOS name and use .local for down the road?

Thanks.

-John

(in reply to Elan Shudnow)
Post #: 16