What Simon said. Personally, where practical, I prefer going with a wildcard cert, and this discussion becomes somewhat academic.
Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: David Liu [mailto:ganymed...@gmail.com] Sent: Monday, February 06, 2012 10:53 AM To: MS-Exchange Admin Issues Subject: Re: autodiscover for SAN certs Thanks MBS for the quick response. Yes, so for our NA implementation we have currently non-internet facing site with available CAS servers (with different casarray names/external vip's currently) that we can point external VIP's from the production to. Or, we could always play DNS tricks, lower ttl on autodiscover.domain.com<http://autodiscover.domain.com> and point it to one o the external VIP's at EMEA or APAC, assuming redirection et al is working. However, even if we were to do this, don't the other regions SAN certs also need to include autodiscover.domain.com<http://autodiscover.domain.com> if they are requesting separate SAN certs ? The question is if EMEA adds autodiscover.domain.com<http://autodiscover.domain.com> will that "invalidate" APAC's existing autodiscover.domain.com<http://autodiscover.domain.com>? On Mon, Feb 6, 2012 at 10:22 AM, Michael B. Smith <mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote: This is the right answer: The other proposal is to have one region request autodiscover.domain.com<http://autodiscover.domain.com> and use that as the main entry point and change all EWS/OAB/OA external url to autodiscover.domain.com<http://autodiscover.domain.com> per tech kb http://technet.microsoft.com/en-us/library/bb201695.aspx . Does that simplify things? I don't know your DR situation, but that can come into play as well. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: David Liu [mailto:ganymed...@gmail.com<mailto:ganymed...@gmail.com>] Sent: Monday, February 06, 2012 10:11 AM To: MS-Exchange Admin Issues Subject: autodiscover for SAN certs All, For those of you that have to secure multiple SAN certs across different regions of the globe, how do you handle including autodiscover.domain.com<http://autodiscover.domain.com> in your SAN cert? For example. if the external smtp domain is domain.com<http://domain.com> and you have 3 regional Exchange 2010 internet facing sites for say, APAC, EMEA, and NA, each requiring a separate SAN cert for delegation/administrative purposes, do you include autodiscover.domain.com<http://autodiscover.domain.com> in each of the SAN cert request? Does this not cause a conflict as my understanding is that each SAN name requested must be unique? The other proposal is to have one region request autodiscover.domain.com<http://autodiscover.domain.com> and use that as the main entry point and change all EWS/OAB/OA external url to autodiscover.domain.com<http://autodiscover.domain.com> per tech kb http://technet.microsoft.com/en-us/library/bb201695.aspx . Does that simplify things? Many thanks in advance, --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist