You sure about this? It seems to me that you just need a generic server 
authentication OID.

In that case, the CN property in the cert just needs to match whatever FQDN is 
used to connect to the AD LDS instance. If that happens to be the same 
internally and externally, then there is no problem.

Same as other types of server authN certs (e.g. web servers).

Cheers
Ken

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, 18 November 2010 11:40 PM
To: NT System Admin Issues
Subject: RE: LDAPS Setup question

As it says: the server authentication certificate must be issued to the FQDN of 
the computer on which your AD LDS instance is running.

That's the internal FQDN. If you want to use it externally, you are going to 
need something that does SSL termination and URL rewriting. Such as ISA or TMG.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Oliver Marshall [mailto:oliver.marsh...@g2support.com]
Sent: Thursday, November 18, 2010 10:32 AM
To: NT System Admin Issues
Subject: LDAPS Setup question

Hi Chaps,

I'm trying to get LDAP over SSL set up on a Windows 2008 AD server. Before I 
order the SSL cert, I just want to check. The docs at the MS site say:

"When you request the certificate, specify the fully qualified domain name 
(FQDN) of the computer on which your AD LDS instance is running as the 
identifying name for the certificate. In other words, the server authentication 
certificate must be issued to the FQDN of the computer on which your AD LDS 
instance is running."

Now, we want to use LDAPS both internally and externally. Am I right in 
thinking we can order a cert with the FQDN of ldap.mydomain.com and, as long as 
that domain resolves to the LDAP/AD server both externally and internally, it 
will be accepted? Or should we get a multiple host SSL cert, as we do with 
Exchange 2xxx, and register the netbios name, internal FQDN (server.mydomain.local) 
and the external FQDN (ldap.mydomain.com)?

Olly

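Oliver's question (one name on the cert, or a multi-name cert as with Exchange) comes down to which names a client will accept, and Ken's answer is the rule clients apply: SAN dNSName entries are checked first, and the subject CN is only consulted when the certificate carries no SAN at all. The Python below is an added example, not from the thread; it applies that rule to certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates, and `probe_ldaps` is a hypothetical helper for repeating the check against a live server on port 636.

```python
"""Which hostnames would a client accept an LDAPS server certificate for?"""
import socket
import ssl


def _dns_names(cert):
    """Split a getpeercert()-style dict into (SAN dNSName list, subject CN list)."""
    san = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return san, cn


def _label_match(pattern, host):
    """Match one certificate name against a host; a single leftmost '*' label
    is allowed (*.mydomain.com matches ldap.mydomain.com, not a.b.mydomain.com)."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    parts = host.split(".", 1)
    return len(parts) == 2 and parts[1] == pattern[2:]


def names_accepted_for(cert, hostnames):
    """Return the subset of hostnames this certificate would be accepted for.
    The CN is a fallback only when the certificate has no SAN extension."""
    san, cn = _dns_names(cert)
    candidates = san if san else cn
    return [h for h in hostnames if any(_label_match(p, h.lower()) for p in candidates)]


def probe_ldaps(host, port=636, timeout=5):
    """Hypothetical live check: connect with full verification and return the
    names on the presented cert. Raises ssl.SSLCertVerificationError when the
    name or chain does not verify, which is exactly what an LDAPS client sees."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return _dns_names(tls.getpeercert())


# Constructed samples mirroring the two options discussed in the thread.
SINGLE_NAME_CERT = {  # issued only to the internal FQDN, no SAN
    "subject": ((("commonName", "server.mydomain.local"),),),
}
MULTI_NAME_CERT = {  # a SAN/UC-style cert carrying every name clients use
    "subject": ((("commonName", "ldap.mydomain.com"),),),
    "subjectAltName": (("DNS", "ldap.mydomain.com"),
                       ("DNS", "server.mydomain.local"), ("DNS", "server")),
}
NAMES = ["ldap.mydomain.com", "server.mydomain.local", "server"]
```

With the single-name cert only server.mydomain.local is accepted, so external clients connecting as ldap.mydomain.com fail name verification; the multi-name cert covers all three names.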



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin
