RE: NLB CAS SSL Certs
I followed this article originally when I tried a regular ssl cert first:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

I believe I have already made all the necessary changes to make the proper cert work. I'm getting a SAN cert from Comodo today so I'm crossing my fingers that Outlook Anywhere will work this time (OWA works but not Outlook RPC/HTTPS).

Thanks,
Matt

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 6:24 AM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

Just make sure you set the avail and autodiscovery stuff (AutoDiscoverServiceInternalUri), etc. via powershell to point to the FQDN of the NLB.

-Original Message-
From: Matt Bullock [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 3:44 PM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

So I can remove the .local names, and use -

cas1.domain.com
cas2.domain.com
mail.domain.com (NLB address)
autodiscover.domain.com (NLB address)

Thanks Neil and Andy

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 4:21 AM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

If you point the clients to the NLB FQDN and set the autodiscovery stuff etc to the NLB address, then all you really need is that and the autodiscovery FQDN as well (don't forget autodiscovery!)

No need to add the .local and actual host names of the servers unless you really want to.

From: Matt Bullock [EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 12:24 AM
To: MS-Exchange Admin Issues
Subject: NLB CAS SSL Certs

I am trying to figure out the proper SSL cert to purchase. I have two CAS/HUB servers using NLB for redundancy and load balancing, and I wanted to make sure a single SAN cert will do the trick. Would the following names be all I need to include in the cert?

Cas1.domain.com
Cas2.domain.com
Cas1.domain.local
Cas2.domain.local
Mail.domain.com (NLB address)

After installing on the first server, I'll export and install on the second.

Thanks,
Matt

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
RE: NLB CAS SSL Certs
Just make sure you set the avail and autodiscovery stuff (AutoDiscoverServiceInternalUri), etc. via powershell to point to the FQDN of the NLB.

-Original Message-
From: Matt Bullock [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 3:44 PM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

So I can remove the .local names, and use -

cas1.domain.com
cas2.domain.com
mail.domain.com (NLB address)
autodiscover.domain.com (NLB address)

Thanks Neil and Andy

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 4:21 AM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

If you point the clients to the NLB FQDN and set the autodiscovery stuff etc to the NLB address, then all you really need is that and the autodiscovery FQDN as well (don't forget autodiscovery!)

No need to add the .local and actual host names of the servers unless you really want to.

From: Matt Bullock [EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 12:24 AM
To: MS-Exchange Admin Issues
Subject: NLB CAS SSL Certs

I am trying to figure out the proper SSL cert to purchase. I have two CAS/HUB servers using NLB for redundancy and load balancing, and I wanted to make sure a single SAN cert will do the trick. Would the following names be all I need to include in the cert?

Cas1.domain.com
Cas2.domain.com
Cas1.domain.local
Cas2.domain.local
Mail.domain.com (NLB address)

After installing on the first server, I'll export and install on the second.

Thanks,
Matt
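The change described in the message above, as an added example that is not part of the original thread: it points Autodiscover and the availability (EWS) URL on both CAS nodes at the NLB FQDN, then checks that every host name clients are handed is actually on the certificate bound to IIS. The server identities CAS1 and CAS2 are assumptions; the FQDNs are the thread's own placeholders.

```powershell
# Added example; run in the Exchange Management Shell on each CAS node.
# CAS1/CAS2 are assumed server names; the FQDNs are the thread's placeholders.
$nlbFqdn    = 'mail.domain.com'
$casServers = 'CAS1', 'CAS2'

# Point Autodiscover and the availability (EWS) service at the NLB name.
foreach ($cas in $casServers) {
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$nlbFqdn/Autodiscover/Autodiscover.xml"
    Get-WebServicesVirtualDirectory -Server $cas |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$nlbFqdn/EWS/Exchange.asmx"
}

# Collect every host name that clients are told to connect to.
$needed = @('autodiscover.domain.com')
foreach ($cas in $casServers) {
    $needed += ([uri](Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri).Host
    Get-WebServicesVirtualDirectory -Server $cas | ForEach-Object {
        if ($_.InternalUrl) { $needed += ([uri]"$($_.InternalUrl)").Host }
        if ($_.ExternalUrl) { $needed += ([uri]"$($_.ExternalUrl)").Host }
    }
    Get-OutlookAnywhere -Server $cas | ForEach-Object {
        if ($_.ExternalHostname) { $needed += "$($_.ExternalHostname)" }
    }
}
$needed = $needed | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Compare against the names on the certificate enabled for IIS on this server.
# Exact-match only: a wildcard entry on the certificate is not expanded here.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | ForEach-Object {
    $cert    = $_
    $sans    = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing = @($needed | Where-Object { $sans -notcontains $_ })
    "{0}  expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter
    if ($missing.Count -gt 0) {
        "  MISSING from SAN list: " + [string]::Join(', ', $missing)
    } else {
        "  all client-facing names are covered"
    }
}
```

A name reported as missing is one that Outlook will be directed to but that the certificate does not cover, which shows up on the client as a certificate name-mismatch prompt or a failed RPC/HTTPS connection.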
RE: NLB CAS SSL Certs
Do you have an internal Windows CA? With new products all now making use of certs (E2K7, OCS, SCOM, et al) it makes sense IMO to implement your own CA internally for such certs, using purchased certs at the ISA level of course. This way, you can create and re-create your internal certs as often as you like which is cool if you miss off an important name. :)

The reason I say this is because there are other names to consider. What about autodiscover? Are you planning on that externally? The NetBIOS name can also be useful (optional).

There's a good article on this subject here:
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

-Original Message-
From: Matt Bullock [mailto:[EMAIL PROTECTED]
Sent: 24 January 2008 05:25
To: MS-Exchange Admin Issues
Subject: NLB CAS SSL Certs

I am trying to figure out the proper SSL cert to purchase. I have two CAS/HUB servers using NLB for redundancy and load balancing, and I wanted to make sure a single SAN cert will do the trick. Would the following names be all I need to include in the cert?

Cas1.domain.com
Cas2.domain.com
Cas1.domain.local
Cas2.domain.local
Mail.domain.com (NLB address)

After installing on the first server, I'll export and install on the second.

Thanks,
Matt
RE: NLB CAS SSL Certs
If you point the clients to the NLB FQDN and set the autodiscovery stuff etc to the NLB address, then all you really need is that and the autodiscovery FQDN as well (don't forget autodiscovery!)

No need to add the .local and actual host names of the servers unless you really want to.

From: Matt Bullock [EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 12:24 AM
To: MS-Exchange Admin Issues
Subject: NLB CAS SSL Certs

I am trying to figure out the proper SSL cert to purchase. I have two CAS/HUB servers using NLB for redundancy and load balancing, and I wanted to make sure a single SAN cert will do the trick. Would the following names be all I need to include in the cert?

Cas1.domain.com
Cas2.domain.com
Cas1.domain.local
Cas2.domain.local
Mail.domain.com (NLB address)

After installing on the first server, I'll export and install on the second.

Thanks,
Matt
RE: NLB CAS SSL Certs
So I can remove the .local names, and use -

cas1.domain.com
cas2.domain.com
mail.domain.com (NLB address)
autodiscover.domain.com (NLB address)

Thanks Neil and Andy

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 4:21 AM
To: MS-Exchange Admin Issues
Subject: RE: NLB CAS SSL Certs

If you point the clients to the NLB FQDN and set the autodiscovery stuff etc to the NLB address, then all you really need is that and the autodiscovery FQDN as well (don't forget autodiscovery!)

No need to add the .local and actual host names of the servers unless you really want to.

From: Matt Bullock [EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 12:24 AM
To: MS-Exchange Admin Issues
Subject: NLB CAS SSL Certs

I am trying to figure out the proper SSL cert to purchase. I have two CAS/HUB servers using NLB for redundancy and load balancing, and I wanted to make sure a single SAN cert will do the trick. Would the following names be all I need to include in the cert?

Cas1.domain.com
Cas2.domain.com
Cas1.domain.local
Cas2.domain.local
Mail.domain.com (NLB address)

After installing on the first server, I'll export and install on the second.

Thanks,
Matt