Exchange 2010 Certificate Planning

I feel it is necessary to set out some standard clarifications here to make any future Exchange 2010 (E2010) deployment easier.

1. A wildcard certificate is not recommended if you have Lync integration. Always use a UCC certificate that supports Subject Alternative Names (SAN). If you do choose to use a wildcard certificate, remember to set the certificate principal name of the EXPR Outlook provider to msstd:*.contoso.com so that Outlook Anywhere clients accept the wildcard name.
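The EXPR setting from point 1, as an added Exchange Management Shell example (not part of the original post): it checks whether the certificate bound to IIS is actually a wildcard before changing the provider, and reads the value back afterwards. `*.contoso.com` is the post's placeholder domain.

```powershell
# Added example, not from the original post: set the EXPR provider only when the
# IIS certificate really is a wildcard. "*.contoso.com" is a placeholder domain.

$wildcard = "*.contoso.com"

# The certificate bound to IIS is the one Outlook Anywhere clients are shown.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$iisCert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# CertificateDomains holds domain objects, so compare their string form.
$domains = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

if ($domains -contains $wildcard) {
    # Outlook Anywhere expects the certificate principal name to match the proxy host;
    # with a wildcard certificate the provider has to advertise the wildcard instead.
    Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$wildcard"
}
else {
    "IIS certificate is not a wildcard; leave the EXPR provider unchanged."
}

# The value reaches clients through Autodiscover, so confirm it after the change.
Get-OutlookProvider -Identity EXPR | Format-List Name, Server, CertPrincipalName
```

Run it in the Exchange Management Shell on a Client Access server; the `Get-OutlookProvider` line at the end is what Outlook will see in its Autodiscover response.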

2. You do not need to put the actual CAS array name into the certificate. The only place the CAS array name is used is the RpcClientAccessServer attribute of the mailbox database; Outlook clients use it for the MAPI/RPC connection, which is not over HTTPS, so there is no need for it in the certificate. Normally the CAS array name is an internal FQDN such as casarray.contoso.local. If your internal domain name happens to be the same as your external domain name, make sure you DO NOT have an external (public) DNS record for the CAS array name; if you do, it will slow down the initial Outlook Anywhere connection. Do not use the actual CAS array name (casarray.contoso.local or casarray.contoso.com) as the URL for any virtual directory (OWA, ECP, ActiveSync, EWS, OAB, etc.). Create a different name, such as owa.contoso.local, for the internal URL.
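An added audit script for point 2 (not from the original post): it lists where the CAS array name is used, flags any HTTPS virtual directory URL or IIS certificate that carries it, and checks whether the name resolves in external DNS. Domain names are the post's placeholders; the public resolver address is an assumption and can be any external DNS server you trust.

```powershell
# Added example, not from the original post: audit use of the CAS array name.
# The public resolver address is an assumption; use any external DNS server.

$externalResolver = "8.8.8.8"

# 1. CAS array FQDNs and the databases that point at them (the only intended use).
$arrays = Get-ClientAccessArray | ForEach-Object { $_.Fqdn.ToString().ToLower() }
"CAS arrays: $($arrays -join ', ')"
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize

# 2. Every client-facing HTTPS URL; none of them should use the array name.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory)

foreach ($v in $vdirs) {
    foreach ($prop in "InternalUrl", "ExternalUrl") {
        $url = $v.$prop
        if ($url -and ($arrays -contains $url.Host.ToLower())) {
            "WARNING: $($v.Identity) $prop = $($url.AbsoluteUri) uses the CAS array name"
        }
    }
}

# 3. The IIS certificate does not need the array name either (MAPI/RPC is not HTTPS).
$certDomains = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }
foreach ($a in $arrays) {
    if ($certDomains -contains $a) { "NOTE: $a is in the IIS certificate but is not needed there" }
}

# 4. When internal and external domain names are the same, the array name must not
#    resolve from the Internet, or the first Outlook Anywhere connection is slowed down.
#    nslookup is used because Resolve-DnsName does not exist on Windows Server 2008 R2.
foreach ($a in $arrays) {
    $answer = nslookup $a $externalResolver 2>&1 | Out-String
    if ($answer -match "(?m)^Name:\s+") {
        "WARNING: $a resolves in external DNS via $externalResolver"
    }
    else {
        "OK: $a has no external DNS record"
    }
}
```

The internal DNS record for the CAS array must of course stay in place, which is why step 4 queries an external resolver rather than the server's own.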

3. If you have ISA/TMG in front, issue a certificate from your internal CA for the back-end Exchange server. The public certificate goes on ISA/TMG, or on the load balancer if you do SSL offloading.

4. I would not recommend putting the internal server FQDN in the public certificate (and you really do not need to), as this exposes your internal server name to the outside world.

5. So in a nutshell, the basic names you need in the certificate are:

   owa.contoso.com
   autodiscover.contoso.com
   legacy.contoso.com (if doing co-existence)
   failback.contoso.com (for datacenter failover and failback)
   smtp.contoso.com (if secure SMTP is required)
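The whole certificate workflow for the name list in point 5, as an added example (not from the original post): generate the SAN request, import the issued certificate, bind it to IIS and SMTP, and verify that every required name made it into the certificate. The same request cmdlet serves the internal-CA certificate for a back-end server behind ISA/TMG from point 3. contoso.com, the organisation name and the file paths are placeholders; drop the optional names you do not need.

```powershell
# Added example, not from the original post: request, import, enable and verify a
# UCC/SAN certificate. contoso.com, the organisation and file paths are placeholders.

$names = @(
    "owa.contoso.com",           # OWA, ECP, EWS, OAB, ActiveSync and Outlook Anywhere
    "autodiscover.contoso.com",  # Autodiscover
    "legacy.contoso.com",        # only while co-existing with Exchange 2003/2007
    "failback.contoso.com",      # only for datacenter failover and failback
    "smtp.contoso.com"           # only if secure (TLS) SMTP is required
)

# 1. Generate the request. The first name is the subject CN; every name goes into the SAN.
#    The private key stays on this server; exportable so the issued certificate can be
#    moved to the other CAS servers (or to ISA/TMG or the load balancer, per point 3).
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Contoso Exchange 2010" `
    -SubjectName ("c=US,o=Contoso Ltd,cn=" + $names[0]) `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path C:\certs\contoso-exchange.req -Value $request
# Submit the .req file to the public CA. For the back-end server behind ISA/TMG
# (point 3) submit the same kind of request to the internal CA instead.

# 2. Import the issued certificate and bind it to the HTTPS services (IIS) and SMTP.
#    -Force suppresses the prompt about replacing the default SMTP certificate.
$cerBytes = [Byte[]](Get-Content -Path C:\certs\contoso-exchange.cer -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $cerBytes
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP -Force

# 3. Verify that the certificate IIS now serves really contains every required name.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$present = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $names | Where-Object { $present -notcontains $_ }
if ($missing) {
    "Missing from certificate: $($missing -join ', ')"
}
else {
    "All required names present; valid until $($cert.NotAfter)"
}
```

Step 3 is the check worth keeping around: a CA that silently drops a SAN entry, or an operator who forgets autodiscover, is caught before clients start seeing certificate warnings.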

References:

https://blogs.technet.com/b/exchange/archive/2010/11/22/3411576.aspx

https://www.howexchangeworks.com/2011/06/should-cas-array-url-be-part-of.htm


This is just based on my understanding and experience. Any comments are highly welcome.

Comments

  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    September 11, 2014
    Please, I need the requirements to set up Microsoft Exchange Server in my office: hardware, software and certificate.