CAS - Internal and External SSL on one CAS Server


by Stevehewitt (posted, later edited)

Problem and Background

Exchange 2007 has a number of IIS based features, such as Outlook Web Access, ActiveSync, Autodiscover and Offline Address Book.

Whilst a default installation on your internal network may work fine, you'll probably want some users to be able to access these web-based services from outside your company firewall.
It's highly recommended to use SSL certificates to protect the data, but that brings a problem: if you are using two different domain names, one for your internal network and another for external DNS, you'll get SSL certificate prompts.

This is because the name on the SSL certificate can't match both names. For example, say I have headoffice.internal for my internal domain and mycompany.com for my external domain. My SSL certificate is the default one that Exchange creates (so it's something like exchange.headoffice.internal), and when I use Outlook Web Access from an Internet cafe or from home I get an error telling me that the name on the certificate is invalid. Rightly so: I use https://exchange.mycompany.com/owa to access OWA from the Internet, but the certificate has the headoffice.internal name on it.

This applies to all web-based services with Exchange, including Autodiscover. This causes major issues if you put an external SSL certificate on your Exchange CAS, as Outlook 2007 on your local network will read the certificate and notify the user that it is invalid every time they open Outlook.


Solution

Unfortunately an IIS website can only have one SSL certificate bound to it, so we need another solution.
The easiest is to get a certificate from a CA with multiple domain names on it. However this is very expensive and can take a while to process.

The alternative is a quick in-house fix which essentially involves creating a new IIS website, and creating new OWA/Autodiscover/OAB/ActiveSync etc. virtual directories under that site.

From a basic CAS installation on Windows 2003 you will have a "Default Web Site" in IIS with all Exchange 2007 web services in it. This site has an internal SSL certificate already applied.

The easiest thing to do is:


1. Create a new external SSL certificate for your domain. I suggest using a wildcard certificate such as *.mydomain.com.

2. Add a new IP address to your server which will be used just for external clients.

3. Open up IIS and create a new website. I called mine 'External' as this site will only be used by external clients. This site should have Read and Run Script access and should be pointing to the default Windows location of IIS, e.g. C:\Inetpub\WWWRoot\. This website should use just the new IP address you created.

4. Go to the Exchange Management Shell.

5. Create the relevant services you need by using the 'New-ServiceNameVirtualDirectory' cmdlet, where ServiceName is the web service in question (ActiveSync, OWA, OAB, Autodiscover).

For example, to create a new ActiveSync virtual directory for the External site I used:

Code:
New-ActiveSyncVirtualDirectory -Server "Exchange" -WebSiteName "Exchange/External" -ExternalURL "https://exchange.mydomain.com/Microsoft-Server-ActiveSync"

For a new OWA virtual directory:

Code:
New-OWAVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSite "External"

6. Once done, add your external SSL certificate to the 'External' site and make the relevant DNS and firewall changes to allow Internet users to connect. Voila!
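The cmdlet step above, written out as one script for the Exchange Management Shell, is an added example and not part of the original FAQ. It goes beyond the two directories the FAQ creates and covers OAB and Autodiscover as well, then lists the result and performs a certificate name check that reproduces what a client sees. Assumed names (replace with your own): CAS server "Exchange", external IIS site "External", wildcard certificate *.mydomain.com, and the hostnames exchange.mydomain.com, autodiscover.mydomain.com and exchange.headoffice.internal. The Test-CertName function uses try/catch and so needs PowerShell 2.0 or later.

```powershell
# Added example, not from the original FAQ. Run in the Exchange Management Shell
# (Test-CertName needs PowerShell 2.0 or later for try/catch).
# Assumed names: CAS server "Exchange", external IIS site "External", external
# wildcard certificate *.mydomain.com. Replace the hostnames with your own.

$server  = "Exchange"
$site    = "External"
$extHost = "exchange.mydomain.com"

# The cmdlet step of the FAQ, extended to all four IIS-based services. Only
# -ExternalUrl is set on the External site; internal clients keep using the
# untouched Default Web Site and its internal certificate.
New-ActiveSyncVirtualDirectory -Server $server -WebSiteName $site `
    -ExternalUrl "https://$extHost/Microsoft-Server-ActiveSync"

New-OwaVirtualDirectory -OwaVersion Exchange2007 -Name "owa" -Server $server `
    -WebSiteName $site -ExternalUrl "https://$extHost/owa"

New-OabVirtualDirectory -Server $server -WebSiteName $site `
    -ExternalUrl "https://$extHost/OAB"

# Autodiscover is usually published under autodiscover.<domain> (assumed here);
# the wildcard certificate covers that name too.
New-AutodiscoverVirtualDirectory -Server $server -WebSiteName $site `
    -ExternalUrl "https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml"

# Review the split: the Default Web Site entries should carry the internal name
# in InternalUrl, the External entries the mydomain.com name in ExternalUrl.
foreach ($cmdlet in "Get-ActiveSyncVirtualDirectory", "Get-OwaVirtualDirectory",
                    "Get-OabVirtualDirectory", "Get-AutodiscoverVirtualDirectory") {
    & $cmdlet -Server $server | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
}

# Certificate name check: open a TLS connection and let .NET validate the
# certificate against the hostname a client would type. A name mismatch or an
# untrusted issuer is reported as Accepted = $false, which is the same outcome
# OWA users and Outlook 2007 report as the certificate prompt described above.
function Test-CertName([string]$hostName, [int]$port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host = $hostName; Accepted = $true; Subject = $cert.Subject; Error = "" }
    } catch {
        New-Object PSObject -Property @{
            Host = $hostName; Accepted = $false; Subject = ""; Error = $_.Exception.Message }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# Run against both names: the internal one from the LAN, the external one from
# outside the firewall. Each should be accepted on its own side only.
Test-CertName "exchange.headoffice.internal"
Test-CertName $extHost
```

Run the Test-CertName calls from a workstation on the LAN and again from an Internet connection; if the external name is rejected from outside, the wildcard certificate is not bound to the External site (or its IP) correctly, and if the internal name is rejected from inside, the Default Web Site has been changed.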

Conclusion

Essentially, the above steps have left us with our 'Default Web Site', which we will use for all internal clients; the site is as installed, with nothing changed.
What we did do is create a new IIS site with its own dedicated IP address and external SSL certificate. On that site, we had Exchange 2007 create two new virtual directories, one for OWA and the other for ActiveSync.
This process can be done with the other virtual directories too (see TechNet for cmdlet details).

Credits to Simon Butler, aka Sembee, for his article (now removed) that provided the foundation information which helped me get this far!

Hope this helps.


Steve.