Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

UC San cert or self signed.. which is the right option or both? 3

Status
Not open for further replies.
blade1000

blade1000

IS-IT--Management
Mar 1, 2009
133
US
Hello

So I have Exchange 2010 implemented and built to good specs, I am reading about self signed certs and UC SAN certs.

Question is, can I get away with using just a self signed cert created on the Exchange server (hub/cas server) as well as purchasing a UC SAN cert because CAS absolutely needs it for Outlook Anywhere usage etc? or can I just get away with issuing just a UC SAN, implement it on the CAS server and would that be all I need for encrypted proper communication from inside/outside and vice versa?

thanks for any information on this topic

blade
 
Sort by date Sort by votes
I would recommend UC SAn cert, especially if you want to do autodiscover. I used Digicert and it was very easy and stopped all my annoying pop up security warnings my uses kept getting.
 
Upvote 0 Downvote
You should be able to get a UCC SAN cert that includes all the internal server names and use that single cert for all functions. If you have a single server, you'd want these names:

mail.domainname.com (or whatever the MX record resolves to)
autodiscover.domainname.com
server.internaldomain.local
server (netbios name)

Make sure that the name that matches the MX record is what you use as the "common name".

Dave Shackelford MVP
ThirdTier.net
TrainSignal.com
 
Upvote 0 Downvote
Dave and I have always differed on this approach. I never put internal names in certs. The only addresses I use are the MX record name (mail.domain.com, or whatever), the OWA name (often the same as MX), and the autodiscover name (autodiscover.domain.com).

Internally, I use split brain DNS, so resources have the same namespace internally. Thus, a CAS array could use mail.domain.com

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Upvote 0 Downvote
Thanks guys, I actually implemented Pat's recommendation yesterday before looking at these answers from a few forums I scanned thru.

Eitherway it would have worked but did end up involving split brain dns internally for the CAS nlb using the same address.

Thanks to everyone though!
blade
 
Upvote 0 Downvote
Pat,

This is a one off question and won't ask it in it's entirety here but have you implemented TMG 2010 before ?, I would just like to know if you wouldn't mind going to the proxy server forum and you'll see my entry on TMG 2010.

just some general stuff I need to understand. Sorry to anyone on this forum for asking non related issue.... if you've deployed this application of course..

thanks much
blade
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

stanlyn
  • Locked
  • Question
How to do Certificates on MultiDomain Exchange with Least Cost
Replies
1
Views
1K
Wesaf
Wesaf
david jackson
  • Locked
  • Question
Extract only the subject and recipients from a mailbox
Replies
0
Views
1K
david jackson
david jackson
DrB0b
  • Locked
  • Question
Issue removing large deleted items folder's contents
Replies
1
Views
1K
DrB0b
DrB0b
Rohit Bareja
  • Locked
  • Question
View and access only own records, and not the records by others on SharePoint.
Replies
3
Views
1K
garysm
garysm
sreejay2211
  • Locked
  • Question
email issue
Replies
0
Views
1K
sreejay2211
sreejay2211

Part and Inventory Search

Sponsor

Back
Top