Wednesday, September 7, 2011

Exchange 2010 Certificate Planning

I feel it's necessary to make some standard clarifications here to help with any future E2010 deployment.


1. A wildcard certificate is not recommended because of Lync. Always use a UCC certificate that supports SAN names. If you do use a wildcard, remember to set the certificate principal name on the EXPR Outlook provider to msstd:*.contoso.com.



2. You do NOT put the actual CAS array name into the certificate. The only place the CAS array name is used is the RpcClientAccessServer attribute of the mailbox database. Outlook clients use it for the MAPI/RPC connection, which is not over HTTPS, so there is no need to put it in the certificate. Normally the CAS array name will be an internal FQDN, such as casarray.contoso.local. If your internal domain name happens to be the same as your external domain name, make sure you DO NOT have a DNS record for the CAS array name; if you do, it will slow down the initial Outlook Anywhere connection. Do not use the actual CAS array name (casarray.contoso.local or casarray.contoso.com) as the URL for any virtual directory (OWA, ECP, ActiveSync, EWS, OAB, etc.). Create a different name, such as owa.contoso.local, for the internal URL.



3. If you have ISA/TMG in front, issue a certificate from your internal CA for the back-end Exchange server. The public certificate goes on the ISA/TMG, or on the load balancer if you do SSL offloading.


4. I wouldn't recommend putting the internal server FQDN in the public certificate (and you really don't need to), as this exposes your server name to the outside world.


5. So in a nutshell, the basic names you would need in the certificate are:

owa.contoso.com
autodiscover.contoso.com
legacy.contoso.com (if doing co-existence)
failback.contoso.com (for datacenter failover and failback)
smtp.contoso.com (if secure SMTP is required)
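To put the five rules above into practice, here is an added Exchange Management Shell example (not from the original post). The names owa.contoso.com, casarray.contoso.local, the subject fields and the request path are assumed placeholders; the `$usingWildcard` switch is a hypothetical flag for the wildcard case.

```powershell
# Added example: request the UCC/SAN certificate from rule 5, audit the
# virtual directory URLs against rule 2, and only apply the EXPR setting
# from rule 1 if a wildcard certificate is used anyway.
$usingWildcard = $false   # assumption: set to $true only for a wildcard cert

# Rule 5: names that belong in the request. Internal server FQDNs and the
# CAS array name are deliberately left out (rules 2 and 4).
$sanNames = @(
    "owa.contoso.com",
    "autodiscover.contoso.com",
    "legacy.contoso.com",     # only during co-existence
    "failback.contoso.com",   # only for datacenter failover/failback
    "smtp.contoso.com"        # only if secure SMTP is required
)
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=owa.contoso.com,O=Contoso,C=US" `
    -DomainName $sanNames -PrivateKeyExportable $true
Set-Content -Path "C:\certreq\owa.contoso.com.req" -Value $request

# Rule 2: the CAS array name lives only in RpcClientAccessServer ...
$casArrayNames = Get-MailboxDatabase |
    ForEach-Object { $_.RpcClientAccessServer.ToString().ToLower() } |
    Sort-Object -Unique

# ... so no OWA/ECP/ActiveSync/EWS/OAB URL should reuse it.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory)
foreach ($vdir in $vdirs) {
    foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
        if ($url -and ($casArrayNames -contains $url.Host.ToLower())) {
            Write-Warning ("{0} on {1} uses the CAS array name {2}; " +
                "use a separate name such as owa.contoso.local" -f
                $vdir.Name, $vdir.Server, $url.Host)
        }
    }
}

# Rule 1: with a wildcard certificate, Outlook Anywhere clients must be told
# which certificate principal name to accept.
if ($usingWildcard) {
    Set-OutlookProvider EXPR -CertPrincipalName "msstd:*.contoso.com"
}
```

Run it from the Exchange Management Shell on a 2010 CAS; the warnings list exactly the virtual directories whose URLs would need a new internal name before the certificate is installed.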



This is just based on my understanding and experience. Any comments are highly welcome.
