Recently one of our engineers ran into the task of minimizing the number of SAN names in a client's Exchange certificate (the certificate is a paid commercial one, and there is no TMG in front of Exchange, so the same certificate serves both internal and external users).
They have an NLB cluster, and the AD domain name does not match the external one (contoso.local versus contoso.ru). Ideally the certificate would contain:
1. mail.contoso.ru (external FQDN)
2. autodiscover.contoso.ru
3. cashub1.contoso.local (internal FQDN for InternalNLBBypassUrl, SMTP and UM)
4. cashub2.contoso.local (internal FQDN for InternalNLBBypassUrl, SMTP and UM)
5. cashubnlb.contoso.local (FQDN of the ClientAccessArray and for the InternalUrls)
6. mail (short name, to save typing)
7. cashub1 (short name, to save typing)
8. cashub2 (short name, to save typing)
Eight names in total, which is very expensive!
Let's go:
1. Short names can be dropped right away, because one should not get lazy when typing an address! (Officially, a server's own name is not required in the certificate unless you log on to that server directly; see blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx.)
2. We set up Split DNS and point every InternalUrl, as well as AutoDiscoverServiceInternalUri, at mail.contoso.ru instead of cashubnlb.contoso.local.
3. For the ClientAccessArray we keep cashubnlb.contoso.local. Using the same value as for HTTPS is not recommended, because Outlook would then be slow from outside. The array name does not need to be in the certificate at all: it is used for MAPI (RPC) connections, which do not use SSL. The CAS array FQDN should not be the same as the Outlook Anywhere (HTTPS) FQDN; doing this (using the same FQDN) will result in significant Outlook Anywhere timeouts/delays for external users (reference: -9152992dd598).
4. If we create an Autodiscover SRV record, the autodiscover name need not be in the certificate at all (the SRV record sends clients to a host name that is already present in the certificate, so no separate autodiscover.xxx.org entry is required). But that is going too far...
5. For the SMTP and UM services a self-signed or internal CA certificate can be used, so the internal FQDNs can be dropped.
6. Since InternalNLBBypassUrl still points to the internal FQDN, which is no longer in the certificate, ExBPA will complain about it, but this does not affect operation (see social.technet.microsoft.com/Forums/da-DK/exchangesvradmin/thread/54d2c3ae-3a12-4cbd-9ea1-70832e1b593a).
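The steps above collected into one Exchange Management Shell script, as an added example that is not from the original post. The server names, URLs and domain names are the ones the post uses; the DNS server name, the internal NLB IP address, the AD site name, the certificate subject and the file paths are assumed placeholders, and the cmdlets are the Exchange 2010 ones (the post does not state the Exchange version). Run it in the Exchange Management Shell on one of the CAS servers, after the internal contoso.ru zone has been created on the internal DNS server.

```powershell
# Added example (not from the original post): consolidating Exchange 2010 URLs onto
# the two names that stay in the certificate. Names below marked "assumed" are placeholders.

$CasServers    = 'cashub1', 'cashub2'            # from the post
$PublicName    = 'mail.contoso.ru'               # from the post
$ArrayFqdn     = 'cashubnlb.contoso.local'       # from the post
$DnsServer     = 'dc1.contoso.local'             # assumed internal DNS server
$NlbInternalIP = '192.168.1.10'                  # assumed internal NLB VIP
$AdSite        = 'Default-First-Site-Name'       # assumed AD site name

# Step 2: Split DNS. Inside the network the public name resolves to the internal NLB VIP,
# so internal clients reach Exchange through a name that is in the certificate.
dnscmd $DnsServer /RecordAdd contoso.ru mail A $NlbInternalIP

# Step 2 (continued): every InternalUrl and the Autodiscover URI use the public name.
foreach ($cas in $CasServers) {
    Set-OwaVirtualDirectory        -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$PublicName/owa"
    Set-EcpVirtualDirectory        -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$PublicName/ecp"
    Set-OabVirtualDirectory        -Identity "$cas\OAB (Default Web Site)" -InternalUrl "https://$PublicName/OAB"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
                                   -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
    # Step 6: InternalNLBBypassUrl keeps the server's own internal FQDN. That name is not in the
    # certificate, so ExBPA will warn about it; this does not break anything.
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
                                    -InternalUrl "https://$PublicName/EWS/Exchange.asmx" `
                                    -InternalNLBBypassUrl "https://$cas.contoso.local/EWS/Exchange.asmx"
    Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $PublicName
}

# Step 3: the CAS array keeps its own internal FQDN. MAPI/RPC does not use the SSL certificate,
# and the array FQDN must differ from the HTTPS name to avoid Outlook Anywhere delays outside.
New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $AdSite
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $ArrayFqdn

# Step 4 (optional, the post considers it overkill): an SRV record in the contoso.ru zone lets
# Autodiscover work without autodiscover.contoso.ru in the certificate at all.
# dnscmd $DnsServer /RecordAdd contoso.ru _autodiscover._tcp SRV 0 0 443 $PublicName

# Request a certificate carrying only the two remaining names (subject fields assumed).
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
               -SubjectName "CN=$PublicName, O=Contoso, C=RU" `
               -DomainName $PublicName, 'autodiscover.contoso.ru'
Set-Content -Path 'C:\certreq\mail_contoso_ru.req' -Value $request   # path assumed

# After the CA returns the certificate: bind it to IIS only. Step 5: SMTP and UM stay on the
# existing self-signed certificate, so no internal FQDN has to be in the paid certificate.
$publicCert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certreq\mail_contoso_ru.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $publicCert.Thumbprint -Services IIS

# Check: the IIS certificate should list exactly two names, and SMTP should still be on the self-signed one.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, CertificateDomains -AutoSize
```

The final `Get-ExchangeCertificate` line is the check worth keeping: if `CertificateDomains` on the IIS-bound certificate shows more than `mail.contoso.ru` and `autodiscover.contoso.ru`, or if `Services` on it includes SMTP, a step above was skipped. The SRV line is commented out because the post treats it as going too far; if it is used, the same record also has to exist in the public contoso.ru zone for external clients.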
After these simple manipulations we are left with:
1. mail.contoso.ru (external FQDN)
2. autodiscover.contoso.ru
That's it!