date: Thu, 15 May 2008 18:01:48 -0500
group: microsoft.public.exchange.setup
Using Microsoft Cert Service for Exchange 2007/IIS
Greetings...
Situation - introducing an Exchange 2007 server to replace an existing 2003
site. Am mid-migration; the problem we are having is with IIS/OWA - the new
server is named postmaster, the external URL is mail.domain.com, locally the
machine is postmaster.domain.com. We requested an IIS cert using the
wizard from the Cert Service running on the network, and can use Outlook
Anywhere to proxy in via Outlook as well as OWA. Problem is that the
server cert is for mail.domain.com, and Outlook 2007 users locally are
getting cert errors because the local name is postmaster.domain.com.
So, we have followed these instructions:
http://tinyurl.com/6sxg9d
To request a certificate with alternate names including mail.domain.com
and postmaster.domain.com - however, when we install this certificate
into IIS, OWA no longer responds via SSL. If we go back to the IIS cert
we got using the Cert wizard, in IIS, it works fine. But, of course, it
thinks it is only mail.domain.com.
What we need is a certificate we can use that will allow our existing
RPC/HTTP, OWA, and Outlook users to connect without error.
We are testing this cert with IIS before running the
Import-ExchangeCertificate command, as we want to make sure it works
before marrying this cert to Exchange (to be honest, the whole cert
process is a mess in Exchange 2007, but I digress). Is running this
command a prerequisite to IIS/OWA working? And if so, what is our
fallback if the import cert doesn't work right? WTF does Exchange even
bloody need this cert?
Sigh... any help appreciated.
Venger
date: Thu, 15 May 2008 18:01:48 -0500
author: Venger
RE: Using Microsoft Cert Service for Exchange 2007/IIS
Hi
why don't you configure a second IIS virtual server?
one with the internal cert, one with the external
and by the way, if you want to use autodiscover you can create a third IIS
virtual server for it.
Henry
"Venger" wrote:
>
> Greetings...
>
> Situation - introducing an Exchange 2007 server to replace an existing 2003
> site. Am mid-migration; the problem we are having is with IIS/OWA - the new
> server is named postmaster, the external URL is mail.domain.com, locally the
> machine is postmaster.domain.com. We requested an IIS cert using the
> wizard from the Cert Service running on the network, and can use Outlook
> Anywhere to proxy in via Outlook as well as OWA. Problem is that the
> server cert is for mail.domain.com, and Outlook 2007 users locally are
> getting cert errors because the local name is postmaster.domain.com.
>
> So, we have followed these instructions:
>
> http://tinyurl.com/6sxg9d
>
> To request a certificate with alternate names including mail.domain.com
> and postmaster.domain.com - however, when we install this certificate
> into IIS, OWA no longer responds via SSL. If we go back to the IIS cert
> we got using the Cert wizard, in IIS, it works fine. But, of course, it
> thinks it is only mail.domain.com.
>
> What we need is a certificate we can use that will allow our existing
> RPC/HTTP, OWA, and Outlook users to connect without error.
>
> We are testing this cert with IIS before running the
> Import-ExchangeCertificate command, as we want to make sure it works
> before marrying this cert to Exchange (to be honest, the whole cert
> process is a mess in Exchange 2007, but I digress). Is running this
> command a prerequisite to IIS/OWA working? And if so, what is our
> fallback if the import cert doesn't work right? WTF does Exchange even
> bloody need this cert?
>
> Sigh... any help appreciated.
>
> Venger
>
>
date: Fri, 16 May 2008 00:49:00 -0700
author: Henry
Re: Using Microsoft Cert Service for Exchange 2007/IIS
Hi
I installed as many as 10-15 Exchange CAS during the last one and a half years,
and most often I did it the way I wrote. And I never had problems doing so.
I don't know a reason why I should change this, because it works. Not only
can you have much cheaper certs (€39,00 at the moment for one year, no
alternative names required in the cert), you also can have a different authentication
mechanism per virtual IIS instance and CAS feature.
You need a dedicated IP per virtual server. That has never been a problem
because these IPs are from the internal scope.
And then it is very easy to create new OWA virtual directories, ActiveSync
directories and whatever you need in your additional instance.
btw.
- OMA doesn't exist anymore, and
- host headers will not work because of SSL
encryption (http://support.microsoft.com/kb/187504)
- other dependencies also don't exist in the new version of Exchange
But of course, if you had bad experiences configuring Exchange this way, you
do not need to follow my recommendations.
A last note on your question in the first post:
as long as you don't delete the self-signed cert from the local computer cert
store, you can fall back to this. To be more secure you could export the cert
including the private key as a kind of backup.
Henry
"Venger" wrote:
> Henry wrote:
> > Hi
> > why don't you configure a second IIS virtual server?
> > one with the internal cert, one with the external
> > and by the way, if you want to use autodiscover you can create a third IIS
> > virtual server for it.
>
> This seems sub-optimal to me - I've seen issues in the past when you
> start duct-taping Exchange and IIS, such as using the oma virtual
> directory, etc., and if I recall they also didn't recommend using named
> headers (i.e. prefer all unassigned requests to specific named instances
> in IIS).
>
> Do you know of a good, thorough setup and discussion of what you are
> recommending?
>
> Thanks for your help,
>
> Venger
>
date: Sat, 17 May 2008 05:48:00 -0700
author: Henry
Re: Using Microsoft Cert Service for Exchange 2007/IIS
Venger wrote:
>
> Greetings...
>
> Situation - introducing an Exchange 2007 server to replace an existing 2003
> site. Am mid-migration; the problem we are having is with IIS/OWA - the new
> server is named postmaster, the external URL is mail.domain.com, locally the
> machine is postmaster.domain.com. We requested an IIS cert using the
> wizard from the Cert Service running on the network, and can use Outlook
> Anywhere to proxy in via Outlook as well as OWA. Problem is that the
> server cert is for mail.domain.com, and Outlook 2007 users locally are
> getting cert errors because the local name is postmaster.domain.com.
>
> So, we have followed these instructions:
>
> http://tinyurl.com/6sxg9d
>
> To request a certificate with alternate names including mail.domain.com
> and postmaster.domain.com - however, when we install this certificate
> into IIS, OWA no longer responds via SSL. If we go back to the IIS cert
> we got using the Cert wizard, in IIS, it works fine. But, of course, it
> thinks it is only mail.domain.com.
>
> What we need is a certificate we can use that will allow our existing
> RPC/HTTP, OWA, and Outlook users to connect without error.
>
> We are testing this cert with IIS before running the
> Import-ExchangeCertificate command, as we want to make sure it works
> before marrying this cert to Exchange (to be honest, the whole cert
> process is a mess in Exchange 2007, but I digress). Is running this
> command a prerequisite to IIS/OWA working? And if so, what is our
> fallback if the import cert doesn't work right? WTF does Exchange even
> bloody need this cert?
>
> Sigh... any help appreciated.
To follow up, the URL
http://blogs.technet.com/industry_insiders/pages/creating-subject-alternative-name-certificates-with-microsoft-certificate-server.aspx
works like a champ, and the ONLY way I could get it going was to do the
Import-ExchangeCertificate step in Exchange, and all that did was put it
in the local computer Personal store, where it was available for IIS.
Went to the IIS default web site, Security, and told it to select another
certificate, and bam - working.
Venger
date: Wed, 21 May 2008 19:09:34 -0500
author: Venger
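An added check for the step Venger describes (this is example code, not from the thread and not Exchange's own tooling): once the SAN certificate is in the local computer Personal store, list what is there and flag the certificate IIS can actually serve under both names, i.e. one that carries mail.domain.com and postmaster.domain.com as DNS names, has its private key attached, and is inside its validity period. A certificate that shows up in the store without its private key cannot serve SSL at all, which is worth ruling out before blaming the SAN request. The two host names are taken from the thread and the function names are my own; the "DNS Name=" label assumes an English Windows install.

```powershell
# Added example, not from the thread. Inspects Cert:\LocalMachine\My (the
# local computer Personal store, where Import-ExchangeCertificate placed the
# cert in Venger's case) for a certificate usable on the IIS SSL binding.
# Host names below are the thread's; replace them with your own.
$RequiredNames = @('mail.domain.com', 'postmaster.domain.com')

function Get-CertDnsNames {
    # Returns the subject CN plus every "DNS Name=" entry from the Subject
    # Alternative Name extension (OID 2.5.29.17).
    param($Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        Select-Object -First 1
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=mail.domain.com"
        foreach ($line in [regex]::Split($san.Format($true), '\r?\n')) {
            if ($line -match 'DNS Name=([^\s,]+)') { $names += $matches[1] }
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-OwaCertificate {
    # One row per certificate: which required names are missing, whether the
    # private key is present (without it SSL cannot be served even though the
    # cert is listed in IIS), and whether the cert is currently valid.
    param($Cert, [string[]]$Required)
    $names   = @(Get-CertDnsNames $Cert)
    $missing = @($Required | Where-Object { $names -notcontains $_ })
    $now     = Get-Date
    $valid   = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
    $row = '' | Select-Object Thumbprint, Subject, DnsNames, HasPrivateKey, MissingNames, Valid, UsableForOwa
    $row.Thumbprint    = $Cert.Thumbprint
    $row.Subject       = $Cert.Subject
    $row.DnsNames      = [string]::Join(', ', [string[]]$names)
    $row.HasPrivateKey = $Cert.HasPrivateKey
    $row.MissingNames  = [string]::Join(', ', [string[]]$missing)
    $row.Valid         = $valid
    $row.UsableForOwa  = $Cert.HasPrivateKey -and $valid -and ($missing.Count -eq 0)
    return $row
}

# Usable certificates sort to the top; anything else shows why it fails.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OwaCertificate $_ $RequiredNames } |
    Sort-Object UsableForOwa -Descending |
    Format-Table -AutoSize Thumbprint, UsableForOwa, HasPrivateKey, Valid, MissingNames
```

Run it in an elevated PowerShell on the CAS after the import; the thumbprint of the row marked UsableForOwa is the one to pick in the IIS certificate dialog (and the one to pass to Enable-ExchangeCertificate later).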