
09/15/2009

Comments


Justin Moore

It works fine like that on a SonicWALL as well, as long as you're in the habit of creating a DNS loopback entry when doing your NAT rules.

DWHunter

Justin--

Awesome! Thanks. So, Cisco = good. Sonicwall = good. Any ISA people care to comment?

--DW

Dan McCoy

Any reason you couldn't user split DNS to accomplish the same thing?

none

Dan--

User split? I assume you meant "use split" :)

Well, you COULD use split-brain DNS - and have "autodiscover.domain.local" on the inside and "autodiscover.domain.com" on the outside... but that would defeat the purpose of a single SSL cert... and you'd still need UCC because domain.local/domain.com are different "names"

What did you mean?

--DW

David Szpunar

I haven't finished setting up Exchange 2007 yet, but I actually created in my AD DNS servers a primary zone named ssl.lakeviewchurch.org and pointed it (the root record) to my internal ISA 2004 gateway IP address. On ISA I edited the HOSTS file to add a record mapping my internal Exchange IP to the same ssl.lakeviewchurch.org address. So a client on the LAN gets the ISA IP for ssl.lakeviewchurch.org (or the external ISA IP is returned by DNSMadeEasy external DNS for the same request, as a subdomain with an A record).

The ISA publishing rules forward OWA traffic to ssl.lakeviewchurch.org (so the certs match up--same SSL cert installed on ISA and on the Exchange server) which ISA thinks is the LAN Exchange IP. Tada! Same name, works internally and externally for OWA, one certificate (with Exchange 2003 and, experimentally since I'm experimenting today, Exchange 2007).

Supposedly, add the autodiscover SRV records (both to the internal and external DNS servers) like you did and it should work fine.

SMTP hits the Exchange box through ISA by IP as a published server, so DNS doesn't even come into play there.

Dan McCoy

Ok, since I am trying to do this again and my pea brain forgot you had this post and I even commented on it... :-) I'll answer your question. Split DNS is necessary when (like in our situation) the INTERNAL domain and EXTERNAL domain are the same (i.e. both abcde.com). Don't ask - I inherited it. Since my ftp and website are not onsite and www.abcde.com searches internal DNS first (when onsite) then I have an A record entry in my internal DNS to point www. and ftp. to external hosts. Using this same concept I can accomplish the DNS rewrite at the DNS server level instead of the gateway.

DW Hunter

Dan--

Gotcha. Been there. Autodiscover / DNS rewriting / joy :)

--DW

Sole Viktor

Thanks for the information. Any experience with this setup and mobile phones, ActiveSync, Windows Mobile, Mail for Exchange, etc.?

Since this will only work with Outlook 2007 with the hotfix installed or Service Pack 1, I am just guessing that mobile clients might not work with this, or?

As a side note for cheap single-name SSL certificates, I can recommend AlphaSSL as a cheap substitute for RapidSSL that is also mobile compatible.

DW Hunter

Hey Sole--

This same setup works just fine with iPhones, Android, even Palm mobile phones. It works just fine with Exchange 2007 & also Exchange 2010. I never implemented Exchange 2007 pre-SP1 so I cannot speak to that.

I can also verify this works just fine with Outlook Anywhere, and Entourage / mail.app on MacOS.

--DW

Luis Chen

Hi,
I'm having issues only when connecting Outlook 2007 via IMAP4 or POP3. I get a certificate error "Target name principal name is incorrect". I did not create an SRV record, because my domain registrar could not allow it. Will this SRV record be enough and spare me from buying a UCC/SAN certificate? Thanks!

johny

Such a detailed discussion, and very useful when one needs to buy a UCC certificate for their Exchange server. Recently one of my clients who is using a GoDaddy UCC certificate asked me to replace it with another, lower-priced UCC certificate.

I searched online for a GoDaddy alternative provider and landed on this detailed comparison by Scott: https://www.ssl2buy.com/wiki/ucc-exchange-ssl-certificates-comodo-vs-digicert-vs-godaddy/

I had never heard about SSL2buy, but it seems legit from my initial findings. Does anyone have experience with this brand? Should I use their product for my client?

Please suggest!
