I've had this conversation several times recently. I thought I'd take time to blog about it. It shouldn't take very long.
MYTH: You need to buy a UCC SSL Certificate in order to use Exchange 2007
What is a UCC SSL Certificate? In essence, it is a single certificate that covers multiple common names / domains (listed as Subject Alternative Names) - unlike a "wildcard" certificate, where every secured name shares the same root domain.
Here's what we do, and what I've done for a dozen or more Exchange 2007 installs over the last couple of years. Three easy steps :)
Step 1 - SSL Certificate
I buy my SSL certificates from Rapid SSL Online. Why? They are rapid, and relatively cheap. They aren't the cheapest I'm sure, but I can go from CSR to Certificate install in about 3 minutes. That's rapid and worth it to me. And, it's less than $20 for an SSL cert. So, you're gonna follow your "normal" SSL procedures to get a certificate installed on IIS to work with Exchange OWA/Outlook Anywhere/etc. - no, I'm not going to walk you through this. You can find tons of documentation out there.
Our mail server is SSL secured via the FQDN/CN of "mail01.lifechurch.tv." even though our internal domain is NOT "lifechurch.tv" - it doesn't matter. SSL Secure yourself based on the FQDN you want your OWA/Outlook Anywhere clients to use.
Step 2 - What about Auto Discover? How do I configure DNS then?
Well, this is the part that I believe leads to the myth. Many "early" Exchange 2007 adopters had to use UCC to handle the certificate issues that arose with a DNS "A" record of autodiscover.domain.com - but that is no longer the case, and hasn't been for about two years now. You can read about it on the Exchange Team Blog or in the actual TechNet white paper from October 2007.
So, what does that mean? How do I handle autodiscover without UCC?
Internal/AD DNS
I create a DNS SRV record pointing to "mail01.lifechurch.tv" - because that's how my SSL certificate works. It looks like this:
_autodiscover._tcp.domain.com - SRV record, port 443 (TCP), pointing to mail01.lifechurch.tv
External/Public DNS
I create a similar DNS SRV record under the "lifechurch.tv" DNS zone. I use DNS Made Easy - it's awesome. Here's what it looks like:
Look familiar? It's identical to the one above it.
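As an added illustration (not code from the post), here is a small Python model of the lookup order Outlook 2007 SP1 follows for Autodiscover, per the white paper the post links: the e-mail domain itself, then autodiscover.<domain> over HTTPS, then an HTTP redirect, and finally the SRV record. It goes one step beyond the post by also modelling the HTTP-redirect method from that white paper; the zone records, certificate names and host sets below are constructed.

```python
"""Model of the Outlook 2007 SP1 Autodiscover lookup order and the
certificate-name check each step implies.  Added illustration, not code
from the original post; all zone data and certificate names are constructed."""

SRV_PREFIX = "_autodiscover._tcp."


def _records(zone, name, rtype):
    # zone: dict of lowercase record name -> list of (type, data) tuples
    return [data for t, data in zone.get(name.lower(), []) if t == rtype]


def autodiscover_candidates(domain, zone):
    """Endpoints Outlook tries, in order: https://<domain>,
    https://autodiscover.<domain>, an HTTP redirect from
    http://autodiscover.<domain>, and finally the SRV record target."""
    tries = []
    if _records(zone, domain, "A"):
        tries.append(("https", domain, 443))
    adhost = f"autodiscover.{domain}"
    if _records(zone, adhost, "A"):
        tries.append(("https", adhost, 443))
        tries.append(("http", adhost, 80))
    # SRV data is (priority, weight, port, target); lowest priority first.
    for _prio, _weight, port, target in sorted(_records(zone, SRV_PREFIX + domain, "SRV")):
        tries.append(("https", target.rstrip(".").lower(), port))
    return tries


def cert_covers(cert_names, host):
    """Hostname match as a client does it: exact, or a one-label wildcard."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]:
            return True
    return False


def working_endpoint(domain, zone, cert_names, serving, redirects=None):
    """First candidate that succeeds.  `serving` is the set of hosts that
    answer Autodiscover; `redirects` maps an HTTP host to the HTTPS host it
    redirects to.  Failed candidates are skipped, as Outlook does."""
    redirects = redirects or {}
    for scheme, host, port in autodiscover_candidates(domain, zone):
        if scheme == "http":
            host = redirects.get(host)
            if host is None:
                continue
            port = 443
        if host in serving and cert_covers(cert_names, host):
            return ("https", host, port)
    return None
```

With the SRV layout from the post, the only name that has to be on the certificate is the SRV target, which is why a single-name certificate for mail01 is enough; an A record for autodiscover.<domain> instead requires that name on the certificate (a UCC) or an HTTP redirect.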
Step 3 - DNS Doctoring/Rewriting
This is where you may run into problems. I use a Cisco ASA Cluster for my firewall. When I create my NAT entries, I have the opportunity to rewrite the DNS resolution. Let me explain.
From my house, if I ping mail01.lifechurch.tv - I get a public 12.x.x.x address.
From inside my network, behind my firewall using DNS Doctoring - I get a 10.x.x.x address. I'm not using split-brain DNS. I'm using DNS Made Easy. The Cisco ASA rewrites that. All it takes is a single firewall command.
static (Inside,Outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255 dns
That's it. That static NAT entry, combined with the "dns" attribute, will handle the rewrite for me.
I know some of you may be using Microsoft ISA, or Sonicwall, or other firewalls. I'm not sure if they will handle this rewrite for you. I've heard of people using hosts files to handle that, and that may work for you. But, for Cisco firewalls, it's a single command - built-in functionality.
Anyway, that's that for today's episode of Exchange 2007 UCC/SSL MYTH-busters :)
It works fine like that on a SonicWALL as well as long as you're in the habit of creating a DNS loopback entry when doing your NAT rules.
Posted by: Justin Moore | September 15, 2009 at 06:16 PM
Justin--
Awesome! Thanks. So, Cisco = good. Sonicwall = good. Any ISA people care to comment?
--DW
Posted by: DWHunter | September 15, 2009 at 06:18 PM
Any reason you couldn't user split DNS to accomplish the same thing?
Posted by: Dan McCoy | September 15, 2009 at 06:28 PM
Dan--
User split? I assume you meant "use split" :)
Well, you COULD use split-brain DNS - and have "autodiscover.domain.local" on the inside and "autodiscover.domain.com" on the outside... but that would defeat the purpose of a single SSL cert... and you'd still need UCC because domain.local/domain.com are different "names"
What did you mean?
--DW
Posted by: | September 15, 2009 at 09:11 PM
I haven't finished setting up Exchange 2007 yet, but I actually created in my AD DNS servers a primary zone named ssl.lakeviewchurch.org and pointed it (the root record) to my internal ISA 2004 gateway IP address. On ISA I edited the HOSTS file to add a record mapping my internal Exchange IP to the same ssl.lakeviewchurch.org address. So a client on the LAN gets the ISA IP for ssl.lakeviewchurch.org (or the external ISA IP is returned by DNSMadeEasy external DNS for the same request, as a subdomain with an A record).
The ISA publishing rules forward OWA traffic to ssl.lakeviewchurch.org (so the certs match up--same SSL cert installed on ISA and on the Exchange server) which ISA thinks is the LAN Exchange IP. Tada! Same name, works internally and externally for OWA, one certificate (with Exchange 2003 and, experimentally since I'm experimenting today, Exchange 2007).
Supposedly, add the autodiscover SRV records (both to the internal and external DNS servers) like you did and it should work fine.
SMTP hits the Exchange box through ISA by IP as a published server, so DNS doesn't even come into play there.
Posted by: David Szpunar | September 18, 2009 at 03:28 PM
Ok, since I am trying to do this again and my pea brain forgot you had this post and I even commented on it... :-) I'll answer your question. Split DNS is necessary when (like in our situation) the INTERNAL domain and EXTERNAL domain are the same (i.e. both abcde.com). Don't ask - I inherited it. Since my ftp and website are not onsite and www.abcde.com searches internal DNS first (when onsite) then I have an A record entry in my internal DNS to point www. and ftp. to external hosts. Using this same concept I can accomplish the DNS rewrite at the DNS server level instead of the gateway.
Posted by: Dan McCoy | December 07, 2009 at 06:24 PM
Dan--
Gotcha. Been there. Autodiscover / DNS rewriting / joy :)
--DW
Posted by: DW Hunter | December 10, 2009 at 02:59 PM
Thanks for the information, any experience with this setup and mobile phones, ActiveSync, Windows Mobile, Mail for Exchange, etc. ?
Since this will only work with Outlook 2007 with the hotfix installed or service pack 1, I am just guessing that mobile clients might not work with this or ?
As a sidenote for cheap single name SSL certificates, I can recommend AlphaSSL as a cheap substitute for RapidSSL that is also mobile compatible.
Posted by: Sole Viktor | July 22, 2010 at 07:15 PM
Hey Sole--
This same setup works just fine with iPhones, Android, even Palm mobile phones. It works just fine with Exchange 2007 & also Exchange 2010. I never implemented Exchange 2007 pre-SP1 so I cannot speak to that.
I can also verify this works just fine with Outlook Anywhere, and Entourage / mail.app on MacOS.
--DW
Posted by: DW Hunter | July 24, 2010 at 05:01 PM