SSL certificates for multiple exchange 2010 servers

Discussion in 'Software' started by Theprof, Jun 16, 2011.

  1. Theprof

    Theprof Petabyte Poster

    I am just curious about Exchange 2010 SSL certificates.

    I have two servers that host the Exchange server, basically for redundancy...

    Exch1 and Exch2

    I am looking to generate the certificate request for GoDaddy, so my question is: do I need to generate a request for each server, i.e. Exch1 and Exch2, or is one SSL certificate request enough if I incorporate the FQDNs and the NetBIOS names of both servers?

    I am using the Exchange PowerShell command to do this.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  2. Sparky

    Sparky Zettabyte Poster Moderator

    ...should be fine with this mate.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. craigie

    craigie Terabyte Poster

    One SAN SSL cert is fine, mate.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. Theprof

    Theprof Petabyte Poster

    Cool, thanks guys... it's what I thought.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  5. craigie

    craigie Terabyte Poster

    Don't forget to include your DAG name as well, mate, and items such as autodiscover.domainname.local.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. Theprof

    Theprof Petabyte Poster

    The DAG for sure... but isn't Autodiscover for Outlook Anywhere? We're not going to use it... unless it's best to have it just in case?
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  7. craigie

    craigie Terabyte Poster

    Not just for Outlook Anywhere; it is also used by internal clients to locate the Exchange server, and leaving it out can cause certificate issues and lots of crap.

    Best to include it, mate; makes for an easy life.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. Phoenix

    Phoenix 53656e696f7220 4d6f64

    I blogged about this JUST yesterday haha
    Exchange 2010 Namespace considerations

    Carefully plan your namespace before buying certs. GoDaddy are pretty good at not always charging you PER SAN like some CAs do. Also seriously consider a proper split-DNS configuration; NetBIOS names really have no place being used.

    Edit: Autodiscover is used by OA, EAS, internal clients, etc.

    Edit again: how are you handling the CAS set-up? Is it set up as a CAS array? You can only have one CAS system per AD site, be it a single server or a CAS array. If there is a CAS array there are two other names to consider: the AD entry for the ClientAccessServer and the Network Load Balancer cluster name.
    While people often use the same, these are different names! Outlook clients don't use the load balancer for MAPI connections, so the ClientAccessServer name does not require anything special in the cert,
    and you could put the friendly name of the Load Balancer VIP to match your external configuration in a split-DNS setup.

    i.e.
    external
    mail.mycompany.com -> hits ISA/TMG -> Load Balancer
    internal
    mail.mycompany.com -> hits Load Balancer

    The ExternalURL configuration on all your EX virtual directories needs to be mapped for that.
     
    Last edited: Jun 16, 2011
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
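As an added example (not from the thread or from any of the posters), here is the Exchange Management Shell sequence that ties the advice above together: one SAN request covering the shared namespace plus both CAS hosts, the same certificate installed on both servers, and the virtual-directory URLs mapped to the name in the certificate as Phoenix describes. All host and domain names, the organisation name and the C:\certs paths are assumed placeholders; the cmdlets and parameters are Exchange 2010's own.

```powershell
# Added example, not from the thread. Placeholders (assumptions): mycompany.com /
# mycompany.local, exch1 / exch2, "Contoso", C:\certs. Run on Exch1 in the
# Exchange Management Shell.

# One SAN list for the whole deployment. The thread disagrees on DAG/NetBIOS
# names, so only the entries the posts agree on (shared name, Autodiscover,
# each CAS FQDN) are listed here; add others to suit your namespace plan.
$names = @(
    "mail.mycompany.com",            # shared client name in front of the load balancer
    "autodiscover.mycompany.com",    # Autodiscover for external clients
    "autodiscover.mycompany.local",  # internal Autodiscover (split-DNS)
    "exch1.mycompany.local",         # CAS host FQDNs
    "exch2.mycompany.local"
)

# 1. One CSR: CN is the primary name, every entry in $names becomes a SAN.
$csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "C=US, O=Contoso, CN=mail.mycompany.com" -DomainName $names
Set-Content -Path "C:\certs\mail.req" -Value $csr      # submit this file to the CA (GoDaddy)

# 2. Import the signed certificate the CA returns and bind it to IIS and SMTP.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\mail.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 3. Export it WITH the private key (PFX) so the identical cert goes onto Exch2.
$pfxPassword = Read-Host -AsSecureString "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\mail.pfx" -Value $pfx.FileData -Encoding Byte
# On Exch2: Import-ExchangeCertificate -FileData ([Byte[]](Get-Content "C:\certs\mail.pfx" -Encoding Byte -ReadCount 0)) -Password $pfxPassword
#           then the same Enable-ExchangeCertificate line as above.

# 4. Split-DNS: internal and external URLs use the same name, on both CAS servers.
$base = "https://mail.mycompany.com"
foreach ($srv in "exch1", "exch2") {
    Set-OwaVirtualDirectory         "$srv\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Set-EcpVirtualDirectory         "$srv\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Set-WebServicesVirtualDirectory "$srv\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    Set-OabVirtualDirectory         "$srv\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Set-ActiveSyncVirtualDirectory  "$srv\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer $srv -AutodiscoverServiceInternalUri "https://autodiscover.mycompany.local/Autodiscover/Autodiscover.xml"
}

# 5. Check: every name clients will connect to must appear in CertificateDomains.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

Any name a client resolves that is missing from CertificateDomains is exactly the "certificate issues" craigie mentions, so compare that list against the URLs set in step 4 before going live.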
  9. Theprof

    Theprof Petabyte Poster

    Craigie and Phoenix, thanks again! Ryan, I bookmarked the page as it was very helpful! Learn something new every day! You see, this is why I need the consulting gig... you learn so much ;)
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  10. craigie

    craigie Terabyte Poster

    Can you not just use DNS round robin to manually load balance? I know if a server dies it will continue to try and look it up, but you could update DNS manually in this scenario?

    Or what about Windows Network Load Balancing?

    We are doing our first load-balanced CAS role soon on the same LAN; we do have multiple CAS servers, but these are in different sites for DR only.

    Be interested to know your thoughts on the best method, mate.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. Phoenix

    Phoenix 53656e696f7220 4d6f64

    Windows load balancing counts as a load balancer.
    It is not ideal in all scenarios and has limitations, but works for plenty of people.
    You cannot, however, mix NLB and DAG on the same systems, which is why most Exchange deployments are four nodes (2x DAG, 2x CAS/HUB).
    Round robin is far from recommended.
    Far far far from recommended lol

    Understanding Load Balancing in Exchange 2010: Exchange 2010 SP1 Help
    Exchange Team no longer recommend Windows NLB for Client Access Server Load Balancing | Steve Goodman's Exchange Blog
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  12. Shinigami

    Shinigami Megabyte Poster

    Phoenix is correct.

    But the reasoning is a lot more complex. The cert advice he gave looks good, but I'm a little too tired and buzzed to look deeply into it.

    Regarding load balancing, it all boils down to give-and-take situations. Exchange works best if users experience consistency. They will not if using DNS round robin and one CAS fails. Windows NLB is not bad, but you can't run it on a multi-role server running a DAG mailbox server. Thus, an HLB is recommended. They can be had for a few thousand bucks now (and can further be used for Lync etc.).

    The latest MS recommendation is to collocate all three roles on a single server, but... you need an HLB (avoid DNS round robin for your own good). Might seem like a pain, but the 2k HLB is cheaper than 4 servers (2 CAS+Hub & 2 MB) vs 2 multi-role (all 3 roles).
     
    Last edited: Jun 16, 2011
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  13. Theprof

    Theprof Petabyte Poster

    My colleague took over the Exchange setup as I was asked to set up and configure SharePoint 2010, as I seem to have more experience with it... However, I am not sure if we have a CAS array... I would have to double-check with him. He asked me to help him with the SSL certs stuff, so here I am.

    As for split-DNS, we did see it as a good practice and I think he was looking into it. Again, I would have to ask him where he's at... But these are all good pointers. I will look into them and relay the message on to him.

    Thanks Ryan.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  14. Phoenix

    Phoenix 53656e696f7220 4d6f64

    That's simply not true, Shinigami.
    Most customers are deploying these virtually, and the cost is marginal compared to what 4 physical servers would be, so the 2x load balancers hit the bottom line and spike the project's cost.

    I have no problem positioning hardware load balancers, I think they are awesome, but let's not use MS math to make it a done deal.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
