Exchange 2007 CAS certificates without host names?

 02 Jul 2008 12:35:34 pm

I've made statements in the past regarding which names are required on your CAS certificates, and I sometimes get funny responses when I state that you don't need the internal NetBIOS/FQDN host names on the certificate. The fact is that, depending on your deployment, they may not be required (and in fact there are some arguably good reasons to leave them off). So if you're interested, here is how it's done in more detail; for the sake of this discussion I'm going to focus on the CAS role only.

The names to use on the cert for this example are and the second is (and those are the only names used). External connectivity is through ISA, which has the CASes published as a web farm; internally the CASes are shared using a load balancer. Both use the same certificate. All services are published using a SINGLE listener in ISA. Split-brain DNS lets internal and external clients each end up where they need to be.

Let's have a look at the setup:

First, for those who are familiar with the autodiscovery process: domain-joined/domain-connected Outlook clients query AD for the SCP records used for autodiscovery, and AD returns a list of in-site and out-of-site CAS URIs that Outlook can use for autodiscovery (for non domain-joined/domain-connected clients is used first). The records for the CASes are published by Exchange based on the AutoDiscoverServiceInternalUri:
>Get-ClientAccessServer | fl autodiscoverserviceinternalURI
AutoDiscoverServiceInternalUri :

This was done on all CASes in your "internet site" (the ones behind the load balancer); the net result is that Outlook gets X SCP records (where X equals the number of CASes) that all point to the same place (the load balancer).

Next I need to make sure EWS uses the right URLs so that Availability, etc. work correctly:
>Get-WebServicesVirtualDirectory | fl internalURL, externalURL
InternalUrl :
ExternalUrl :

The rest of the URL configuration for things like OWA, OAB, etc. can all be done from the Management Console:
>Get-OwaVirtualDirectory "owa (Default Web Site)" | fl internalURL,externalURL
InternalUrl :
ExternalUrl :
>Get-OabVirtualDirectory | fl internalURL, externalURL
InternalUrl :
ExternalUrl :
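
A way to check the result of the configuration above, as an added example that is not from the original post: it takes the host name from every URL the cmdlets shown here return and lists any host that the IIS-enabled certificate does not cover. The function names and the example.com sample values are hypothetical placeholders (not the names used in the post), and it assumes the certificate names are read from the CertificateDomains property of Get-ExchangeCertificate.

```powershell
# Added example. Function names are hypothetical; sample values are constructed.
function Test-NameOnCertificate([string]$HostName, [string[]]$CertNames) {
    $dot = $HostName.IndexOf('.')
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }          # -eq ignores case
        # A wildcard entry (*.example.com) covers exactly one left-most label.
        if ($name.StartsWith('*.') -and $dot -gt 0) {
            if ($HostName.Substring($dot) -eq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

# Returns the distinct hosts found in $Urls that no certificate name covers.
function Get-UncoveredHost([object[]]$Urls, [string[]]$CertNames) {
    $Urls | Where-Object { $_ } |                          # skip unset URLs
        ForEach-Object { ([System.Uri]"$_").Host } |
        Sort-Object -Unique |
        Where-Object { -not (Test-NameOnCertificate $_ $CertNames) }
}

# Constructed sample: one virtual directory still points at a server name.
$sampleUrls  = 'https://mail.example.com/EWS/Exchange.asmx',
               'https://autodiscover.example.com/Autodiscover/Autodiscover.xml',
               'https://cas01.corp.example.local/OAB'
$sampleNames = 'mail.example.com', 'autodiscover.example.com'
Get-UncoveredHost $sampleUrls $sampleNames

# Live check; runs only where the Exchange Management Shell cmdlets are loaded.
if (Get-Command Get-ClientAccessServer -ErrorAction SilentlyContinue) {
    $urls  = @(Get-ClientAccessServer |
                 ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    $urls += @(Get-WebServicesVirtualDirectory |
                 ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    $urls += @(Get-OwaVirtualDirectory |
                 ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    $urls += @(Get-OabVirtualDirectory |
                 ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    # Names on the certificate(s) enabled for IIS.
    $names = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" }
    Get-UncoveredHost $urls $names
}
```

Any host the live check prints is a name clients are being directed to that is not on the certificate, so either the URL or the certificate needs to change.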

For those who want a nice visual of how Outlook builds the profile using AutoDiscovery internally versus externally I've included a couple of slides from TechEd last year as a reference:


Posted By : Erik | Category: Exchange
