Exchange 2010 CAS Failover from Internet Facing site to Non-Internet Facing Site - Certificate Issue

  • Thread starter: Animesh S
  • Views: 1,805
Status
Not open for further replies.

Animesh S

I am currently deploying a 3 AD/Physical site Exchange 2010 environment, where

1) There is only 1 AD site that faces the internet, and the certificate is configured with the CAS array and server FQDNs of that site only.

2) The mailbox server holds replicas of all the mailboxes in the environment. The other 2 sites have only 1 DB each, again in a DAG configuration.

3) The regional sites' CAS server names are not included in the SAN certificate, and that can't be done before a year is over and we have to renew the cert.

Now the issue is that when I fail over databases to the regional sites during a maintenance window, the users get a certificate error (as the regional CAS servers are using self-signed certificates). They can connect to the mailboxes fine, but the certificate pop-up is annoying and users will complain later.

Secondly, I see that I can probably alleviate this problem by applying the SAN cert on the regional servers and using the following command.

Set-OutlookProvider EXPR -CertPrincipalName "msstd:mail.contoso.com"

What I don't know is how the Outlook clients will react. Can anyone tell me how to configure failover in such situations?
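As an added check that is not part of the original post: before a planned failover, this script (assumed cmdlet output from Get-ClientAccessServer, Get-ExchangeCertificate and Get-OutlookProvider in the Exchange Management Shell) lists, per CAS, whether the certificate bound to IIS is self-signed and whether it actually contains the name set as the EXPR CertPrincipalName, so a server that will trigger the pop-up is found before users hit it.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# The msstd: value is what Outlook Anywhere clients compare against the
# principal name of the certificate the CAS presents.
$expr     = Get-OutlookProvider EXPR
$expected = $expr.CertPrincipalName -replace '^msstd:', ''
# Wildcard form of the expected name, e.g. mail.contoso.com -> *.contoso.com
$wildcard = $expected -replace '^[^.]+', '*'

$report = foreach ($cas in Get-ClientAccessServer) {
    # Only the certificate assigned to the IIS service matters for Outlook.
    $certs = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { $_.Services -match 'IIS' }

    foreach ($cert in $certs) {
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        # Covered if the exact name or its one-label wildcard is in the SAN list.
        $covers  = [bool]($domains | Where-Object { $_ -eq $expected -or $_ -eq $wildcard })

        if ($cert.IsSelfSigned)  { $issue = 'self-signed: clients will warn' }
        elseif (-not $covers)    { $issue = "SAN list does not contain $expected" }
        elseif ($cert.NotAfter -lt (Get-Date)) { $issue = 'expired' }
        else                     { $issue = 'OK' }

        # New-Object keeps the script usable on the PowerShell 2.0 shell of Exchange 2010.
        New-Object PSObject -Property @{
            Server     = $cas.Name
            Thumbprint = $cert.Thumbprint
            SelfSigned = $cert.IsSelfSigned
            Covers     = $covers
            Expires    = $cert.NotAfter
            Domains    = ($domains -join ',')
            Issue      = $issue
        }
    }
}

$report | Sort-Object Server |
    Format-Table Server, Issue, SelfSigned, Covers, Expires, Thumbprint -AutoSize
```

Any row whose Issue is not OK is a CAS that will produce the certificate prompt as soon as a database is activated in its site.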
 

AndyD_ [MVP]

What version of Outlook? What is the exact certificate error? Is it an untrusted certificate error?

Using the built-in self-signed Exchange certificate is not recommended. If you want this to work cleanly, you need to either use 3rd-party trusted certs on the "regional CAS" or an internal PKI cert that domain-joined clients trust.
 

Animesh S

Well, adding a total of more than 5 CAS servers and other names to a SAN certificate is neither cheap, safe, nor easy. You certainly don't want to go out on the internet and tell everyone what your server names are. Apart from that, self-signed certificates are supposed to be trusted across all the domain-joined certificates as they have this 1.4.6.x certificate type thing which is trusted across the domain, normally.

Anyway, coming to the current situation, I am thinking of assigning the public certificate and using the above command on all my CAS servers. What I don't know is what the repercussions are going to be, so I am reading up a lot.

Anyone who can help me understand how to get around this issue without going for a new certificate will be a big help.

Thanks in advance.
 

AndyD_ [MVP]

You don't have to add them to the existing SAN cert. You could create new ones for them. I don't quite get how that is unsafe regardless. You tell everyone what your server names are every day when you send out email.

You say self-signed certs are supposed to be trusted across the domain. Which self-signed certs are you referring to?
 