Exchange 2010 CAS Failover from Internet Facing site to Non-Internet Facing Site - Certificate Issue

Status
Not open for further replies.

Animesh S

I am currently deploying a 3 AD/Physical site Exchange 2010 environment, where

1) There is only 1 AD site that faces the internet, and the certificate is configured with the CAS-Array and server FQDNs of that site only.

2) The mailbox server holds a replica of all the mailboxes in the environment. The other 2 sites have only 1 DB each, again in a DAG configuration.

3) The regional sites' CAS server names are not included in the SAN certificate, and that can't be done before a year is over and we have to renew the cert.

Now the issue is that when I fail over databases to the regional sites during a maintenance window, the users get a certificate error (as the regional CAS server is using self-signed certificates). They can connect to the mailboxes fine, but the certificate pop-up is annoying and users will complain later.

Secondly, I see that probably I can alleviate this problem by applying the SAN cert on regional servers and using the following command.

Set-OutlookProvider EXPR -CertPrincipalName "msstd:mail.contoso.com"

What I don't know is how the Outlook clients will react. Can anyone tell me how to configure failover in such situations?
 

AndyD_ [MVP]

What version of Outlook? What is the exact certificate error? Is it an untrusted certificate error?

Using the built-in self-signed Exchange certificate is not recommended. If you want this to work cleanly, you need to either use 3rd party trusted certs on the "regional CAS" or an internal PKI cert that domain-joined clients trust.
 

Animesh S

Well, adding a total of more than 5 CAS servers and other names to a SAN certificate is neither cheap, safe nor easy. You certainly don't want to go out on the internet and tell everyone what your server names are. Apart from that, self-signed certificates are supposed to be trusted across all the domain joined certificates as they have this 1.4.6.x certificate type thing which is trusted across domain, normally.

Anyway, coming to the current situation, I am thinking of assigning the public certificate and using the above command on all my CAS servers. What I don't know is what the repercussions are going to be, so I am reading up a lot.

Anyone who can help me understand how to get around this issue without going for a new certificate will be a big help.

Thanks in advance.
 

AndyD_ [MVP]

You don't have to add them to the existing SAN cert. You could create new ones for them. I don't quite get how that is unsafe regardless. You tell everyone what your server names are every day when you send out email.

You say self-signed certs are supposed to be trusted across the domain. Which self-signed certs are you referring to?
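
The two conditions discussed in this thread (a self-signed certificate on a CAS, and a certificate that does not list the host name clients connect to) can be checked per server before a failover. The PowerShell below is an added example, not code from any poster: the function names, server names and inventory are constructed (only mail.contoso.com appears in the thread), and the fields mirror the CertificateDomains and IsSelfSigned properties that Get-ExchangeCertificate returns.

```powershell
# Added example. Sample data is constructed; function names are hypothetical.
function Test-NameCoveredByCert {
    param([string]$Name, [string[]]$CertificateDomains)
    foreach ($d in $CertificateDomains) {
        if ($d -eq $Name) { return $true }   # -eq is case-insensitive on strings
        if ($d.StartsWith('*.')) {
            # A wildcard entry covers exactly one left-most label.
            $suffix = $d.Substring(1)
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CasCertFinding {
    param($Cas)
    foreach ($n in $Cas.ClientNames) {
        if ($Cas.IsSelfSigned) {
            $finding = 'self-signed: untrusted unless clients trust it explicitly'
        } elseif (-not (Test-NameCoveredByCert -Name $n -CertificateDomains $Cas.CertificateDomains)) {
            $finding = 'name mismatch: certificate does not list this host name'
        } else {
            $finding = 'OK'
        }
        New-Object PSObject -Property @{ Server = $Cas.Server; Name = $n; Finding = $finding }
    }
}

# Constructed inventory. ClientNames = host names clients use to reach that CAS.
$inventory = @(
    # Internet-facing CAS with the SAN certificate.
    (New-Object PSObject -Property @{ Server = 'HQ-CAS1'; IsSelfSigned = $false
        CertificateDomains = @('mail.contoso.com', 'hq-cas1.contoso.com')
        ClientNames = @('mail.contoso.com') }),
    # Regional CAS still on the built-in self-signed certificate.
    (New-Object PSObject -Property @{ Server = 'R1-CAS1'; IsSelfSigned = $true
        CertificateDomains = @('r1-cas1', 'r1-cas1.contoso.com')
        ClientNames = @('r1-cas1.contoso.com') }),
    # Regional CAS after the SAN certificate is copied to it unchanged.
    (New-Object PSObject -Property @{ Server = 'R2-CAS1'; IsSelfSigned = $false
        CertificateDomains = @('mail.contoso.com', 'hq-cas1.contoso.com')
        ClientNames = @('r2-cas1.contoso.com') })
)

$inventory | ForEach-Object { Get-CasCertFinding $_ } |
    Format-Table Server, Name, Finding -AutoSize
```

The third entry shows that copying the existing SAN certificate to a regional CAS removes the trust problem but still leaves a name mismatch for any client that connects using the regional server's own FQDN.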
 