Exchange 2010 CAS Failover from Internet Facing site to Non-Internet Facing Site - Certificate Issue

Animesh S

I am currently deploying a 3 AD/Physical site Exchange 2010 environment, where

1) there is only 1 AD site that faces internet, and certificate is configured with CAS-Array and server FQDNs of that site only.

2) The mailbox server holds a replica of all the mailboxes in the environment. The other 2 sites have only 1 DB each, again in a DAG configuration.

3) regional sites CAS server names are not included in SAN certificate and that can't be done before a year is over and we have to renew the cert.

Now the issue is that when I fail over databases to the regional sites during a maintenance window, the users get a certificate error (as the regional CAS server is using self-signed certificates). They can connect to the mailboxes fine, but the certificate pop-up is annoying and users will complain later.

Secondly, I see that probably I can alleviate this problem by applying the SAN cert on regional servers and using the following command.

Set-OutlookProvider EXPR -CertPrincipalName "msstd:mail.contoso.com"

What I don't know is how the Outlook clients will react. Can anyone tell me how to configure failover in such situations?
 
AndyD_ [MVP]

What version of Outlook? What is the exact certificate error? Is it an untrusted certificate error?

Using the built-in self-signed Exchange certificate is not recommended. If you want this to work cleanly, you need to either use 3rd party trusted certs on the "regional CAS" or an internal PKI cert that domain-joined clients trust.
 
Animesh S

Well, adding a total of more than 5 CAS servers and other names to a SAN certificate is neither cheap, safe nor easy. You certainly don't want to go out on the internet and tell everyone what your server names are. Apart from that, self-signed certificates are supposed to be trusted across all the domain-joined certificates as they have this 1.4.6.x certificate type thing which is trusted across the domain, normally.

Anyway, coming to the current situation, I am thinking of assigning the public certificate and using the above command on all my CAS servers. What I don't know is what the repercussions are going to be, so I am reading up a lot.

Anyone who can help me understand how to get around this issue without going for a new certificate will be a big help.

Thanks in advance.
 
AndyD_ [MVP]

You don't have to add them to the existing SAN cert. You could create new ones for them. I don't quite get how that is unsafe regardless. You tell everyone what your server names are every day when you send out email.

You say self-signed certs are supposed to be trusted across the domain. Which self-signed certs are you referring to?
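
An added example, not code from any poster in this thread: a PowerShell check for the situation discussed above, reporting for each CAS certificate whether it is self-signed and whether its names cover the host in the `msstd:` principal name. `Test-CasCertCoverage`, the `Server` property and the sample servers are hypothetical; `Subject`, `CertificateDomains` and `IsSelfSigned` are the properties `Get-ExchangeCertificate` objects carry. It assumes a match on either the subject CN or a SAN entry counts as covering the name.

```powershell
# Added example: Test-CasCertCoverage and the sample data below are hypothetical.
function Test-CasCertCoverage {
    param(
        [Parameter(Mandatory=$true)] [string]   $CertPrincipalName,  # e.g. "msstd:mail.contoso.com"
        [Parameter(Mandatory=$true)] [object[]] $Certificates
    )
    # Strip the "msstd:" prefix and any stray whitespace to get the bare host name.
    $hostName = ($CertPrincipalName.Trim() -replace '^msstd:', '').Trim().ToLowerInvariant()

    foreach ($c in $Certificates) {
        # Subject CN from a subject such as "CN=mail.contoso.com, O=Contoso".
        $cn = ''
        if ($c.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim().ToLowerInvariant() }
        $names = @($cn) + @($c.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })

        $covered = $false
        foreach ($n in $names) {
            # Exact match, or a wildcard entry that covers exactly one leading label.
            $dot = $hostName.IndexOf('.')
            if ($n -eq $hostName) { $covered = $true }
            elseif ($n.StartsWith('*.') -and $dot -gt 0 -and
                    $hostName.Substring($dot) -eq $n.Substring(1)) { $covered = $true }
        }

        New-Object PSObject -Property @{
            Server          = $c.Server
            SubjectCN       = $cn
            IsSelfSigned    = [bool]$c.IsSelfSigned
            CoversPrincipal = $covered
            NeedsAttention  = ([bool]$c.IsSelfSigned -or -not $covered)
        } | Select-Object Server, SubjectCN, IsSelfSigned, CoversPrincipal, NeedsAttention
    }
}

# Constructed sample input: one Internet-facing CAS with the SAN cert,
# one regional CAS still on its self-signed certificate.
$sample = @(
    New-Object PSObject -Property @{ Server = 'CAS-HQ'; Subject = 'CN=mail.contoso.com';
        CertificateDomains = @('mail.contoso.com', 'autodiscover.contoso.com'); IsSelfSigned = $false }
    New-Object PSObject -Property @{ Server = 'CAS-REGION1'; Subject = 'CN=CAS-REGION1';
        CertificateDomains = @('CAS-REGION1', 'CAS-REGION1.contoso.local'); IsSelfSigned = $true }
)

Test-CasCertCoverage -CertPrincipalName 'msstd:mail.contoso.com' -Certificates $sample |
    Format-Table -AutoSize
```

With the constructed data, CAS-HQ is reported as covered and CAS-REGION1 is flagged, which is the regional-failover case the thread describes.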
 