Exchange 2010 CAS Failover from Internet Facing site to Non-Internet Facing Site - Certificate Issue

Status
Not open for further replies.
Animesh S

I am currently deploying a 3 AD/Physical site Exchange 2010 environment, where

1) There is only 1 AD site that faces the internet, and the certificate is configured with the CAS-Array and server FQDNs of that site only.

2) The mailbox server holds a replica of all the mailboxes in the environment. The other 2 sites have only 1 DB each, again in a DAG configuration.

3) The regional sites' CAS server names are not included in the SAN certificate, and that can't be done before a year is over and we have to renew the cert.

Now the issue is that when I fail over databases to the regional sites during a maintenance window, the users get a certificate error (as the regional CAS server is using self-signed certificates). They can connect to the mailboxes fine, but the certificate pop-up is annoying and users will complain later.

Secondly, I see that probably I can alleviate this problem by applying the SAN cert on regional servers and using the following command.

Set-OutlookProvider EXPR -CertPrincipalName "msstd:mail.contoso.com"

What I don't know is how the Outlook clients will react. Can anyone tell me how to configure failover in such situations?
 
AndyD_ [MVP]

What version of Outlook? What is the exact certificate error? Is it an untrusted certificate error?

Using the built-in self-signed Exchange certificate is not recommended. If you want this to work cleanly, you need to either use 3rd party trusted certs on the "regional CAS" or an internal PKI cert that domain-joined clients trust.
 
Animesh S

Well, adding a total of more than 5 CAS servers and other names to a SAN certificate is neither cheap, safe nor easy. You certainly don't want to go out on the internet and tell everyone what your server names are. Apart from that, self-signed certificates are supposed to be trusted across all the domain-joined certificates, as they have this 1.4.6.x certificate type thing which is trusted across the domain, normally.

Anyway, coming to the current situation, I am thinking of assigning the public certificate and using the above command on all my CAS servers. What I don't know is what the repercussions are going to be, so I am reading up a lot.

Anyone who can help me understand how to get around this issue without going for a new certificate will be a big help.

Thanks in advance.
 
AndyD_ [MVP]

You don't have to add them to the existing SAN cert. You could create new ones for them. I don't quite get how that is unsafe regardless. You tell everyone what your server names are every day when you send out email.

You say self-signed certs are supposed to be trusted across the domain. Which self-signed certs are you referring to?
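
An added example, not part of the thread or of any poster's reply: a PowerShell check that reports, per CAS certificate, whether it is self-signed and whether it covers the name configured as the msstd: principal name. The function name Test-CasCertificate and the sample server names are hypothetical and constructed; the properties read (Subject, CertificateDomains, IsSelfSigned) are those returned by Get-ExchangeCertificate.

```powershell
# Added example. Test-CasCertificate is a hypothetical helper, written for PowerShell 2.0.
function Test-CasCertificate {
    param(
        [Parameter(Mandatory=$true)] $Certificate,            # needs Server, Subject, CertificateDomains, IsSelfSigned
        [Parameter(Mandatory=$true)] [string] $PrincipalName  # e.g. "msstd:mail.contoso.com"
    )
    # Strip the msstd: prefix and any stray whitespace left inside the quotes.
    $name = ($PrincipalName.Trim() -replace '^msstd:', '').Trim()

    # Subject common name, if the certificate has one.
    $cn = $null
    if ($Certificate.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # SAN coverage: exact match, or a wildcard that spans exactly one label.
    $covered = $false
    foreach ($d in @($Certificate.CertificateDomains | ForEach-Object { "$_" })) {
        if ($d -eq $name) { $covered = $true }
        elseif ($d.StartsWith('*.') -and ($name -like $d) -and
                ($name.Split('.').Count -eq $d.Split('.').Count)) { $covered = $true }
    }

    New-Object PSObject -Property @{
        Server          = $Certificate.Server
        IsSelfSigned    = $Certificate.IsSelfSigned
        SubjectCN       = $cn
        SubjectMatches  = ($cn -eq $name)
        NameInCertNames = $covered
    }
}

# Constructed sample data shaped like Get-ExchangeCertificate output (not real servers).
$sample = @(
    (New-Object PSObject -Property @{ Server='CAS-HQ'; Subject='CN=mail.contoso.com'; IsSelfSigned=$false
        CertificateDomains=@('mail.contoso.com','autodiscover.contoso.com') }),
    (New-Object PSObject -Property @{ Server='CAS-REGION1'; Subject='CN=CAS-REGION1'; IsSelfSigned=$true
        CertificateDomains=@('CAS-REGION1','CAS-REGION1.corp.contoso.com') })
)
$sample | ForEach-Object { Test-CasCertificate -Certificate $_ -PrincipalName 'msstd:mail.contoso.com' } |
    Format-Table Server, IsSelfSigned, SubjectCN, SubjectMatches, NameInCertNames -AutoSize

# Against live servers (Exchange Management Shell), feed real objects instead of $sample:
#   $p = (Get-OutlookProvider EXPR).CertPrincipalName
#   Get-ClientAccessServer | ForEach-Object { $s = $_.Name
#     Get-ExchangeCertificate -Server $s | Where-Object { $_.Services -match 'IIS' } |
#       Add-Member NoteProperty Server $s -Force -PassThru } |
#     ForEach-Object { Test-CasCertificate -Certificate $_ -PrincipalName $p }
```

A row with IsSelfSigned true or NameInCertNames false identifies a CAS whose certificate will not satisfy the configured principal name after a failover.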
 