Configure SSL Certificate on Exchange 2013

Question

Configure SSL Certificate on Exchange 2013

Innocent Heartvoice 296

I am upgrading our infrastructure services from AD 2012 R2 to AD 2019 and Exchange 2013 to 2019. We have a separate setup of Primary Domain and Child Domain. The primary domain has 2 CAS servers with Windows NLB and 2 servers DAG and the same goes with child domain 2 CAS servers with Windows NLB and 2 servers DAG. The placement of servers in the organization is as follows.

Primary Domain

netware.com

Exchange CAS
Windows NLB = 10.10.100.20
Windows NLB Name= groundfloor.netware.com

Exchange DAG
DAG IP = 10.10.100.22
DAG Name = ExDAG

Child Domain
netwire.netware.com

Exchange CAS
Windows NLB = 15.10.100.20
Windows NLB Name = firstfloor.netwire.netware.com

Exchange DAG
DAG IP = 15.10.100.22
DAG Name = ChDAG

Exchange Subject Alternate Names (SAN) on external domain.
Webmail.contoso.com
Autodiscover.contoso.com

All virtual directories are set with the following configuration. (Primary Domain)
Internal Virtual directories = groundfloor.netware.com
External Virtual directories = webmail.contoso.com

All virtual directories set with the following configuration. (Child Domain)
Internal Virtual directories = firstfloor.netwire.netware.com
External Virtual directories = webmail.contoso.com

Now we are planning to implement a third-party SSL certificate in the environment and are curious about the deployment of SSL certificate on both primary domain and child domain and how to configure the Internal virtual directories with a local namespace or external subject alternate names (SAN)

1 answer

Your answer

Answer 1

Kai Yao 37,776 Moderator

Hi @Innocent Heartvoice

According to your information, do you have different mail domain (contoso.com) with AD domain (netware.com)?

If so, I suppose you may need one certificate for contoso.com including at least these two urls:
autodiscover.contoso.com
Webmail.contoso.com

And since you are having a parent-child domain structure, you may also need to include the child domain urls in the certificate for users to connect to the Exchange servers in child domain:
autodiscover.child.contoso.com
Webmail.child.contoso.com

About virtual directorie urls, it is usually recommended to set the internal urls to be the same as external ones.
In your case, it should be set to Webmail.contoso.com and Webmail.child.contoso.com.
Otherwise, internal clients would throw certificate warnings when they connect to Exchange servers, as the url groundfloor.netware.com isn't included in the certificate.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Innocent Heartvoice 296 Reputation points

2021-08-17T11:18:23.087+00:00

This is to inform you that our External mail domain (contoso.com) is the same for both parent and child domains. In our opinion, the following entries in the certificates will not be required.

autodiscover.child.contoso.com
Webmail.child.contoso.com

Now , we want to confirm for our internal domains as we have different internal AD domains (netware.com) and (netwire.netware.com), so how will the internal users of both parent(netware.com) and child domain (netwire.netware.com) connect their Outlook when the certificate does not contain internal AD domain URL's.
Kai Yao 37,776 Reputation points Moderator

2021-08-18T01:50:33.44+00:00

Hi,
Sorry I misunderstood that part.

In our opinion, the following entries in the certificates will not be required.

Yes.You don't need to include these two URLs in the certificates.

Now , we want to confirm for our internal domains as we have different internal AD domains (netware.com) and (netwire.netware.com), so how will the internal users of both parent(netware.com) and child domain (netwire.netware.com) connect their Outlook when the certificate does not contain internal AD domain URL's.

You may set the internal URLs to be the same as external ones (webmail.contoso.com) which are included in the certificates.
The internal clients would also connect using the same URLs as the external clients, instead of using the internal AD domain URLs.
Since clients would trust the certificates, they would not give warnings when they connect to Exchange.

Otherwise, besides changing the URLs to be the same, you can also export the Exchange self-signed certificate which includes the internal AD domain URLs and import it to the trusted root certification authorities of the clients.
It would make clients trust the self-signed certificates.
Kai Yao 37,776 Reputation points Moderator

2021-08-25T09:11:42.633+00:00

Hi @Innocent Heartvoice

Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

Share via

Configure SSL Certificate on Exchange 2013

1 answer

Your answer