Configure Outlook Anywhere to Use Multiple SSL Certificates
Applies to: Exchange Server 2010
You can use multiple Secure Sockets Layer (SSL) certificates for Outlook Anywhere and the Microsoft Exchange services that Microsoft Office Outlook 2007 and Outlook 2010 use, such as Unified Messaging and the offline address book.
After your Outlook Anywhere deployment has been configured correctly to use multiple SSL certificates, your domain-joined clients will contact Active Directory and obtain the site address for the Autodiscover service from the service connection point (SCP) object. Clients that aren't domain joined or that don't have direct access to Active Directory will contact the DNS server to obtain the site address for the Autodiscover service SCP object. After a client connects to the Autodiscover service, the client will receive the URLs for the available Microsoft Exchange services. The client won't be prompted with a certificate warning because a valid certificate is provided at each point during the connection process.
Looking for management tasks related to Outlook Anywhere? See Managing Outlook Anywhere.
Configure your Outlook Anywhere deployment to use multiple SSL certificates
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "SSL for Outlook Anywhere", "IIS Manager", and "Autodiscover service virtual directory settings" entries in the Client Access Permissions topic.
The following are the steps required to configure your Outlook Anywhere deployment to use multiple SSL certificates.
Obtain two valid SSL certificates You must obtain two valid SSL certificates from a certification authority (CA) that's trusted by the client's operating system. One SSL certificate will be used for the site that will handle e-mail and the other will be used for the site dedicated to the Autodiscover service. For example, you can create one SSL certificate named mail.contoso.com and another certificate named autodiscover.contoso.com. For more information, see Obtain a Server Certificate from a Certification Authority.
Configure a second IP address After you've obtained the certificates, you must assign an additional IP address to the network adapter, also known as a NIC, on the Microsoft Exchange Server 2010 Client Access server. This will enable the Client Access server to have two public IP addresses. For more information, see the Windows Server 2008 documentation about configuring networks and servers.
Create an A record Create a Host (A) resource record using the DNS manager for the second site that's dedicated to the Autodiscover service, for example, autodiscover.contoso.com, and point it to the new IP address that you created on the Client Access server. For more information, see the Windows Server 2008 DNS documentation about adding resource records.
Create a new Autodiscover Web site On the Client Access server, use Internet Information Services (IIS) Manager to create a new Web site that points to an empty directory. Then assign this new Web site the IP address for the second site that's dedicated to the Autodiscover service (for example, autodiscover.contoso.com). Follow these steps:
- From IIS Manager, expand your server name > Sites, and select the new Web site
- In the Actions pane, select Bindings.
- From the Site Bindings dialog box, in the Types column, select http, and then click Edit.
- In the Edit Site Binding dialog box, assign the dedicated IP address, enter the host name, for example autodiscover.contoso.com, and then click OK.
Create a new Autodiscover virtual directory Use the New-AutodiscoverVirtualDirectory cmdlet to create the new Autodiscover virtual directory on this second Web site that's dedicated to the Autodiscover service. For more information, see Create an Autodiscover Virtual Directory.
Remove the Autodiscover virtual directory for the default Web site You must correctly identify and remove the Autodiscover virtual directory that you created during Exchange Setup by using the Remove-AutoDiscoverVirtualDirectory cmdlet. For more information, see Delete the Default Autodiscover Virtual Directory.
Assign the SSL certificates to the correct Web sites You must assign the first SSL certificate, for example, the certificate for mail.contoso.com, to the default Web site, and then assign the second SSL certificate to the site that's dedicated to the Autodiscover service, for example, the autodiscover.contoso.com Web site. Follow these steps:
- From IIS Manager, expand your server name > Sites, and then select the Web site.
- In the action pane, select Bindings.
- In the Site Bindings dialog box, click Add.
- In the Add Site Bindings dialog box, set the binding type as https.
- Under SSL certificate, select the SSL certificate to be used for this site, and then click OK.
Change the URLs for the Exchange services You must change the external and internal URLs for your available Exchange services to point to the site that's dedicated to handling e-mail, for example, mail.contoso.com. For more information about how to set the URLs for the Exchange services, see Configure Exchange Services for the Autodiscover Service.
Configure the SCP object You must configure the SCP object to use the site that's dedicated to the Autodiscover service, for example, autodiscover.contoso.com. This example sets the Active Directory SCP object to direct users to the autodiscover.contoso.com URL using the Set-ClientAccessServer cmdlet on CAS1:
Set-ClientAccessServer -Identity CAS1 -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/autodiscover/autodiscover.xml"
Test your results After you've completed these steps, you must make sure that the sites that are dedicated to handling e-mail and the Autodiscover service can be resolved internally and externally by your Outlook client. For more information, see Test Outlook Anywhere Connectivity and Test Outlook Autodiscover Connectivity.
Other Tasks
After you've configured Outlook Anywhere to use multiple SSL certificates, you may also want to: