Configuring Outlook Anywhere to Use Multiple SSL Certificates
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic provides information about how to use multiple Secure Sockets Layer (SSL) certificates for Outlook Anywhere and the Microsoft Exchange services that Microsoft Office Outlook 2007 uses, such as Unified Messaging and the offline address book (OAB). The following sections give an overview of the process for configuring your Outlook Anywhere deployment to use multiple SSL certificates.
Configuring Your Outlook Anywhere Deployment to Use Multiple SSL Certificates
To configure your Outlook Anywhere deployment to use multiple SSL certificates, you must do the following:
Obtain two valid SSL certificates You must obtain two valid SSL certificates from a certification authority (CA) that is trusted by the client's operating system. One SSL certificate will be used for the site that will handle e-mail and the other will be used for the site dedicated to the Autodiscover service. For example, create one SSL certificate named mail.contoso.com and another certificate named autodiscover.contoso.com. For more information about how to obtain a valid SSL certificate, see How to Obtain a Server Certificate from a Certification Authority.
Configure a second IP address After you have acquired the certificates, you must assign an additional IP address to the network adapter, also known as a NIC, of the server that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. This will enable the Client Access server to have two public IP addresses.
Create an A record Create an A record for the second site that is dedicated to the Autodiscover service (for example, autodiscover.contoso.com ) and point it to the new IP address that you created on the Client Access server.
Create a new Autodiscover Web site On the Client Access server, use the Internet Information Services (IIS) Administrator program to create a new Web site that points to an empty directory. Then assign this new Web site the IP address for the second site that is dedicated to the Autodiscover service (for example, autodiscover.contoso.com). Use the New-AutodiscoverVirtualDirectory cmdlet to create the new Autodiscover virtual directory on this second Web site that is dedicated to the Autodiscover service. For more information about how to create a new Autodiscover service virtual directory, see How to Create a New Autodiscover Service Virtual Directory.
Remove the Autodiscover virtual directory for the default Web site You must correctly identify and remove the Autodiscover service virtual directory that you created during Exchange Setup by using the Remove-AutoDiscoverVirtualDirectory cmdlet. For more information about how to remove the default Autodiscover service virtual directory, see How to Delete the Default Autodiscover Service Virtual Directory.
Assign the SSL certificates to the correct Web sites You must assign the first SSL certificate (example, the certificate for mail.contoso.com) to the default Web site, and then assign the second SSL certificate to the site that is dedicated to the Autodiscover service (for example, the autodiscover.contoso.com Web site).
Change the URLs for the Exchange services You must change the external and internal URLs for your available Exchange services to point to the site that is dedicated to handling e-mail, for example, mail.contoso.com. For more information about how to set the URLs for the Exchange services, see How to Configure Exchange Services for the Autodiscover Service.
Configure the SCP object You must configure the service connection point (SCP) object to use the site that is dedicated to the Autodiscover service, for example, autodiscover.contoso.com
Test your results After you have completed all these steps, you must make sure that the sites that are dedicated to handling e-mail and the Autodiscover service can be resolved internally and externally by your Outlook client.
How Outlook Uses Multiple SSL Certificates
After your Outlook Anywhere deployment has been configured correctly to use multiple SSL certificates, your domain-joined clients will contact Active Directory and obtain the site address for the Autodiscover service from the SCP object. Clients that are either not domain joined or that do not have direct access to Active Directory will contact the DNS server to obtain the site address for the Autodiscover service SCP object. After a client connects to the Autodiscover service, the client will receive the URLs for the available Microsoft Exchange services. At no point will the client be prompted with a certificate warning because a valid certificate is provided at each point during the connection process.
For More Information
For more information about the Autodiscover service and Outlook Anywhere, see the following topics: