Exchange Server 2007: More highlights on 2007 and certificates with real world scenario

Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to securing web services, Exchange 2007 has also incorporated Transport Layer Security (TLS) for session based authentication and encryption. TLS has been around for a while but the Exchange 2007 implementation is able to mutually authenticate with external transport servers, […]

Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to securing web services, Exchange 2007 has also incorporated Transport Layer Security (TLS) for session based authentication and encryption. TLS has been around for a while but the Exchange 2007 implementation is able to mutually authenticate with external transport servers, internal servers and Outlook 2007 clients. TLS as implemented in Exchange 2007 is an effective alternative to S/MIME and is much easier to administer. 'Domain Security in Exchange 2007' is an excellent whitepaper on Exchange 2007 and TLS so we aren't going to reproduce it in this post, but we wanted to give mention to this new change and point everyone in a direction to read more on this topic. You can download it here:

http://technet.microsoft.com/en-us/library/bb266978.aspx

Since Exchange 2007 shipped, we in Support Services have been helping a lot of customers navigate the process of obtaining and installing certificates. The following scenario comprises the majority of our experiences:

Tom works for a company, Contoso Inc. Let's also say that Tom just put a default install of Exchange 2007 on a server called SERVER01 which makes its internal FQDN SERVER01.contoso.local since he also implemented split DNS. Tom wants to make sure he takes all of the correct steps in order for his External Outlook Anywhere 2007 clients to function correctly. He wants his users to be able to access OWA using https://mail.contoso.com. He has also read enough Microsoft documentation to know that the Outlook 2007 Auto-discover feature will attempt to find my auto-discover service at the following locations (in order from top to bottom):


Service Connection Point (SCP) – client communicates directly to AD

https://contoso.com
https://autodiscover.contoso.com
http://contoso.com
http://autodiscover.contoso.com


Tom doesn't want his users to get "invalid certificate" errors nor does he want to affect his clients with redirection requests.

Tom has just one more decision to make and then its implementation time. Does he go with the recommended solution of a certificate with Subject Alternative Names (SAN) – also known as Unified Communications Certificates or with individual certificates?

Full Article

Microsoft, Exchange, Server, Exchange Server 2007, Certificates, Knowledgebase, Articles