
I've just started looking into buying a new cert to upgrade from our 2003 SBS server to Exchange 2010.

Since Exchange 2010 uses 3 (in our case) subdomains then would that mean we need to have 3 external IP addresses too?

As each of these domains is used both internally and externally.

mail.company.com
autodiscover.company.com
legacy.company.com

Or am I missing something?

I know with web servers you can use SNI to get multiple certs on one IP, but I also know that this isn't supported too well with older browsers, thus people tend to not use SNI.

Mint

2 Answers


Only if you need to support Windows XP/2003 clients must you avoid SNI. Vista/2008 and later have full support for SNI. For more, see Multiple SSL domains on the same IP address and same port?

You could also use a wildcard certificate, or a certificate using multiple subject alternate names, sometimes marketed as a "unified communication" certificate; such a certificate would allow you to continue using a single IPv4 address.

Michael Hampton

Please make sure when you order a UC certificate that your external client access name is the cert's common name. "Autodiscover" (note that it is autodiscover and not autodiscovery) and "legacy" can be the alternate names.

If you run into issues with XP clients running older versions of Outlook constantly asking for login information when connecting using Outlook Anywhere, make sure that your Outlook Provider is using the correct CertPrincipalName value, which should be msstd:[your_cert_common_name] (i.e. msstd:mail.company.com, or msstd:*.company.com if you use a wildcard certificate).

To verify:

Get-OutlookProvider EXPR

To correct (if necessary):

Set-OutlookProvider EXPR -CertPrincipalName 'msstd:mail.company.com'
Jeremy Lyons
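Two checks a practitioner would want before ordering or deploying the certificate, written as an added example that is not code from either answer above: first, whether a wildcard or UC (multi-SAN) certificate actually covers all three names from the question under the usual wildcard matching rules (one label only, leftmost position only, so `*.company.com` covers `mail.company.com` but not `company.com` or `a.b.company.com`); second, whether an Outlook Provider CertPrincipalName is consistent with the certificate's common name as Jeremy Lyons describes (`msstd:` followed by exactly that CN). The certificate name lists and the `check_certificate` / `cert_principal_name_ok` helpers are assumptions constructed for this example; they are not Exchange APIs and do not read a real certificate.

```python
"""Hostname coverage and CertPrincipalName consistency checks for an
Exchange-style certificate (added example; names below are constructed)."""
from __future__ import annotations

from typing import Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName SAN) against a hostname.

    Comparison is case-insensitive. A wildcard is honoured only when it is
    the entire leftmost label and it matches exactly one label, so
    '*.company.com' covers 'mail.company.com' but neither 'company.com'
    nor 'a.b.company.com'. Bare '*.com' style patterns are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(p_labels) < 3:
        return False  # too broad: would cover an entire TLD
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(cert_names: Iterable[str], required: Iterable[str]) -> list[str]:
    """Return the required hostnames that no name on the certificate covers."""
    names = list(cert_names)
    return [h for h in required if not any(name_matches(n, h) for n in names)]


def check_certificate(cert: dict, required: Iterable[str]) -> list[str]:
    """Names the certificate fails to cover.

    When a subjectAltName list is present, clients match against it and
    ignore the CN, so the CN is consulted only for a certificate with no SANs.
    """
    names = cert["sans"] or [cert["cn"]]
    return uncovered_names(names, required)


def cert_principal_name_ok(principal: str, common_name: str) -> bool:
    """Check an Outlook Provider CertPrincipalName against the cert's CN.

    The value must be 'msstd:' followed by exactly the common name; a
    wildcard CN is compared literally, e.g. 'msstd:*.company.com'.
    """
    prefix = "msstd:"
    if not principal.lower().startswith(prefix):
        return False
    return principal[len(prefix):].lower().rstrip(".") == common_name.lower().rstrip(".")


# Constructed sample data: the three names from the question and three
# candidate certificates (not real certificates, just their name lists).
REQUIRED = ["mail.company.com", "autodiscover.company.com", "legacy.company.com"]
UC_CERT = {"cn": "mail.company.com", "sans": list(REQUIRED)}
WILDCARD_CERT = {"cn": "*.company.com", "sans": ["*.company.com"]}
SINGLE_NAME_CERT = {"cn": "mail.company.com", "sans": ["mail.company.com"]}


if __name__ == "__main__":
    for label, cert in [("UC", UC_CERT), ("wildcard", WILDCARD_CERT),
                        ("single-name", SINGLE_NAME_CERT)]:
        missing = check_certificate(cert, REQUIRED)
        print(f"{label:12s} covers all names: {not missing}  missing={missing}")
    for value in ["msstd:mail.company.com", "msstd:autodiscover.company.com", "mail.company.com"]:
        print(f"CertPrincipalName {value!r} consistent with CN mail.company.com: "
              f"{cert_principal_name_ok(value, UC_CERT['cn'])}")
```

Running the module shows the UC and wildcard certificates covering all three names while the single-name certificate leaves autodiscover and legacy uncovered, and flags a CertPrincipalName that names a SAN rather than the CN or omits the `msstd:` prefix. The wildcard rules are deliberately strict (no partial wildcards, no `*.com`) because that is what current clients enforce; a certificate that passes this check but still fails in a client is usually a chain or SNI problem rather than a naming one.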