
I'm building a lab with two Exchange 2013 Servers with different internal names and only one external URL, the naming schema is something like this:

Internal Names:

exchange1.local.example.com
exchange2.local.example.com

External URL:

exchange.example.com

In this schema local.example.com is the AD zone and example.com is my external domain.

Both servers are using private IP addresses and there's port forwarding to make the server exchange1 able to talk with the WAN.

My problem now is how to configure the internal and external URLs in the Exchange Control Panel to avoid misconfiguration and certificate errors.

A lot of guides on the internet say to set both URLs to the same value using the external name, but I'm not sure if this is the right way to do it. There's a DAG with both servers, and I'm worried about how this would work when setting identical internal and external URLs on different servers.

Another thing that keeps me confused is the certificates. I have two wildcard certificates for those domains:

*.local.example.com
*.example.com

How will Exchange match those certificates with different URL schemas? In the certificate selection I must choose which services will be covered by the certificate, but I'm not able to use more than one certificate for a single server in the ECP. Some guides on the web say that the certificate will be matched accordingly, but this isn't really what happens.

Thanks in advance,

Vinícius Ferrão

1 Answer

Using a wildcard certificate will be problematic in your situation, as internal and external names are in separate domains. Rather than a Wildcard certificate, request a SAN (Subject Alternative Name) certificate for your Exchange servers to cover all the host names you require.

In your example, the Subject of the certificate would be exchange.example.com, and the Subject Alternative Name list for the certificate would include exchange.example.com, exchange1.local.example.com, exchange2.local.example.com.

If you would like to avoid a 'split DNS' situation (where you would have exchange.example.com resolve to a public IP address externally and a private IP address internally), you could add a fourth SAN to the certificate (exchange.local.example.com) and set your internal and external URLs appropriately.

jnaab

Comment: As of today I'm using Let's Encrypt, so yes, your answer is correct. I should have added one here. Wildcards were the only cheap alternative in 2015. – Vinícius Ferrão Aug 08 '21 at 20:21
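To see why the answer steers away from wildcards, here is an added example (not from the question or answer above) that applies the usual client-side name-matching rule (RFC 6125 section 6.4.3: `*` stands for exactly one DNS label, in the leftmost position only) to the host names in this thread. The host and certificate names are those from the thread; the function names are my own.

```python
"""Which of the required Exchange host names does a certificate's name list cover?

Added example for this thread (not the original poster's or answerer's code).
It implements the wildcard rule most TLS clients apply: '*' matches exactly one
DNS label and only as the leftmost label, so '*.example.com' covers
'exchange.example.com' but neither 'example.com' nor 'exchange1.local.example.com'.
"""

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        # Non-wildcard entries must match exactly (case-insensitively).
        return cert_name == hostname
    # Wildcard entry: the part after '*.' must be the host's suffix, and the
    # host must have exactly one extra label standing in for '*'.
    suffix = cert_name[2:]
    expected_labels = suffix.count(".") + 2
    return (len(hostname.split(".")) == expected_labels
            and hostname.endswith("." + suffix))


def uncovered_hosts(cert_names, required_hosts):
    """Return the required host names that no entry in cert_names covers."""
    return [h for h in required_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Names from the thread: one external URL, two internal server names.
REQUIRED = ["exchange.example.com",
            "exchange1.local.example.com",
            "exchange2.local.example.com"]
WILDCARD_EXTERNAL = ["*.example.com"]        # the poster's first wildcard cert
WILDCARD_INTERNAL = ["*.local.example.com"]  # the poster's second wildcard cert
SAN_CERT = REQUIRED                          # the answer's SAN certificate
SAN_CERT_NO_SPLIT_DNS = SAN_CERT + ["exchange.local.example.com"]  # answer's 4th SAN

if __name__ == "__main__":
    for label, names in [("*.example.com", WILDCARD_EXTERNAL),
                         ("*.local.example.com", WILDCARD_INTERNAL),
                         ("SAN certificate", SAN_CERT)]:
        print(f"{label:22} misses: {uncovered_hosts(names, REQUIRED)}")
```

Each wildcard leaves at least one required name uncovered, which is the certificate error the poster saw; the SAN list covers all three (four, with the no-split-DNS variant).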