  1. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,965

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #1

    Multiple autodiscover domains

    Hi,

    Hoping someone can help.

    If I have two domains set up in Exchange

    Company.com
    office.com

    that I want to set up autodiscovery and EWS on, can I simply install two separate certs on the server, one for each domain?

    People are saying you have to have one cert with both domains as separate SANs, but this is not possible with how our domains are registered and how we have to apply for certs. Am I correct that you simply install the public certs onto the server and then they are used as needed?

    Thanks
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

  3. Senior Member rsutton's Avatar
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #2
    You need one certificate with multiple SANs. Two certs won't work.

  4. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,965

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #3
    Why does it have to be one? For anything else you can use a different cert for each domain/listener. What's the reason it has to be a single cert, and how does this work if you can't get a single cert to cover it?

    For example, if I was hosting multiple Exchange domains for clients, it would not be possible, or at least not easy, to get a single cert with all the domains listed.

  5. Senior Member rsutton's Avatar
    Join Date
    Sep 2007
    Location
    SF Bay Area, Ca
    Posts
    1,015

    Certifications
    83-640, 70-642, 70-662, ICND1
    #4
    Multi-tenant environments use autodiscover redirect (CNAME record) so the SSL cert need only have a CN and SANs for the hosting company's domain.

  6. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,965

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #5
    Ahh..

    So basically the full story is we are using Lync, and the SIP domain is different to our company domain. But from what you are saying we should redirect the sip admin auto discover in DNS using a CNAME record to point to our internal auto discover domain record that already has all the certs set up.

    So it's just a case of a CNAME record that says

    autodiscover.sip.com points to autodiscover.company.com? And clients should be happy

  7. Nidhoggr, the Net Serpent Claymoore's Avatar
    Join Date
    Nov 2007
    Location
    FL
    Posts
    1,622

    Certifications
    AWS Architect, MCSEx3, MCITPx6, MCTSx17
    #6
    That will handle the DNS portion but the client will still expect a server response with the Autodiscover.sip.com name in the certificate. That's why you need multiple names in the cert, and one of the reasons SAN (Subject Alternate Name) certs are now commonly referred to as UCC (Unified Communications and Collaborations) certificates. I always have to install a UCC cert on an Exchange server to handle the names for all the services and domains. I have a client where we have to support over 100 domain/service names.

    If you have a certificate mismatch, the service will fail. When you browse a website and the certificate does not match, you get a warning but can still choose to continue. When Outlook, Lync, or an Autodiscover service request encounters a certificate error, they just fail.

  8. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,965

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #7
    Changing the server record to point to the main domain auto discover address has sorted the issue I think. Clients are now connecting to EWS and using auto discover without issues even though there is no cert installed for autodiscover.sipdomin.com

    I assume because clients look at the server record and this replies with the company.domain address, which when they use has the correct cert.
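Added example, not written by any poster in this thread: a small Python check of which host name a TLS client compares against the certificate for the two DNS approaches discussed in posts #4 to #7, and whether a given SAN list covers it. It assumes the "server record" in post #7 is a DNS SRV record; the SAN list and the function names are constructed for illustration, and `fetch_sans` is an optional helper that needs network access.

```python
import socket
import ssl

def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    # The wildcard covers exactly one label: *.a.com matches x.a.com only.
    head, _, rest = host.partition(".")
    return bool(head) and rest == pat[2:]

def name_client_verifies(record_type: str, queried: str, target: str) -> str:
    """Which name the TLS client compares against the certificate.

    A CNAME only changes the IP address reached; the client still verifies
    the name it asked for. An SRV answer hands the client a new host name,
    and the client connects to (and verifies) that target instead.
    """
    return target if record_type == "SRV" else queried

def cert_covers(record_type, queried, target, sans):
    name = name_client_verifies(record_type, queried, target)
    return any(san_matches(name, s) for s in sans)

def fetch_sans(host: str, port: int = 443) -> list:
    """Read DNS SANs from a live server (needs network; chain must validate)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inspect the names instead of failing on mismatch
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed SAN list for the certificate already on the Exchange server.
SANS = ["mail.company.com", "autodiscover.company.com"]

if __name__ == "__main__":
    cases = [("CNAME", "autodiscover.sip.com", "autodiscover.company.com"),
             ("SRV", "_autodiscover._tcp.sip.com", "autodiscover.company.com")]
    for rtype, queried, target in cases:
        ok = cert_covers(rtype, queried, target, SANS)
        print(f"{rtype:5} {queried} -> {target}: {'match' if ok else 'MISMATCH'}")
```

To check a real deployment, replace `SANS` with the output of `fetch_sans()` for the server's published name.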
