Exchange 2010 CAS and Certificates

Internal Exchange 2010 environment was partially configured by prior staff, so we are in the process of identifying issues and moving towards completing the configuration in stages.

Exchange 2010 SP2 - using OWA, ActiveSync, and eventually Outlook Anywhere

External:
webmail.externaldomain.com
external requests go through TMG
certificate: has 3rd-party wildcard certificate *.externaldomain.com defined on TMG listener

Internal:
email.domain.local - name of CAS array, set as RPC Client Access server on all databases
server1.domain.local, server2.domain.local, server3.domain.local - FQDN of each CAS
InternalURL: https://servername/owa (i.e. https://server1/owa on server1 CAS for owa, ecp, etc.)
ExternalURL:  https://webmail.externaldomain.com
certificate: SAN cert from internal CA


1. Load-balancing was not set up and the DNS record email.domain.local points directly to server1.domain.local. The TMG policy publishes directly to server1 as well. We are setting up Windows NLB in the interim for all 3 CAS (moving to F5 next year), and pointing email.domain.local to the IP of the NLB. What URLs do we need to update to use the email.domain.local CAS array - is it just owa, ecp, and ews?


2. The ExBPA reports the following error message:

Certificate SAN Mismatch
The subject alternative name (SAN) of SSL certificate for https://webmail.externaldomain.com/ews/exchange.asmx does not appear to match the host address. Host address: webmail.externaldomain.com. Current SAN: DNS Name=*.externaldomain.com, DNS Name=externaldomain.com.

We do not get any security warnings or cert errors using OWA internally or externally (no problems using OWA or ActiveSync). Is the above error an actual problem that needs to be fixed or is it just ExBPA not liking wildcard certs?

What are the specific names needed in the internal SAN cert? The "email.domain.local" SAN cert currently has the following:
email.domain.local
autodiscover.domain.local
legacy.domain.local
server1.domain.local
server2.domain.local
server3.domain.local
webmail.externaldomain.com
autodiscover.externaldomain.com
legacy.externaldomain.com

Thanks for reading!
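As an added example (not part of the original post and not a reply from the forum): a small Python check of whether each hostname named in the post is covered by the SAN entries listed there, using the wildcard rule that browsers and RFC 6125 apply (a wildcard is honoured only as the entire left-most label and stands in for exactly one label). The SAN lists and hostnames are copied from the post above; nothing else is assumed.

```python
"""Hostname-vs-SAN coverage check for the two certificates described in the post.

Added example, not from the original post. The SAN lists and hostnames are
copied from the post; the matching rule is the one browsers and RFC 6125 use:
a wildcard is honoured only as the entire left-most label and matches exactly
one label, so "*.externaldomain.com" covers "webmail.externaldomain.com" but
neither "externaldomain.com" nor "a.b.externaldomain.com".
"""
from __future__ import annotations

from typing import Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label and the pattern must keep at
    # least two literal labels after it, so "*" and "*.com" never match.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(sans: Iterable[str], hostname: str) -> str | None:
    """Return the first SAN entry covering hostname, or None if a client would warn."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> dict[str, str | None]:
    """Map each hostname to the SAN entry that covers it (None = mismatch)."""
    sans = list(sans)
    return {h: covered_by(sans, h) for h in hostnames}


# SAN lists as quoted in the post (constructed sample data copied from the post).
EXTERNAL_CERT_SANS = ["*.externaldomain.com", "externaldomain.com"]
INTERNAL_CERT_SANS = [
    "email.domain.local",
    "autodiscover.domain.local",
    "legacy.domain.local",
    "server1.domain.local",
    "server2.domain.local",
    "server3.domain.local",
    "webmail.externaldomain.com",
    "autodiscover.externaldomain.com",
    "legacy.externaldomain.com",
]

# Names a client would send as TLS SNI / HTTP Host, taken from the URLs in the
# post. "server1" is the unqualified host in https://server1/owa.
EXTERNAL_NAMES = ["webmail.externaldomain.com", "autodiscover.externaldomain.com"]
INTERNAL_NAMES = [
    "email.domain.local",
    "server1.domain.local",
    "server1",
    "webmail.externaldomain.com",
]

if __name__ == "__main__":
    for label, sans, names in (
        ("TMG listener cert", EXTERNAL_CERT_SANS, EXTERNAL_NAMES),
        ("internal CAS cert", INTERNAL_CERT_SANS, INTERNAL_NAMES),
    ):
        print(label)
        for host, san in coverage_report(sans, names).items():
            print(f"  {host:32} -> {san or 'NO MATCH (client would warn)'}")
```

Under this rule the wildcard entry on the TMG certificate does cover webmail.externaldomain.com, and the bare name externaldomain.com is covered only because it is listed separately. On the internal certificate the unqualified name server1 (from https://server1/owa) comes back with no match, since every entry on that certificate is a fully qualified name; server1.domain.local and email.domain.local match their exact entries.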

