Welcome to ISAserver.org

OWA Certificates and Publishing

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> Web Publishing >> OWA Certificates and Publishing

Page: [1]

Message

<< Older Topic Newer Topic >>

OWA Certificates and Publishing - 14.Feb.2008 4:45:16 PM

killagruv

Posts: 5
Joined: 14.Jan.2008
Status: offline

My company is going to a new naming format and management wants to keep the old name around. Our Exchange 2003 OWA address is currently (ex. https://webmail.happymonday.com/exchange) and they want it to be (example: https://jdmoney.com/exchange) but they want both urls to be active for about six months. We are also changing all of the IP addresses. Do we need a separate certificate for each url, do we need to make any IIS changes, do we need to redirect? We are totally lost and any help will be greatly appreciated.

Post #: 1

Featured Links*

RE: OWA Certificates and Publishing - 14.Feb.2008 7:39:36 PM

Rotorblade

Posts: 976
Joined: 27.Feb.2007
Status: online

Hi,

Are you currently publishing to a Front-end exchange server?

With changing the FQDN, several things will need to happen. You will need separate certificates. With ISA 2004, you will also need to add an additional IP to bind to the new certificate and a new web listener. You can�t have more than one certificate bound to an IP and web listener. With ISA 2006, the limitation has been removed. The problem you�re going to have is on the back-end. You�re changing the FQDN and the common names do not match. You did not provide much detail so I�m assuming that you will bring up separate systems?

HTH

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to killagruv)

Post #: 2

RE: OWA Certificates and Publishing - 14.Feb.2008 9:39:30 PM

killagruv

Posts: 5
Joined: 14.Jan.2008
Status: offline

Yes...we have a NLB front end. Can we make the new address an alias on the backend? What further information can I provide to give more clarity to my problem? Also, we did not plan oon bringing up another system. we have a new CIO that didn't think link our FQDN's and he has ordered that they all be changed. To reflect a convention that is to his liking.

Can you give me some insight into the backend problems that we may have? We tried to find the place in exchange where we define our email convention (john.doe@money.com) so that we can change it or the new convention and make it the default but we have had no luck thus far. Any further information will be greatly appreciated.

(in reply to Rotorblade)

Post #: 3

RE: OWA Certificates and Publishing - 15.Feb.2008 2:52:04 PM

Rotorblade

Posts: 976
Joined: 27.Feb.2007
Status: online

quote:

Can you give me some insight into the backend problems that we may have? We tried to find the place in exchange where we define our email convention (john.doe@money.com) so that we can change it or the new convention and make it the default but we have had no luck thus far. Any further information will be greatly appreciated.

Thanks for the updated information. With your current dilemma, you�re moving more into the Exchange side of things than an ISA related issue. You need to prepare the Exchange and network backend for the new domain name.
The reason I was inquiring if you were going to bring up a new domain or stick with the current Internal domain would be the determining factor on how far and how much pain you want put yourself through. Since Exchange is tightly integrated with AD, changing the Internal domain name is a bit risky. Things can get broke pretty fast and I would not recommend doing that. It would be better to migrate over to the new domain and leave the old one up if that is what your wanting to do. That�s one option.
The other option is to host the new FQDN on Exchange as another domain along side the old one for now. Hosting multiple domains in Exchange is fairly easy to do and the good folks over at MSExchange.org would be a good resource. Googling �hosting multiple Exchange domains� would get you a lot of hits on the subject or hit the Microsoft TechNet site.
The quick and dirty on doing so would involve modifying Exchange default recipient policy and ad the new FQDN there. (This answers your question where to find in Exchange) Do not delete the old @olddomain.com from the recipient policy. Adding the @domain tells Exchange to except mail for that domain. You then need to create new HTTP Virtual servers (First using the Exchange ESM not IIS.) to support the new domain on the front-end servers and the same on the back-end. What you do on the front-end must be done on the back-end. Using SSL, you will need to modify the new virtual server (this time using IIS not the ESM) and assign a new IP and bind a new certificate. This also needs to be done on all FE and BE servers. Then you�re going to need to implement a well designed �Split DNS� to support the new domain internally. As far keeping the old FQDN around for a while, as long as the old @domain is in the recipient policy, you will still receive e-mail for that domain. You will need to modify your Recipient policy to add the new FQDN SMTP e-mail address for each user. This can be done automatically for you when by reapplying the modified policy to all your mail-enabled domain users. By leaving the old e-mail address, your recipients will still receive their e-mail.
As far as ISA, you will need to go through the whole process of republishing for the new Domain name and adding certificates to support the new FQDN common name.
Hopefully this is of some help and you at least have a good indication on what direction you need to go. I would recommended hitting the MSExchange.org and ask the question there just to make sure you have all the answers.

Please keep us updated.

Regards,

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to killagruv)

Post #: 4