From a technical perspective, this is fine. From a cost perspective this is less desirable. A SAN certificate costs in the range of about $350 per year from a Microsoft supported vendor or about $80 per year from GoDaddy.
If you want to use an existing single name SSL certificate, you can. You just need to change the names for the URLs to all match.
First, install your certificate in IIS for the web site hosting the Exchange services. In a standalone install of Exchange Server 2007/2010, these are in the default web site. In SBS 2008, it is a site named SBS Web Applications.
There are a number of article with the syntax for setting the internal URL for the necessary services to support Outlook with a single label SSL cert. They recommend that you change the internal URL to match your external URL. Something like https://mail.conexion.ca/OAB.
Here is the issue I just had. With the internal URL as https://mail.conexion.ca/OAB on an SBS2008 box, the client credentials were not automatically being passed up to web services. The user was being prompted for a login. I believe this is because a name that is not a single label name is not considered part of the Intranet zone (think IE security zones) and the credentials cannot be automatically passed on. So, we change the URL to http://sites/OAB and all was good.
Two things to note about this:
- SBS 2008 already had sites set up as a host header for the SBS Web Applications site. Otherwise, you would need to configure at least DNS resolution for your site.
- HTTP is used on the assumption that SSL is not required internally. We needed to do this to get a single label domain name. If we didn't the name wouldn't match the certificate and the users would get warnings about certificate errors.
The simple way is to just use a SAN certificate to begin with and avoid the weirdness. GoDaddy is not officially supported, but it does work. Otherwise, Digicert is the cheapest of the officially supported certificate providers.
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete