Multiple autodiscover domains

DevilWAH Posts: 2,997 Member
Hi,

Hoping someone can help,

If I have two domains set up in Exchange

Company.com
office.com

that I want to set up autodiscovery and EWS on, can I simply install two separate certs on the server, one for each domain?

People are saying you have to have one cert with both domains as separate SANs, but this is not possible with how our domains are registered and how we have to apply for certs. Am I correct that you simply install the public certs onto the server and then they are used as needed?

Thanks
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

Comments

  • rsutton Posts: 1,029 Member
    You need one certificate with multiple SANs. Two certs won't work.
  • DevilWAH Posts: 2,997 Member
    Why does it have to be one? For anything else you can use a different cert for each domain/listener. What's the reason it has to be a single cert, and how does this work if you can't get a single cert to cover it?

    For example, if I was hosting multiple Exchange domains for clients, it would not be possible, or at least not easy, to get a single cert with all the domains listed.
  • rsutton Posts: 1,029 Member
    Multi-tenant environments use autodiscover redirect (CNAME record) so the SSL cert need only have a CN and SANs for the hosting company's domain.
  • DevilWAH Posts: 2,997 Member
    Ahh..

    So basically the full story is we are using Lync, and the SIP domain is different to our company domain. But from what you are saying we should redirect the sip admin auto discover in DNS using a CNAME record to point to our internal auto discover domain record that already has all the certs set up.

    So it's just a case of a CNAME record that says

    autodiscover.sip.com points to autodiscover.company.com? And clients should be happy
  • Claymoore Posts: 1,637 Member
    That will handle the DNS portion but the client will still expect a server response with the Autodiscover.sip.com name in the certificate. That's why you need multiple names in the cert and one of the reasons SAN (Subject Alternate Name) certs are now commonly referred to as UCC (Unified Communications and Collaborations) certificates. I always have to install a UCC cert on an Exchange server to handle the names for all the services and domains. I have a client where we have to support over 100 domain/service names.

    If you have a certificate mismatch, the service will fail. When you browse a website and the certificate does not match, you get a warning but can still choose to continue. When Outlook, Lync, or an Autodiscover service request encounters a certificate error, they just fail.
  • DevilWAH Posts: 2,997 Member
    Changing the server record to point to the main domain auto discover address has sorted the issue I think. Clients are now connecting to EWS and using auto discover without issues even though there is no cert installed for autodiscover.sipdomin.com

    I assume because clients look at the server record and this replies with the company.domain address, which, when they use it, has the correct cert.
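The certificate mismatch Claymoore describes and the result in the last post can be compared side by side. The following is an added example, not code from anyone in the thread: a simplified model of which hostname an Autodiscover client checks the certificate against. It assumes the "server record" in the last post is a DNS SRV record, models only the `autodiscover.<domain>` host lookup and the `_autodiscover._tcp.<domain>` SRV lookup, and uses constructed zone data and SAN lists built from the thread's placeholder names.

```python
# Added example (not from the thread): which hostname the client validates
# the server certificate against under each DNS redirection method.
# Zone data and SAN lists are constructed from the thread's placeholder names.

def san_matches(pattern, host):
    """Case-insensitive match; '*' allowed only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(sans, host):
    """True if any SAN entry on the certificate matches the hostname."""
    return any(san_matches(s, host) for s in sans)

def name_to_validate(domain, zone):
    """Hostname the client connects to over HTTPS, or None if none is published.

    Assumption: the root-domain and HTTP-redirect lookups are not modelled,
    and an SRV record is reduced to its target hostname.
    """
    host = "autodiscover." + domain
    if host in zone:           # A or CNAME: the resolver follows the alias, but
        return host            # TLS still checks the name the client asked for
    srv = zone.get("_autodiscover._tcp." + domain)
    if srv and srv[0] == "SRV":
        return srv[1]          # client is handed a new hostname and connects to it
    return None

def check(domain, zone, sans):
    """Return (hostname validated, whether the certificate covers it)."""
    host = name_to_validate(domain, zone)
    return host, host is not None and cert_covers(sans, host)

CERT_SANS = ["mail.company.com", "autodiscover.company.com"]  # constructed
ZONE_CNAME = {"autodiscover.sip.com": ("CNAME", "autodiscover.company.com")}
ZONE_SRV = {"_autodiscover._tcp.sip.com": ("SRV", "autodiscover.company.com")}

if __name__ == "__main__":
    cases = [("CNAME, company-only cert", ZONE_CNAME, CERT_SANS),
             ("CNAME, SAN added", ZONE_CNAME, CERT_SANS + ["autodiscover.sip.com"]),
             ("SRV, company-only cert", ZONE_SRV, CERT_SANS)]
    for label, zone, sans in cases:
        host, ok = check("sip.com", zone, sans)
        print(f"{label}: validates {host} -> {'match' if ok else 'MISMATCH'}")
```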