As per the previous article the Organization Configuration is now complete. The next step in the process is to configure the actual Server. In multi-server environments where the roles have been split this would need to take place on each server with the necessary configuration taking place at the required role level.
Let’s begin with the global Server Configuration by clicking on the Server Configuration node on the Exchange Management Console.
One of the parts that causes much frustration in modern Exchange installations is the configuration of Outlook Anywhere and ActiveSync, which require the publishing of a Subject Alternative Name (SAN) certificate. To save unnecessary frustration down the line it is recommended that this certificate be acquired from an Enterprise Root Certificate Authority e.g. VeriSign / Thawte / Go Daddy. The Go Daddy certificates are the most cost-effective and their publishing process is much simpler, so my personal recommendation is to use that service.
Let’s begin by creating the certificate request using the Exchange Management Console. On the right-hand action pane click on ‘New Exchange Certificate…’
In the window that opens type a ‘Friendly Name’ for the certificate and then click ‘Next’. The friendly name should be something you will be able to identify in a list full of certificates.
Next you will be prompted to define a Domain Scope for subdomains which will issue a ‘wildcard’ certificate request. As I am not configuring a domain with subdomains I am leaving this step out but you may need to use it should you require subdomains at any point. Click ‘Next’ when done.
You will now need to configure the actual services you will be using. By default I recommend that the following be enabled:
- Outlook Web App (internal and external)
- ActiveSync
- Web Services, Outlook Anywhere, and Autodiscover
- Hub Transport (Using TLS)
My examples are above. Click ‘Next’ once done.
Exchange will generate multiple domains for you. You need to modify these as follows:
- mail.<external domain> i.e. mail.domain.com, must be set to the common name
- you only require 3 more (Exchange will generate 6); these are:
  - <external domain> i.e. domain.com
  - autodiscover.<external domain> i.e. autodiscover.domain.com
  - Server Name; in this instance it is SFTEXCH.sft.local
Click ‘Next’ once you have modified this.
You will now need to fill in the organisation’s details. Once completed click ‘Next’. You will be presented with a summary window… click ‘New’. The certificate request will be generated and the text-based file will be copied to the location you specified in the window above.
Open the text document and submit the generated request text (the ‘hash’) to the certificate authority. They will in due course issue you with a certificate, which you will then need to install on your Exchange server as per the instructions you can find here on the GoDaddy community: http://community.godaddy.com/help/article/5863
Note if you are not using GoDaddy as your certificate provider then you will more than likely not need to do the import into the ‘Intermediate Certificate Authorities’ it refers to in the first few steps of the process.
Once complete your centre pane should look as follows:
Note the status of self-signed should be false.
We now need to assign services to the newly installed certificate.
Right-Click on the Certificate and click on ‘Assign Services to Certificate…’
You will see a list of Exchange Servers… in this example there is only one. Click ‘Next’
Select your services… in this example I am not configuring Unified Messaging so I tick: IMAP, POP, IIS, SMTP. Click ‘Next’ and on the new screen click ‘Assign’ to assign the services to the certificate.
You will be prompted to overwrite the SMTP self-signed certificate service which Exchange created during the original installation. Click ‘Yes’ and once completed, click ‘Finish’.
Your certificate console should now look like this:
Note the services are now assigned to your newly installed certificate.
Your certificate installation is now complete. Note that you may need to export this certificate if the Firewall you are publishing this service through needs it e.g. Microsoft ISA / TMG.
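The console steps above can also be carried out from the Exchange Management Shell. The following is an added example, not part of the original article, and assumes Exchange 2010-style cmdlet syntax; the file paths, friendly name and subject fields are placeholders, while the host names are the ones used in the walkthrough.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Steps 2-4 are run later, once the CA has returned the issued certificate.
$commonName = 'mail.domain.com'
$sanNames   = 'mail.domain.com', 'domain.com',
              'autodiscover.domain.com', 'SFTEXCH.sft.local'
$reqFile    = 'C:\Certs\mail_domain_com.req'   # placeholder path
$certFile   = 'C:\Certs\mail_domain_com.crt'   # placeholder path (file from the CA)

# 1. Generate the request. The private key never leaves this server; only the
#    request text is sent to the CA. The key is marked exportable because the
#    article notes the certificate may have to be exported for ISA / TMG.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange SAN certificate' `
    -SubjectName "C=US, O=Example Org, CN=$commonName" `
    -DomainName $sanNames -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $request

# 2. Import the issued certificate so it pairs with the pending private key.
$bytes    = [byte[]](Get-Content -Path $certFile -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3. Check what was actually issued before putting it into service:
#    it must not be self-signed and must carry every name requested.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $sanNames | Where-Object { $issued -notcontains $_ }
if ($cert.IsSelfSigned) { throw 'Certificate is self-signed; expected a CA-issued one.' }
if ($missing) { throw "Issued certificate is missing names: $($missing -join ', ')" }

# 4. Assign the same services as in the wizard. Exchange asks for confirmation
#    before replacing the default self-signed SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IMAP, POP, IIS, SMTP'

# 5. Confirm the final state: IsSelfSigned False, services assigned, expiry date.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, IsSelfSigned, Services, Status, NotAfter
```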
C