Monday, May 16, 2011

Microsoft Exchange 2010 Installation Step-By-Step Part 3 (Server Configuration–Certificate)

As per the previous article the Organization Configuration is now complete. The next step in the process is to configure the actual Server. In multi-server environments where the roles have been split this would need to take place on each server with the necessary configuration taking place at the required role level.

Let’s begin with the global Server Configuration by clicking on the Server Configuration node on the Exchange Management Console.

image

One of the parts that causes much frustration in modern Exchange installations is the configuration of Outlook Anywhere and ActiveSync, which require the publishing of a Subject Alternative Name (SAN) certificate. To save unnecessary frustration down the line, it is recommended that this certificate be acquired from a public, commercially trusted root Certificate Authority, e.g. VeriSign / Thawte / Go Daddy. The Go Daddy certificates are the most cost effective and their publishing process is much simpler, so my personal recommendation is to use that service.

Let’s begin by creating the certificate request using the Exchange Management Console. On the right-hand action pane click on ‘New Exchange Certificate…’

image

In the window that opens type a ‘Friendly Name’ for the certificate and then click ‘Next’. The friendly name should be something you will be able to identify in a list full of certificates.

image

Next you will be prompted to define a Domain Scope for subdomains, which will issue a ‘wildcard’ certificate request. As I am not configuring a domain with subdomains I am leaving this step out, but you may need to use it should you require subdomains at any point. Click ‘Next’ when done.

image

image

You will now need to configure the actual services you will be using. By default I recommend that the following be enabled:

  • Outlook Web App (internal and external)
  • ActiveSync
  • Web Services, Outlook Anywhere, and Autodiscover
  • Hub Transport (Using TLS)

My examples are above. Click ‘Next’ once done.

image

Exchange will generate multiple domains for you. You need to modify these as follows:

  • mail.<external domain>, e.g. mail.domain.com, must be set as the common name
  • you only require 3 more (Exchange will generate 6); these are:
    • <external domain>, e.g. domain.com
    • autodiscover.<external domain>, e.g. autodiscover.domain.com
    • the server name, in this instance SFTEXCH.sft.local

Click ‘Next’ once you have modified this.

image

You will now need to fill in the organisation’s details. Once completed click ‘Next’. You will be presented with a summary window… click ‘New’. The certificate request will be generated and the text-based file will be copied to the location you specified in the window above.

Open the text document and submit the generated request text (the ‘hash’, which is a Base64-encoded certificate signing request) to the certificate authority. They will in due course issue you with a certificate, which you will then need to install on your Exchange server as per the instructions on the GoDaddy community: http://community.godaddy.com/help/article/5863

Note: if you are not using GoDaddy as your certificate provider, you will more than likely not need to do the import into the ‘Intermediate Certificate Authorities’ store that it refers to in the first few steps of the process.

Once complete your centre pane should look as follows:

image

Note that the self-signed status should be false.

We now need to assign services to the newly installed certificate.

image

Right-Click on the Certificate and click on ‘Assign Services to Certificate…’

image

You will see a list of Exchange Servers… in this example there is only one. Click ‘Next’

image

Select your services… in this example I am not configuring Unified Messaging so I tick: IMAP, POP, IIS, SMTP. Click ‘Next’ and on the new screen click ‘Assign’ to assign the services to the certificate.

image

You will be prompted to overwrite the SMTP self-signed certificate service which Exchange created during the original installation. Click ‘Yes’ and once completed, click ‘Finish’.

Your certificate console should now look like this:

image

Note the services are now assigned to your newly installed certificate.

Your certificate installation is now complete. Note that you may need to export this certificate if the Firewall you are publishing this service through needs it e.g. Microsoft ISA / TMG.
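
The same procedure can be run from the Exchange Management Shell. The script below is an added example, not part of the original article: it generates the request, imports the issued certificate, and refuses to assign services unless the certificate is CA-issued, valid and carries all four names. The file paths, friendly name and organisation fields are assumed placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Paths, friendly name and organisation fields are placeholders (assumptions).
$names   = 'mail.domain.com', 'domain.com', 'autodiscover.domain.com', 'SFTEXCH.sft.local'
$reqPath = 'C:\Certs\exchange-san.req'   # request file to submit to the CA
$cerPath = 'C:\Certs\exchange-san.cer'   # certificate file returned by the CA

# 1. Generate the request; the common name (cn) is the first name in the list.
#    -PrivateKeyExportable is only needed if the certificate must later be
#    exported with its key, e.g. for an ISA / TMG firewall.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange 2010 SAN certificate' `
    -SubjectName "c=US, o=Example Organisation, cn=$($names[0])" `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $request

# --- Run the remaining steps once the CA has returned the certificate file ---

# 2. Import the issued certificate on the server that generated the request,
#    because that is where the matching private key is stored.
$bytes    = [Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3. Refuse to continue if the certificate is self-signed, not valid (for
#    example a missing intermediate CA certificate), or lacks a required name.
$found   = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($names | Where-Object { $found -notcontains $_ })
if ($cert.IsSelfSigned -or "$($cert.Status)" -ne 'Valid' -or $missing.Count -gt 0) {
    throw ("Not assigning services. SelfSigned=$($cert.IsSelfSigned) " +
           "Status=$($cert.Status) Missing=$($missing -join ', ')")
}

# 4. Assign the same services as in the wizard, then display the result.
#    Exchange asks for confirmation before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IMAP,POP,IIS,SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, CertificateDomains, IsSelfSigned, Status, Services
```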
