Forum Discussion
ssandoval_87293
Nimbostratus
NimbostratusExchange 2007 - What Type of SSL certificate required (single domain or UCC)
We are planing on installing an F5 load balancer in front of our Exchange 2007 environment with has two CAS/HUB servers. We would like to load balance and SSL offload OWA, Outlook Anywhere, and ActiveSync traffic. According to the f5-exchange07-dg0.dpf development guide it looks like we can use a single virtual server to support all three of these services. Now to my questions: What type of commercial SSL certificate do we need to purchase and install on the F5? Will a single domain SSL certificate work or do we need to purchase a UCC multiple domain certificate? If a UCC multiple domain certificate is required, what names do we need to have assigned to it? Do we need to install any SSL certificates on the CAS/HUB servers?
Thanks
4 Replies
- Hi Ssandoval,
To answer your questions, you have options where your SSL certs are concerned. The most common deployment we see is a SAN certificate, as it will give you the flexibility to add as many domain names as you need. You could go with a cert for a single domain name, but if problems arise, it might present difficulties in troubleshooting. If money were no object, then a wildcard cert (like *.yourdomain.com) would serve all your needs and then some, but those are pretty expensive.
As for which names to put in there, that will depend on the names under which you'll have the traffic decrypted. So if you have one domain for OWA, one for Outlook Anywhere, and one for ActiveSync, it might look something like .yourdomain.com, and could potentially have 3 different names. Again, if you have more than that, you'll want to add more to the cert.
To answer your last question about SSL Certs on HUB/CAS servers...this will depend on whether you're going to have those servers decrypt the incoming traffic. If you plan on assigning that task to the HUB/CAS, then yes, you'll want a cert there. If you're going to have it decrypted upstream, like on the F5 device, then you won't need it on the HUB/CAS.
I hope that information is helpful--please let me know if you have further questions.
Cheers,
Helen 
ssandoval_87293Thanks for the quick response Helen. We are planing on using the same external domain name (http:/mail.ourcompany.com/..service..) and public IP for all three services if possible. Thus, It sounds like a single domain certificate will work.
I have another question. I've enable SSL offloading on the CAS/Hub servers using the registry key in the following article ( http://technet.microsoft.com/en-us/library/bb885060%28EXCHG.80%29.aspx ) and disabled the SSL required check box on the IIS7 virtual website and directories . However when I enter the HTTP version of the owa url (http://CASserver/owa) it still automatically redirects to a SSL secure login page (https://CASserver/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fCASserver%2fowa%2f. Is this going to be an issue for the F5?- Hi Ssandoval,
Just to be clear, you're going to have the F5 do SSL offloading, and it's not in the mix yet, correct?
If that's the case, once you have the F5 device in place, the certificate loaded and associated with the Virtual IP that's handling the HUB/CAS traffic, you shouldn't get that login page. 
hoolioCirrostratus
As Helen suggested, if you have a single host name for all three services, you will only need an explicit SSL cert for that host name. If you're doing SSL offloading (without re-encrypting the LTM to pool connection) the behavior you're seeing on redirects to https:// is what you'll need the application to do as the client will expect references to the application to be made via https://.
Aaron
