Exchange 2013 Internal and External URLs with multiple servers and certificates

ssl-certificate domain-name exchange-2013 autodiscovery dag

I'm building a lab with two Exchange 2013 Servers with different internal names and only one external URL, the naming schema is something like this:

Internal Names:

exchange1.local.example.com
exchange2.local.example.com

External URL:

exchange.example.com

In this schema local.example.com is the AD zone and example.com is my external domain.

Both servers are using private IP addresses and there's port forwarding to make the server exchange1 able to talk with the WAN.

My problem now is how to configure the internal and external URL's on Exchange Control Panel to avoid misconfiguration and certificate errors.

A lot of guides on the internet says to put both URLs equal using the external name, but I'm not sure if this is the right way to do this. There's a DAG with both servers and I'm worried how this would work setting equal internal and external URLs on different servers.

Another thing that keeps me confused, is about the certificates. I've two Wildcard certificates for those domains:

*.local.example.com
*.example.com

How Exchange will match those certificates with different URL schemas? In the certificates selection I must choose which services will be guaranteed by the certificates, but I'm not able to use more than one certificate for a single server on ECP. Some guides on the web says that the certificate will match accordingly, but this isn't really what happens.

Thanks in advance,


Using a wildcard certificate will be problematic in your situation, as internal and external names are in separate domains. Rather than a Wildcard certificate, request a SAN (Subject Alternative Name) certificate for your Exchange servers to cover all the host names you require.

In your example, the Subject of the certificate would be exchange.example.com, and the Subject Alternative Name list for the certificate would include exchange.example.com, exchange1.local.example.com, exchange2.local.example.com.

If you would like to avoid a 'split DNS' situation (where you would have exchange.example.com resolve to a public IP address externally and a private IP address internally), you could add a fourth SAN to the certificate (exchange.local.example.com) and set your internal and external URLs appropriately.

Related

Why nfs transfer speed is slower than http?
Unable to create Home Directory for LDAP Login
gammu-smsd daemon not sending SMS messages
What difference does slash make in apache2.conf?
Simple NAT64 with Jool and Debian 11
NAT64 on Debian
How to combine YAMLfiles in Python?
Confusing Python version
wget failed: Connection timed out
Choice of NAT64 prefix
Can I limit the length of an array in JavaScript?
git .ignore not working in a directory