
Installing Exchange Server 2010 : Post-setup configuration (part 2) - Add a certificate to the Client Access Server role

1/18/2011 2:55:48 PM

5 Add a certificate to the Client Access Server role

When the Exchange Server 2010 Client Access Server role is installed, a self-signed certificate is installed automatically, primarily for testing purposes. However, as soon as the installation is finished, a real certificate should be acquired and installed. Exchange Server 2010 uses a Unified Communications certificate, which besides its Subject Name holds other names as well, called Subject Alternative Names (SAN). For example, the Subject Name could be webmail.yourdomain.com and the Subject Alternative Names could be autodiscover.yourdomain.com and mail.yourdomain.com.

To request a certificate you can either use the Exchange Management Console or the Exchange Management Shell. When using the Exchange Management Console (after all, we are Windows administrators, right?) use the following steps:

  1. Log on to the Exchange Server 2010 Client Access Server and open the Exchange Management Console.

  2. In the navigation pane, expand "Microsoft Exchange On-Premises."

  3. In the navigation pane, click on "Server Configuration."

  4. In the top half of the middle pane you'll see your Exchange Server, including your Edge Transport Server, and in the bottom half you'll see the corresponding certificate. This is the self-signed certificate that's created during the installation of your Exchange server.

  5. In the actions pane click on "New Exchange Certificate," and the New Exchange Certificate wizard is shown. Enter a Friendly Name, for example "Exchange Server". Click Next to continue.

  6. The next page is the Exchange Configuration where you can determine the usage of the certificate. Select the following services:

    • Client Access Server (Outlook Live)

    • Client Access Server (Exchange ActiveSync)

    • Client Access Server (Web Services, Outlook Anywhere and Autodiscover).

  7. In all three options, enter the external hostname for your organization. In the last option also select "Autodiscover used on the Internet" and select the proper URL. The default is the Long URL like autodiscover.yourdomain.com. Click Next to continue.

  8. In the Organization and Location page you have to enter your company specific details like Organization, Organizational Unit, Country, etc. In the Certificate Request File Path click Browse to enter a location for the Certificate Request File. Enter a filename like c:\Exch-Cert.req and click Save. Click Next to continue.

  9. On the Certificate Configuration page check your certificate request details and, if all is OK, click New to generate the request file.

  10. On the completion page you'll see the PowerShell command that was used for generating this certificate request. If needed you can use CTRL-C to copy the contents of this page to the server's clipboard. Click Finish to continue.

You can find the file c:\Exch-Cert.req on your server. This file looks something like this:



To request a new certificate, you have to submit this file to your Certificate Authority. Microsoft has a list on their support website of supported vendors who can supply Unified Communications certificates: HTTP://TINYURL.COM/CERTVENDORS.

On the Exchange Certificates tab in the Exchange Management Console, you'll see a new entry, and the parameters you entered in the previous step can be identified here.

When you receive the certificate from your authority follow these steps:

  1. Save the certificate on the hard disk of your server.

  2. In the Exchange Management Console, on the Exchange Certificates tab, right-click the new certificate and select "Complete Pending Request."

  3. Browse to the file you stored in Step 1 on the hard disk.

  4. Follow the wizard to complete the certificate request and finish the installation.

  5. In the Exchange Management Console, on the Exchange Certificates tab select the original, self-signed certificate, right-click it, and select Remove to remove this certificate from the Exchange Server 2010 server.

  6. Using Internet Explorer, open Outlook Web App (using HTTPS://LOCALHOST/OWA) and check the new certificate. Ignore the certificate error message you will receive: it appears because the name "localhost" is not in the certificate.

You can also use the Exchange Management Shell to request a new certificate:

  1. Log on to the Exchange Server 2010 server with domain administrator credentials and open the Exchange Management Shell.

  2. Since the –Path option is no longer supported in Exchange Server 2010, you first have to store the request in a variable and then, in a second command, write it to the actual file:
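The two-step request described above, as an added example (not the book's own listing), with the hostnames and organization details as placeholders and the SAN list taken from the example names earlier in this section:

```powershell
# Added example: generate a SAN certificate request from the Exchange
# Management Shell on Exchange Server 2010 and write it to c:\Exch-Cert.req.
# Organization and hostnames below are placeholders.

# Names the certificate must cover: the Subject Name plus every SAN that
# clients will actually use (webmail, autodiscover and mail in this example).
$SubjectName = "C=NL, O=Yourdomain Ltd, CN=webmail.yourdomain.com"
$SanNames    = "webmail.yourdomain.com", "autodiscover.yourdomain.com", "mail.yourdomain.com"

# -GenerateRequest returns the Base64 PKCS#10 request as text instead of
# installing anything; an exportable key lets the same certificate be moved
# to a second Client Access Server later.
$Data = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Exchange Server" `
    -SubjectName $SubjectName `
    -DomainName $SanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048

# Second step: write the request out. This is the file handed to the CA.
Set-Content -Path "c:\Exch-Cert.req" -Value $Data

# Sanity check before submitting: the pending request is listed with its
# thumbprint but no services, so it can be matched when the CA answers.
Get-ExchangeCertificate | Where-Object { $_.Status -eq "PendingRequest" } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```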



Your certificate authority will send back a certificate that can be imported on the Client Access Server using the Import-ExchangeCertificate cmdlet in the Exchange Management Shell. The output of this cmdlet can be piped into Enable-ExchangeCertificate to enable the certificate right after importing it:

  1. Log on to the Exchange Server 2010 server with domain administrator credentials and open the Exchange Management Shell.

  2. Enter the following command:
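The import-and-enable command described here, together with the removal of the self-signed certificate from the console procedure above, as an added example (not the book's own listing). The certificate file path, the required names and the service list are assumptions; the check assumes a SAN certificate with explicit names rather than a wildcard.

```powershell
# Added example: import the certificate returned by the CA, enable it for the
# Client Access services, then remove the setup-created self-signed certificate.
# File path, required names and service list are assumptions.

# Import-ExchangeCertificate takes the raw bytes of the issued certificate;
# -ReadCount 0 makes Get-Content return one byte array, not one byte per line.
$CertFile = "c:\Exch-Cert.cer"
$Cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CertFile -Encoding Byte -ReadCount 0))

# Check that every name clients use is actually in the certificate before
# enabling it; a missing SAN is the usual cause of certificate warnings.
$Required = "webmail.yourdomain.com", "autodiscover.yourdomain.com"
$Domains  = @($Cert.CertificateDomains | ForEach-Object { "$_" })
$Missing  = $Required | Where-Object { $Domains -notcontains $_ }
if ($Missing) { throw "Certificate does not cover: $($Missing -join ', ')" }

# Bind the certificate to IIS (OWA, EAS, Web Services, Autodiscover, Outlook
# Anywhere) and to POP3/IMAP4. Enable-ExchangeCertificate reads the thumbprint
# from the pipeline.
$Cert | Enable-ExchangeCertificate -Services "IIS,POP,IMAP"

# Remove the self-signed certificate created by setup, matched by its own
# properties rather than by position in the list. The setup certificate is also
# the default SMTP certificate, so it is left alone while SMTP is still bound
# to it; move SMTP to another certificate first if you want it gone.
Get-ExchangeCertificate |
    Where-Object { $_.Issuer -eq $_.Subject -and
                   $_.Thumbprint -ne $Cert.Thumbprint -and
                   "$($_.Services)" -notmatch "SMTP" } |
    Remove-ExchangeCertificate -Confirm:$false

# Final state: the new certificate should be the only one carrying IIS.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```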



The Client Access Server role is responsible for handling all client requests with respect to mailbox access. This means Outlook Web App, POP3 and IMAP4, Outlook Anywhere and ActiveSync all have to be configured on the Client Access Server role. New in Exchange Server 2010 is the fact that the Client Access Server now also handles all MAPI requests. So Outlook clients no longer connect to the Mailbox Server role directly, but to the Client Access Server instead. This functionality is called "RPC Client Access"; its codename was "MAPI on the Middle Tier" or MoMT.

In this section, I will briefly focus on Outlook Web App, Outlook Anywhere and ActiveSync. A prerequisite for the proper functioning of these services is that a valid Unified Communications certificate from a trusted vendor, with the proper Subject Alternative Names, is installed as described in Section 2.7.5. Since the Client Access Server is on the same box as the Mailbox Server, no special configuration is needed for the MAPI clients.

  1. Log on to the Exchange Server 2010 server with domain administrator credentials and open the Exchange Management Console.

  2. In the navigation pane expand "Microsoft Exchange On-Premises."

  3. In the navigation pane expand "Server Configuration."

  4. Click on "Client Access."

  5. In the lower part of the results pane you can select the tabs for Outlook Web App, Exchange ActiveSync, Offline Address Book Distribution and POP3 and IMAP4. From here, you can now configure the various aspects of the Client Access Server.

Outlook Web App

  1. To configure Outlook Web App select the Outlook Web App tab, right-click on OWA (Default Website) and select its properties.

  2. In the External URL field, enter the URL that users will use when connecting to the OWA site from the Internet. Make sure that this name corresponds to the name used in the certificate you installed in the previous section.

  3. Click OK to close the properties page.

Exchange ActiveSync

  1. On the Exchange ActiveSync tab, right-click the Microsoft-Server-ActiveSync and select its properties.

  2. In the External URL field, enter the URL that users will use when connecting to the OWA site from the internet. Make sure that this name corresponds to the name used in the certificate you installed in the previous section.

  3. Click OK to close the properties page.

NOTE

Testing your Exchange Server 2010 ActiveSync setup is always difficult. To avoid needing a real mobile device you can use an emulator for testing purposes. Microsoft has several emulators available on the Microsoft download site, and you can download the Windows Mobile 6.5 emulator here: HTTP://TINYURL.COM/WINMOB6. Just install it on your computer or laptop, connect it to your local network adapter and start configuring the device. When you have the proper connectivity you can even test it from home – this works great!

Figure 1. Windows Mobile 6.5 working with an Exchange Server 2010.

Outlook Anywhere

Outlook Anywhere uses the HTTP protocol to encapsulate the RPC traffic between the Outlook client (versions 2003 and 2007) and the Exchange Server 2010 server. For this service to run properly the RPC over HTTP Proxy service has to be installed on the Client Access Server. This can be achieved either by adding it as a feature via the Server Manager, or by entering the following command at a PowerShell command prompt:



  1. Open the Exchange Management Console.

  2. In the navigation pane, expand "Microsoft Exchange On-Premises."

  3. In the navigation pane, expand "Server Configuration."

  4. Click on "Client Access" and select your Client Access Server.

  5. In the Actions pane, click on "Enable Outlook Anywhere."

  6. On the Enable Outlook Anywhere page, enter the External host name. Make sure that this name is also present in the certificate you created in the previous section. Select the authentication method used by clients, i.e. Basic Authentication or NTLM authentication. For now leave these settings at their defaults and click Enable to continue.

  7. This activates the Outlook Anywhere service on this server; it may take up to 15 minutes before the service is actually usable on the Client Access Server. Click Finish to close the wizard.
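The Client Access configuration from the three procedures above (OWA and ActiveSync external URLs, the RPC over HTTP Proxy feature and Outlook Anywhere), done from the Exchange Management Shell as an added example that is not the book's own listing. The server name and external hostname are placeholders, and the certificate check assumes explicit SAN names rather than a wildcard.

```powershell
# Added example: set the external URLs for OWA and ActiveSync, install the RPC
# over HTTP Proxy feature and enable Outlook Anywhere, checking first that the
# external name is covered by the certificate bound to IIS. Placeholders below.
$Server   = "CAS01"
$External = "webmail.yourdomain.com"

# The certificate enabled for IIS is the one browsers, phones and Outlook
# Anywhere clients will see; every external URL must use one of its names.
$IisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$Domains = @($IisCert.CertificateDomains | ForEach-Object { "$_" })
if (-not $IisCert -or $Domains -notcontains $External) {
    throw "$External is not in the certificate enabled for IIS on $Server"
}

# External URLs must match the certificate name; otherwise clients get
# name-mismatch warnings like the localhost case in the previous section.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$External/owa"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$External/Microsoft-Server-ActiveSync"

# Outlook Anywhere needs the RPC over HTTP Proxy Windows feature on the CAS.
Import-Module ServerManager
Add-WindowsFeature RPC-over-HTTP-Proxy

# Basic authentication sends the password on every request, protected only by
# TLS, so SSL offloading stays off here. -DefaultAuthenticationMethod sets the
# client and IIS methods together; switch to NTLM once clients support it.
Enable-OutlookAnywhere -Server $Server -ExternalHostname $External `
    -DefaultAuthenticationMethod Basic -SSLOffloading $false

# Verify the result; as noted above, it can take up to 15 minutes to become usable.
Get-OutlookAnywhere -Server $Server | Format-List ExternalHostname, SSLOffloading
```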
