Introducing the Microsoft Exchange 2010 Certificate Wizard
In modern-day messaging environments there are often as many users accessing their mailboxes from external clients as from MAPI clients, if not more. As with previous versions of Exchange Server, Exchange 2010 provides feature-rich access from a variety of clients, including Exchange ActiveSync devices, Outlook Web Access, Outlook Anywhere, and the traditional POP/IMAP capabilities. With all of these external clients come a few requirements and considerations, namely security. We must allow traffic through the corporate firewall to the Exchange 2010 server that is functioning as the Client Access Server, and that traffic should pass through a firewall capable of performing application- and transport-level packet inspection. In addition, the traffic from these clients always crosses the Internet and therefore needs to be secured. Historically, the way to secure external traffic has been Secure Sockets Layer (SSL) for HTTP, and that remains true with the Exchange 2010 release.
Exchange 2007 introduced, for the first time, a new requirement for the server certificate used for SSL on the Client Access role: it had to be a Subject Alternative Name certificate, otherwise known as a Unified Communications certificate, capable of storing multiple names. This was due largely to the internal and external names used to connect to Client Access, in addition to the Autodiscover records used to facilitate EAS and Outlook Anywhere automatic configuration. In Exchange 2007, administrators were forced to use EMS cmdlets to create certificate requests, import the obtained certificate, and validate it for use with Exchange services. This is a frequent complaint that I have heard, because these functions are not just a single one-time effort. Many organizations have multiple CAS machines, and certificates expire, so administrators have to learn one of the more complicated cmdlets I have dealt with as an Exchange trainer and administrator.
Exchange 2010 has a new and enhanced version of the Exchange Management Console (EMC) that includes the ability to work with Exchange certificates from the graphical interface. Administrators can still use the EMS if they so desire, but the wizard can take all the appropriate steps for them. Not only does the wizard eliminate the requirement to use the shell, it also provides a great deal of guidance on the names that need to be configured for the certificate to work properly, and it suggests the type of certificate required. The wizard is accessible at the Server Configuration node without selecting an individual role. Selecting a server in the details pane makes the New Exchange Certificate command available in the Actions pane or from the context menu. The wizard walks administrators through enabling and configuring the external host names for OWA, EAS, Outlook Anywhere, Autodiscover, POP, IMAP, and SMTP (if the server is also a Hub Transport). The wizard is essentially running the New-ExchangeCertificate cmdlet and producing an encoded certificate request file. That file is then taken to a Certificate Authority and submitted as a certificate request.
The Certificate Authority that you choose is really up to you; the only requirement is that it support SAN, UC, and/or wildcard certificates. The choice should always be a public CA so that all external clients will natively trust the certificates issued by that root authority. Once the request is submitted to the Certificate Authority, administrators must wait for the certificate to be issued. Once the certificate is issued, usually in the form of a *.cer file, the administrator can once again use the EMC to complete the process. When a server is selected in the details pane, the certificates for that server are listed in the Work Center below. The certificate request made earlier is listed here, and the administrator can select it and launch the Complete Pending Request wizard, which is associated with the Import-ExchangeCertificate cmdlet. Essentially this cmdlet only has a single parameter, which is the path to the certificate file issued by the Certificate Authority. Once the certificate is imported, the Actions pane task Assign Services is used to associate services with the newly imported certificate. This task is associated with the Enable-ExchangeCertificate cmdlet.
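The same request, import and assign sequence as the wizard, typed into the Exchange Management Shell, with a check that the issued certificate covers every requested name before services are bound to it. This is an added example, not part of the original article; the host names and file paths are placeholders, and in the Exchange 2010 shell the issued file is handed to Import-ExchangeCertificate as bytes through -FileData.

```powershell
# Run in the Exchange Management Shell on the Client Access server.
# Host names and file paths are placeholders (assumptions), not from the article.
$names   = 'mail.contoso.com', 'autodiscover.contoso.com', 'cas01.contoso.local'
$reqFile = 'C:\Certs\cas01.req'
$cerFile = 'C:\Certs\cas01.cer'

# 1. Generate the request: the first name becomes the subject CN and
#    every name is written into the Subject Alternative Name extension.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=$($names[0])" `
    -DomainName $names `
    -FriendlyName 'CAS SAN certificate' `
    -KeySize 2048
Set-Content -Path $reqFile -Value $req

# 2. Submit $reqFile to the Certificate Authority and save the issued
#    certificate as $cerFile. The remaining steps run after it arrives.

# 3. Complete the pending request with the issued *.cer file.
$bytes = [byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Refuse to go further if the CA dropped a name or issued a short-lived
#    certificate. This is an exact-match check; a wildcard certificate
#    would need pattern matching instead.
$covered = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $covered -notcontains $_ }
if ($missing) {
    throw "Issued certificate lacks: $($missing -join ', ')"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Issued certificate expires on $($cert.NotAfter)"
}

# 5. Assign services. Add SMTP only if the server is also a Hub Transport.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP'

# Renewal watch: list this server's certificates, soonest expiry first.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Services, NotAfter
```

Running the final pipeline on each CAS machine shows which certificate will expire first and which services depend on it.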
The types of certificates are the same in Exchange 2010, so Exchange 2007 administrators will already be familiar with the function and purpose of these certificates. What has gotten so much easier is the ability to create and manage these certificates entirely from within the graphical interface of the EMC. Regardless of how many CAS machines are present in the organization or how short the lifetime of a certificate, administrators are never required to use the EMS to generate and manage certificates.
About K Alliance:
K Alliance is a recognized leader in educational solutions, providing first-class e-learning materials in courses for Microsoft, Cisco, CompTIA, Novell and many others. Our Microsoft Exchange Server training delivers specialized information involving the management, optimization and administration of all aspects pertaining to Exchange. Very comprehensive in nature, our Microsoft Exchange 2010 training videos discuss everything from the flexibility to customize Exchange to your particular requirements to high availability, disaster recovery and enhanced mailbox resiliency. Not only do we offer the best instructional online videos to satisfy your training needs, our MCTS Exchange Server 2010 Configuration CBT solution affords the simplicity of a high-grade education: insert a DVD into your hardware system and begin your high-definition graphic demonstrations and presentations, quiz assessments, in-depth discussions and more, all designed to elevate your capabilities and instill all of the new functionality of Exchange 2010. For professionals seeking certification in order to advance their careers and their current knowledge, we offer IT certification training with MCITP Enterprise Messaging Administrator 2010.
If you would like to receive permission to use our articles on your website, you may contact us at permission@kalliance.com.


