Mark Minasi's Reader Forum
 CASArray Name and Split-DNS

MadCow
Posted - 07/10/2012 : 12:41:25 PM
Exchange 2010 SP2. 2 A/P DAG members. Only 2 mailboxes on the server for now.

I ran into an issue yesterday when I set up my webservices URL to my CASArray name. Since the CASArray name was not present on my SAN Certificate, the 2 Outlook users started getting the certificate error: "the name of the security certificate is invalid or does not match the name of the site".

To resolve this issue I removed the CASArray name and added a name "webmail.domain.com" as the casarray name which is present on my SAN Certificate and it is also the name of the NLB. This resolved the issue.

The concern I have now is that my CASArray name is also resolvable from the internet, and I know this is not good practice and may slow down Outlook or Outlook Anywhere access. Currently I only have 2 mailboxes. We don't use Outlook Anywhere and don't plan to use it.

Should I use a different name for the CASArray name, or will I be OK? I can use Autodiscover.domain.com as my CASArray name since it is also on the SAN Certificate.

I also read that the CASArray name should not be present on the SAN certificate ...but I am finding this information to be untrue.

Please advise.

Thank you


Sunny
__________________________________________________________________________


"Everyone is susceptible to the notion that when you begin to do well, you begin to see no boundary lines and forget the rules apply" - Eliot Spitzer

Edited by - MadCow on 07/12/2012 09:34:06 AM

NMDANGE
Posted - 07/12/2012 : 11:24:08 AM
The CAS Array Name (I am referring to the Fqdn attribute when you run Get-ClientAccessArray) is only used for MAPI/RPC. This does not use SSL and does not require a certificate.

Your web services URL should match your OWA URL; it should not match your CAS Array Name.

Michael D'Angelo
(former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)
(MS)NMDANGE
PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org
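
The check below is an added example, not part of the original posts. Run in the Exchange Management Shell on Exchange 2010, it collects the host names from the HTTPS URLs (EWS, OWA, OAB and the Autodiscover SCP) and reports whether each one is on the IIS-bound certificate and whether it coincides with the CAS array Fqdn. The helper name `Test-NameOnCert` is hypothetical; the cmdlets are the standard Exchange ones.

```powershell
# Added example: compare the HTTPS host names with the certificate names
# and with the CAS array FQDN (which is only the MAPI/RPC endpoint).

# Hypothetical helper: exact match, or a wildcard covering exactly one label.
function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -ieq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

# CAS array FQDN(s), the attribute referred to in the post above
$arrayNames = @(Get-ClientAccessArray | ForEach-Object { "$($_.Fqdn)" })

# Subject and SAN names of the certificate(s) enabled for IIS
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() } |
    Sort-Object -Unique)

# HTTPS URLs configured on the Client Access servers
$urls = @()
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }

# One row per distinct host name (unset URLs are skipped)
$urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host } |
    Sort-Object -Unique |
    ForEach-Object {
        New-Object PSObject -Property @{
            HostName       = $_
            OnCertificate  = (Test-NameOnCert -HostName $_ -CertNames $certNames)
            SameAsCasArray = ($arrayNames -contains $_)
        }
    } | Format-Table HostName, OnCertificate, SameAsCasArray -AutoSize
```

A row with `OnCertificate` False is a name Outlook will raise the certificate-name warning for; a row with `SameAsCasArray` True shows an HTTPS URL that has been pointed at the CAS array name.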

aval
Posted - 07/13/2012 : 7:19:02 PM
Any luck? Otherwise, I can confirm that you do not need the name of the CAS Array on the cert for the reason Michael already gave. This has been discussed more than once in the Exchange TechNet forums and while anyone can make a mistake, that would be a lot of Exchange MVPs (like Simon Butler) who are wrong on this.

Jazzy
Posted - 07/14/2012 : 03:08:22 AM
You're both right, MAPI traffic is not SSL so it doesn't need a cert.

Jetze Mellema

Exchange specialist
Former MVP (2005-2012)
My blog: http://jetzemellema.blogspot.com (Dutch)
My company: http://www.imara-ict.nl/

MadCow
Posted - 07/16/2012 : 08:34:25 AM

Thanks All.

I don't tend to disagree with you all.

I had my CASArray named CASArray.mydomain.com and the Outlook users started getting this dialog box: "the name of the security certificate is invalid or does not match the name of the site". This name is not on the SAN Certificate.

Then I removed the CASArray and changed my CASArray name to Autodiscover.mydomain.com ..... since this name is on my SAN Certificate the users are fine now. No Certificate errors.


Sunny
__________________________________________________________________________


"Everyone is susceptible to the notion that when you begin to do well, you begin to see no boundary lines and forget the rules apply" - Eliot Spitzer