Let me start by saying that I like Exchange 2007. However, I am convinced that when it came time to design Exchange 2007's certificate handling functions, the task was handed to someone with a true loathing for humanity.
We are rolling out Exchange 2007 in my organization and I'm working on figuring out certificates. Here's what I have learned so far:
- You need certificates for many of Exchange 2007's features. OWA, Autodiscover, ActiveSync and other services all use SSL for communication. Although you can disable SSL, it is not recommended.
- You need different certificates for different services. For example, if you have a server named "mail" and you use OWA, you'll need a certificate that protects "mail.yourdomain.com." Simple enough.
Now, bear in mind that the Exchange 2007/Outlook 2007 combination has a new feature called Autodiscover that makes it simple to connect to a mailbox. By default, non-domain Outlook 2007 clients look for https://Autodiscover.yourdomain.com/Autodiscover/Autodiscover.xml or https://yourdomain.com/Autodiscover/Autodiscover.xml in order to find settings. These URLs are hard-coded into Outlook 2007. So, in order to use Autodiscover for non-domain clients, you must use SSL.
Microsoft recommends that you create a DNS entry for autodiscover.yourdomain.com that points to your Exchange 2007 server. Alternatively, you could add a secondary IP address to your Exchange 2007 server and point the Autodiscover entry to that address.
If you use multiple IP addresses, you need a minimum of two certificates -- one for the mail server's services, such as OWA, and another for Autodiscover.
Some of you may be thinking that your existing wildcard certificate would do the trick. Unfortunately, if you plan to support Windows Mobile clients via ActiveSync, your wildcard certificate is about as useful as Clippy. Windows Mobile clients do not support the use of wildcard certificates on the server.
To address this issue, you can obtain a new kind of certificate known as a Unified Communications Certificate. This kind of certificate supports what is called Subject Alternative Names (SANs). In other words, a single certificate can protect multiple URLs and domains. These kinds of certificates are more expensive than regular certificates, but the expense is not prohibitive. Most of the major certificate vendors, including Comodo, Thawte and Verisign, sell them.
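To make the name-coverage problem from the last few paragraphs concrete, here is a small Python checker I wrote for this post; it is not Exchange code or anything from Microsoft. It builds the hostnames a deployment needs (the two hard-coded Autodiscover URLs plus the server names used for OWA and ActiveSync), then compares them against the names a certificate carries, reporting which hosts are only covered by a wildcard, which Windows Mobile clients will reject. The certificate name lists (`WILDCARD_CERT`, `UC_CERT`) and the domain `yourdomain.com` are constructed sample input; in practice you would feed it the Subject and SAN entries read from your own certificate.

```python
"""Check whether a certificate's names cover what Exchange 2007 needs.

Added example for this post, not Exchange or Microsoft code. Assumes you have
already extracted the certificate's subject and SAN names into a plain list.
"""
from urllib.parse import urlsplit

# Constructed sample inputs (not real certificates).
WILDCARD_CERT = ["*.yourdomain.com"]
UC_CERT = ["mail.yourdomain.com", "autodiscover.yourdomain.com", "yourdomain.com"]


def autodiscover_urls(smtp_domain):
    """The two URLs a non-domain Outlook 2007 client tries for an SMTP domain."""
    return [
        "https://%s/Autodiscover/Autodiscover.xml" % smtp_domain,
        "https://autodiscover.%s/Autodiscover/Autodiscover.xml" % smtp_domain,
    ]


def required_hostnames(smtp_domain, service_hosts):
    """Hosts that must be covered: the Autodiscover URL hosts plus the
    server names used for OWA/ActiveSync (e.g. mail.yourdomain.com)."""
    names = {urlsplit(u).hostname for u in autodiscover_urls(smtp_domain)}
    names.update(h.lower() for h in service_hosts)
    return names


def name_matches(pattern, hostname):
    """Certificate name matching as browsers do it: a wildcard may only be the
    whole leftmost label and matches exactly one label, so *.yourdomain.com
    covers mail.yourdomain.com but not yourdomain.com itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_coverage(cert_names, smtp_domain, service_hosts):
    """Return (missing, wildcard_only): hosts no name covers, and hosts covered
    only by a wildcard entry (unusable for Windows Mobile ActiveSync clients)."""
    missing, wildcard_only = set(), set()
    for host in required_hostnames(smtp_domain, service_hosts):
        exact = any(not n.startswith("*.") and name_matches(n, host) for n in cert_names)
        wild = any(n.startswith("*.") and name_matches(n, host) for n in cert_names)
        if exact:
            continue
        (wildcard_only if wild else missing).add(host)
    return missing, wildcard_only


if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("UC/SAN", UC_CERT)):
        missing, wild = check_coverage(names, "yourdomain.com", ["mail.yourdomain.com"])
        print("%s cert: missing=%s wildcard_only=%s" % (label, sorted(missing), sorted(wild)))
```

Run as a script it shows the wildcard certificate leaving the bare domain uncovered entirely and the mail and Autodiscover hosts covered only by the wildcard, while the SAN certificate covers everything with exact names.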
As we move along in our project at work, I'll run through the steps we used to secure our Exchange 2007 system.