Posts Tagged ‘SAN’

How to get external SAN UC SSL certificates that work with OCS 2007 R2 and avoid having to read 100 blog posts!

Been reading up on external and internal DNS names used by OCS 2007 R2 ? Your head stopped spinning yet? So you’ve decided on what FQDN’s to use, next step order some SSL certificates, should be easy enough right, You allready figured out You need SLL certificates that are Unified Communications Certificates (UCC) enabled. In my example I will use GlobalSign Domain Validated SAN’s, if I needed multiple domains for example for @sole.dk and @soleit.dk, I would choose GlobalSign Organisation Validated SAN’s instead.

For a GlobalSign SSL certificate to be UCC enabled, it must use SAN domains, no other way of enabling it. So no point in spending lots of budget on seperate SSL certificates for each service. SAN Subdomains are also quite alot cheaper than buying seperate SSL certificates.

One of the tricky parts of Office Communications Server 2007 R2 and SSL certificates, is that You can not use one single SAN SSL for all services, if You intend to use port 443 for all services!

Why would we only use port 443 ? Read the rest of this entry »

How to configure Exchange 2007 and ISA with FBA and NTLM, without loosing ActiveSync on the way

Basicly we are here, because we want to use Forms Based Authentication (FBA) for our Outlook Web Access (OWA) users in Exchange 2007, while still using NTLM/Kerberos authentication for Outlook Anywhere (OA), wich in turn means less entering of the users password, while still not killing our ActiveSync clients since they only run Basic authentication.

Confused? let me try and make it easier.

  • We prefer FBA for OWA, it is just more nice for the user to get a webpage to login to their OWA.
  • We prefer NTLM for OA, it gives less password prompts and well it sounds safer than basic authentication
  • We still want ActiveSync with Basic, but it fails if we use NTLM on our connection as well so we need to seperate them

ISA Rules

What is the solution? Well its rather simple, we configure our services to use the authentication as we prefer, but we need to do some configuring of public DNS, Public IP’s and ISA to get all 3 authentication schemes to work at the same time. Basicly NTLM and Forms Based Authentication just does not mix. If you use FBA on a listener in ISA it will always fallback to Basic authentication if the client does not support FBA. It is not possible to use NTLM and FBA on the same ISA 2006 listener.

I have added screenshots of the important bits of the configuration in the bottom, and You should have all the required info to get it working, but You will need some basic knowledge of how to setup up Exchange 2007, ISA 2006 with Exchange 2007, etc. Read the rest of this entry »