Channel: Forefront TMG and ISA Server forum

How to correctly setup certificates on TMG and Exchange 2010


Hi,

I have seen the MS best practice on how to generate an SSL certificate request with several SANs on Exchange, then send it to an external CA, import it, then export it with the private key and import it again on TMG to use it in the listener.

The problem is that we are taking over an environment with the following non-standard setup:

1. 1xTMG 2010 Std SP2, Single NIC, Public IP

- OWA publishing rule with separate owa.external.com SSL certificate - signed by external CA
- Autodiscover publishing rule with separate autodiscover.external.com SSL certificate - signed by external CA

Both rules are sending requests to Exch2010 CAS array NLB casnlb.internal.com. 

2. 2x Exch2010 CAS, NLB casnlb.internal.com

- certificates in the personal stores on the CAS servers: casnlb.internal.com signed by the local CA, with SANs of CAS1, CAS2, owa.external.com, external.com, autodiscover.external.com

Questions:

1. Having a single-NIC TMG with a public IP, with a rule of "No delegation, allow authenticate directly", is probably not a best practice security-wise, correct? Switching TMG to two-NIC mode to make the firewall engine functional would be an improvement, right?

2. Based on the certificate setup mentioned above, OWA communication between the Internet and TMG is encrypted by the owa.external.com cert; however, this certificate is missing on CAS1 and CAS2, therefore OWA communication between TMG and Exchange is not encrypted. Would it be enough to just import those owa.external.com and autodiscover.external.com certificates on CAS1/2? Is there anything else that must be done on Exchange (run commands to assign services to those certificates?)

3. What about this internal casnlb.internal.com certificate? Is it really necessary to have a certificate for the DNS name of the CAS NLB IP address?

4. Exchange CAS1/2 don't have access to the internet, so there will be a problem with those external certificates, as the Exchange CAS servers will not be able to connect to the CRL.

Any tips on how to solve this? Thanks
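The certificate workflow the post refers to (request with several SANs on a CAS, submit to the external CA, import, bind to services, export with the private key, re-import on the other CAS and on TMG), written out as an added example in the Exchange 2010 Management Shell. This is not code from the original post or from Microsoft's documentation; the organisation string, the C:\cert\ paths and file names and the friendly name are assumptions, while the host names (owa.external.com, autodiscover.external.com) and server names (CAS1, CAS2) are the ones given in the post. The final two steps are plain certutil commands for the TMG import and for checking CRL reachability from a CAS.

```powershell
# Added example, not from the original post. Run in the Exchange 2010
# Management Shell on CAS1. Assumed: "O=Contoso, C=US", the C:\cert\ folder,
# the file names, the friendly name, and interactive PFX password prompts.

# 1. Generate the request on CAS1. The key must be exportable so the same
#    certificate can later be installed on CAS2 and on the TMG listener.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=owa.external.com" `
    -DomainName owa.external.com, autodiscover.external.com `
    -PrivateKeyExportable $true `
    -FriendlyName "owa.external.com (CAS + TMG listener)"
Set-Content -Path C:\cert\owa.req -Value $req

# 2. Submit C:\cert\owa.req to the external CA, save the issued certificate as
#    C:\cert\owa.cer, then import it on the CAS that holds the private key.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path C:\cert\owa.cer -Encoding Byte -ReadCount 0))

# 3. Bind the certificate to services. A certificate that only sits in the
#    personal store is not used by the CAS web sites; IIS covers OWA, ECP,
#    EWS, ActiveSync and Autodiscover.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Export with the private key (PKCS#12) for CAS2 and for TMG. Get-Credential
#    is used only as a password prompt; the user name it asks for is ignored.
$pfxPassword = (Get-Credential).Password
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path C:\cert\owa.pfx -Value $pfx.FileData -Encoding Byte

# 5. Install the same PFX on CAS2 from this shell (-Server targets the other
#    CAS) and bind it there too, so both NLB members present the same cert.
$cert2 = Import-ExchangeCertificate -Server CAS2 -Password $pfxPassword `
    -FileData ([Byte[]]$(Get-Content -Path C:\cert\owa.pfx -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server CAS2 -Thumbprint $cert2.Thumbprint -Services IIS

# 6. Verify: both CAS servers should list the same thumbprint with IIS bound
#    and both external names under CertificateDomains.
foreach ($cas in "CAS1", "CAS2") {
    Get-ExchangeCertificate -Server $cas |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        Format-List FriendlyName, Thumbprint, CertificateDomains, Services, NotAfter
}

# 7. On the TMG server, from an elevated prompt (not the Exchange shell), import
#    the PFX into the local machine Personal store and then pick it in the web
#    listener properties:
#    certutil -f -p "<pfx password>" -importpfx C:\cert\owa.pfx

# 8. From a CAS with no direct internet access, check whether the issuing CA's
#    CRL and AIA URLs can be fetched; failures in the -urlfetch output show which
#    URL needs a proxy setting or an outbound TMG rule.
certutil -verify -urlfetch C:\cert\owa.cer
```

Step 3 is the "assign services" part: Enable-ExchangeCertificate -Services is what switches the IIS bindings to the new certificate, and the same call has to be made on each CAS (step 5), because the NLB name does not replicate certificates between members.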

