
We are currently running Exchange 2007. All our clients access the EWS service in Outlook via the internal server name server.domain.local. For this we use a self-signed certificate from the domain's CA. For OWA we would like to use an official certificate, as it needs to be accessible from anywhere, e.g. https://owa.domain.com/. In order to access OWA, we have a public IP NATting (:443 and :80) to the Exchange server.

How can I install a separate certificate only for OWA (and maybe ECP)? I can only add one certificate per IP, and as IIS only knows the internal IP there is no way to assign a public certificate.

The following two screenshots concern the IIS configuration:

[Screenshot: IIS Sites]

[Screenshot: Bindings of IIS]

joelschmid

2 Answers

Quick EDIT: In case anyone feels like correcting me... Yes, you can use SNI to achieve quasi multiple certs on one website, but I have not gone into any of these as they involve far more work than the option below. The below is what I have seen done by all IT professionals my whole career. --End EDIT

You CANNOT use two different certificates for one website. This is universal and not related to Exchange. Since Exchange leverages IIS for its web services you cannot do this. You have two options:

When you buy your new public cert, add BOTH domain names. Add your external address as the primary and add your internal address as an additional SAN. This way, when clients request the web services using either address, they will match a name on the cert. This is probably your easiest approach.

Your other approach is to not use NAT and use a reverse proxy. A reverse proxy presents a web front end to the outside world - in your case to listen on the external URL and use the public cert for this. Then configure the rules on the reverse proxy to "proxy" any requests to this URL to come out the back end as your internal name. A reverse proxy actually creates end-to-end encryption to the external user using the public cert, and "proxies" the traffic through to the internal side using the local cert on the IIS server with the local name (it "translates" the URL from the external to the internal one). If you are unfamiliar with reverse proxies do a google, the concept isn't that hard to get.

Mucker
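The first option above, carried through as an added example (this is not code from the original answer): one public certificate with owa.domain.com as the subject and server.domain.local as an additional SAN, requested, imported and bound to IIS from the Exchange 2007 Management Shell, with the OWA and EWS virtual directories pointed at the names clients actually use. File paths, the organization string in the subject and the server name are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange 2007 Client Access server that will hold the private key.
# Names, paths and the organization string are assumptions for illustration.

$externalName = 'owa.domain.com'
$internalName = 'server.domain.local'
$requestFile  = 'C:\certs\owa.req'
$issuedCert   = 'C:\certs\owa.cer'   # the signed certificate the public CA returns

# 1. CSR with the public name as CN and BOTH names as SANs (-DomainName is multi-valued).
New-ExchangeCertificate -GenerateRequest `
    -Path $requestFile `
    -KeySize 2048 `
    -SubjectName "C=CH, O=Example Org, CN=$externalName" `
    -DomainName $externalName, $internalName `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange public SAN certificate'

# 2. Submit $requestFile to the public CA. When the signed certificate comes back,
#    import it on the SAME server (that is where the private key lives) and bind it
#    to IIS; OWA, EWS, Autodiscover and ActiveSync all share the one site binding.
$cert = Import-ExchangeCertificate -Path $issuedCert
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Advertise the matching names: internal clients keep using server.domain.local
#    for EWS, external users reach OWA and EWS through owa.domain.com.
$server = $env:COMPUTERNAME
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -ExternalUrl "https://$externalName/owa"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$internalName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$externalName/EWS/Exchange.asmx"

# 4. Check: both names must be listed under CertificateDomains and IIS under Services.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter
```

Two things to verify afterwards: that the public CA actually issued both names (some CAs drop internal, non-public SANs such as .local), and that the old self-signed certificate is no longer the one enabled for IIS, since a client that still sees it for server.domain.local will warn even though the new certificate covers that name.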

Basically, you should have a second NIC for this.

If another NIC is not an option, try adding a virtual IP to the NIC, and then assign the certificates.
I tried it once myself and it half worked, but didn't have enough time to do more testing.

EliadTech
  • This is incorrect. If you assign a separate NIC, it means using a different IP address. And that new IP address needs to be associated with a different WEBSITE. The OP requires ONE website, where a virtual directory (subsite of the website) needs to use a different certificate. Doing what this answer says will not achieve this. – Mucker Aug 28 '23 at 11:51
  • @Mucker you actually CAN do it. An IIS web site can have multiple bindings and each binding can be associated with a different IP address and use its own certificate. Note that I'm **not** recommending this (especially for Exchange), but it's technically possible. – Massimo Aug 28 '23 at 12:30
  • @Massimo you are right, you can assign multiple IPs to the same site. I think I didn't consider this because I have never seen anyone assign 2 IPs to bind 2 certs to the same website. Also what threw me off was the extra NIC; to achieve the binding of two certs, you only need an extra IP, not an extra NIC. If you look at my answer below, this is by far the easier and better approach (getting a cert with 2 names) and this is how it's done in the industry. – Mucker Aug 28 '23 at 12:40
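The variant the comments settle on (a second IP address on the existing NIC, one HTTPS binding per address on the single Default Web Site, and a different certificate on each), carried through as an added example that is not from the answer or the comments. It assumes Windows Server 2008 / IIS 7 with netsh and appcmd; the interface name, addresses, mask and certificate thumbprints are placeholders.

```powershell
# Added example, not from the original page. Assumes Windows Server 2008 / IIS 7.
# The existing internal address keeps the domain-CA certificate; the public IP is
# NATted to the new second address, which gets the public certificate.
# Interface name, addresses, mask and thumbprints are assumptions for illustration.
$ErrorActionPreference = 'Stop'

$nic          = 'Local Area Connection'
$internalIP   = '192.168.1.10'          # existing address, internal (domain-CA) cert
$secondIP     = '192.168.1.11'          # new address, public cert
$mask         = '255.255.255.0'
$internalHash = '0123456789abcdef0123456789abcdef01234567'  # assumed thumbprint of domain-CA cert
$publicHash   = 'fedcba9876543210fedcba9876543210fedcba98'  # assumed thumbprint of public cert
$iisAppId     = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'     # application ID IIS uses for its sslcert entries
$appcmd       = "$env:SystemRoot\System32\inetsrv\appcmd.exe"

# 1. Second address on the same NIC; as the comments note, no extra NIC is needed.
netsh interface ipv4 add address name="$nic" address=$secondIP mask=$mask

# 2. Replace the catch-all *:443 binding with one HTTPS binding per IP address,
#    both on the same site (an IIS site can carry several bindings).
& $appcmd set site "Default Web Site" "/-bindings.[protocol='https',bindingInformation='*:443:']"
& $appcmd set site "Default Web Site" "/+bindings.[protocol='https',bindingInformation='${internalIP}:443:']"
& $appcmd set site "Default Web Site" "/+bindings.[protocol='https',bindingInformation='${secondIP}:443:']"

# 3. One certificate per ip:port in HTTP.SYS. The wildcard 0.0.0.0:443 entry is removed
#    so it cannot keep answering for either address.
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport="${internalIP}:443" certhash=$internalHash appid=$iisAppId
netsh http add sslcert ipport="${secondIP}:443"   certhash=$publicHash   appid=$iisAppId

# 4. Check: expect exactly one entry per address, each showing the intended hash.
netsh http show sslcert
```

Caveat before using this on Exchange: Enable-ExchangeCertificate -Services IIS works on the site's own HTTPS binding, so re-running it later can put the catch-all binding back and undo the split; that, together with the fact that one SAN certificate removes the need for any of this, is why the comment above does not recommend the approach for Exchange.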