Forum Discussion

Fawad_29089
May 14, 2012

Exchange 2010 Certificate on LTMs

Hi all,

I installed a Subject Alternative Name (SAN) certificate on F5 LTMs for all the Exchange Server domain names. This certificate request was generated from the F5, as all client SSL requests are terminating on the F5 (we are doing SSL offloading).

After certificate installation everything is working fine except for Autodiscover. We suspected that it is an issue with the certificate and that we might need a certificate on the Exchange Servers as well. So the Exchange Server admin also initiated a SAN certificate request and installed the certificate on the Exchange 2010 Servers. Now we still have the issue with Autodiscover.

Do I need to install the certificate that was issued for the Exchange Servers on my F5 LTMs? If so, how do I do it, as there is no .Key file?

Can I have my F5 certificates and the Exchange Servers have their own certificates for the same domain names? Does it matter if these are different?

Has anyone experienced problems with Autodiscover using certificates?

Your help will be appreciated!

Thanks,

Fawad

9 Replies

  • Hi Fawad,

    How are you testing Autodiscover? Are you testing it in the live environment, and what is the message that you get when Autodiscover is failing?

    Regards,

  • Hi,

    This is the error:

    ExRCA is attempting to retrieve an XML Autodiscover response from URL https://exchange-test.cfx.com/Autodiscover/Autodiscover.xml for user guest33@cfx.com.

    ExRCA failed to obtain an Autodiscover XML response.

    Additional Details

    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).

    Is this a certificate related issue?

    Thanks,

    Fawad
  • Hi Fawad,

    I don't think it is a certificate issue.... better you open a case with F5 and let them investigate this problem on an urgent basis.

    Regards,

  • Hello Fawad,

    Are you using F5 LTM to load balance Exchange Server 2010? If yes, in that case you need to generate the SAN certificate on the LTM box, get the CSR and key, and request a fresh SSL certificate, because a Windows Server certificate will not work on F5 LTM. You can apply the same certificate to the F5 and the Windows server. Hope it will work.

    For generating the SSL CSR and key on the LTM box, please follow this link.

    http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html?sr=21266389

    For more information you can get in touch with the F5 support center.

    Regards,
  • Dear Fawad,

    Please see http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx

    It explains why/how to use SAN certificates for autodiscovery etc. in EXC2010.

    Cheers

    jpw
  • John_Alam_45640
    Historic F5 Account
    Please ensure that you followed the deployment guide carefully. Better yet, if you are on v11, use an iApp for all of Exchange.

    The file containing this new iApp template (and eventually other new templates or updates) is available from downloads.f5.com

    Since you are using what seems to be only one virtual for all of the Exchange services, requests from each of the services must be routed to the proper pool. It looks from the error message that the request is not reaching the autodiscover pool. There is an iRule which determines when autodiscover requests come in and routes them to the proper pool.

    Check this link out:

    https://devcentral.f5.com/weblogs/jason/archive/2011/03/15/microsoft-exchange-2010-irule-workflow-visualized.aspx

    Check this link out as well:

    https://devcentral.f5.com/Forums/tabid/53/aft/2161854/Default.aspx

    HTH
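
The thread asks whether the HTTP 401 from Autodiscover is a certificate problem; one way to separate the two layers is to check SAN coverage of the requested hostname first and only then read the authentication challenge. This is an added example, not code from any poster or from F5: the function names, the SAN list and the response headers are constructed for illustration, and the certificate dict is assumed to have the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Constructed sample data: the SAN list and response headers below are
# illustrative, not taken from the poster's environment.
SAMPLE_CERT = {"subjectAltName": (("DNS", "exchange-test.cfx.com"),
                                  ("DNS", "*.mail.cfx.com"))}
SAMPLE_HEADERS = [("WWW-Authenticate", "Negotiate"),
                  ("WWW-Authenticate", "NTLM"),
                  ("Content-Length", "0")]


def san_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or p[0] == "*")


def uncovered(cert, hosts):
    """Hostnames that no SAN entry in the presented certificate covers."""
    sans = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]


def auth_schemes(headers):
    """Schemes offered in WWW-Authenticate headers, in the order received."""
    return [v.split()[0] for k, v in headers
            if k.lower() == "www-authenticate" and v.strip()]


def triage(cert, host, status, headers):
    """Return (layer, detail) for one Autodiscover probe result."""
    if uncovered(cert, [host]):
        return ("certificate", san_dns_names(cert))
    if status == 401:
        # An HTTP status means the TLS handshake already completed.
        return ("authentication", auth_schemes(headers))
    if status == 200:
        return ("ok", [])
    return ("http", [status])
```

With SSL offloading, the certificate passed to `triage` is the one the LTM virtual server presents to the client, since that is the only certificate the client sees.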