This question comes up so frequently in forums, and I have seen threads where the answers are wrong. Most Exchange admins are confused about this topic and end up adding the CAS array name to the certificate to cover a “just in case” scenario.
The answer is that you DON’T need to add your CAS array FQDN to the certificate, provided you have followed Microsoft’s recommendations. Only the URLs that clients connect to over HTTPS need to be on the SAN certificate. A CAS array is the endpoint for MAPI (RPC Client Access) only; it is not an HTTPS endpoint, so it has no place on the SAN certificate. Below are the Microsoft recommendations around this topic.
- The CAS array FQDN should be different from the OWA, EAS, OA and EWS URLs.
- Split-DNS is used (a general recommendation, not specific to the CAS array issue).
- Use a name that isn’t resolvable from the internet for your CAS array.
In small environments, or ones using a split-DNS model, Exchange admins configure the CAS array to be the same name as the OWA URL, and in that case it ends up on the SAN certificate anyway. From this “experience”, people start answering in forums that the CAS array URL SHOULD be part of the certificate. Microsoft’s recommendation to keep the CAS array name completely different from every other URL should make you question whether it is needed at all.
If the CAS array FQDN is resolvable from the internet, Outlook Anywhere users will experience a significant delay while connecting. Why? Because the name resolves, Outlook first tries a direct RPC (TCP) connection to it, waits for that attempt to time out (the RPC ports are not reachable from the internet, so the connection won’t succeed), and only then falls back to RPC over HTTPS. For a small shop, or one that doesn’t have Outlook Anywhere configured, this won’t be a big issue.
So it is good to make your CAS array name something internal, like outlook.hew.local, and configure an “A” record in the internal DNS pointing to the load-balanced IP address.
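Here is what that looks like in the Exchange Management Shell, as an added example (not from the original post). It assumes an Exchange 2010 single-site deployment with an AD site called Default-First-Site-Name, a mailbox database called DB01, a DNS server dc01.hew.local hosting the hew.local zone, and a load-balancer VIP of 10.0.0.50; all of those names and addresses are hypothetical. The last two commands are the checks that matter: the array name must resolve internally and must NOT resolve from a public resolver.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Hypothetical values: site, database, DNS server and VIP are placeholders.
$ArrayFqdn  = "outlook.hew.local"
$Site       = "Default-First-Site-Name"
$VipAddress = "10.0.0.50"
$DnsServer  = "dc01.hew.local"

# 1. Create the CAS array object for the AD site (one array per site).
New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site

# 2. Point the mailbox databases at the array so new Outlook profiles use it as
#    the RPC endpoint. Outlook caches RpcClientAccessServer in the profile, so
#    do this before profiles are created. Single-site assumption: every
#    database belongs to this site, so no Server/Site filtering is needed.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $ArrayFqdn

# 3. Internal-only A record in the AD-integrated zone, pointing at the VIP.
#    dnscmd comes with the DNS Server tools; syntax: /RecordAdd zone node type data.
dnscmd $DnsServer /RecordAdd hew.local outlook A $VipAddress

# 4. Check: resolves internally to the VIP ...
[System.Net.Dns]::GetHostAddresses($ArrayFqdn) | ForEach-Object { $_.IPAddressToString }

# ... and does NOT resolve from a public resolver. "Non-existent domain" here is
# the desired result; a public answer means Outlook Anywhere clients will try
# RPC/TCP first and sit through the timeout described above.
nslookup $ArrayFqdn 8.8.8.8
```

If you already run an array under a public name, the same `Set-MailboxDatabase -RpcClientAccessServer` step is what moves the databases over; existing Outlook profiles will need a repair (or `Get-MailboxDatabase` shows the new value but clients keep the cached one).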
The next question that confuses admins is whether the NLB cluster name and the CAS array name should be the same. NO, they don’t have to be. It also means that neither the NLB cluster name nor the CAS server NETBIOS names/FQDNs need to be on the SAN certificate. Make sure that the Exchange Web Services URL and AutoDiscoverServiceInternalUri are configured properly; those are the names clients actually connect to, so they are what the certificate must cover.
In short, the following is what you need on an Exchange 2010 SAN certificate (single site solution).
- The OWA/EAS/OA/EWS URL (like mail.domain.com; some companies go for one URL per service).
- autodiscover.domain.com, where domain.com is the domain part of your users’ email addresses.
- legacy.domain.com, if you are co-existing, or planning to co-exist, Exchange 2010 with earlier versions.
No need for CAS array names, NLB cluster names, or CAS server NETBIOS names or FQDNs! Hope this clears some confusion.
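The following is an added example (not from the original post) that builds the SAN list from what is actually configured rather than from memory: it reads the internal and external URLs of the OWA, EAS and EWS virtual directories, the Outlook Anywhere external host name and AutoDiscoverServiceInternalUri, adds autodiscover.domain.com (and legacy.domain.com only while co-existing), warns if any CAS array FQDN or CAS server name has crept into that list, and then generates the certificate request. It assumes the Exchange 2010 Management Shell, the email domain domain.com, and a hypothetical subject name and organisation; the output path C:\certreq\mail.req is also made up.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Hypothetical values: mail domain, organisation and output path are placeholders.
$MailDomain  = "domain.com"
$Subject     = "mail.$MailDomain"
$Coexistence = $false          # set $true while Exchange 2003/2007 is still in use

# 1. Collect every HTTPS URL clients use and reduce each one to its host name.
$urls = @()
$urls += (Get-OwaVirtualDirectory)         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-ActiveSyncVirtualDirectory)  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-WebServicesVirtualDirectory) | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-ClientAccessServer)          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

# Outlook Anywhere carries a host name, not a URL.
$hosts += @(Get-OutlookAnywhere | ForEach-Object { $_.ExternalHostname.HostnameString.ToLower() })

# The name Outlook and EAS probe for Autodiscover is derived from the SMTP domain.
$hosts += "autodiscover.$MailDomain"
if ($Coexistence) { $hosts += "legacy.$MailDomain" }

$hosts = @($hosts | Where-Object { $_ } | Sort-Object -Unique)

# 2. Sanity checks: a CAS array FQDN or a CAS server name on this list means a
#    client URL was pointed at the wrong namespace and should be fixed, not
#    papered over by adding the name to the certificate.
$arrays  = @(Get-ClientAccessArray  | ForEach-Object { $_.Fqdn.ToLower() })
$servers = @(Get-ClientAccessServer | ForEach-Object { $_.Fqdn.ToLower(); $_.Name.ToLower() })
foreach ($h in $hosts) {
    if ($arrays -contains $h)  { Write-Warning "$h is a CAS array FQDN and should not be a client HTTPS URL" }
    if ($servers -contains $h) { Write-Warning "$h is a CAS server name; clients should use the namespace, not the server" }
}
Write-Host "SAN list:" ($hosts -join ", ")

# 3. Generate the request. The subject is the primary client name; every name in
#    $hosts goes into the Subject Alternative Name extension.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$Subject, O=Example Org, C=US" -DomainName $hosts -KeySize 2048
Set-Content -Path C:\certreq\mail.req -Value $req
```

Submit the .req to your CA, then complete it with `Import-ExchangeCertificate` and assign services with `Enable-ExchangeCertificate -Services IIS`. If the warnings fire, correct the virtual directory URL (or the CAS array name) first and rerun the script; the SAN list should contain only client-facing namespace names.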