Network World

Tyson Kopczynski

Using Exchange Server 2010 with Forefront Threat Management Gateway (TMG)

By tyson.kopczynski on Tue, 06/09/09 - 10:25am.

Yup, this is why I stopped putting up Windows 7 postings. For the past two to three weeks, I have been testing and deploying an Exchange 2010 environment. Sadly, while I was doing this the RC came out. Yet another thing I need to circle back to.

Anyhow, because I like sharing, I wanted to make a couple of comments about the deployment:

To start off, for this deployment I decided to use a single wildcard certificate. For example, the certificate subject name is set to something like O=My Company Inc.,C=JP and a subject alternative name is set to something like DNS NAME=*.companyabc.com (BTW, this is just my preference).

For those not familiar with wildcard certificates, as the name might suggest, this type of certificate allows you to have one certificate for any number of sub-domains under a parent domain. In other words, a wildcard certificate lets you use a single certificate for all of your various Exchange services. Not to mention, you can also use that one certificate on your TMG implementation for any number of other web-based services.
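To make the "any number of sub-domains" claim concrete, here is an added example (not from the original post) that checks which Exchange and TMG service names a SAN of *.companyabc.com actually covers, using the one-label wildcard rule from RFC 6125. The CERT dictionary is a constructed stand-in for the post's certificate, whose subject has only O and C and whose sole name lives in the SAN.

```python
"""Hostname matching against the post's wildcard certificate (RFC 6125 s6.4.3)."""

# Constructed stand-in for the post's certificate: no CN in the subject,
# one wildcard dNSName in the subjectAltName.
CERT = {
    "subject": {"O": "My Company Inc.", "C": "JP"},
    "san_dns": ["*.companyabc.com"],
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match hostname against one dNSName; '*' replaces one whole leftmost label."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # A wildcard covers exactly one label, so label counts must agree:
    # *.companyabc.com covers mail.companyabc.com, not companyabc.com
    # and not owa.eu.companyabc.com.
    if len(pat) != len(host):
        return False
    # Only the leftmost label may be a wildcard, and it must be the whole
    # label (no 'mail*'); refuse wildcards directly under a TLD ('*.com').
    if any("*" in p for p in pat[1:]) or (pat[0] != "*" and "*" in pat[0]):
        return False
    if pat[0] == "*" and len(pat) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(pat, host))


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any SAN dNSName covers hostname.

    Once a certificate carries dNSName SANs, clients ignore the subject CN,
    so a subject with only O and C (as in the post) works fine.
    """
    return any(dns_name_matches(p, hostname) for p in cert["san_dns"])


def coverage_report(cert: dict, hostnames: list) -> dict:
    """Map each planned Exchange/TMG service name to whether cert covers it."""
    return {h: cert_covers(cert, h) for h in hostnames}


if __name__ == "__main__":
    names = ["mail.companyabc.com", "autodiscover.companyabc.com",
             "companyabc.com", "owa.eu.companyabc.com", "mail.companyabc.co.jp"]
    for name, ok in coverage_report(CERT, names).items():
        print(f"{name:30} {'covered' if ok else 'NOT covered'}")
```

The bare parent domain and any second-level sub-domain fall outside the wildcard, so those names need their own SAN entries if you plan to publish them.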

Now... when purchasing your wildcard certificate... wait... did I say purchase? Here is my opinion: unless you really need your certificate to be publicly trusted (yeah, because everyone trusts VeriSign), you should bite the bullet and deploy some form of "internally trusted" PKI within your organization.

Trust me... it's not only Exchange that will be needing certificates. :>) And by doing this, rather than paying outrageous prices, you will save yourself a boatload of money.

The next item I wanted to comment on is an annoying ISA and TMG issue. I was really hoping that they had fixed this in TMG. But, like its ISA predecessors, TMG still requires that a friendly name be specified for any certificate you try to use. Otherwise, you get a strange error stating that the key usage type is wrong (or something to that effect).

Hopefully, they fix that by RTM.

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with and provided feedback on next-generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).