Using Exchange Server 2010 with Forefront Threat Management Gateway (TMG)

Yup, this is why I stopped throwing up Windows 7 postings. For the past two to three weeks, I have been testing and deploying an Exchange 2010 environment. Sadly, while doing this the RC came out. Yet, another thing I need to circle around to.

Anyhow, because I like sharing. I wanted to make a couple comments about the deployment:

To start off, for this deployment I decided to use a single wild card certificate. For example, the certificate subject name is set to something like O=My Company Inc.,C=JP and a subject alternative name is set to something like DNS NAME=*.companyabc.com (BTW - this is just my preference).

For those not familiar with wild card certificates, as the name might suggest, these type of certificates allow you to have one certificate for any number of sub-domains under a parent domain. In other words, a wild card certificate allows you to use a single certificate for all of your various Exchange services. Not to mention, you can also use just one certificate on your TMG implementation for any number of other web based services.

Now... when purchasing your wild card certificate... wait... did I say purchase? Here is my opinion. Unless you really need your certificate to be publicly trusted (yeah because everyone trusts VeriSign). Then you should bite the bullet and deploy some form of "internally trusted" PKI within your organization.

Trust me... it's not only Exchange that will be needing certificates. :>) And, be doing this and not paying outrageous prices, you will save yourself a boatload of money.

The next item I wanted to comment on is about an annoying ISA and TMG issue. I was really hoping that they fixed this in TMG. But, like in its previous brethren, TMG still requires that a friendly name be specified for any certificates you try to use. Otherwise, you get a strange error stating the key usage type is wrong (or something to that effect).

Hopefully, they fix that by RTM.

If you like this, check out some other posts from Tyson:

Or if you want, you can also check out some of Tyson's latest publications:

Lastly, visit the Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2009 IDG Communications, Inc.