Plan, Install, Configure and Manage Client Access: Plan and Configure Namespaces and Client Services
Plan and configure namespaces and client services
This objective may include but is not limited to:
– Design namespaces for client connectivity
– Configure URLs
– Plan for certificates
– Configure authentication methods
– Implement autodiscovery for a given namespace
• The Company: SpyTechPrime
• Problem: They want secure accessibility for their Exchange environment
• Goal: To implement a solid SAN cert from a CA for SSL CAS connectivity
Scenario: Spy Technology Surveillance Co.
A namespace is a logical structure represented by a DNS domain name
There are different organizational models for namespace design including:
– Single physical site with a single namespace like mail.exchangexchange.com
– Single namespaces with multiple sites or proxy sites
– Regional namespaces
– Multiple forests
Once you have your namespace design decisions in place you can move forward with DNS configuration(s), digital certificate(s) and client configurations
Understanding Namespaces
You secure the traffic between Client Access servers and clients through Secure Sockets Layer (SSL)
You want to make sure you use proper certificates in a production environment
The Client Access server starts out with a self-signed cert, but you should remove this and go with a certificate issued by a Certificate Authority (CA) on the Client Access server
Certificate Configuration
Much depends on how you want users to access the services on your server
For example, if you use OWA you may want users to use a URL like https://mail.domainname.com, and if they use POP you may want to use the name POP.domainname.com, and so forth (all names have to be in the certificate)
Autodiscover (if used) must also be in the certificate
Certificate Names
You can go with a separate cert for each name (which is complicated and not recommended)
You can go with a certificate that uses multiple subject alternative names (SAN) so that all the names listed are accounted for when clients connect (which is typically what is used with Exchange)
You might want to go with a wildcard cert (like *.domainname.com) but not all clients support these and they are considered a security issue
Individual Certs, SAN Certs or Wildcard Certs
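The SAN certificate workflow from the certificate slides (request, import, check that every client-facing name is present, then assign services), as an added example that is not part of the original deck. It assumes the Exchange Management Shell on the Client Access server; the host names and the C:\certs paths are constructed placeholders.

```powershell
# Added example for the Exchange Management Shell on the Client Access server.
# Host names and C:\certs paths are constructed placeholders.
$required = 'mail.domainname.com', 'autodiscover.domainname.com', 'pop.domainname.com'

# 1. Build one request whose SAN list carries every name clients will use.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.domainname.com' `
    -DomainName $required
Set-Content -Path 'C:\certs\cas-san.req' -Value $request   # send this file to the CA

# 2. Import the certificate the CA returned.
$bytes = [Byte[]](Get-Content -Path 'C:\certs\cas-san.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 3. Verify the certificate before binding any service to it.
$names     = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing   = @($required | Where-Object { $names -notcontains $_.ToLower() })
$wildcards = @($names | Where-Object { $_.StartsWith('*') })

$problems = @()
if ($cert.IsSelfSigned) { $problems += 'certificate is self-signed' }
if ($missing.Count)     { $problems += "names missing from SAN list: $($missing -join ', ')" }
if ($wildcards.Count)   { $problems += "wildcard entries present: $($wildcards -join ', ')" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

if ($problems.Count) {
    # Do not bind a certificate that clients would reject or that is too broad.
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # 4. Assign the client-facing services (OWA is served through IIS).
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,POP
}

# 5. List the self-signed certificates still installed so they can be reviewed.
Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned } |
    Format-List Thumbprint, Subject, Services, NotAfter
```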
In addition to certificate configuration you can adjust authentication options as well
Options for authentication include:
– Integrated Windows authentication
– Digest authentication
– Basic authentication
– Forms-based authentication
Forms-based is enabled by default but should be changed on non-Internet facing CAS servers
Authentication Settings
We obtained and configured a CA-approved SSL certificate and then assigned services to it
We also discussed different authentication options
Scenario: SpyTechPrime
Additional Research
• Understanding Client Access Server Namespaces
  http://technet.microsoft.com/en-us/library/dd351198(v=exchg.141).aspx
• Setting Up Single Namespace in Exchange 2013
  http://3techies.com/?p=194
• Robert’s Rules of Exchange Namespace Planning
  http://blogs.technet.com/b/exchange/archive/2010/11/22/robert-s-rules-of-exchange-namespace-planning.aspx