
3656_Plan and Configure Namespaces and Client Services


Plan, Install, Configure and Manage Client Access: Plan and Configure Namespaces and Client Services

Plan and configure namespaces and client services

This objective may include but is not limited to:

– Design namespaces for client connectivity

– Configure URLs

– Plan for certificates

– Configure authentication methods

– Implement autodiscovery for a given namespace

Scenario: Spy Technology Surveillance Co.

– The Company: SpyTechPrime

– Problem: They want secure accessibility for their Exchange environment

– Goal: To implement a solid SAN cert from a CA for SSL CAS connectivity


Understanding Namespaces

A namespace is a logical structure represented by a DNS domain name

There are different organizational models for namespace design including:

– Single physical site with a single namespace like mail.exchangexchange.com

– Single namespaces with multiple sites or proxy sites

– Regional namespaces

– Multiple forests

Once you have your namespace design decisions in place you can move forward with DNS configuration(s), digital certificate(s) and client configurations

Certificate Configuration

You secure the traffic between Client Access servers and clients through Secure Sockets Layer (SSL)

You want to make sure you use proper certificates in a production environment

There is a self-signed cert used by the Client Access server to start, but you should remove this and use a certificate issued by a Certificate Authority (CA) on the Client Access server

Certificate Names

Much depends on how you want persons to access the services on your server

For example, if you use OWA and want users to use a URL like https://mail.domainname.com, or if they use POP and you want to use the name POP.domainname.com, and so forth, all of those names have to be in the certificate

Autodiscover (if used) must also be in the certificate


Individual Certs, SAN Certs or Wildcard Certs

You can go with a separate cert for each name (which is complicated and not recommended)

You can go with a certificate that uses multiple subject alternative names (SAN) so that all the names listed are accounted for when clients connect (which is typically what is used with Exchange)

You might want to go with a wildcard cert (like *.domainname.com) but not all clients support these and they are considered a security issue
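
The name-coverage rule from the certificate slides above, as an added example that is not part of the original deck: a Python check that every planned client-facing name, Autodiscover included, is covered by a certificate's SAN list, and that reports names covered only by a wildcard. The hostnames and function names are constructed for illustration; the wildcard rule used is the common one where `*` stands for exactly one left-most label.

```python
# Added example: check that a certificate's SAN list covers every planned
# client-facing name. All hostnames below are constructed sample values.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(san, host):
    """True if one SAN dNSName entry covers host.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.domainname.com covers mail.domainname.com
    but neither domainname.com nor a.b.domainname.com.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False
    if s[0] == "*":
        return len(s) > 2 and s[1:] == h[1:]
    return s == h

def audit_namespace(planned, sans):
    """Classify each planned name as exact, wildcard-only or missing."""
    report = {"exact": [], "wildcard_only": [], "missing": []}
    for host in planned:
        hits = [s for s in sans if san_matches(s, host)]
        if any(not s.startswith("*") for s in hits):
            report["exact"].append(host)
        elif hits:
            report["wildcard_only"].append(host)
        else:
            report["missing"].append(host)
    return report

# Constructed plan: OWA, POP and Autodiscover names for one namespace.
PLANNED = ["mail.domainname.com", "pop.domainname.com",
           "autodiscover.domainname.com"]
# Constructed SAN list that forgot Autodiscover.
SAN_CERT = ["mail.domainname.com", "POP.domainname.com"]
# Constructed wildcard certificate.
WILDCARD_CERT = ["*.domainname.com"]

if __name__ == "__main__":
    for label, sans in (("SAN cert", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, audit_namespace(PLANNED, sans))
```

Run against the real SAN list of a certificate request before submitting it to the CA, a non-empty `missing` list means clients using that name will get a certificate name mismatch.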

Authentication Settings

In addition to certificate configuration you can adjust authentication options as well

Options for authentication include:

– Integrated Windows authentication

– Digest authentication

– Basic authentication

– Forms-based authentication

Forms-based is enabled by default but should be changed on non-Internet-facing CAS servers

Scenario: SpyTechPrime

We obtained and configured a CA-approved SSL certificate and then assigned services to it

We also discussed different authentication options


Additional Research

– Understanding Client Access Server Namespaces: http://technet.microsoft.com/en-us/library/dd351198(v=exchg.141).aspx

– Setting Up Single Namespace in Exchange 2013: http://3techies.com/?p=194

– Robert’s Rules of Exchange Namespace Planning: http://blogs.technet.com/b/exchange/archive/2010/11/22/robert-s-rules-of-exchange-namespace-planning.aspx