Best practices for buying a digital certificate for Exchange 2013
Good day friends,
Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013?
I'd be interested in knowing your opinion about using wildcard or SAN certificates.
Likewise, what are the best recommendations to include names and why they should or should not include the internal FQDN of my servers.
Currently I have an infrastructure that has two MailBox servers, two CAS servers and an EDGE 2010 server, but I'm planning to update it to Exchange 2013.
I searched for the best practices according to Microsoft but have found little information.
I would appreciate it if you can post links like Microsoft KBs and other technical documents that discuss the above mentioned.
Thanking you for your invaluable support.
Greetings.
Hi,
Personal suggestion, we can use two namespaces for your Exchange 2013:
Autodiscover.domain.com (Used for autodiscover service)
Mail.domain.com (used for all Exchange services external and internal URLs)
Please point mail.domain.com and autodiscover.domain.com to your Internet-facing CAS 2013.
For more information about Digital Certificates and SSL in Exchange 2013, please refer to the
Digital Certificates Best Practices part in the following technet article:
http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
Additionally, here are some other scenarios about certificate planning in Exchange 2013:
http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
Regards,
Winnie Liang
TechNet Community Support
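The two-namespace plan in the answer above can be checked against a candidate certificate name list before ordering. This is an added example, not code from the thread or from Microsoft; the hostnames, function names and the internal-suffix list are assumptions, and it goes slightly beyond the answer by handling wildcard entries and flagging internal names.

```python
"""Check a planned certificate name list against the hostnames clients use."""

# Suffixes treated as internal-only here (assumption; adjust to your environment).
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname.

    A wildcard is honoured only as the complete left-most label and stands
    for exactly one label, so *.domain.com covers mail.domain.com but not
    domain.com or a.b.domain.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def is_internal(name: str) -> bool:
    """True for single-label names and names under an internal-only suffix."""
    n = name.lower().rstrip(".")
    return "." not in n or n.endswith(INTERNAL_SUFFIXES)


def review_plan(cert_names, client_hostnames):
    """Return (uncovered client hostnames, internal names on the certificate)."""
    uncovered = [h for h in client_hostnames
                 if not any(name_matches(c, h) for c in cert_names)]
    internal = [c for c in cert_names if is_internal(c)]
    return uncovered, internal


if __name__ == "__main__":
    # Constructed sample: the two namespaces from the answer plus one
    # server FQDN that an internal URL still points at.
    clients = ["mail.domain.com", "autodiscover.domain.com", "cas01.corp.local"]
    plans = {
        "SAN": ["mail.domain.com", "autodiscover.domain.com"],
        "wildcard": ["*.domain.com"],
        "SAN + server FQDN": ["mail.domain.com", "autodiscover.domain.com",
                              "cas01.corp.local"],
    }
    for label, names in plans.items():
        uncovered, internal = review_plan(names, clients)
        print(f"{label}: uncovered={uncovered} internal_on_cert={internal}")
```

Names reported as internal cannot go on a publicly trusted certificate, because public CAs no longer issue for internal names. Hostnames reported as uncovered are the ones that would raise certificate warnings until the corresponding URLs are pointed at the public namespace.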
Similar Messages
-
Best practice or successful deployments of certificates with Biztalk 2013
Hi,
I am the security resource for our org, not a BizTalk resource.
As an organisation we are deploying BizTalk to work with a number of solutions. For integrity and confidentiality we would like to use certificates for the BizTalk data flows. Whilst I've found lots of articles on the BizTalk integration of the
certificates, I'm struggling to find best practice/successful deployment documents on Biztalk+Certificates.
Our BizTalk consultant is requesting that the S/MIME certificates have a group FQDN as the common name; normally an S/MIME certificate has an individual’s email address. The engineers have attempted to do this using Microsoft's AD services internally
by creating a new template, but as yet have not been successful.
Any assistance or advice would be gratefully received.
Thanks
To the best of my knowledge, BizTalk does not impose any restrictions on certificate types.
BizTalk uses certificates demanded by the Interface or provider. For e.g.: if consuming a web service over SSL, BizTalk only requires that the certificate be trusted either through a valid trust chain or explicitly. Similarly when required to present a certificate
as part of an interface for purposes of client authentication, the certificate has to be available in the certificate store of the account associated with the BizTalk Host Instance. When exposing services, BizTalk does not care if the certificate used for SSL
is self-signed or SAN based hosted on the NLB or external server, etc.
The reason for asking for a SAN S/MIME certificate for use within BizTalk may be driven from the need to restrict the number of certificates required while accessing multiple e-mail accounts through the BizTalk POP adapter. Since the certificate configuration
is at a port level, each port could technically have different user specific certificates all of which may be hosted under same certificate store. The problem arises if the Microsoft CA is configured in an Active Directory integrated mode where it will not
permit multiple certificates to be issued against ONE Account. If however the CA is deployed in a Standalone mode then multiple user certificates can be issued without any connection to the underlying AD accounts and each can have a different e-mail address
associated with it.
Regards. -
My primary reason for buying an iPad is for travel in Europe. I live in an area of the US where Verizon rules. Is Verizon's 3G model good for international travel? I'm hearing conflicting views. Any advice appreciated.
Verizon uses CDMA.
The rest of the world uses GSM.
The wifi will work, if you find a hotspot.
The 3G will not, unless South Korea moves to Europe. -
How to create a Self-Signed Digital Certificate in Office 2013
In Office 2010 we had a "Digital Certificate for VBA Projects" tool for creating self-signed certificates. How do we do this with the newer Office 2013 suite?
Eugene,
This answer is wrong. The Answer from rLogic above is better. Things in fact
have changed. The article: Digitally sign your macro project
is fine for Office 2010 but not for Office 2013. The article: Digitally sign your macro project tells you to do this:
Windows 7, Windows Vista, or Windows XP
Click Start, point to All Programs, click Microsoft Office, click Microsoft
Office Tools, and then click Digital Certificate for VBA Projects.
The Create Digital Certificate dialog box appears.
But, you can't follow these instructions if you have Office 2013. In Office 2013 Digital Certificate for VBA no longer exists in the Microsoft Office Tools folder. You need to hunt for "C:\Program Files\Microsoft Office 15\root\office15\SELFCERT.EXE" and then run that .exe by clicking on it. Then you can follow the rest of the instructions in Digitally sign your macro project -
Best practice to implement different Xcelsius dashboard for different users
I'm implementing an Xcelsius dashboard that requires to show each individual user with different content (e.g. When a user logins in, the dashboard shows her name and job title, her performance and her subordinate's performance). I'm just wondering what's the best practice to implement scenario like this? Thanks.
Hi Thomas
What you are looking at is "Row Level Security" within BusinessObjects and the options you have are determined by what type of data you are reporting off of (relational data, OLAP data, BW data, etc.)
For instance, if you are using relational data with a Universe you could setup a database table with the BusinessObjects username to correspond with their e-mail address or other unique identifier. From there, you could add security to your universe using the @variable('BOUSER')
That way, any objects created off of the universe (whether it is a Crystal Report, Web Intelligence, BI Web Service, QaaWS, LiveOffice, etc.) will filter the data based on this security model. So any Xcelsius dashboard based on this underlying data will also be filtered.
And that is just one of the options you have, depending on your data source. -
Best practice to Deployment Oracle WebCenter Suite for enterprise
I have a lead with an enterprise client, and we need to propose to this client a best practice to deploy high availability on a cluster environment that contains the following components:
- Oracle WebCenter Content: it will be used as the WebCenter Portal (Spaces) repository for the x-trantent portal, and it will also be used to build an internet website using WCM
- Oracle WebCenter Portal: to build the x-intranet portal
- Oracle Access Manager for single sign-on authentication
- Oracle Web Tier for HTTP server and web cache.
I reviewed the enterprise deployment "http://docs.oracle.com/cd/E23943_01/core.1111/e12037/intro.htm" and it contains rich information on the configuration.
However, my question is: could you provide us a best practice to deploy the above components on a high availability cluster environment ("on a Linux environment preferred") that supports and is tested for around 20k users? By the way, the client already has an Oracle Exadata 11g server and it will be used for this deployment.
AW,
One way is creating EJBs.Please refer to the threads below for that
https://forums.sdn.sap.com/click.jspa?searchID=2936002&messageID=1082087
You can create a javabean and you can import that as a model .
Check the following project which will generate javabean (MaX DB)
https://www.sdn.sap.com/irj/sdn/softwaredownload?download=/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/business_packages/a1-8-4/simple_javabean_generator_project.zip
This project will generate a javabean out of the tables in MAXDB.
You can follow any one of the above.
Regards, Anilkumar -
Any best practice/suggestion on giving Id's for UI Component
Hi,
I came to know that for better performance, id's on naming containers shall be less than 7 characters in length.
What about UI Components other than container components?
Is there any best practice available for giving Id's for UI Components and its length?
Do we face any issue if we give ids with more than 7 characters (just to make the id meaningful one)?
Thanks in Advance
Raguraman
a quotation from
Oracle® Fusion Middleware Performance and Tuning Guide book
11g Release 1 (11.1.1)
E10108-02
>
The "id" attribute should not be longer than 7 characters in length. This is
particularly important for naming containers. A long id can impact
performance as the amount of HTML that must be sent down to the
client is impacted by the length of the ids. -
All,
My screen needs to be replaced on my late 2007 Macbook. I am willing to do the work myself, but need help in finding the correct model screen to buy. Where would be the best place to buy?
Depending on your geographical location, region, country, etc, part
sources will vary. So this is an open question. An independent
authorized Apple trained repair specialist or service facility may
be able to get the part(s) and do the service. That is an old MB
and a regular Apple Store may be able to diagnose or estimate
a repair cost; but it also could be too old for that route to repair.
A best place to buy a part could be anywhere one is for sale;
there are several online and some ship almost world-wide.
If you are in North America, there are some who also may ship
to other areas, but then there is shipping, taxes, duty fees, etc.
You may be able to narrow down the part numbers and such
by looking into online parts resellers, an example may be
powerbookmedic.com, powermax.com, wegenermedia, etc.
There may be a part number reference in iFixit.com guides.
A service part such as main original hardware is more difficult
than a replacement hard disk drive or optical drive. Availability
varies, so without knowing where you are, I can't speculate as
to that, or any price structure. Authorized repair centers may
be found in the main online Apple links for service centers.
Sorry to not be of much help -
Looking for best practices when creating DNS reverse zones for DHCP
Hello,
We are migrating from ISC DHCP to Microsoft DHCP. We would like the DHCP server to automatically update DNS A and PTR records for computers when they get an IP. The question is, what is the best practice for creating the reverse look up zones in DNS? Here
is an example:
10.0.1.0/23
This would give out IPs from 10.0.1.1-10.0.2.254. So with this in mind, do we then create the following reverse DNS zones?:
1.0.10.in-addr.arpa AND 2.0.10.in-addr.arpa
OR do we only create:
0.10.in-addr.arpa And both 10.0.1 and 10.0.2 addresses will get stuffed into those zones.
Or is there an even better way that I haven't thought about? Thanks in advance.
Hi,
Based on your description, creating two reverse DNS zones 1.0.10.in-addr.arpa and 2.0.10.in-addr.arpa, or creating one reverse DNS zone 0.10.in-addr.arpa, both methods are all right.
Best Regards,
Tina -
Best Practices to update Cascading Picklist mapping for Account record type
1. Most of the existing picklist values name in parent and related picklist has been modified in external app master list, so the same needs to be updated in CRMOD.
2. If we need to update picklist value, do we need to DISABLE the existing value and CREATE a new picklist.
3. Is there any Best Practices to avoid doing Manual Cascading picklist mapping for Account record type? because we have around 500 picklist values to be mapped with parent and related picklist.
Thanks!
Mahesh, I would recommend disabling the existing values and creating new ones. This means manually remapping the cascading picklists.
-
How to filter list of digital certificates for signing PDF
Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
The filtered list will appear when users attempt to select a certificate for digitally signing a document.
Thanks.
Hi Carla,
Unfortunately, Extended Key Usage is not one of the properties you can enforce.
The things you can set are:
appearanceFilter (i.e. enforce the use of a custom signature appearance)
certspec (i.e. the signing certificate must meet some specific criteria) <<<----- This is what you are more interested in, more below
digestMethod (i.e. enforce the use of a specific cryptographic hashing algorithm)
filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
lockDocument (i.e. enforce any further changes to the document after the signature is applied)
mdp (i.e. the rules for changing the document applied as part of a certifying signature)
reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
subFilter (i.e. require the use of a specific signature format. This is very arcane)
timeStampspec (i.e. require the use of a specific time stamp server)
version (i.e. the minimum version of Acrobat that can decipher the signature. The only two options are versions 6 or 8)
The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, others optional, and you can even add in extensions that are not publicly defined, and only you will know about.
Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
keyUsage (i.e. require the signer's certificate contain one or more of the nine possible values that can be included)
oid (i.e. require that the Certificate Policy extension contain a specific value)
subject (i.e. require that the document is signed by one specific person using one specific digital ID)
subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
Steve -
Bank of America Digital Certificates for Bank of America Direct & iphone 3G
I did a quick search and didn't see anything that I think I am looking for.
I am trying to access the Bank of America Direct web page. To do this from my work computer, I am given a digital certificate that I download to my computer. I am then able to access the website (after inputting usernames and passwords, of course).
At work I use an IBM (LENOVO) ThinkPad.
I know I can export the digital certificate to other computers so that I can access the webpage from home or another desktop if I need to.
Does anyone know if it is possible to export this digital certificate to the iPhone 3G, so that the webpage can be accessed from the Safari browser?
Thank you
Joe
Thanks, but I believe the BofA Direct website is separate from the general BofA personal account site.
-
Purchasing a digital certificate for SCOM usage
I am having problems with certificates for SCOM (based on our infrastructure I believe, not SCOM) and have asked some questions on it below -
Digital certificate issues
However, I would like to break out one question, and that is: if I don't want to (read can't) use an internal CA at the moment, where can I purchase two certificates for SCOM MS and gateway? When I look on the obvious sites such as Entrust and Thawte, for instance,
it seems easy to order a web SSL certificate, but how would I go about ordering the type I need and what sort of information would I need to provide?
Many thanks
Hi,
This can be a public CA such as VeriSign. Please check if the following post is helpful.
http://social.technet.microsoft.com/Forums/systemcenter/en-US/7e8dde55-6e55-4109-8da5-85a93fa64ea0/using-a-thirdparty-for-ssl-cert-for-scom-gateway?forum=operationsmanagerdeployment
Niki Han
TechNet Community Support -
How to use digital certificate for client authentication in PCK
My SAP JCA adapter needs to support digital certificates for client authentication. How to implement it in J2EE or PCK?
Message was edited by: Spring Tang
Refer to the following links
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
Please let me know if you don't find relevant information -
Cheapest option for buying Visual Studio 2015 for development
Last year I bought Microsoft Action Pack subscription thinking the software they give me will last forever, but all software downloaded have turned into Trial version as Microsoft says they were for internal use till subscription lasted.
What is the best and cheapest option for buying Visual Studio 2015?
Please advise
This topic first appeared in the Spiceworks Community