If you are using $400 certificates for your deployments then you are throwing client money away. I use RapidSSL certificates for mine and they work fine. With the Pocket PC devices you need to import the root certificate, but that is easily done.

Anyone who is serious about the security of their network should only be deploying commercial certificates. It not only looks better but avoids the security messages when users browse to the site from an internet cafe or other machine where the certificate is not installed. You should see what Internet Explorer 7.0 does when you access a site with a home grown certificate.

Simon.

--
Simon Butler
MCP, MCSA, MVP:Exchange
Amset IT Solutions Ltd.
e: simon@xxxxxxxxxxxx
w: www.amset-it.com
w: www.amset.info

________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Sherry
Sent: 28 April 2006 17:10
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: https based oma on .local domains?

For external devices, like Outlook (via RPC over HTTP) or Smart Phones, to access your front-end server you will need a public certificate that matches the external DNS address the devices are using. The other alternative is to use an internal certificate and install it on all devices, but this can be a real pain and isn't worth the $400 or so a public certificate costs.

RPC over HTTP & Smart Phone both require that the certificate be valid. This means that it matches the DNS address the client is using to access the server, and the root CA for the certificate can be verified or the CA chain has been installed already on the device.

So the best solution would be to put a public certificate, issued for mail.yourdomain.com, on your server and, as Mark said, tell people to access the server at mail.yourdomain.com. You would use this same address in Outlook for RPC over HTTPS and ActiveSync for smart phones.

Jason Sherry - Pro Exchange
http://www.theproexchange.com

________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Mark Morgan
Sent: Thursday, April 27, 2006 4:36 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: https based oma on .local domains?

You can create a yourdomain.com zone in your DNS, create a mail.yourdomain.com A and MX record, and then issue a cert to the mail.yourdomain.com name instead of mail.domain.local.

-----Original Message-----
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Ara Avvali
Sent: Thursday, April 27, 2006 2:32 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] https based oma on .local domains?

Good afternoon everyone,

Since our internal domain is .local based and the certificate is assigned to mail.domain.local, we get a warning and click "YES" on OWA, which is fine. But this stops RPC/HTTP working, so I am wondering if it is going to cause a problem for OMA/HTTPS. Can I use HTTPS for OMA in this scenario or do I have to go with HTTP?

Appreciated

Exchange 2003 SP2 on 2003 SP1
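The validity rule Jason states in the thread (the certificate name must match the address the client types, and the chain must verify to a trusted root) as an added Python check; this is not code from the thread or from any of its posters. The two certificates are constructed samples in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, using the mail.domain.local and mail.yourdomain.com names from the discussion; `check_live` assumes the host is reachable on port 443.

```python
import socket
import ssl
from typing import Any, Dict, List

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns:
# the internal cert from the original question and the public one recommended.
INTERNAL_CERT = {
    "subject": ((("commonName", "mail.domain.local"),),),
    "subjectAltName": (("DNS", "mail.domain.local"),),
}
PUBLIC_CERT = {
    "subject": ((("commonName", "mail.yourdomain.com"),),),
    "subjectAltName": (("DNS", "mail.yourdomain.com"),
                       ("DNS", "autodiscover.yourdomain.com")),
}

def cert_names(cert: Dict[str, Any]) -> List[str]:
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # clients fall back to the CN only when no SAN is present
        for rdn in cert.get("subject", ()):
            names += [v.lower() for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label."""
    hostname = hostname.lower()
    if pattern.startswith("*.") and pattern.count(".") == hostname.count("."):
        return hostname.endswith(pattern[1:])
    return pattern == hostname

def check_cert(cert: Dict[str, Any], hostname: str) -> List[str]:
    """Problems that would make this cert fail for clients using `hostname`."""
    names = cert_names(cert)
    problems = []
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: cert covers {names}, clients use {hostname}")
    if any(n.endswith(".local") for n in names):
        problems.append("cert is issued to a .local name that external DNS cannot resolve")
    return problems

def check_live(hostname: str, port: int = 443) -> List[str]:
    """Connect using the OS trust roots; an untrusted chain raises
    SSLCertVerificationError (the 'root CA can be verified' rule),
    otherwise the names the server presented are checked against hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)
```

Run `check_live("mail.yourdomain.com")` against a front-end server before pointing RPC over HTTP or ActiveSync clients at it; an empty list means both of Jason's conditions hold for that name.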