A lot of my customers are coming up on cert renewals for Exchange...must be that time of the year.
One of said customers preemptively updated the certificate on their F5 Load Balancers without renewing and installing the Exchange certs. This resulted in Outlook credential prompts for the bulk of their users.
That's because clients will authenticate against the LB/reverse proxy (depending on your SSL settings), but when the LB passes traffic to Exchange, there's a cert mismatch, resulting in prompts.
In the interim, they had to fail over the databases to another DAG node that was homed on another F5, remove those servers from the LB rotation, and then finally revert the cert to the previous one.
So... don't update one cert and then the other - do them all at once. The easiest way is to export the cert from an Exchange server and import it onto your Load Balancer (Kemp makes this easy, not sure about other providers).
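One way to catch the mismatch described above before users do is to compare the certificate thumbprint presented by the load balancer with the one presented by each Exchange server. This is an added example, not code from the original post; the endpoint names are hypothetical and the sample certificates are constructed byte strings.

```python
import hashlib
import socket
import ssl


def thumbprint(der):
    """SHA-1 of the DER-encoded certificate, the value Windows shows as its thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def fetch_der(host, port=443, sni=""):
    """Return the leaf certificate an endpoint presents, as DER bytes.

    Validation is off on purpose: the goal is to see which certificate is
    installed (even an expired one), not to decide whether to trust it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def find_mismatches(reference, certs):
    """Return {endpoint: thumbprint} for every endpoint whose certificate
    differs from the one presented by the reference endpoint."""
    expected = thumbprint(certs[reference])
    found = {name: thumbprint(der) for name, der in certs.items()}
    return {name: tp for name, tp in found.items() if tp != expected}


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    # For a live check, build the dict with fetch_der(), for example
    # fetch_der("exch01.example.com", sni="mail.example.com") (hypothetical names).
    renewed, previous = b"constructed-renewed-cert", b"constructed-previous-cert"
    certs = {"lb-vip": renewed, "exch01": previous, "exch02": previous}
    for name, tp in find_mismatches("lb-vip", certs).items():
        print(f"MISMATCH {name}: {tp}")
```

An empty result means every endpoint presents the same certificate as the reference; run it before and after the change window.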