HOTSPOT
You deploy an Exchange Server 2016 organization. The organization contains two servers. The servers are
configured as shown in the following table.
The default self-signed certificates are installed on both servers.
All of the users in the organization work from home and from customer locations.
You purchase a Layer 7 hardware-based load balancer. You configure SSL bridging without session affinity for
Outlook on the web connections. The load balancer has an internal fully qualified domain name (FQDN) of
lb1.contoso.local.
DNS servers are configured to resolve mail.contoso.com names to the external IP address of the load
balancer.
You need to recommend which names must be included in the certificates installed on the load balancers and
the Exchange servers.
What should you recommend for each certificate? To answer, select the appropriate options in the answer
area.
Hot Area:
This is ass backwards.
mail.contoso.com
ex01.contoso.local
ex02.contoso.local
https://technet.microsoft.com/en-us/library/jj898588(v=exchg.160).aspx
5
0
change of heart.
mail.contoso.com
ex01.contoso.com
ex02.contoso.com
.local will cause issues with attempting to get a cert from a global provider. It does not mention that we have a CA organization, which you could in fact create a cert for a .local host
0
3
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
0
0
https://www.globalsign.com/en/blog/certificates-for-internal-servers/
anybody have any input on this one? We don’t have a CA…
0
0
1. SSL Bridging means that the load balancer is only load balancing traffic, doesn’t encrypt/decrypt so no certificate for it (check SSL Bridging vs SSL Termination vs SSL Offloading for more understanding).
2. The encryption/decryption is done by servers who handle certificate, so they need to have their FQDN mail.contoso.com
3. At any moment they say that certificate is Provided by a Public CA (so certificate with .local is possible).
The provided answers are true ..
Here the scenario:
I connect from my Home Computer, the flow goes to the FW that handles the Public IP @, which redirects to the load balancer with its local FQDN (since the certificate includes loadbalancer .local FQDN it works smoothly with no warning).
Arriving at the LB, it redirects to one of the servers.
The servers handle the mail.contoso.com certificate so it’s OK.
Note: you may wonder, the used CA is internal because it includes .local, so my workgroup home computer doesn’t trust it, it can’t work.
Well, it works but we just have a red warning in the browser, and to resolve this, insert the Internal Root CA in your Home computer Trusted Root CA
2
0
I’ll go for:
mail.contoso.com
ex01.contoso.local
ex02.contoso.local
3
0
It’s confusing.. 🙁
We can’t assume ex01/ex02.contoso.com so the options are ruled out so as LB1.contoso.com
I’ll also go for:
mail.contoso.com
ex01.contoso.local
ex02.contoso.local
3
0
I want to go for that answer too, it just goes completely against MS best practices… :/ Thanks for your help on the forum
0
0
mail.contoso.com
ex01.contoso.local
ex02.contoso.local
Stated in the technet article: SSL should terminate at the load balancer as this offers a centralized place to correct SSL attacks. So a certificate is not needed from a global provider for the Exchange servers.
First answer is mail.contoso.com
The question states The default self-signed certificates are installed on both servers.
So not needing SSL on the servers because the Layer 7 load balancer handles all SSL requests and the servers have the default self-signed certificates.
ex01.contoso.local
ex02.contoso.local
https://technet.microsoft.com/en-us/library/jj898588(v=exchg.160)
11
0
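The disagreement in this thread comes down to which name a TLS client dials on each hop and whether the certificate presented there lists it. The following is an added example, not part of any comment above and not the exam's answer key: it checks subject alternative name coverage hop by hop. The SAN lists and the per-hop dialled names are constructed assumptions, including that the load balancer re-encrypts to the servers by their internal FQDNs.

```python
# Added example: which dialled names does a certificate's SAN list cover?
# All SAN lists and hop definitions below are constructed for illustration.

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if san_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def uncovered(sans, dialled):
    """Return the dialled names that no SAN entry covers (these cause name warnings)."""
    return [h for h in dialled if not any(san_matches(s, h) for s in sans)]

# Constructed SAN lists, keyed by a hypothetical certificate label.
CERTS = {
    "lb-frontend": ["mail.contoso.com"],
    "ex01": ["ex01.contoso.local", "ex01"],
    "ex02": ["ex02.contoso.local", "ex02"],
    "wildcard-public": ["*.contoso.com"],
}

# Assumption: (hop, certificate presented, names the TLS client dials on that hop).
HOPS = [
    ("browser -> load balancer", "lb-frontend", ["mail.contoso.com"]),
    ("load balancer -> ex01", "ex01", ["ex01.contoso.local"]),
    ("load balancer -> ex02", "ex02", ["ex02.contoso.local"]),
]

def audit(hops=HOPS, certs=CERTS):
    """Map each hop to the list of dialled names its certificate fails to cover."""
    return {hop: uncovered(certs[cert], names) for hop, cert, names in hops}

if __name__ == "__main__":
    for hop, missing in audit().items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{hop}: {status}")
```

Swapping a different SAN list into `CERTS` shows immediately which hop would produce a name mismatch, for example a public wildcard certificate placed on a server that is dialled by its `.local` name.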
Perfect !!
mail.contoso.com
ex01.contoso.local
ex02.contoso.local
2
0
Agree. It’s another complete fail for whoever provided the test answers. The worst exam I have seen for this. I expect to have to research the answers to understand the technology but it would be good to have a little confidence in the answers provided!
0
0
correct ans.
mail.contoso.com LB will handle ssl
ex01.contoso.local
ex02.contoso.local
no cert like lb.contoso.local can be requested from CA (digicert,verisign,…)
0
0