Chat now with support
Chat with Support

Coexistence Manager for Notes 3.8.2 - FBC Scenarios Guide

About the CMN Documentation Introduction On-premises Exchange or hybrid O365 using shared (single) namespace On-premises Exchange or hybrid O365 using separate namespaces Non-hybrid O365 using shared (single) namespace Non-hybrid O365 using separate namespaces Appendix: FBC Planning Worksheet Appendix: Troubleshooting the FBC

4-2: Obtain and install web services certificates

CMN Web Server components must accept SSL connections from the mail systems. The server on which these components are installed must have a certificate that Exchange trusts. The single certificate must cover the primary domain and all subdomains supported by the Notes Server. The certificate is valid for the Autodiscover and EWS web services.

You can obtain a certificate from either of two sources:

If you need a multi-domain certificate: See To create a SAN certificate.

When you receive the certificate, you must install it on the appropriate server.

The Free/Busy Connector can facilitate the exchange of free/busy information among multiple subdomains supported by both the Exchange and Domino servers. For a multi-domain scenario, ensure the certificate used on the CMN Web Server has subject alternate names for all associated autodiscover host names.

2
From the Actions Pane, select Create Certificate Request.
3
Enter autodiscover.<smtpdomain> or <smtpdomain> for the primary domain and all required subdomains. Then click Next.
2
From the Actions Pane, select Complete Certificate Request.
1
From the Connection pane in IIS, select Default Web Sites.
2
From the Actions pane, select Bindings.
3
Select Add. Select https as the type for a secure site, and enter the IP address and port number.
2
From the Directory Security tab, select Server Certificate to open the Web Server Certificate Wizard.
3
Click Next.
4
Select Create a new certificate request, and click Next.
5
Select Prepare the request now, but send it later, and click Next.
6
Accept the defaults. Ensure Select cryptographic service provider (CSP) for this certificate is checked, and click Next.
7
Select Microsoft RSA SChannel Cryptographic Provider, and click Next.
9
Enter autodiscover.<smtpdomain>or— <smtpdomain> as the common name, for the primary domain and all required subdomains. Then click Next.
12
Review the information, and click Next. Then click Finish.
2
From the Directory Security tab, select Server Certificate to open the Web Server Certificate Wizard, and click Next.
3
Select Process the pending request and install the certificate, and click Next.
6
9
Select the Require secure channel check box, and click OK.
1
From a web browser, enter https://<Local_Certification_Authority_computer>/certsrv
2
Click Request a certificate, then Advanced certificate request.
3
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5
Copy and paste the text from the certificate request into the Saved Request box when you selected Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
6
In the Certificate Template box, select Web Server. Click Submit.
7
Select Base 64 Encoded, then select Download certificate.

Go to the web site of the public CA, and follow their instructions to request a certificate.

This procedure lets you configure a single certificate to answer for multiple addresses. For your single-namespace environment, this creates a certificate that will cover both Autodiscover and the root domain.

First, you must enable the SAN (Subject Alternate Name) flag on your CA. On the machine running CA services, run these commands at the command prompt to enable the flag:

When the SAN flag is enabled, you can create the certificate:

1
Open IIS on the machine running F/B and select the server. Scroll to the bottom, open Server Certificates, and click on Create Certificate Request.
2
For the common name, enter something appropriate for your larger domain. For example, for a domain alejandro.xyzcorp.com, the common name on the certificate is *.xyzcorp.com. (This is somewhat generic, as we will later add specific namespaces to the certificate.)
5
Open the certificate web enrollment page for the CA of your domain—e.g., https://hostname/certsrv. Then select Request a Certificate, and then select Advanced Certificate Request.
6
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
7
In the Base-64-encoded certificate request box, paste all of the text that you copied from the text file in step 4 above.
8
For the Certificate Template, select Web Server.
9
In the Additional Attributes box, enter any alternate-domain information in this format:
... with &dns=dns.name appended for each alternate domain you want the certificate to handle.
12
Go back to IIS and click Complete Certificate Request.
13
For the Filename containing the certification authority’s response, click the Browse button and select the certificate you just saved. (Be sure to change the file type to *.* instead of *.cer, or you won’t see the file you saved—since it is a .P7B extension.) Type a friendly name that is easy to remember and identify so you can find it later on the list. You should then see your new certificate on the list.
15
Click the Details tab, and scroll down to Subject Alternative Name. Highlight this field, and you should see all of your domains in the Details box.

Now bind your certificate to the HTTPS protocol on the default first website:

2
In the Actions pane on the right, select Bindings.
3
Select https and click Edit.
4
In the Edit Site Binding window, in the SSL certificate drop-down list: Select the certificate you just created.
5

4-3: Configure trusted sites for computers hosting F/B components

NOTE: This step does not apply if you will use Exchange public folders to enable CMN F/B features for Outlook 2003 clients, unless you will also use Microsoft’s Autodiscover and EWS for an Exchange 2007 server with Outlook 2003 clients. The public-folders configuration scenarios are explained in step 3 above.

Log in as the CMN account to be used with the F/B Connector (if you haven’t already). Then, in Internet Options (via Windows Control Panel or IE Tools):

1
Click the Security tab, then select Trusted sites and click the Custom level... button.
2
In Settings, scroll down to User Authentication | Logon, and click the radio button for Automatic logon with current user name and password.
3
Click OK to save the selection and return to the Security tab.
5
Click OK to save your new Security settings and dismiss the Internet Options dialog box.

4-4 (optional): Configure logging for F/B components

By default, CMN is installed with the log4net utility to generate log files of CMN components’ activity. This information is critical to diagnosing any configuration issues that may arise. Logging is enabled by default for all CMN components.

The default configurations will be suitable for most organizations and circumstances, but you can customize logging features. The log4net utility may be configured to work a particular way with each CMN component. Configuration instructions are nearly identical for all components, so we present the instructions separately, in Appendix C of the User Guide.

4-5: Configure CMN's FBC for shared/single namespace (equivalent domains)

CMN supports equivalent domain names (single, shared namespace) for Domino mail users and on-premises Exchange mail users. Equivalent domains are mapped to the primary domain in the Exchange server or Domino server. You can use a PowerShell cmdlet to perform this mapping (repeat for each equivalent domain):

Related Documents