Saving on certificates in a multi-tenant Exchange environment

By default, a lot of companies buy certificates for Exchange based on the domains that are added to Exchange.
As a company expands, this can become very expensive.

In an organization using an enormous number of domains, it can be challenging to keep up with certificates.
You don’t have these issues with Office 365, since Microsoft is responsible for Autodiscover.

When hosting your own multi-tenant Exchange environment, you can actually use an SRV record instead of a CNAME or A record.
This way it announces that the corresponding service is hosted elsewhere.

This way you only need the (likely wildcard) certificate of the providing company.
Example:
You have a service provider called Adatum Services, which hosts autodiscover.adatumservices.com.
The IT admin adds a domain (contosoconsultancy.com) to the multi-tenant Exchange environment.
Instead of adding an A record pointing to the Exchange Client Access Server, you add an SRV record telling the Outlook client that the Autodiscover service is hosted elsewhere: on autodiscover.adatumservices.com.

The record for contosoconsultancy.com would look like this:
Name: @
Protocol: TCP
Port: 443
Service: _Autodiscover
Target: autodiscover.adatumservices.com
Priority: 10
Weight: 1

Now you don’t have to make changes to your certificates every time a domain is added to your Exchange environment.
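As an added example (not from the original post), the following Python script models what the SRV redirection buys you: it picks the target host Outlook would try first for the tenant's _autodiscover._tcp record and checks that name against the provider certificate's Subject Alternative Names, so you can confirm the tenant domain itself never has to appear on the certificate. The DNS answers and the SAN list are constructed sample data, and autodiscover2.adatumservices.com is an assumed second provider host.

```python
"""Check that a tenant's Autodiscover SRV record points at a host the
provider's (wildcard) certificate covers. Constructed, offline sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner, e.g. "_autodiscover._tcp.contosoconsultancy.com"
    priority: int
    weight: int
    port: int
    target: str    # hostname with an A/AAAA record (not a CNAME)

# Constructed SRV answers: two provider hosts, the lower priority value wins.
SAMPLE_SRV = [
    SrvRecord("_autodiscover._tcp.contosoconsultancy.com", 20, 1, 443,
              "autodiscover2.adatumservices.com"),   # assumed second host
    SrvRecord("_autodiscover._tcp.contosoconsultancy.com", 10, 1, 443,
              "autodiscover.adatumservices.com"),
]
# Constructed SAN list of the provider's wildcard certificate.
PROVIDER_SAN = ["*.adatumservices.com", "adatumservices.com"]

def select_target(records, domain):
    """(host, port) Outlook would try first for this domain, or None."""
    owner = f"_autodiscover._tcp.{domain}".lower()
    valid = [r for r in records
             if r.name.lower().rstrip(".") == owner and r.port == 443]
    if not valid:
        return None
    # RFC 2782: lowest priority first; among equals, higher weight preferred.
    best = sorted(valid, key=lambda r: (r.priority, -r.weight))[0]
    return best.target.rstrip(".").lower(), best.port

def san_matches(san_entry, hostname):
    """Certificate name match: a wildcard replaces only the leftmost label."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                     # ".adatumservices.com"
        prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return san_entry == hostname

def tenant_is_covered(domain, records=SAMPLE_SRV, san=PROVIDER_SAN):
    """True when the chosen SRV target is a name on the provider certificate,
    so the tenant domain itself never needs to be added to it."""
    chosen = select_target(records, domain)
    return chosen is not None and any(san_matches(s, chosen[0]) for s in san)
```

The SRV target must be a plain hostname with an A/AAAA record rather than a CNAME, and the provider certificate must cover that exact target name; a wildcard entry covers only one label, so a target like host.region.adatumservices.com would not match *.adatumservices.com.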

Posted in Collaboration, Exchange (General)