Reconfiguring Microsoft Exchange Server To Use SAN Certificate With Only External Domain Names
Categories: Exchange
A typical Microsoft Exchange solution for SMEs might look like this:
Consequently a Subject Alternative Name (SAN) certificate will probably contain the following entries:
itexch01.itfountain.local
itexch02.itfountain.local
autodiscover.itfountain.com
mail.itfountain.com
The internal names are usually used for the Client Access Server (CAS) role and are what Outlook connects to. For this reason the internal server names must be present in the certificate, or Outlook will generate a certificate warning like the following:
Since November 2015 publicly trusted Certificate Authorities (CAs) have been prohibited from issuing certificates that contain internal domain names such as itfountain.local (https://cabforum.org/internal-names/).
To resolve this the Exchange CAS internal URLs have to be changed to an external fully qualified domain name (FQDN) such as mail.itfountain.com. Because that name must resolve to the internal IP of the CAS array from inside the network, a new internal DNS zone named mail.itfountain.com must be created with an A record pointing at that IP (split-brain DNS). Once every internal URL/URI used by Exchange points at the new record, a new certificate without the internal names can be used.
N.B. Don't create a zone for the actual domain, i.e. itfountain.com, or you will have to re-create every existing public A record in it.
DNS Configuration
Launch DNS manager on your Active Directory (AD) server
Create a new zone in Forward Lookup Zones
I am going to name this zone mail.itfountain.com as I will name my CAS array that and point all the necessary internal URLs/URIs to this as well.
Create a new blank (same-as-parent) A record pointing to the internal IP of the CAS array
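The same DNS change as an Exchange Management Shell / DnsServer module script. This is an added example and not part of the original post; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, otherwise use dnscmd.exe with the equivalent switches), and the IP address 192.168.10.25 is a placeholder for the CAS array VIP.

```powershell
# Added example (not from the original post): create the split-brain zone
# mail.itfountain.com on the AD DNS server and point its apex A record at the
# internal IP of the CAS array. Requires the DnsServer module.
$ZoneName   = "mail.itfountain.com"
$CasArrayIP = "192.168.10.25"          # placeholder: internal VIP of the CAS array

# Guard: refuse to run if the zone already exists, so an existing zone
# (for example itfountain.com created here by mistake) is never touched.
if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
    throw "Zone $ZoneName already exists; inspect it before continuing."
}

# AD-integrated primary zone, replicated to every DNS server in the domain.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope "Domain"

# Blank (apex) A record: "@" is the zone root, so mail.itfountain.com itself
# resolves to the CAS array without any host label in front of it.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name "@" -IPv4Address $CasArrayIP -TimeToLive 00:05:00

# Verify on the DNS server now, and again from a client once replication is done.
$answer = Resolve-DnsName -Name $ZoneName -Type A -ErrorAction Stop
if ($answer.IPAddress -notcontains $CasArrayIP) {
    throw "$ZoneName resolved to $($answer.IPAddress -join ', ') instead of $CasArrayIP"
}
"OK: $ZoneName -> $CasArrayIP"
```

The short TTL is deliberate: if the CAS array VIP changes later, clients pick up the new address within minutes.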
Exchange Configuration
Once the DNS is done all the internal URLs/URIs in Exchange must be changed.
Check the Exchange server details and which roles each server holds
Get-ExchangeServer | fl name, admindisplayversion, serverrole, site
Name : ITFEXCH01
AdminDisplayVersion : Version 14.3 (Build 123.4)
ServerRole : Mailbox, ClientAccess, HubTransport
Site : ITFOUNTAIN.local/Configuration/Sites/Default-First-Site-Name
Name : ITFEXCH02
AdminDisplayVersion : Version 14.3 (Build 123.4)
ServerRole : Mailbox, ClientAccess, HubTransport
Site : ITFOUNTAIN.local/Configuration/Sites/Default-First-Site-Name
Check the details of the CAS Array
Get-ClientAccessArray
Name    Site                    Fqdn                       Members
----    ----                    ----                       -------
mail    Default-First-Sit...    itfcas.itfountain.local    {ITFEXCH01, ITFEXCH02}
Get the details of the CAS role
Get-ClientAccessServer | fl name, auto*, iden*
Name : ITFEXCH01
AutoDiscoverServiceCN : ITFEXCH01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://ITFEXCH01.ITFOUNTAIN.LOCAL/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
Identity : ITFEXCH01
Name : ITFEXCH02
AutoDiscoverServiceCN : ITFEXCH02
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://autodiscover.itfountain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
Identity : ITFEXCH02
Get Web Services Virtual Directory details
Get-WebServicesVirtualDirectory | fl iden*, int*, ext*
Identity : ITFEXCH01\EWS (Default Web Site)
InternalNLBBypassUrl : https://itfexch01.itfountain.local/ews/exchange.asmx
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl : https://itfexch01.itfountain.local/ews/exchange.asmx
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
ExternalUrl : https://mail.itfountain.com/ews/exchange.asmx
Identity : ITFEXCH02\EWS (Default Web Site)
InternalNLBBypassUrl : https://itfexch02.itfountain.local/ews/exchange.asmx
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl : https://itfexch02.itfountain.local/ews/exchange.asmx
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
ExternalUrl : https://mail.itfountain.com/ews/exchange.asmx
Check Offline Address Book Virtual Directory
Get-OabVirtualDirectory | fl iden*, int*, ext*
Identity : ITFEXCH01\OAB (Default Web Site)
InternalUrl : https://itfexch01.itfountain.local/oab
InternalAuthenticationMethods : {WindowsIntegrated}
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
ExternalUrl : https://mail.itfountain.com/OAB
ExternalAuthenticationMethods : {WindowsIntegrated}
Identity : ITFEXCH02\OAB (Default Web Site)
InternalUrl : https://itfexch02.itfountain.local/oab
InternalAuthenticationMethods : {WindowsIntegrated}
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
ExternalUrl : https://mail.itfountain.com/OAB
ExternalAuthenticationMethods : {WindowsIntegrated}
So from the above commands we know the following needs to be changed:
AutodiscoverServiceInternalUri of the CAS
InternalURL of the WebServicesVirtualDirectory
InternalURL of OABVirtualDirectory
For completeness we will also recreate the CAS array as mail.itfountain.com
Remove the existing CAS array (the Identity "mail" is the Name shown by Get-ClientAccessArray above)
Remove-ClientAccessArray -Identity "mail"
Recreate the CAS array with the new name; the Fqdn must match the DNS zone created earlier and the Site is the one shown above
New-ClientAccessArray -Name "mail.itfountain.com" -Fqdn "mail.itfountain.com" -Site "Default-First-Site-Name"
Restart IIS
iisreset
Check that all mailbox databases are part of the newly created CAS array
Get-MailboxDatabase | fl name,Rpc*
Name : IT Fountain UK
RpcClientAccessServer : mail.itfountain.com
Name : IT Fountain International
RpcClientAccessServer : mail.itfountain.com
Name : ITFGB
RpcClientAccessServer :
ITFGB has no RpcClientAccessServer set, so it is not using the CAS array. The following sets every mailbox database to the new array (it is harmless for the ones already pointing at it):
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer "mail.itfountain.com"
Set the internal URLs to mail.itfountain.com
Set-ClientAccessServer -Identity ITFEXCH01 -AutodiscoverServiceInternalUri https://mail.itfountain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "ITFEXCH01\EWS (Default Web Site)" -InternalUrl https://mail.itfountain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "ITFEXCH01\OAB (Default Web Site)" -InternalUrl https://mail.itfountain.com/oab
Restart IIS
iisreset
Repeat these steps on the other Exchange server.
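The whole Exchange configuration step for every CAS in one pass, followed by an audit that nothing Outlook uses still carries a .local name. This is an added example and not the post's own script; it assumes the Exchange 2010 Management Shell (PowerShell 2.0 syntax) and the server, virtual directory and database names shown in the output above. Run iisreset on each CAS afterwards, as the post does.

```powershell
# Added example (not from the original post): set the new internal name on every
# Client Access Server, point all databases at the new array, then audit.
$NewHost = "mail.itfountain.com"

$casServers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -match "ClientAccess" }
foreach ($srv in $casServers) {
    $name = $srv.Name
    Set-ClientAccessServer -Identity $name `
        -AutodiscoverServiceInternalUri "https://$NewHost/autodiscover/autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$name\EWS (Default Web Site)" `
        -InternalUrl "https://$NewHost/ews/exchange.asmx"
    Set-OabVirtualDirectory -Identity "$name\OAB (Default Web Site)" `
        -InternalUrl "https://$NewHost/oab"
}

# Every mailbox database must use the new array as its RPC endpoint
# (catches databases with a blank RpcClientAccessServer, as ITFGB had above).
Get-MailboxDatabase | Where-Object { "$($_.RpcClientAccessServer)" -ne $NewHost } |
    Set-MailboxDatabase -RpcClientAccessServer $NewHost

# Audit: collect every internal URL/URI Outlook uses and flag any that are empty
# or still contain ".local". InternalNLBBypassUrl is deliberately left out: it is
# meant to name the individual server and is not what Outlook reaches through the array.
function New-UrlRecord($Server, $Item, $Url) {
    New-Object PSObject -Property @{ Server = "$Server"; Item = $Item; Url = "$Url" }
}
$urls = @()
$urls += Get-ClientAccessServer          | ForEach-Object { New-UrlRecord $_.Name   "Autodiscover"          $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { New-UrlRecord $_.Server "EWS InternalUrl"       $_.InternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { New-UrlRecord $_.Server "OAB InternalUrl"       $_.InternalUrl }
$urls += Get-MailboxDatabase             | ForEach-Object { New-UrlRecord $_.Server "RpcClientAccessServer" $_.RpcClientAccessServer }

$bad = $urls | Where-Object { $_.Url -eq "" -or $_.Url -match '\.local(/|$)' }
if ($bad) {
    Write-Warning "Internal names still present or unset:"
    $bad | Format-Table Server, Item, Url -AutoSize
} else {
    "All internal URLs and RPC endpoints now use $NewHost"
}
```

The same audit pattern extends to the other virtual directories that have an InternalUrl (OWA, ECP, ActiveSync) if browsers or phones on the internal network also connect to the CAS by name.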
New Certificate
Launch the Exchange Management Console and, under Server Configuration, start the New Exchange Certificate wizard
Generate a new certificate request (CSR) that includes only the external names autodiscover.itfountain.com and mail.itfountain.com
Submit the CSR to your CA to obtain the new certificate; once you receive the certificate, complete the pending request to install it.
Assign all necessary Exchange services to the new certificate, in my case IMAP, POP, IIS and SMTP. Export the certificate (with its private key) from the first Exchange server and install it on the second Exchange server and the load balancers.
Test from an internal Outlook client that the certificate warning no longer appears and that Autodiscover, EWS and OAB downloads work against mail.itfountain.com.
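The certificate steps above as Exchange Management Shell commands, with a final check that the certificate bound to IIS carries exactly the names intended. This is an added example and not part of the original post; the file paths, the organisation details in the subject name and the PFX handling are placeholders for this example, and it assumes Exchange 2010 cmdlet syntax.

```powershell
# Added example (not from the original post): request, import, enable, export
# and verify the SAN certificate from the Exchange Management Shell.
$Domains = "mail.itfountain.com", "autodiscover.itfountain.com"

# 1. Generate the CSR on the first CAS with an exportable 2048-bit key.
#    Subject details (C, O) are placeholders; CN must be one of the SAN names.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=IT Fountain, CN=mail.itfountain.com" `
    -DomainName $Domains `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path "C:\certs\mail.itfountain.com.req" -Value $csr

# 2. After the CA returns the signed certificate, import it (this completes the
#    pending request against the private key) and enable the services on it.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\mail.itfountain.com.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"

# 3. Export as a password-protected PFX (private key included) for the second
#    CAS and the load balancers. Import it there with Import-ExchangeCertificate
#    -FileData ... -Password, then Enable-ExchangeCertificate with the same thumbprint.
$pfxPassword = Read-Host -AsSecureString "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\mail.itfountain.com.pfx" -Value $pfx.FileData -Encoding Byte

# 4. Check: the certificate bound to IIS must contain both external names and
#    no internal (.local) name, and must still be valid.
$iisCert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$names    = $iisCert.CertificateDomains | ForEach-Object { "$_" }
$missing  = $Domains | Where-Object { $names -notcontains $_ }
$internal = $names   | Where-Object { $_ -match '\.local$' }
$boundToIis = "$($iisCert.Services)" -match "IIS"
if ($missing -or $internal -or -not $boundToIis -or $iisCert.NotAfter -lt (Get-Date)) {
    Write-Warning ("Missing: {0}  Internal: {1}  IIS bound: {2}  Expires: {3}" -f ($missing -join ','), ($internal -join ','), $boundToIis, $iisCert.NotAfter)
} else {
    "Certificate $($iisCert.Thumbprint) is bound to IIS for $($names -join ', ')"
}
```

Once the certificate is in place, Test-OutlookWebServices against a test mailbox confirms that Autodiscover, EWS and OAB are all answered on mail.itfountain.com without certificate errors.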