Web Services and Other Client Access Host Name Configuration on Exchange 2013/2016 Server

Home > Exchange 2013/2016

Web Services and Other Client Access Host Name Configuration on Exchange 2013/2016 Server

Short URL: http://semb.ee/hostnames2013

Other Versions of Exchange

This article is available for other versions of Exchange:

Exchange 2007
Exchange 2010

Introduction

It is no longer possible to get an SSL certificate that expires after November 2015 from a commercial providers with internal server names on them. Therefore external names will need to be used internally as well as externally. This will require modifications to the configuration of Exchange so that the correct information is issued by Autodiscover and clients are able to connect on the new URLs.

Prerequisites

A Split DNS system will also be required so that the external name resolve internally.

These changes should be made AFTER an SSL certificate has been acquired with the relevant host names on it. The modifications shown remove the need for the FQDN of the server to be used, instead use a generic URL.

Implementation With a Load Balancer

When you are going to implement a load balancer, initially point the host names at the relevant Client Access Server role, once you are satisfied they are working correctly, configure the load balancer with port 443 and then adjust the DNS entries to match.
The URLs should be unique per AD site. Do not attempt to use the same URL across multiple sites. However all servers in the same AD site with the same load balancer should have the same URL set in their properties.

Client Access URLs

The client access URLs are what autodiscover gives to the clients, and also what is sent to the client web browser when access is made through the wrong server. These can be changed through ECP. However some changes have to be made through Power Shell, these are outlined below.

On servers where you have a single server holding all of the roles, set both the internal and external name to the external SSL certificate name - so replace host.domain.local with mail.example.net. Do take care to leave the rest of the URL as per the defaults.

Autodiscover URL

If you are using a single server or all servers are in the same AD site, then the following commands can be used:

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

However if you are using multiple servers in multiple AD sites, then you need to set the commands as per the box below, replacing "CAS-Server" with the real name of the server that holds the CAS role.

Set-ClientAccessServer -Identity "CAS-Server" -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

Web Services URL

As with Autodiscover, if you are using a single server then the following commands can be used:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx

However if you are using multiple servers, then you need to set the commands as per the box below, replacing "CAS-Server" with the real name of the server that holds the CAS role.

Set-WebServicesVirtualDirectory -Identity "CAS-Server\EWS (Default Web Site)" -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx

MAPI Virtual Directory URL

The MAPI virtual directory is used by the new client access protocol MAPI over HTTPS. As before if you are using a single server then the following commands can be used:

Get-MAPIVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/mapi/ -ExternalUrl https://mail.example.net/mapi/

However if you are using multiple servers, then you need to set the commands as per the box below, replacing "CAS-Server" with the real name of the server that holds the CAS role.

Set-MAPIVirtualDirectory -Identity "CAS-Server\MAPI (Default Web Site)" -InternalUrl https://mail.example.net/mapi/ -ExternalUrl https://mail.example.net/mapi/

Outlook Anywhere URL

Right click on the Client Access Server and choose Properties. Click on the tab Outlook Anywhere and adjust the URL to match the external name on the SSL certificate.

Cycle the Exchange Services

After making the changes, cycle the Exchange services to ensure that the changes are live.

Script for the the required changes

Using the power of PowerShell, the above changes can be easily scripted.
Copy the text below in to a new notepad document and modify the two lines at the top - remember to leave the " in place. Then it as a file name ending in ps1 - for example URLs.ps1 on the Exchange server itself.

Start Exchange Management Shell and run this command first:

Set-ExecutionPolicy "RemoteSigned"

That will allow the script to be run, as it isn't signed.
Then you can run the script - the best way is to CD to the directory and then use tab - and EMS will recognise the script.

This script is suitable for running in a domain with multiple Exchange installations, and would need to be customised for each server. Therefore the easiest thing to do is put a copy of the script on each server. Then if you need to change the URL in the future, or for testing it is very quick to do.

Script notes:

Written for Exchange 2013 SP1 and higher.
It will set the MAPI virtual directory to NTLM and negotiate authentication
It sets Outlook Anywhere to NTLM authentication, and internal and external clients require SSL.

#Change this value to match the name of the external certificate
$URLName="mail.example.co.uk"
#Change this value to match the real name of the server
$ComputerName="exch-001"

Get-WebServicesVirtualDirectory -Server $ComputerName | Set-WebServicesVirtualDirectory -InternalUrl https://$URLNAME/ews/exchange.asmx -ExternalURL https://$URLNAME/ews/exchange.asmx
Set-OWAVirtualDirectory -identity "$computername\owa (Default Web Site)" -InternalURL https://$URLNAME/owa -ExternalURL https://$URLNAME/owa
Get-OABVirtualDirectory -Server $ComputerName | Set-OABVirtualDirectory -InternalURL https://$URLNAME/OAB -ExternalURL https://$URLNAME/OAB
Get-ECPVirtualDirectory -Server $ComputerName | Set-ECPVirtualDirectory -InternalURL https://$URLNAME/ECP -ExternalURL https://$URLNAME/ECP
Get-MAPIVirtualDirectory -Server $ComputerName | Set-MAPIVirtualDirectory -InternalURL https://$URLNAME/MAPI -ExternalURL https://$URLNAME/MAPI -IISAuthenticationMethods NTLM,Negotiate
Get-ActiveSyncVirtualDirectory -Server $ComputerName | Set-ActiveSyncVirtualDirectory -InternalURL https://$URLNAME/Microsoft-Server-ActiveSync -ExternalURL https://$URLNAME/Microsoft-Server-ActiveSync
Set-OutlookAnywhere -identity "$computername\RPC (Default Web Site)" -ExternalHostname $URLNAME -InternalHostname $URLNAME -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM
Set-ClientAccessServer -Identity $ComputerName -AutodiscoverServiceInternalUri https://$URLNAME/Autodiscover/Autodiscover.xml

Testing

To test the configuration, use Outlook 2007 or higher on a workstation.
Start Outlook and wait for it to connect.

Then hold down CTRL and right click on the Outlook icon in the system tray next to your clock. Choose "Test Email AutoConfiguration..." Then select the option to test the configuration.
Should you have everything configured correctly, then all of the URLs should appear as your external certificate name and you do not get any certificate prompts.

MSSTD URL

If the URL for Outlook Anywhere under MSSTD is not correct, then you may have to set that manually.
To do that, use the following command in EMS:

Set-OutlookProvider expr -CertPrincipalName:"msstd:mail.example.net"

Exchange 2013/2016