Web Services and Other Client Access Host Name Configuration on Exchange 2007 Server
Short URL: http://semb.ee/hostnames2007
On this Page
- Other versions of Exchange
- Introduction
- Requirements
- Initial Configuration Internal Operation
- Script for Exchange Server Configuration
- External Configuration
Other Versions of Exchange
This article is available for other versions of Exchange:
Introduction
From November 2015, you will no longer be able to get SSL certificates from commercial providers with internal server names on them. Therefore external names will need to be used internally as well as externally. This will require modifications to the configuration of Exchange so that the correct information is issued by Autodiscover and clients are able to connect on the new URLs.
Requirements
- Exchange 2007 SP1 or higher
- Outlook 2007 SP1 or higher - This is a HARD requirement if you are going to use Outlook Anywhere and use a single name SSL certificate, as the settings used were introduced in the Service Pack.
- SRV record support at your external DNS host - again this is a HARD requirement to use Outlook Anywhere with a single name SSL certificate and you should not start on these changes unless you can set these types of records.
If you do not have SRV support at your external DNS host then you should not make these changes. It does rely on the SRV records to work correctly.
You have two options.- Transfer to another domain name service provider that supports SRV records, such as GoDaddy https://CertificatesForExchange.com .
- Purchase a SAN certificate, which contains the additional names required.
- Commercial SSL certificate
If you need to purchase a single name SSL certificate then you can do so from https://CertificatesForExchange.com however if you already have a regular SSL certificate - perhaps from an Exchange 2003 deployment, then that certificate can be used.
Initial Configuration - for Internal Operation
The first thing to do is get it working internally. There are a number of reasons for this, the main one being that the entire environment is under your control and can be checked thoroughly as you go along. These settings also apply if you are going to use Exchange 2007 exclusively internally, so no Outlook Anywhere or ActiveSync use.
- Setup Split DNS
You need to setup a split DNS system so that your external name on the certificate resolves internally to the internal IP address of the Exchange server.
For example, if your certificate was issued to mail.example.net and your Exchange server was on 192.168.11.2 then you would need to ensure that mail.example.net resolves internally to 192.168.11.2. To ensure that DNS works correctly for the zone, you may have to put in additional entries - for example "www" to allow www.example.net to resolve. Refer to our split DNS instructions here: Split DNS.
- Autodiscover DNS settings - optional
To use Autodiscover internally (for non domain clients or ActiveSync), you need to make some additional settings in the internal DNS zone.- Remove any existing entries for autodiscover from the DNS zone.
- Second, in the DNS zone, right click on the Zone and choose "Other New Records". Choose "Service Location (SRV)"
Fig 1: Select Resource Record Type - Remove the field that comes up by default (_finger) and replace with _autodiscover. For the protocol choose _tcp (which should be the default). Leave priority and weight as the default (0) and set the port as 443.
Finally set the host as mail.example.net
Fig 2: New Resource Record Do not attempt to use another port. As with Outlook Anywhere, it is hard coded to use port 443. Using another port does not enhance your network security, as you do not get security by obscurity.
- Certificate Settings in Exchange 2007.
You need to ensure that your external certificate is imported in to Exchange correctly, so that it is used for all services.
This section will impact on the users and could also impact on email delivery, therefore it should be done out of hours.
If you haven't already, get your certificate from your preferred supplier and import it in to IIS. Ensure that it works using OWA without any prompts for certificate errors.
- In Exchange Management Shell, type get-exchangecertificate. You will then see a list of certificates that are installed on the server.
- Then type "Enable-exchangecertificate -thumbprint xxxxxx -services SMTP,IIS,POP,IMAP" - copying the thumbprint from the first command.
To copy the thumb print, right click in the PowerShell window and choose Mark. Then select the thumbprint and press enter. This copies it to the clipboard. Type the command. When you get to the part where you need to paste the thumbprint, in the top left corner, choose Edit, Paste.
- Run IISRESET for the new certificate to take effect.
- URL Adjustment
After setting the certificate in Exchange, you need to adjust the URLs to match. These are in a number of places.
- Client Receive Connector
Adjust the CLIENT Receive Connector in Server configuration, Hub Transport. Change the FQDN to match your external certificate. To use the example above - mail.example.net . DO NOT Change the Default Receive Connector.
Fig 3: Client Receive Connector Properties - Client Access URLs
Next thing to change is the client access URLs. These are what autodiscover gives to the clients, and also what is sent to the client web browser when access is made through the wrong server.
On servers where you have a single server holding all of the roles, set both the internal and external name to the external SSL certificate name - so replace host.domain.local with mail.example.net. Do take care to leave the rest of the URL as shown.
Fig 4: Properties of the OWA Virtual Directory 
Fig 5: Properties of the Microsoft Server ActiveSync Virtual Directory 
Fig 6: Properties of the OAB Virtual Directory
If you look at POP3 and IMAP in the Client Access area, you should find that the certificate has already been set to your external certificate name - this was set when the service was enabled.
Fig 7: IMAP 4 Properties (Identical to POP3 Properties)
- Autodiscover URL
If you are using a single server, then the following commands can be used:
However if you are using multiple servers, then you need to set the commands as follows:
Replace "CAS-Server" with the real name of the server that holds the CAS role.
- Web Services URL
As with Autodiscover, if you are using a single server then the following commands can be used:
However if you are using multiple servers, then you need to set the commands as follows:
Replace "CAS-Server" with the real name of the server that holds the CAS role.
- Outlook Anywhere URL.
Right click on the Client Access Server and choose Properties. Click on the tab Outlook Anywhere and adjust the URL to match the external name on the SSL certificate.
- Client Receive Connector
- Cycle the Exchange Services
After making the changes, cycle the Exchange services to ensure that the changes are live.
Script for the Above
Using the power of PowerShell, the above changes can be easily scripted.
Copy the text below in to a new notepad document and modify the two lines at the top - remember to leave the " in place. Then it as a file name ending in ps1 - for example URLs.ps1 on the Exchange server itself.
Then use Exchange Management Shell to run it. The best way is to CD to the directory and then use tab - and PowerShell will recognise the script.
Testing
To test the configuration, use Outlook 2007 or higher on a workstation.
Start Outlook 2007/2010 and wait for it to connect.
Then hold down CTRL and right click on the Outlook icon in the system tray next to your clock. Choose "Test Email AutoConfiguration..." Then select the option to test the configuration.
Should you have everything configured correctly, then all of the URLs should appear as your external certificate name and you do not get any certificate prompts.
MSSTD URL
If the URL for Outlook Anywhere under MSSTD is not correct, then you may have to set that manually.
To do that, use the following command in EMS:
External Configuration
For this method to work externally, you need to make the following changes
- Open port 443 on the firewall.
This is the only port that is required for Exchange web based services. You do not need to open any other ports - certainly not 80 or anything in the 6xxx range that you may have read elsewhere.
For Exchange to operate fully it only requires two, at most three ports to be open - 443 (https), 25 (SMTP), 587 (legacy TLS/SSL port).
You only need to open port 110 (POP3) and 143 (IMAP) if you are supporting those protocols. - Add Autodiscover A record, or SRV DNS records to the external DNS configuration.
References
Elsewhere on this site
Split DNS: http://exchange.sembee.info/network/split-dns.asp
Multiple Name SSL Certificates: http://exchange.sembee.info/2007/install/multiplenamessl.asp
Author's Blog
Unified Messaging Requires the Server Name in the SSL Certificate: http://blog.sembee.co.uk/post/Unified-Messaging-Requires-the-Server-Name-in-the-SSL-Certificate.aspx
Third Party Sites
Certificate Supplier: https://CertificatesForExchange.com
Microsoft Knowledgebase
Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881
Requires Outlook 2007 SP1 or higher or this roll up: http://support.microsoft.com/kb/939184 (June 27th 2007)