Goal / Scope
The purpose of this article is to provide a method for using a single-name certificate with Exchange 2010 without certificate errors and warnings, and without some services (Autodiscover, EWS, the Offline Address Book) failing outright. Please NOTE: Microsoft's recommended best practice is to use a SAN (Subject Alternative Name) certificate with Exchange. If that is not an option, for example because of cost or because you want to reuse an existing certificate, the process below allows a single-name certificate to be used. The warnings come from a name mismatch: Exchange 2010 populates its internal URLs with the server's internal FQDN (for example EXCHANGE.domain.local), Outlook validates the host name in every URL it is handed against the certificate presented by the server, and a single-name certificate covers only one name. The fix is therefore to make every client-facing URL, internal and external, use that one name and to make sure the name resolves correctly from both sides.
The following must be in place for this configuration to succeed.
- An external DNS provider that supports SRV records. You will need to create the SRV record _autodiscover._tcp.domain.com in external DNS for this to work (priority and weight, if the provider asks for them, can be 0).
- Outlook 2007 with the update rollup released June 27, 2007 (discussed in this Microsoft KB article), which added support for Exchange Autodiscover via SRV lookup. Outlook 2010 and later support SRV lookup natively.
- An SSL certificate for mail.domain.com, issued by a CA that every client (including mobile devices) trusts. A certificate that clients do not trust produces the same warnings this article is trying to remove.
Methodology / Process Steps
In the examples shown below, [domain.com] is the domain name, [mail.domain.com] is the URL being set for all services and EXCHANGE is the NetBIOS name of the Exchange server.
- Point external DNS for mail.domain.com to the external IP address of the Exchange server.
- Create the SRV record _autodiscover._tcp.domain.com with a target of [mail.domain.com] on port 443. Your DNS provider might present the fields like this:
  Service: _autodiscover
  Protocol: _tcp
  Port Number: 443
  Host: [mail.domain.com]
- Point internal DNS for [mail.domain.com] to the internal IP address of the Exchange server (split DNS). This is required because the internal URLs set below use the same name as the external ones; without the internal record, domain-joined clients would try to reach the server through its external address.
Set the Internal URLs.
Note: These commands can be copied into a text editor. Replace [mail.domain.com] with the FQDN on your certificate, then paste the edited commands directly into the Exchange Management Shell on the Exchange 2010 server. The Set-ClientAccessServer line updates the Service Connection Point in Active Directory, which is what domain-joined Outlook queries first; if it is left at the server's internal name, internal clients still get a certificate warning even though every virtual directory was changed.
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri "https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.domain.com/Ews/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "https://mail.domain.com/Oab"
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl "https://mail.domain.com/Owa"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "https://mail.domain.com/Ecp"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"
Set the External URLs.
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -ExternalUrl "https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl "https://mail.domain.com/Ews/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl "https://mail.domain.com/Oab"
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl "https://mail.domain.com/Owa"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl "https://mail.domain.com/Ecp"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"
- Verify everything was set correctly. Every URL in the output should carry the same host name as the certificate.
Get-AutodiscoverVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
Get-OabVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
Get-OwaVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
Get-EcpVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
Get-ActiveSyncVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
- Verify everything is working by using the Exchange Remote Connectivity Analyzer located at https://www.testexchangeconnectivity.com
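The procedure above as one script, added here as an example and not part of the original article or its PowerShell source. It sets every URL from a single variable, then does the check the manual verification step leaves to the eye: it collects every URL Exchange now advertises (including the SCP) and compares each host name against the domains on the certificate that is actually enabled for IIS, and it finishes with the external SRV lookup. $Fqdn and $Domain are assumptions to replace; the cmdlets and properties used (Get-ExchangeCertificate with Services and CertificateDomains, the virtual directory cmdlets) are standard Exchange 2010 ones.

```powershell
# Added example, not part of the original article. Assumptions to replace:
#   $Fqdn   - the single name on your certificate (the article's [mail.domain.com])
#   $Domain - your SMTP domain, used only for the SRV lookup check
$Fqdn   = "mail.domain.com"
$Domain = "domain.com"

# Every client-facing path, built from the one FQDN.
$Urls = @{
    Autodiscover = "https://$Fqdn/Autodiscover/Autodiscover.xml"
    Ews          = "https://$Fqdn/Ews/Exchange.asmx"
    Oab          = "https://$Fqdn/Oab"
    Owa          = "https://$Fqdn/Owa"
    Ecp          = "https://$Fqdn/Ecp"
    Eas          = "https://$Fqdn/Microsoft-Server-ActiveSync"
}

# Internal and external URLs are identical on purpose: split DNS sends internal
# clients to the private address, and the host name then matches the certificate
# from both sides.
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl $Urls.Autodiscover -ExternalUrl $Urls.Autodiscover
# The SCP in Active Directory is what domain-joined Outlook queries first.
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri $Urls.Autodiscover
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl $Urls.Ews -ExternalUrl $Urls.Ews
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl $Urls.Oab -ExternalUrl $Urls.Oab
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl $Urls.Owa -ExternalUrl $Urls.Owa
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl $Urls.Ecp -ExternalUrl $Urls.Ecp
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl $Urls.Eas -ExternalUrl $Urls.Eas

# --- Verification 1: collect every URL Exchange now advertises to clients ---
$Advertised = @()
foreach ($vd in @(Get-AutodiscoverVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
               @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory) +
               @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)) {
    $Advertised += $vd.InternalUrl, $vd.ExternalUrl
}
$Advertised += (Get-ClientAccessServer | ForEach-Object { $_.AutodiscoverServiceInternalUri })
$Hosts = @($Advertised | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host.ToLower() } | Sort-Object -Unique)

# --- Verification 2: the certificate bound to IIS must cover every host name ---
# A name that is advertised but absent from the certificate is exactly what
# produces the "name on the security certificate is invalid" warning in Outlook.
$IisCerts  = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" }
$CertNames = @($IisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString().ToLower() })
foreach ($h in $Hosts) {
    # -like lets a wildcard entry such as *.domain.com match as well as an exact name
    $covered = $CertNames | Where-Object { $h -like $_ }
    if ($covered) { Write-Host "OK       $h is covered by the IIS certificate" }
    else          { Write-Warning "$h is advertised but NOT on the IIS certificate" }
}
if ($Hosts.Count -ne 1) { Write-Warning "More than one host name is still advertised: $($Hosts -join ', ')" }

# --- Verification 3: the external SRV record must point at that same name ---
# nslookup is used because Resolve-DnsName is not available on the PowerShell 2.0
# that ships with Exchange 2010 era servers. The target in the answer should be $Fqdn.
nslookup -type=SRV "_autodiscover._tcp.$Domain"
```

Run it in the Exchange Management Shell, not a plain PowerShell window, so the Exchange cmdlets are loaded. A warning from Verification 2 means a virtual directory (or the SCP) still advertises a name the certificate does not carry; fix that entry rather than telling users to click through the warning, since a client trained to accept name mismatches will also accept one presented by an attacker on the path.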
Known Issues / Troubleshooting
This section is for the issues that have well defined and tested solutions.
Problem: Certificate errors are still present, or services such as the OAB fail to function properly.
Solution: Use Outlook's own diagnostics. Hold Ctrl and right-click the Outlook icon in the notification area; one of the options is "Test E-mail AutoConfiguration...". After you supply a username and password, it attempts an Autodiscover configuration and shows the URLs it received in the results window. Check that every URL returned uses mail.domain.com; any URL that still carries the server's internal name points at a virtual directory (or the SCP set by Set-ClientAccessServer) that was not updated. "Connection Status", opened the same way, shows which server name each Outlook connection is using.
Problem: On first use Outlook shows a dialog asking whether to allow the website to configure the user's server settings.
Solution: This is expected with the SRV method, not a certificate error: Outlook is being redirected from domain.com to mail.domain.com and asks for confirmation once. Users can tick "Don't ask me about this website again" and it will not reappear.
The PowerShell code used in this guide was taken directly from this article: