Migrating to Exchange 2010 (Part 2) – Certificates

Depending on your installation of Exchange 2010 and what internal and external services you want to provide, you’ll likely need a new SSL certificate from a 3rd party provider. You probably already have a basic mail.company.com certificate, but that’s just not going to cut it anymore. 
If you’ll be supporting mailboxes on a previous version of Exchange or providing Outlook Anywhere access, you’ll likely need additional host names on your certificate, like legacy.company.com and autodiscover.company.com. This requires a SAN (Subject Alternative Name) certificate.
Exchange supports different URLs for internal and external access and after a typical installation, your internal URLs will be set to the FQDN of the server name (server.company.com) and external URLs will be set to whatever host name you specify during the install of the CAS server, like mail.company.com. 
In order for us to get a shiny new SAN certificate, we had to revoke our existing mail.company.com while we were waiting for the new certificate to be issued. This would cause some temporary certificate problems with anyone who tried to use Outlook Web Access, but since this was a weekend project and I already declared the entire weekend as a maintenance window I wasn’t too concerned about it. 
Meanwhile, I moved all my users’ mailboxes to the new server. All the Outlook clients were happy with the server’s self-signed certificate, which was great, since our 3rd party certificate provider took a few days to finish issuing the new cert. Once the new certificate came, I loaded it onto the mail server and authorized it for IIS to use.

My OWA certificate errors disappeared, but shortly thereafter we started getting reports of Outlook 2007 complaining that the certificate had a different name than the one it was expecting. This was because we didn’t include the server name as part of the certificate, but all the internal URLs still referenced the FQDN of the server’s real name.

Some of the internal URLs can be changed in the Exchange Management Console, but a few are easily overlooked because they can only be changed with PowerShell, particularly the URLs for Autodiscover and EWS (Exchange Web Services).
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.company.com/ews/exchange.asmx
Then be sure to recycle your MSExchangeAutodiscoverAppPool in IIS.  You can read more about this issue in Microsoft’s KB 940726.
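Before (and after) changing the URLs, it helps to see every host name Exchange is actually publishing and compare it against the names on the certificate bound to IIS. The script below is an added example for this post, not something from the original write-up; it runs in the Exchange Management Shell, and CAS_Server_Name is a placeholder for your own CAS server.

```powershell
# Added example: report Client Access URL host names that the IIS certificate
# does not cover. CAS_Server_Name is a placeholder, not a real server name.
$Cas = "CAS_Server_Name"

# Collect every internal/external URL Outlook and Autodiscover may be handed.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in (& $cmdlet -Server $Cas)) {
        $urls += $vdir.InternalUrl
        $urls += $vdir.ExternalUrl
    }
}

# Reduce the URLs to a unique, lower-cased list of host names.
$hostNames = $urls | Where-Object { $_ } |
    ForEach-Object { ([Uri]$_.ToString()).Host.ToLower() } |
    Sort-Object -Unique

# The certificate currently enabled for the IIS service on this CAS.
$cert = Get-ExchangeCertificate -Server $Cas |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service enabled on $Cas" }
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# A name is covered if it appears as a SAN or matches a wildcard entry.
function Test-NameCovered($name) {
    foreach ($san in $certNames) {
        if ($san -eq $name) { return $true }
        if ($san.StartsWith('*.') -and $name.EndsWith($san.Substring(1)) -and
            ($name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

"Certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"
foreach ($name in $hostNames) {
    $status = if (Test-NameCovered $name) { 'OK      ' } else { 'MISMATCH' }
    "$status $name"
}
```

Any MISMATCH line is a URL that will trigger the certificate name warning described above, either because the URL still points at the server’s FQDN or because the SAN certificate is missing that name.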
