Since Nov 1, 2015 it has not been possible to include .local domains in externally used SSL certificates. This created a small problem for a lot of existing Exchange servers because, more often than not, the UCC SSL cert carried both the local server name and the external name. The fix is for the internal clients to access the Exchange server using the external FQDN.
Once you have successfully applied the new SSL certificate, all the services inside Exchange need to be told to use that FQDN. To do this, a simple set of PowerShell commands can be used. In our example, the FQDN ‘mail.icebluefrog.com’ is used for external communications. We will now apply this external FQDN to all the internal services on the Exchange 2016 server.
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.icebluefrog.com -InternalHostname mail.icebluefrog.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.icebluefrog.com/owa -InternalUrl https://mail.icebluefrog.com/owa
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.icebluefrog.com/ecp -InternalUrl https://mail.icebluefrog.com/ecp
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.icebluefrog.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.icebluefrog.com/Microsoft-Server-ActiveSync
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.icebluefrog.com/EWS/Exchange.asmx -InternalUrl https://mail.icebluefrog.com/EWS/Exchange.asmx
Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.icebluefrog.com/OAB -InternalUrl https://mail.icebluefrog.com/OAB
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri https://mail.icebluefrog.com/Autodiscover/Autodiscover.xml
Set-MapiVirtualDirectory -Identity "mapi (Default Web Site)" -InternalUrl https://mail.icebluefrog.com/mapi -ExternalUrl https://mail.icebluefrog.com/mapi -IISAuthenticationMethods Negotiate
Set-OrganizationConfig -MapiHttpEnabled $true
Once everything has run through, you can check that the changes have taken effect using the following PowerShell commands.
Resolve-DnsName mail.icebluefrog.com
Get-OutlookAnywhere | Select Server,ExternalHostname,Internalhostname
Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
Get-EcpVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
Get-ActiveSyncVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl
Get-ClientAccessService | Select Name,AutoDiscoverServiceInternalURI
Get-MapiVirtualDirectory | Select Name,InternalUrl,ExternalUrl
Get-OrganizationConfig | Select Name,MapiHttpEnabled
The output that you see should look something like this.
And with that, you are done. It is often a good idea to reboot the Exchange Server after doing this, just to make sure everything is all good.
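The checks above show the URLs but not whether the new certificate actually covers them. The following added example (not part of the original post) gathers every host name configured by the Set-* commands and compares it with the names on the certificate; `$thumb` is a placeholder you must fill in, and `Test-CertCoversName` and the variable names are this example's own.

```powershell
# Added example: run in the Exchange Management Shell after the Set-* commands.
# $thumb is a placeholder; paste the thumbprint of the newly installed certificate.
$thumb     = '<THUMBPRINT-OF-NEW-CERTIFICATE>'
$cert      = Get-ExchangeCertificate -Thumbprint $thumb
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# True when $Name is covered by one of the certificate names.
# A wildcard such as *.example.com covers exactly one extra label.
function Test-CertCoversName([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                      # ".example.com"
            if ($Name.EndsWith($suffix)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Collect every host name the services hand out to clients.
$found = @()
$vdirCmds = 'Get-OwaVirtualDirectory','Get-EcpVirtualDirectory',
            'Get-ActiveSyncVirtualDirectory','Get-WebServicesVirtualDirectory',
            'Get-OabVirtualDirectory','Get-MapiVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vd in (& $cmd)) {
        foreach ($prop in 'InternalUrl','ExternalUrl') {
            if ($vd.$prop) { $found += [pscustomobject]@{ Source = "$cmd.$prop"; Name = ([uri]"$($vd.$prop)").Host } }
        }
    }
}
foreach ($oa in (Get-OutlookAnywhere)) {
    foreach ($prop in 'InternalHostname','ExternalHostname') {
        if ($oa.$prop) { $found += [pscustomobject]@{ Source = "Get-OutlookAnywhere.$prop"; Name = "$($oa.$prop)" } }
    }
}
foreach ($ca in (Get-ClientAccessService)) {
    if ($ca.AutoDiscoverServiceInternalUri) { $found += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'; Name = ([uri]"$($ca.AutoDiscoverServiceInternalUri)").Host } }
}

# One row per configured name; OnCert = False means clients will see a name-mismatch warning.
$found | ForEach-Object {
    $n = $_.Name.ToLower()
    [pscustomobject]@{ Source = $_.Source; Name = $n; OnCert = Test-CertCoversName $n $certNames; DotLocal = $n.EndsWith('.local') }
} | Sort-Object OnCert, Source | Format-Table -AutoSize
```

Any row with OnCert False or DotLocal True points at a service that was missed by the Set-* commands and still advertises a name the certificate cannot cover.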