Managing Certificates in Exchange Server 2013 (Part 5)

If you would like to read the other parts in this article series please go to:


So far, in our series we deployed the certificate and configured the Autodiscover component to support our internal and external clients. In this article we will be covering the required steps to update the URLs used by Outlook either internally or externally. The new URLs will match the entries that we have in our new Public certificate.

Managing External Access…

The external configuration is the simplest of all three components because everything can be done from a single wizard.

You may have noticed that the new Exchange Server 2013 deployment wizard is simpler than its predecessors and it does not ask you anymore about the External Access Domain during the process. Nowadays, we need to configure that after installing the product and that is exactly what we are going to do in this section.

In order to configure all external URLs we can use a simple wizard that configures everything related to the external address. Logged on from Exchange Admin Center, click servers and then Virtual directories. Click on the second icon that has Configure External Access domain as a description, as shown in Figure 01.

Figure 01

On the new page, we can configure several servers at the same time. Click the Add button which is presented by the + sign, and select the Exchange Server 2013 (only Client Access Server role servers will be listed since we have a single server in the current environment). After selecting the server, we need to specify the external name, which in our article series is and click save (Figure 02), and wait a few moments for the changes to be applied on the selected server/s. In the new dialog box, just click close.

Figure 02

A restart of IIS using iisreset /noforce would be good to refresh and speed up our testing process. Let’s open an Outlook client and run the Test E-mail AutoConfiguration and on the HTTP area which is related to external access we will notice that all URLs for all services are using the new name that we have just specified in the previous wizard, as shown in Figure 03.

Figure 03

Now that we know that the URLs are available for the clients, we can use ExRCA and run a couple of tests to make sure that everything is working properly from the outside.

Let’s run these two tests: Outlook Anywhere (RPC over HTTP) and Exchange Active Sync because they run the Autodiscover as part of their process as well,. All tests should pass at this moment, if they do not, please check the information on the to pin point the issue. In our article series, we can see the results for the Outlook Anywhere test in Figure 04 and if we analyze all the steps further, we can see all protocols, connections and so forth.

Figure 04

If you are not sold yet, just create a new account on any device that you may have handy, create a new Exchange account, and provide your e-mail address and password (Figure 05). As an exercise we are going to use an iPhone device. After typing in the required information just click next.

Figure 05

As soon as we hit next in the previous step, a new page will be shown for a few seconds (Figure 06) and the last page of the wizard will appear automatically (Figure 07).

Figure 06

On the last page from the device, the end-user can define which components will be synchronized, just click save and the user will be able to access e-mail through ActiveSync.

Based on default settings, if you have changed your ActiveSync policy to block or quarantine your end-users will not have access to ActiveSync until further changes from the administrator side.

Managing Internal URLs…

The last piece of the puzzle is to configure the internal URLs to reflect the changes as we have done with Autodiscover and external access. After completing this section our end-users will not be prompted by certificate errors and such changes can be done either using Exchange Management Shell or Exchange Admin Center. Since we have been using Exchange Admin Center during this entire series, we will continue using it for the rest of this article series and this step is not going to be any different. Shall we start?

Logged on at the Exchange Admin Center, click servers, and then virtual directories tab, as shown in Figure 07. On this page, we can narrow down by server (select the server name in the drop-down Select Server). In our case we have a single server but it does not matter.

Figure 07

In order to change, we just need to select a listed entry, and then click the first button of the toolbar (Edit). We can then just copy and paste the content from the External URL field to the Internal URL field. We need to do the same process for the following items:

  • OAB
  • EWS
  • OWA
  • ECP

If we double click any of the items being listed on the page, we will have a new page where we can add the information as in Figure 08. We can see the values updated for the OAB Virtual Directory.

Figure 08

After performing these changes, we can execute iisreset /noforce and start the test on the client side. If we run the Test E-mail AutoConfiguration tool the URLs will be using the value that we have just entered (Figure 09).

Figure 09


In this article, we configured the web services to use the proper names supported by our public certificate and as part of the process we went over the process of testing all settings using ExRCA (Exchange Remote Connectivity Analyzer) and Active Sync.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top