A Practical Look at Migrating From Exchange 2003 to Exchange 2007 (Part 8)

If you would like to read the other parts in this article series please go to:


We left part seven of this article series having created the certificates for the Client Access Servers. This was done by creating the certificate request file and processing this request file via the Windows Certificate Authority website. At the end of part seven we were left with a file called certnew.cer which contained our newly created certificate. All that remained for me to do at this point was to import the certificate into the Client Access Server and then enable it. This part of the article series will show you how I did this and then move on to cover a new topic, enabling of Outlook Anywhere.

Importing and Enabling the Certificates

The certificate creation process detailed in part seven of this article series completed the certificate issuing process but of course it still has not been imported into Exchange at this point. Neither had the certificate been enabled after importing. You can perform these two tasks individually if you like, or pipe the results of one into the other. For example, I ran the Import-ExchangeCertificate cmdlet and piped the results into the Enable-ExchangeCertificate, electing to enable the certificate for the IIS and SMTP services. You can see the result of this cmdlet in Figure 34. As I was overwriting the default self-signed SSL certificate for the SMTP service, I was prompted to confirm this overwriting process as you can also see in the figure. Do not forget to include the POP, IMAP or UM services if you are enabling your certificate for those services.

Figure 34: Importing and Enabling The Certificate

Once imported and enabled, I checked the properties of the certificate for correctness. You can use Internet Information Services Manager to do this, or perhaps the Certificates snap-in. I suspect that most administrators know how to use the Internet Information Services Manager snap-in, so here is the process to check the certificate using the Certificates snap-in.

  1. Click Start, then Run, type mmc into the run window and choose OK.
  2. In the resulting window, which should be called Console1, click File and then choose the Add/Remove Snap-in option.
  3. From the resulting window, click the Add button which will bring up the Add Standalone Snap-in window. Choose the Certificates snap-in and then click the Add button.
  4. You will now be presented with the Certificates snap-in window, from which you should choose the Computer account option. Once chosen, click Next.
  5. In the Select Computer window, choose Local computer and then click Finish.
  6. You will now be back at the Add Standalone Snap-in window. Since you do not require any more snap-ins, click the Close button.
  7. Now back at the Add/Remove Snap-in window, click OK.
  8. The main Console1 window is shown again, but this time with the Certificates snap-in loaded. Expand the Certificates object and then expand the Personal certificate store located underneath it. Once you have done this, select the Certificates object and you should now see the certificates listed like in the example shown in Figure 35.

Figure 35: Certificate Store

  1. Double-click the certificate that you have just created and examine its properties to make sure that they are correct and valid. For example, on the Details tab scroll down until you find the Subject Alternative Name field and you should see the various names that the certificate is configured with. An example is shown below in Figure 36.

Figure 36: Certificate Subject Alternate Names

Since I had implemented two separate servers running the Hub Transport and Client Access Server roles, I had to perform this entire procedure again on the other server. Of course, I had to ensure that parameters of the New-ExchangeCertificate cmdlet, such as the DomainName parameter, had the correct names relevant to this other server. For example, this parameter would need to include the NetBIOS and FQDN names of this server, such as hubcas2 and hubcas2.neilhobson.com.

Enabling Outlook Anywhere

If you have been reading all of this article series you may remember that way back in the first part I mentioned the fact that the RPC over HTTP proxy service was installed onto the Client Access Servers since Outlook Anywhere was to be used. Installing this component was a vital part to the successful working of Outlook Anywhere. Another key part was the enabling of the Outlook Anywhere service on the Client Access Servers. To do this, I personally used the Exchange Management Console although of course the Exchange Management Shell can be used too. Here is the steps I took to enable Outlook Anywhere using the Exchange Management Console:

  1. I first navigated to the Server Configuration area in the left-hand pane and under this selected Client Access.
  2. I then right-clicked the relevant Client Access Server and chose Enable Outlook Anywhere from the context menu.
  3. The Enable Outlook Anywhere wizard was then displayed as you can see from Figure 37. All I then did was type in the external Outlook Anywhere host name. I chose to use autodiscover.neilhobson.com to reduce the number of certificates used externally, although of course, you can set this as you see fit. Some organizations choose to use different external DNS names that reflect the service they provide, such as outlook.neilhobson.com for example. Since I was using ISA Server 2006 I was also able to offer NTLM authentication but note that there are requirements in this area, such as the use of Kerberos Constrained Delegation (KCD).

Figure 37: Enabling Outlook Anywhere

Now, this article series is already getting quite long and I need to ensure the focus stays on Exchange. However, I’m well aware that publishing technologies such as Outlook Anywhere requires additional skill areas in products like ISA Server 2006. You can find more information on this area in a blog called Me, Myself and ISA which is written by a work colleague of mine Jason Jones. Jason is a ForeFront MVP and explains much more information on publishing Exchange 2007 in his blog post here.

Setting ExternalURLs

I am going to finish part eight of this article series by covering the setting of the parameter known as the ExternalUrl parameter on various components. The Outlook Anywhere client needs to connect to various services such as Exchange Web Services, Offline Address Book and also Unified Messaging. The Exchange Web Services provide functionality such as the Out of Office message. To connect to these services, the Outlook Anywhere client first locates the autodiscover service which, in my example, was available via the URL https://autodiscover.neilhobson.com/autodiscover/autodiscover.xml. This XML file then contains the URLs to the aforementioned services. To set these URLs involves running several Exchange Management Shell cmdlets. The cmdlets I ran were:

Set-WebServicesVirtualDirectory –Identity ‘HUBCAS1\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.neilhobson.com/ews/exchange.asmx

This cmdlet sets the Web Services virtual directory to be externally accessible via the URL that you can see in the cmdlet. Of course, this had to be run against both CAS servers, remembering to change the –Identity parameter to match the relevant CAS server.

Set-OabVirtualDirectory –Identity ‘HUBCAS1\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.neilhobson.com/oab

This cmdlet is very similar to the previous cmdlet but of course it now references a different service in the Offline Address Book. In this particular project I was not using the Unified Messaging service so I did not have to run the final cmdlet shown below, but, I did it anyway to ensure that the configuration was present should the Unified Messaging server role be installed. The final cmdlet ran was:

Set-UmVirtualDirectory –Identity ‘HUBCAS1\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.neilhobson.com/unifiedmessaging/service.asmx


That concludes part eight of this article series, where we have finished the process of replacing the self-signed certificates on the CAS servers by importing and enabling the new certificates created via the internal Windows Certificate Authority. We have also covered the enabling of Outlook Anywhere and the setting of the various external URLs that Outlook uses for features such as the Out of Office assistant and the Offline Address Book. I will be wrapping up this article series in part nine.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top