When you have an Internet-facing Exchange 2010 Client Access Server, you will most likely have a third-party certificate installed on that CAS server. Every time the certificate is requested it is checked for validity, and part of that check (the revocation check) is performed against a web server of the Certificate Authority.
When you have a TMG (Threat Management Gateway) server in front of the CAS server, all HTTP(S) traffic is routed via the TMG server: the TMG server is the default gateway on the network interface, and in Internet Explorer you configure the TMG server as the HTTP proxy.
This works fine for normal HTTP traffic, but when you install a certificate on the Client Access Server it fails with the error message "The certificate is invalid for Exchange Server usage". The cause is that the CA check is not regular browser HTTP traffic: it is made through the WinHTTP stack, which does not use the Internet Explorer (WinINET) proxy settings.
To resolve this issue the WinHTTP proxy needs to be set, which can be done using the NETSH utility. The syntax is:
netsh winhttp set proxy <proxy-server>:8080 "<bypass-list>"
For example, with TMG2010 as the proxy and the CAS server itself and the internal domain excluded from proxying:
netsh winhttp set proxy TMG2010:8080 ";CAS2010.labs.local;labs.local"
NETSH then shows the resulting configuration (the same output can be retrieved at any time with netsh winhttp show proxy):
Current WinHTTP proxy settings:
Proxy Server(s) : TMG2010:8080
Bypass List : ;cas2010.labs.local;labs.local
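As an added example (not part of the original post), the following PowerShell script applies the same WinHTTP proxy setting, reads it back, and then checks that the CRL distribution points of the installed certificate are actually reachable through the TMG proxy. It assumes the proxy name TMG2010:8080 and the bypass list from the post, and that the Exchange certificate can be found in the machine store by a subject match on labs.local; the reachability test uses an explicit proxy in Invoke-WebRequest, so it shows whether TMG lets the CRL download through, not whether Exchange's own WinHTTP call succeeds.

```powershell
# Added example, not from the original post. Assumed values:
param(
    [string]$ProxyServer      = 'TMG2010:8080',                     # from the post
    [string]$BypassList       = ';CAS2010.labs.local;labs.local',   # from the post
    [string]$CertSubjectMatch = 'labs.local'                        # assumption
)

# 1. Apply the machine-wide WinHTTP proxy, exactly as the post does with netsh.
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList" | Out-Null

# 2. Read the setting back and make sure it took effect.
$current = (netsh winhttp show proxy) -join "`n"
if ($current -notmatch [regex]::Escape($ProxyServer)) {
    throw "WinHTTP proxy is not set to $ProxyServer. Current settings:`n$current"
}
if ($current -notmatch [regex]::Escape('CAS2010.labs.local')) {
    Write-Warning 'CAS server name is missing from the bypass list; internal calls would be proxied.'
}

# 3. Find the certificate and extract the CRL distribution point URLs
#    (extension OID 2.5.29.31), which is what a revocation check contacts.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$CertSubjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject matching '$CertSubjectMatch' found." }

$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate $($cert.Thumbprint) has no CRL Distribution Points extension." }

$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

# 4. Fetch each CRL through the TMG proxy. A failure here means TMG (or the
#    proxy configuration) is blocking the revocation check.
foreach ($url in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $url -Proxy "http://$ProxyServer" -UseBasicParsing -TimeoutSec 15
        "OK   $url ($($r.Content.Length) bytes)"
    } catch {
        "FAIL $url : $($_.Exception.Message)"
    }
}
```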