
We have an Exchange Server with two different DNS names pointing to the same server, the internal and the external name. Something like this:

exchange.domain.com [External Domain]
exchange1.local.domain.com [Internal Domain]

So there are two wildcard certificates for those domains: *.local.domain.com and *.domain.com.

The problem happens when users come to the Exchange Server through the internal domain name. Since I was only able to use the *.domain.com certificate for IIS, I cannot match the internal certificate from clients coming with the internal DNS name.

The question is basically: how do I match the DNS domain name with the corresponding certificate? Since we can't reissue those certificates with different SANs, that isn't an option.

Thanks in advance.

Vinícius Ferrão

3 Answers


If you have not imported your certificate into Exchange, then you will need to open up the EMC, click Server Configuration, then right-click your server and choose "Import Exchange Certificate".

You can upload multiple Certificates using this method, which will allow your server to choose the correct Cert based on whether your traffic is requesting the local or public address.

Then you will need to be sure your Hub transport/Client Access configurations (etc) are set to use the right URLs matching your SSL Certs.

You will see your choice of certificate(s) reflected in the IIS Default Web Site.

But keep in mind that to change it you cannot use IIS alone; you must instead use the method above. If you do change it accidentally from within IIS, your server will stop responding to connections, as it will have mismatched certificates in IIS/EMC.

NickDodd

Comment: Unfortunately it does not work this way. Both certificates are already in ECP, but Exchange fails to match them accordingly. It always delivers the *.example.com certificate. I don't know exactly if I've done something wrong, like you said about the Hub Transport and CAS. But I think they're right. – Vinícius Ferrão Jun 09 '15 at 18:31

You should set up split-brain DNS on your internal DNS servers, or create a zone on your internal DNS servers with internal address resolution for

exchange.domain.com


You need to set the IIS virtual directory to the correct domain.

With PowerShell you can validate the URLs this way:

Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl

Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl

Get-ECPVirtualDirectory | fl internalurl,externalurl

Get-OabVirtualDirectory | fl internalurl,externalurl

Get-WebServicesVirtualDirectory | fl internalurl,externalurl

You can set the new values this way, with the matching Set- command:

Get-ActiveSyncVirtualDirectory -Server EXCHANGE | Set-ActiveSyncVirtualDirectory -ExternalUrl 'https://mail.DOMAIN.ca/Microsoft-Server-ActiveSync' -InternalUrl 'https://mail.DOMAIN.ca/Microsoft-Server-ActiveSync'

Get-AutodiscoverVirtualDirectory -Server EXCHANGE | Set-AutodiscoverVirtualDirectory -ExternalUrl 'https://mail.DOMAIN.ca/Autodiscover/Autodiscover.xml' -InternalUrl 'https://mail.DOMAIN.ca/Autodiscover/Autodiscover.xml'

Get-ECPVirtualDirectory -Server EXCHANGE | Set-ECPVirtualDirectory -ExternalUrl 'https://mail.DOMAIN.ca/ECP' -InternalUrl 'https://mail.DOMAIN.ca/ECP'

Get-OabVirtualDirectory -Server EXCHANGE | Set-OabVirtualDirectory -ExternalUrl 'https://mail.DOMAIN.ca/OAB' -InternalUrl 'https://mail.DOMAIN.ca/OAB'

Get-WebServicesVirtualDirectory -Server EXCHANGE | Set-WebServicesVirtualDirectory -ExternalUrl 'https://mail.DOMAIN.ca/EWS/Exchange.asmx' -InternalUrl 'https://mail.DOMAIN.ca/EWS/Exchange.asmx'

Via the GUI, you can look there for a guide.

After those changes you must issue an iisreset and restart the Outlook client.

Don't forget to create a host record in your local DNS to match the domain name with a local IP, or, if you have a firewall that supports it, you can create an inside NAT rule that rewrites the destination to the local IP when the request is for your public Exchange IP.

yagmoth555
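An added check that ties the commands above to the question's actual failure (this is example code, not part of the answer and not Exchange's own tooling): run in the Exchange Management Shell, it lists every InternalUrl/ExternalUrl hostname on the Client Access virtual directories and whether a certificate that Exchange has enabled for the IIS service covers that name, including the one-label wildcard rule. The $Server parameter and the function name Test-HostCoveredByCert are assumptions; the Get-*VirtualDirectory and Get-ExchangeCertificate cmdlets are standard.

```powershell
param([string]$Server = $env:COMPUTERNAME)   # Exchange server to inspect (assumed parameter)

# Does a certificate's name list cover this host? A wildcard such as *.domain.com
# covers mail.domain.com but not domain.com itself or a.b.domain.com.
function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                          # ".domain.com"
            $cut    = $HostName.Length - $suffix.Length
            if ($cut -le 0) { continue }
            $label  = $HostName.Substring(0, $cut)             # "mail"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                -not $label.Contains('.')) { return $true }
        }
        elseif ($HostName -ieq $d) { return $true }
    }
    return $false
}

# Names on the certificates Exchange has enabled for IIS (the ones HTTPS clients are shown).
$iisDomains = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" }

$vdirs = @(
    Get-ActiveSyncVirtualDirectory   -Server $Server
    Get-AutodiscoverVirtualDirectory -Server $Server
    Get-EcpVirtualDirectory          -Server $Server
    Get-OabVirtualDirectory          -Server $Server
    Get-WebServicesVirtualDirectory  -Server $Server
)

# One row per configured URL; CoveredByIisCert = $false marks a name clients will
# reject with a certificate mismatch, which is the symptom in the question.
foreach ($v in $vdirs) {
    foreach ($setting in 'InternalUrl', 'ExternalUrl') {
        if (-not $v.$setting) { continue }                     # URL not configured
        $h = ([Uri]$v.$setting).Host
        [pscustomobject]@{
            VirtualDirectory = $v.Name
            Setting          = $setting
            Host             = $h
            CoveredByIisCert = Test-HostCoveredByCert -HostName $h -CertDomains $iisDomains
        }
    }
}
```

Any row showing $false is a URL that still points clients at a name the IIS certificate does not cover; those are the entries to change with the Set- commands above.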