In a discussion about SSL certificates for Exchange 2013 servers the question of whether to include server names in the SSL certificate often comes up.
In this article I’m going to demonstrate how you can deploy an SSL certificate for a simple Exchange 2013 organization without including the server names in the certificate. I’m using Exchange Server 2013 in this example but it also applies to Exchange Server 2016.
But first let’s be clear – including server names in your SSL certificate is supported. For many small organizations, particularly those with a single server, it will look like less effort to just include the server name in the certificate.
However, that is not best practice.
In addition to using as few certificates as possible, you should also use as few host names as possible. This practice can save money. Many certificate providers charge a fee based on the number of host names you add to your certificate.
The most important step you can take to reduce the number of host names that you must have and, therefore, the complexity of your certificate management, is not to include individual server host names in your certificate’s subject alternative names.
As Rajith points out here this best practice is important for larger organizations to reduce costs, reduce administrative overheads, and because in larger scale environments services are configured with namespaces that resolve to load-balanced IP addresses and so on. In addition, using server names in URLs is going to cause problems for you with future migrations.
Since those issues apply to almost every Exchange Server environment, this is a topic worth covering in more detail.
Namespaces for Exchange Server 2013/2016
In Microsoft’s words:
The host names you must include in your Exchange certificates are the host names used by client applications to connect to Exchange.
More specifically, it is the host names client uses to make TLS/SSL connections to Exchange services. Those services include:
- Outlook Anywhere
- Outlook Web App
- Exchange Control Panel
- Exchange ActiveSync
- Exchange Web Services
- Offline Address Book
POP, IMAP and UM also have certificate requirements but can be enabled to use separate SSL certificates, whereas the above services all use the same certificate. So for this article I will ignore POP, IMAP and UM.
Sticking to a simple scenario we will plan to use one namespace for all of the services. So the hostnames/URLs to be configured are:
- Outlook Anywhere – mail.exchange2013demo.com
- MAPI – https://mail.exchange2013demo.com/mapi
- Outlook Web App – https://mail.exchange2013demo.com/owa
- Exchange Control Panel – https://mail.exchange2013demo.com/ecp
- Exchange ActiveSync – https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync
- Exchange Web Services – https://mail.exchange2013demo.com/EWS/Exchange.asmx
- Offline Address Book – https://mail.exchange2013demo.com/OAB
- AutoDiscover – https://mail.exchange2013demo.com/Autodiscover/Autodiscover.xml
Split DNS for Exchange Server 2013/2016
For many organizations the use of split DNS for your Exchange namespace goes hand in hand with eliminating server names from SSL certificates.
Split DNS allows your internal clients to receive a different answer to their DNS lookups than an external client would receive. In effect you have your Exchange namespace (in this example exchange2013demo.com) hosted on your internal DNS server, with records configured to point to internal IP addresses.
[PS] C:\>Resolve-DnsName mail.exchange2013demo.com Name Type TTL Section IPAddress ---- ---- --- ------- --------- mail.exchange2013demo.com A 3600 Answer 192.168.0.187 mail.exchange2013demo.com A 3600 Answer 192.168.0.188
If you’re wondering why mail.exchange2013demo.com has two A records it is because I am using DNS round robin to load balance the name, as demonstrated in this article on Client Access server high availability.
Meanwhile you also have the Exchange namespace hosted on your public DNS servers, with records configured to point to external IP addresses.
C:\>nslookup mail.exchange2013demo.com Non-authoritative answer: Name: mail.exchange2013demo.com Address: 188.8.131.52
Configuring Hostnames and URLs in Exchange Server 2013/2016
Although some of the hostnames and URLs are configurable using the Exchange Admin Center, some others require you to use PowerShell. So for the sake of simplicity I will use PowerShell to configure all of the services.
Remember we are looking at a simple scenario of two servers in a single site as shown in the diagram above, so you will see me piping commands such as Get-OWAVirtualDirectory into other commands to administer multiple objects at the same time.
Note: If you have multiple servers in different sites then you may wish to configure servers individually instead of in bulk, as different sites may have different namespace requirements in your organization.
Configuring Outlook Anywhere
To review the current configuration use Get-OutlookAnywhere.
[PS] C:\>Get-OutlookAnywhere | Select Server,ExternalHostname,Internalhostname Server ExternalHostname InternalHostname ------ ---------------- ---------------- E15MB1 mail.exchange2013demo.com E15MB2 mail.exchange2013demo.com
I’ve already configured the internal host name for Outlook Anywhere in my test lab, but you might see your server’s host names in there instead.
To configure the internal and external host names use Set-OutlookAnywhere.
[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.exchange2013demo.com -InternalHostname mail.exchange2013demo.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
Note that in addition to setting the host names you must also explicitly set the SSL requirement for both internal and external clients (default for internal is False, which is fine, but I am enforcing it in this example), and either a default authentication method or an external authentication method (set to NTLM in this example).
To review the current configuration use Get-MAPIVirtualDirectory.
[PS] C:\>Get-MapiVirtualDirectory | Select Server,ExternalURL,InternalURL | fl Server : E15MB1 ExternalUrl : https://mail.exchange2013demo.com/mapi InternalUrl : https://e15mb1.exchange2013demo.com/mapi Server : E15MB2 ExternalUrl : https://mail.exchange2013demo.com/mapi InternalUrl : https://e15mb2.exchange2013demo.com/mapi
To configure the URLs use Set-MAPIVirtualDirectory.
[PS] C:\>Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/mapi -InternalUrl https://mail.exchange2013demo.com/mapi
Configuring Outlook Web App
To review the current configuration use Get-OWAVirtualDirectory.
[PS] C:\>Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl Server : E15MB1 ExternalUrl : https://mail.exchange2013demo.com/owa InternalUrl : https://e15mb1.exchange2013demo.com/owa Server : E15MB2 ExternalUrl : https://mail.exchange2013demo.com/owa InternalUrl : https://e15mb2.exchange2013demo.com/owa
To configure the URLs use Set-OWAVirtualDirectory.
[PS] C:\>Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/owa -InternalUrl https://mail.exchange2013demo.com/owa WARNING: You've changed the InternalURL or ExternalURL for the OWA virtual directory. Please make the same change for the ECP virtual directory in the same website. WARNING: You've changed the InternalURL or ExternalURL for the OWA virtual directory. Please make the same change for the ECP virtual directory in the same website.
Configuring the Exchange Control Panel
As you can see when configuring the OWA URLs the ECP URLs must be configured to match. To configure the ECP URLs use the Set-ECPVirtualDirectory cmdlet.
[PS] C:\>Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/ecp -InternalUrl https://mail.exchange2013demo.com/ecp
I needed to perform an IISreset on my servers for this one to take effect properly.
Configuring Exchange ActiveSync
To review the existing configuration use Get-ActiveSyncVirtualDirectory.
[PS] C:\>Get-ActiveSyncVirtualDirectory | select server,externalurl,internalurl | fl Server : E15MB1 ExternalUrl : InternalUrl : https://e15mb1.exchange2013demo.com/Microsoft-Server-ActiveSync Server : E15MB2 ExternalUrl : InternalUrl : https://e15mb2.exchange2013demo.com/Microsoft-Server-ActiveSync
To configure the new URLs use Set-ActiveSyncVirtualDirectory.
[PS] C:\>Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.exchange2013demo.com/Microsoft-Server-ActiveSync
Configuring Exchange Web Services
To review the existing configuration use Get-WebServicesVirtualDirectory.
[PS] C:\>Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl Server : E15MB1 ExternalUrl : https://mail.exchange2013demo.com/EWS/Exchange.asmx InternalUrl : https://e15mb1.exchange2013demo.com/EWS/Exchange.asmx Server : E15MB2 ExternalUrl : https://mail.exchange2013demo.com/EWS/Exchange.asmx InternalUrl : https://e15mb2.exchange2013demo.com/EWS/Exchange.asmx
To configure the new URLs use Set-WebServicesVirtualDirectory.
[PS] C:\>Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/EWS/Exchange.asmx -InternalUrl https://mail.exchange2013demo.com/EWS/Exchange.asmx
Configuring the Offline Address Book
To review the existing configuration use Get-OABVirtualDirectory.
[PS] C:\>Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl Server : E15MB1 ExternalUrl : InternalUrl : https://e15mb1.exchange2013demo.com/OAB Server : E15MB2 ExternalUrl : InternalUrl : https://e15mb2.exchange2013demo.com/OAB
To configure the new URLs use Set-OABVirtualDirectory.
[PS] C:\>Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.exchange2013demo.com/OAB -InternalUrl https://mail.exchange2013demo.com/OAB
Configuring the AutoDiscover SCP
The final configuration is the AutoDiscover service connection point. Unlike the other host names and URLs this is not configured on a virtual directory (don’t be fooled by the URLs shown when you run Get-AutoDiscoverVirtualDirectory).
Instead we need to use Get-ClientAccessServer to see the existing configuration.
[PS] C:\>Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI Name AutoDiscoverServiceInternalUri ---- ------------------------------ E15MB1 https://e15mb1.exchange2013demo.com/Autodiscover/Autodiscover.xml E15MB2 https://e15mb2.exchange2013demo.com/Autodiscover/Autodiscover.xml
To configure the new URI use Set-ClientAccessServer.
[PS] C:\>Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.exchange2013demo.com/Autodiscover/Autodiscover.xml
Configuring an SSL Certificate
With all of the namespaces configured the next steps are:
- Generate a Certificate Request for Exchange 2013 (or 2016) that only includes the minimum required names (in this case mail.exchange2013demo.com and autodiscover.exchange2013demo.com).
- Submit the certificate request to your chosen CA to acquire the SSL certificate. I recommend Digicert for their competitive pricing, good support, flexible licensing, and free re-issues if you happen to make an error. Or if you’re using a private CA refer to these steps.
- Complete the pending certificate request
- Export/import an SSL certificate to multiple Exchange 2013 servers (if you have multiple servers)
- Assign the SSL certificate to services in Exchange 2013
Testing the New Configuration
To be confident that the new configuration is working you can run a series of tests.
- On a client with no existing Outlook profile launch Outlook and confirm that the profile is configured automatically and without any certificate warnings.
- Use the Outlook “Connection Status” dialog to verify that Outlook is connecting only to the namespaces you configured.
- Use the “Test E-Mail AutoConfiguration” test in Outlook to verify all services are accessible without error.
- Connect to OWA internally and externally and verify there are no certificate warnings.
- Within OWA navigate to Options and make a change such as enabling out of office.
- Connect to the Exchange Admin Center and verify it works without certificate warnings.
- Run external tests using the Remote Connectivity Analyzer website.