Sunday, February 2, 2014

How to Use a Simple SSL Certificate for Exchange (Without SAN or Wildcard)

The usual recommendation for configuring Microsoft Exchange Server was to use a SAN or UC certificate from a public CA in order to avoid issues with Outlook and mobile clients. While that works, I think it's not very efficient as the typical SAN certificate is in the ~$300 per year range. A cheaper way to configure Exchange, starting from Exchange 2010 and also working for Exchange 2013, is to set the internal URLs to the same values as the external ones (e.g. mail.company.com) and to publish the Autodiscover service through the same mail.company.com hostname. Although the Exchange Connectivity Test from Microsoft currently reports a warning for this setup, it works just fine with Outlook and mobile clients (no issue whatsoever with OWA).

In order to change the internal URLs, you can use the following PowerShell commands:

# Base URL of the Client Access namespace, without a trailing slash (for example https://mail.company.com)
$urlpath = Read-Host "Type internal Client Access FQDN starting with http:// or https://"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "$urlpath/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "$urlpath/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "$urlpath/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "$urlpath/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "$urlpath/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "$urlpath/Microsoft-Server-Activ

Finally, you can purchase a simple SSL certificate which should be three to four times cheaper per year.
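A single-name certificate only validates if every URL that clients are handed uses HTTPS and exactly the one hostname on the certificate. The following check is an added example, not part of the original post: the function name `Test-UrlCoveredByCertificate` and the sample URLs (including the `exch01.company.local` server name) are constructed for illustration.

```powershell
# Added example. Flags any configured URL that a single-name certificate
# would not cover: wrong scheme, or a host other than the certificate name.
function Test-UrlCoveredByCertificate {
    param(
        [Parameter(Mandatory)] [string[]] $Url,       # URLs configured on the server
        [Parameter(Mandatory)] [string]   $CertName   # the one name on the certificate
    )
    foreach ($u in $Url) {
        $uri = $null
        $problem = $null
        if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$uri)) {
            $problem = 'not an absolute URL'
        } elseif ($uri.Scheme -ne 'https') {
            # The Read-Host prompt above also accepts http://, which bypasses TLS entirely
            $problem = "scheme is '$($uri.Scheme)', not https"
        } elseif ($uri.Host -ne $CertName) {
            # No SAN and no wildcard: only an exact (case-insensitive) match validates
            $problem = "host '$($uri.Host)' is not the certificate name"
        }
        [pscustomobject]@{ Url = $u; Ok = ($null -eq $problem); Problem = $problem }
    }
}

# Constructed sample values. On a real server, collect them instead from
# (Get-ClientAccessServer).AutoDiscoverServiceInternalUri and from the
# InternalUrl property of each Get-*VirtualDirectory cmdlet.
$sample = @(
    'https://mail.company.com/autodiscover/autodiscover.xml',
    'https://mail.company.com/ews/exchange.asmx',
    'http://mail.company.com/oab',           # plain HTTP
    'https://exch01.company.local/owa'       # server FQDN left in place
)

Test-UrlCoveredByCertificate -Url $sample -CertName 'mail.company.com' |
    Where-Object { -not $_.Ok } |
    Format-Table -AutoSize
```

Any row in the output is a URL that would either trigger a certificate name warning in Outlook or send traffic without TLS.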
