Monday 7 March 2016

Replace Your Certificates for Internal Names - Exchange 2010

Great article I used for doing the job:
https://blog.digicert.com/replace-internal-names-certificates-part-2/#internal_name_tool

Alternatively, here's the offline version of the page

  1. Run these commands:
    1. Get-ClientAccessServer -Identity HostName | fl AutodiscoverServiceInternalUri
    2. Get-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" | fl InternalUrl
    3. Get-OabVirtualDirectory -Identity "HostName\oab (Default Web Site)" | fl InternalUrl
    Depending on your environment, you may need to run some additional commands:
    1. Get-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" | fl InternalUrl
    2. Get-OwaVirtualDirectory -Identity "HostName\owa (Default Web Site)" | fl InternalUrl
    3. Get-EcpVirtualDirectory -Identity "HostName\ecp (Default Web Site)" | fl InternalUrl
    The output from these commands that you want to record may look something like this:
    1. AutoDiscoverServiceInternalUri : https://internalname/Autodiscover/Autodiscover.xml
    2. InternalUrl : https://internalname/EWS/Exchange.asmx
    3. InternalUrl : https://internalname/OAB
    4. InternalUrl : https://internalname/Microsoft-Server-ActiveSync
    5. InternalUrl : https://internalname/owa
    6. InternalUrl : https://internalname/ecp
    Note: If any command returns blank or with a publicly registered hostname, you probably don’t need to reconfigure that setting (i.e. run the “set” command for that setting).
    OutlookAnywhere Setting
    In many Exchange environments, the OutlookAnywhere InternalHostname setting on your Exchange server is not configured. So if you didn’t configure it, don’t worry about updating this setting.
    For those of you who did configure it or for those of you who don’t know if the setting was configured, you can run a command to check and/or record the setting (in case a roll back is needed).
    1. Run the following command:
      Get-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" | fl InternalHostname, InternalClientsRequireSsl
    2. The output from this command that you want to record may look something like this:
      InternalHostname : InternalHostname
      InternalClientsRequireSsl : True
    3. If the InternalHostname is blank, if the InternalHostname is a publicly registered domain name, or if InternalClientsRequireSsl is False, you probably don’t need to reconfigure this setting (i.e. run the “set” command for that setting).
  2. Reconfigure Your Exchange Server Settings
    After verifying and recording your Exchange settings, run the following commands, as needed, to reconfigure your settings:
    Note: If any of the “get” commands returned blank or with a publicly registered hostname, you probably don’t need to run the “set” command for that setting.
    Run these commands:
    1. ClientAccessServer
      Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    2. WebServicesVirtualDirectory
      Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    3. OABVirtualDirectory
      Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
    Depending on your environment, you may need to run some additional commands:
    1. ActiveSyncVirtualDirectory
      Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"
    2. OWAVirtualDirectory
      Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/owa"
    3. ECPVirtualDirectory
      Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/ecp"
    4. OutlookAnywhere
      Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname mail.yourdomain.com -InternalClientsRequireSsl $true
      *Note: Depending on your configuration, you may not need to update this setting.
  3. Recycle IIS Application Pools
    Finally, to force these commands to take effect, you must make IIS push your changes by recycling the application pools.
    1. Open IIS Manager and run as administrator.
      In the Windows Start menu or from the Start screen, type inetmgr.
    2. In the Connections tree, expand “Your server name” > Application Pools.
    3. In the Application Pools center pane, right-click on MSExchangeAutodiscoverAppPool and then click Recycle.

  4. You are Done!
    Your clients will connect to the Autodiscover service, learn the new settings, and connect to the Exchange server using the external name.
    No more certificate name mismatch error!

How to Roll Back to Your Previous Settings

If necessary, after you reconfigure your Exchange server settings, you can roll back to your previous settings.
  1. On your Exchange Client Access Server (CAS), open Exchange Management Shell (EMS) and run it as administrator.
  2. Roll Back Your Exchange Server Settings
    After verifying and recording your Exchange settings, run the following commands, as needed, to roll back your settings. Refer to the details you recorded when running the “get” commands.
    Run these commands:
    1. ClientAccessServer
      Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://internalname/autodiscover/autodiscover.xml
    2. WebServicesVirtualDirectory
      Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://internalname/ews/exchange.asmx
    3. OABVirtualDirectory
      Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://internalname/oab
    Depending on your environment, you may need to run some additional commands:
    1. ActiveSyncVirtualDirectory
      Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://internalname/Microsoft-Server-ActiveSync"
    2. OWAVirtualDirectory
      Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl "https://internalname/owa"
    3. ECPVirtualDirectory
      Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl "https://internalname/ecp"
    4. OutlookAnywhere
      Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname internalname -InternalClientsRequireSsl $true
      *Note: Depending on your configuration, you may not need to roll back this setting.
  3. Recycle IIS Application Pools
    Finally, to force these commands to take effect, you must make IIS push your changes by recycling the application pools.
    1. Open IIS Manager and run as administrator.
      In the Windows Start menu or from the Start screen, type inetmgr.
    2. In the Connections tree, expand “Your server name” > Application Pools.
    3. In the Application Pools center pane, right-click on MSExchangeAutodiscoverAppPool and then click Recycle.

  4. You are done. Your settings should be rolled back.
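
Both procedures above depend on the values recorded by the “get” commands, so here is an added example (not part of the original article) that saves them to a CSV file before any “set” command is run and flags the ones still pointing at an internal name. `$PublicDomain`, `$OutFile` and the helper `New-SettingRow` are hypothetical names, `HostName` is the same placeholder used above, and treating every host outside `$PublicDomain` as needing a change is an assumption of this example.

```powershell
# Added example: snapshot the internal URL settings for roll back.
# Run in the Exchange Management Shell on the Client Access Server.
$Server       = "HostName"                      # placeholder, as in the commands above
$PublicDomain = "yourdomain.com"                # placeholder: domain on the new certificate
$OutFile      = ".\internal-urls-before.csv"    # hypothetical backup file

function New-SettingRow([string]$Setting, $Value, [switch]$ValueOnly) {
    $text = "$Value"                            # Uri objects and $null both stringify safely
    $hostPart = $text
    if ($text -match '^https?://([^/:]+)') { $hostPart = $Matches[1] }
    # Assumption: a non-blank host outside $PublicDomain is an internal name
    $needs = (-not $ValueOnly) -and ($text -ne "") -and
             ($hostPart -ne $PublicDomain) -and ($hostPart -notlike "*.$PublicDomain")
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $text; HostPart = $hostPart; NeedsChange = $needs
    }
}

$oa = Get-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)"
$rows = @(
    New-SettingRow "AutodiscoverServiceInternalUri" (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
    New-SettingRow "EWS InternalUrl" (Get-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)").InternalUrl
    New-SettingRow "OAB InternalUrl" (Get-OabVirtualDirectory -Identity "$Server\oab (Default Web Site)").InternalUrl
    New-SettingRow "ActiveSync InternalUrl" (Get-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl
    New-SettingRow "OWA InternalUrl" (Get-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)").InternalUrl
    New-SettingRow "ECP InternalUrl" (Get-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)").InternalUrl
    New-SettingRow "OutlookAnywhere InternalHostname" $oa.InternalHostname
    New-SettingRow "OutlookAnywhere InternalClientsRequireSsl" $oa.InternalClientsRequireSsl -ValueOnly
)

# Keep the full record for roll back, then list only what still needs a "set" command
$rows | Select-Object Setting, Value, HostPart, NeedsChange |
    Export-Csv -Path $OutFile -NoTypeInformation
$rows | Where-Object { $_.NeedsChange } | Format-Table Setting, Value -AutoSize
```

Rows with a blank `Value` are written to the file but not flagged, matching the note that blank settings probably don’t need to be reconfigured.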
