When deploying an Exchange server, whichever version between 2007 and 2016, you have typically replaced the self-signed certificate that is automatically created during installation with one from a commercial or internal certification authority.
In most of the deployments I have worked with, it is common practice to request a subject alternative name (SAN) certificate containing both the internal and external Exchange names. Unfortunately, effective October 31st this will no longer be possible due to a change from the CAB Forum, so you will need to replace any Exchange certificate containing the internal name of the server.
Requisites to Replace Exchange Certificate Name
The first step in replacing the Exchange Certificate Name is making sure proper name resolution is in place, so that clients will be able to resolve the CAS Server name and the URL addresses of the various services.
Let’s assume your internal domain name is helocheck.lab and the external domain name is helocheck.com. Chances are that your internal Web services URL will be similar to https://<Internal Server Name>.helocheck.lab/autodiscover/autodiscover.xml. To be compliant, this needs to be changed to something like https://autodiscover.helocheck.com/autodiscover/autodiscover.xml, with the clients being able to resolve this name to the internal IP address of the CAS Server (in case of Exchange 2007-2013).
In addition to having proper name resolution in place, you will also need to request a new Exchange certificate containing all the appropriate domain names, but I will assume this step has already been taken care of.
Replace Exchange Certificate Name Configuration
Once proper name resolution is in place and the new certificate has been installed on the server, you will need to change the Exchange configuration to remove any reference to the internal name. This is easily achieved through PowerShell:
# Replace Exchange Certificate Name for Autodiscover internal URL
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

# Replace Exchange Certificate Name for EWS internal URL
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

# Replace Exchange Certificate Name for OAB internal URL
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Depending on the configuration you are working with, you will also need to run the following commands:
# Replace Exchange Certificate Name for ActiveSync internal URL
Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync

# Replace Exchange Certificate Name for OWA internal URL
Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl https://mail.yourdomain.com/owa

# Replace Exchange Certificate Name for ECP internal URL
Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ecp

# Replace Exchange Certificate Name for RPC internal URL
# (the -InternalHostname parameter exists in Exchange 2013 and later)
Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname mail.yourdomain.com -InternalClientsRequireSsl $true
Once the above commands have been run, recycle the MSExchangeAutodiscoverAppPool to make the configuration effective immediately: open [IIS Manager] → [Application Pools], right-click on MSExchangeAutodiscoverAppPool and finally select Recycle.
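
A check that can follow the steps above, as an added example that is not part of the original article: it flags any configured URL that still uses the internal suffix or whose host name is not covered by the new certificate's SAN list. The function name, the server name exch01 and the sample values are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: verify that internal URLs no longer use the internal name
# and that every host name is covered by the certificate's SAN entries.
function Test-UrlCertificateCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Url,               # URLs or bare host names to check
        [Parameter(Mandatory)] [string[]] $CertificateDomain, # SAN entries of the new certificate
        [Parameter(Mandatory)] [string]   $InternalSuffix     # internal-only DNS suffix
    )
    $suffix = $InternalSuffix.ToLowerInvariant()
    foreach ($u in $Url) {
        # Outlook Anywhere stores a bare host name, the virtual directories store URLs
        $name = if ($u -match '^https?://') { ([uri]$u).Host } else { $u }
        $name = $name.ToLowerInvariant()
        $covered = $false
        foreach ($d in $CertificateDomain) {
            $d = $d.ToLowerInvariant()
            if ($d -eq $name) { $covered = $true; break }
            # A wildcard SAN covers exactly one label: *.a.com matches x.a.com, not x.y.a.com
            if ($d.StartsWith('*.') -and $name.Contains('.') -and
                $name.Substring($name.IndexOf('.')) -eq $d.Substring(1)) { $covered = $true; break }
        }
        [pscustomobject]@{
            Url             = $u
            HostName        = $name
            UsesInternal    = ($name -eq $suffix) -or $name.EndsWith('.' + $suffix)
            CoveredByCert   = $covered
        }
    }
}

# Constructed sample input. In the Exchange Management Shell the real values would come
# from the Get-*VirtualDirectory cmdlets (InternalUrl) and Get-ExchangeCertificate
# (CertificateDomains).
$urls = @(
    'https://autodiscover.helocheck.com/autodiscover/autodiscover.xml',
    'https://mail.helocheck.com/ews/exchange.asmx',
    'https://exch01.helocheck.lab/oab',   # leftover internal name that was missed
    'mail.helocheck.com'                  # Outlook Anywhere internal host name
)
$sans = @('mail.helocheck.com', 'autodiscover.helocheck.com')

# Show only the entries that still need attention
Test-UrlCertificateCoverage -Url $urls -CertificateDomain $sans -InternalSuffix 'helocheck.lab' |
    Where-Object { $_.UsesInternal -or -not $_.CoveredByCert } |
    Format-Table -AutoSize
```

Any row in the output is a URL clients will be pointed at that the new certificate cannot validate, which shows up on the client side as a certificate name mismatch warning.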