Exchange, when first installed, uses FQDN’s as Access URLs by default.

This means internal Mail clients will use something like exserver1.contoso.internal, while external clients will need to use

This will mean, that you will either have to configure multiple ip addresses on you exchange server and then configure separate SSL Certificates to avoid errors, or live with the certification errors.

But there is a simpler way, and it allows you to use a single SSL Certificate internally as well as externally.

Here’s how. Open Exchange Management Shell and run the following commands. Make a note of the values shown and save them as a backup.

Get-OutlookAnywhere | Select Server,Identity,ExternalHostname,Internalhostname

Get-OwaVirtualDirectory | Select Identity,ExternalURL,InternalURL | fl

Get-ECPVirtualDirectory | select Identity,ExternalURL,InternalURL| fl

Get-ActiveSyncVirtualDirectory | Select Identity,InternalUrl,ExternalUrl| fl

Get-WebServicesVirtualDirectory | Select Identity,ExternalURL,InternalURL | fl

Get-OabVirtualDirectory | Select Identity,InternalURL,ExternalURL| fl

Get-ClientAccessServer | Select Name, Identity,AutoDiscoverServiceInternalURI | fl

Then start setting the Values to a common URL. Here we are going to use

Note the Get-xxx | before the Set-xxx command. This is so if you have multiple servers in your Organization, the Values are set for all servers automatically.

If you want to avoid this, remove the Get-xxx | in front of the commands, and use the Identity value to specify which server to configure. (just enter the command without the get-xxx and you will be asked for the identity)

Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname -InternalHostname -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl -InternalUrl

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl -InternalUrl

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl -InternalUrl

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl -InternalUrl

Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl -InternalUrl

Then set the SCP Records straight. These are the records in Active Directory, that the client searches for when autodiscovery is attempted internally.

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri

To make sure all settings have been applied, specifically the Autodiscovery URLs, start the following command in an elevated command prompt on the CAS(right click cmd.exe and select “run as administrator”)

iisreset /noforce

Now that we have set the Access URLs, we need to make sure that the internal clients can actually resolve and are pointed to a CAS Server.

To enable this, head over to your DNS Server. In case your internal and external domains are the same, you will simply need to add an A Record in your Zone pointing to the ip of your cas server.

If your internal and external domains are not the same, e.g. externally and contoso.internal internally, add a new zone to your DNS server and name it

Then add the record in there.

Now all that is left is to install an SSL Certificate that contains as a value. I’d suggest a wildcard certificate with the name *

Now that we made sure the internal clients can actually resolve, we can now start to configure our outlook clients. Should they already be configured, open the account settings, and click on “Repair”. Autodiscovery will then repair the account and point to the right places.

To make sure or check the connections outlook makes, simply press the Ctrl Key while right clicking on the Outlook icon in your Taksbar, and select “Connection status”. Should one of the connections not contain the new name, then you will need to revisit the above commands and make sure you set all the URLs correctly.