Exchange, when first installed, uses FQDNs as access URLs by default.

This means internal mail clients will use something like exserver1.contoso.internal, while external clients will need to use mail.contoso.com.

This means that you either have to configure multiple IP addresses on your Exchange server and then configure separate SSL certificates to avoid errors, or live with the certificate errors.

But there is a simpler way, and it allows you to use a single SSL Certificate internally as well as externally.

Here’s how. Open Exchange Management Shell and run the following commands. Make a note of the values shown and save them as a backup.

Get-OutlookAnywhere | Select Server,Identity,ExternalHostname,Internalhostname

Get-OwaVirtualDirectory | Select Identity,ExternalURL,InternalURL | fl

Get-EcpVirtualDirectory | Select Identity,ExternalURL,InternalURL | fl

Get-ActiveSyncVirtualDirectory | Select Identity,InternalUrl,ExternalUrl | fl

Get-WebServicesVirtualDirectory | Select Identity,ExternalURL,InternalURL | fl

Get-OabVirtualDirectory | Select Identity,InternalURL,ExternalURL | fl

Get-ClientAccessServer | Select Name, Identity,AutoDiscoverServiceInternalURI | fl

Then start setting the values to a common URL. Here we are going to use mail.contoso.com.

Note the Get-xxx | in front of each Set-xxx command. It pipes every object the Get command returns into the Set command, so if you have multiple servers in your organization, the values are set for all servers automatically.

If you want to avoid this, remove the Get-xxx | in front of the commands and use the Identity value to specify which server to configure. (Just enter the command without the Get-xxx and you will be asked for the identity.)

Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.contoso.com -InternalHostname mail.contoso.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.contoso.com/owa -InternalUrl https://mail.contoso.com/owa

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.contoso.com/ecp -InternalUrl https://mail.contoso.com/ecp

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.contoso.com/EWS/Exchange.asmx -InternalUrl https://mail.contoso.com/EWS/Exchange.asmx

Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.contoso.com/OAB -InternalUrl https://mail.contoso.com/OAB

Then set the SCP records straight. These are the records in Active Directory that the client searches for when autodiscovery is attempted internally.

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.contoso.com/Autodiscover/Autodiscover.xml

To make sure all settings have been applied, specifically the Autodiscovery URLs, run the following command in an elevated command prompt on the CAS (right-click cmd.exe and select “Run as administrator”).

iisreset /noforce

Now that we have set the access URLs, we need to make sure that the internal clients can actually resolve mail.contoso.com and are pointed to a CAS server.

To enable this, head over to your DNS server. If your internal and external domains are the same, you simply need to add an A record in your contoso.com zone pointing mail.contoso.com to the IP of your CAS server.

If your internal and external domains are not the same, e.g. contoso.com externally and contoso.internal internally, add a new zone to your DNS server and name it contoso.com.

Then add the mail.contoso.com record in there.

Now all that is left is to install an SSL certificate that contains contoso.com as a value. I’d suggest a wildcard certificate with the name *.contoso.com.

Now that we have made sure the internal clients can actually resolve mail.contoso.com, we can start to configure our Outlook clients. Should they already be configured, open the account settings and click on “Repair”. Autodiscovery will then repair the account and point it to the right places.

To check the connections Outlook makes, simply press the Ctrl key while right-clicking on the Outlook icon in your taskbar, and select “Connection status”. Should one of the connections not contain the new name mail.contoso.com, you will need to revisit the above commands and make sure you set all the URLs correctly.
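To check every setting at once instead of one connection at a time, the following read-only script is an added example and not part of the original article. The helper name Test-AccessHost and the variable $ExpectedHost are assumptions made here; it uses the Get- cmdlets from above plus Get-ExchangeCertificate (local server) and the .NET DNS resolver.

```powershell
# Added example (not from the article): read-only audit, run in the Exchange Management Shell.
$ExpectedHost = 'mail.contoso.com'   # the common name chosen in this article

# Hypothetical helper: one row per setting; Ok means the host part equals $ExpectedHost.
function Test-AccessHost {
    param($Identity, [string]$Setting, $Value)
    $text  = "$Value"   # Uri, hostname object or $null, rendered as a string
    $uri   = $null
    $isUrl = [Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri)
    # URLs must also be https; bare hostnames (Outlook Anywhere) carry no scheme to check.
    $ok = if ($isUrl) { $uri.Host -eq $ExpectedHost -and $uri.Scheme -eq 'https' } else { $text -eq $ExpectedHost }
    [pscustomobject]@{
        Identity = "$Identity"
        Setting  = $Setting
        Value    = $text
        Ok       = $ok
    }
}

$results = @(
    foreach ($oa in (Get-OutlookAnywhere)) {
        Test-AccessHost $oa.Identity 'OutlookAnywhere ExternalHostname' $oa.ExternalHostname
        Test-AccessHost $oa.Identity 'OutlookAnywhere InternalHostname' $oa.InternalHostname
    }
    foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                     'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory') {
        foreach ($vd in (& $cmd)) {
            Test-AccessHost $vd.Identity "$cmd InternalUrl" $vd.InternalUrl
            Test-AccessHost $vd.Identity "$cmd ExternalUrl" $vd.ExternalUrl
        }
    }
    foreach ($cas in (Get-ClientAccessServer)) {
        Test-AccessHost $cas.Identity 'AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri
    }
)

# Name resolution as seen by this machine's resolver; repeat on an internal client.
try   { $ips = [System.Net.Dns]::GetHostAddresses($ExpectedHost) | ForEach-Object { $_.IPAddressToString } }
catch { $ips = @() }
"{0} resolves to: {1}" -f $ExpectedHost, $(if ($ips) { $ips -join ', ' } else { 'NOT RESOLVED' })

# IIS-bound certificates on this server whose names cover the host (-like handles *.contoso.com).
Get-ExchangeCertificate | Where-Object {
    "$($_.Services)" -match 'IIS' -and ($_.CertificateDomains | Where-Object { $ExpectedHost -like "$_" })
} | Format-Table Thumbprint, NotAfter, Services -AutoSize

# Anything listed here still points at a different name and needs its Set- command run again.
$bad = $results | Where-Object { -not $_.Ok }
if ($bad) { $bad | Format-Table -AutoSize -Wrap } else { "All $($results.Count) settings use $ExpectedHost" }
```

An empty certificate table means no IIS-bound certificate on that server lists a name covering mail.contoso.com, which is what produces the certificate errors described at the top.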