CAS and Certifcate configuration with disjointed name space


I am currently deploying Exchange 2010 in a 2 node 3 roles (cas, hub and mailbox) on each server in our environment for the exchange side.  I have DAGs configured and am using round robin DNS for CAS availability.  We will lbe deploying Threat Management Gateway.

We have dijointed name space which make this even more challenging.  I have the internal active directory domain as and the owa url is suppose to be and the primary email is another domain which is And we will be adding receiving domains in the future that will have to provde internal and external CAS services (OWA, Out look anywhere and active sync) for.

I have both server configured with a 3rd party SSL certificate and I have all of the CAS components configured as well and I am having various issues from internal certificate errors to external autodiscover not working.

My 3rd party certificate is configured with the

My CAS Server configuration is as follows

Autodiscover internal and external =

Webservice Virtual Directory =

OAB Virtual Directory =

Note that we are receiving email and need to autodiscover for and out internal AD domain is

I know I am not going to be able to provision a certificate with the internal domain of because we do not own it so adding the servers fqdn to the certificate is out of the question right?

What should my internal and external directories configurations be in order to have autodiscover and outlook anywhere work internallly?

And for owa, active sync, auto discover and outlook anywhere be for external access.

Thanks in advance
Who is Participating?
seb_ackerConnect With a Mentor Commented:
If i was at your place, i would generate the following cert :

Common name =  (always the external OWA access URL)
SANs : , autodiscover.otherprimaryemaildomainsthatyouwilladdinthefuture

Create an internal DNS zone for each external EMAIL DNS and for
-> Set the A records you need, in there (ie: www, portal, and so on)
-> set the "email" and "autodiscover" records to point to your internal server IP

Then, launch the following commands :

Get-OABVirtualDirectory  | Set-OABVirtualDirectory -externalurl  /OAB -internalurl -RequireSSL:$true
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -internalurl  -externalurl -BasicAuthentication:$True

Get-CLientAccessserver | Set-ClientAccessServer -AutodiscoverServiceInternalUri

That will be enough :)
Alan HardistyCo-OwnerCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.