CAS and Certifcate configuration with disjointed name space


I am currently deploying Exchange 2010 in a 2 node 3 roles (cas, hub and mailbox) on each server in our environment for the exchange side.  I have DAGs configured and am using round robin DNS for CAS availability.  We will lbe deploying Threat Management Gateway.

We have dijointed name space which make this even more challenging.  I have the internal active directory domain as and the owa url is suppose to be and the primary email is another domain which is And we will be adding receiving domains in the future that will have to provde internal and external CAS services (OWA, Out look anywhere and active sync) for.

I have both server configured with a 3rd party SSL certificate and I have all of the CAS components configured as well and I am having various issues from internal certificate errors to external autodiscover not working.

My 3rd party certificate is configured with the

My CAS Server configuration is as follows

Autodiscover internal and external =

Webservice Virtual Directory =

OAB Virtual Directory =

Note that we are receiving email and need to autodiscover for and out internal AD domain is

I know I am not going to be able to provision a certificate with the internal domain of because we do not own it so adding the servers fqdn to the certificate is out of the question right?

What should my internal and external directories configurations be in order to have autodiscover and outlook anywhere work internallly?

And for owa, active sync, auto discover and outlook anywhere be for external access.

Thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If i was at your place, i would generate the following cert :

Common name =  (always the external OWA access URL)
SANs : , autodiscover.otherprimaryemaildomainsthatyouwilladdinthefuture

Create an internal DNS zone for each external EMAIL DNS and for
-> Set the A records you need, in there (ie: www, portal, and so on)
-> set the "email" and "autodiscover" records to point to your internal server IP

Then, launch the following commands :

Get-OABVirtualDirectory  | Set-OABVirtualDirectory -externalurl  /OAB -internalurl -RequireSSL:$true
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -internalurl  -externalurl -BasicAuthentication:$True

Get-CLientAccessserver | Set-ClientAccessServer -AutodiscoverServiceInternalUri

That will be enough :)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Alan HardistyCo-OwnerCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.