Exchange SSL error for internal users. Works fine for external

Due to the new rules about SSL for internal domains I have a problem. We just replaced the SSL certificate on our Exchange server and lost the ability to have the internal domain on it. We are now getting SSL errors for everyone using Outlook.

Does anyone have a solution to this, as we have many clients that will run into this issue moving forward?

sidelogic (IT Manager) asked:

dipersp commented (accepted solution):
You just need to update your internal URLs. You also need to set up (or whatever is on your cert) to resolve internally to the Exchange server's internal IP. Let me know if you need help doing this in DNS.

On your 2010 server, run these PowerShell commands from the Exchange Management Shell:

Get-ClientAccessServer | fl *uri
Get-WebServicesVirtualDirectory | fl *lurl
get-OabVirtualDirectory | fl *url

Some or all of these are probably pointing to exchange.domain.local and need to be changed to  To fix these, first record the results from above for backup purposes. Then:

Set-ClientAccessServer -Identity [Exchange Netbios] -AutodiscoverServiceInternalUri https://mail.[DOMAIN].com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "[Exchange Netbios]\EWS (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "[Exchange Netbios]\oab (Default Web Site)" -InternalUrl https://mail.[DOMAIN].com/oab

I set ALL of these (internal and external) to as internally should be resolving to the Internet IP of your mail server anyway. Usually this is already set correctly for the externals, so the above commands (for Set-Web and Set-OAB) only set the internals. If your externals are wrong, fix those as well.

Also check in the Exchange Management Console that things are set correctly under Server Configuration\Client Access, then check each of the tabs at the bottom of the screen (OWA, ECP, ActiveSync, etc.) and make sure internal and external point to (without altering the rest of the URL, such as /owa, /ecp, etc.).
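The procedure above (back up the current values, point Autodiscover and every virtual directory at the certificate hostname, confirm split DNS) as one script. This is an added example, not code from any of the answers: $CertHost and $Server are placeholders for the SAN name on the new certificate and the Exchange NetBIOS name, the backup path is assumed, and it extends the answer's EWS/OAB commands to the OWA, ECP and ActiveSync directories the answer says to check in the console. It refuses to run if the hostname is not actually on the IIS-bound certificate, since that is the mismatch producing the Outlook prompt.

```powershell
# Added example (not from the answers above): audit and normalise the Exchange
# 2010 client-access URLs so every URL Outlook receives uses the hostname that is
# on the new certificate, backing up the old values first.
# Run from the Exchange Management Shell. Placeholders (assumptions): $CertHost,
# $Server and $Backup; adjust to your environment.
$CertHost = 'mail.example.com'      # placeholder: SAN name on the new certificate
$Server   = $env:COMPUTERNAME       # placeholder: Exchange NetBIOS name
$Backup   = "C:\Temp\ExchangeUrls-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"

# 1. Sanity check: stop unless the hostname is a SAN on the certificate bound to
#    IIS. Handing Outlook a name the cert does not carry is exactly what causes
#    the certificate error in the question.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
$sanHit   = $iisCerts | ForEach-Object { $_.CertificateDomains } | Where-Object { $_ -ieq $CertHost }
if (-not $sanHit) {
    throw "$CertHost is not a subject alternative name on the IIS certificate."
}

# 2. Record the current values before changing anything, as the answer advises.
$vdirTypes = 'WebServicesVirtualDirectory', 'OabVirtualDirectory',
             'OwaVirtualDirectory', 'EcpVirtualDirectory', 'ActiveSyncVirtualDirectory'
$snapshot = @(Get-ClientAccessServer -Identity $Server |
              Select-Object Name, AutoDiscoverServiceInternalUri)
foreach ($t in $vdirTypes) {
    $snapshot += & "Get-$t" -Server $Server | Select-Object Identity, InternalUrl, ExternalUrl
}
$snapshot | Format-List | Out-String | Set-Content -Path $Backup
Write-Host "Previous settings saved to $Backup"

# Replace only the host part of a URL, keeping its path (/ews/exchange.asmx,
# /oab, /owa ...) so the directory-specific part is never altered.
function Set-UrlHost([string]$Url) {
    $b = [System.UriBuilder]$Url
    $b.Scheme = 'https'
    $b.Port   = 443
    $b.Host   = $CertHost
    return $b.Uri.AbsoluteUri
}

# 3. Autodiscover SCP: the first thing a domain-joined Outlook looks up.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$CertHost/autodiscover/autodiscover.xml"

# 4. Each virtual directory: internal and external URLs both get the cert host.
#    If InternalUrl is empty, derive it from ExternalUrl so the path stays right.
foreach ($t in $vdirTypes) {
    foreach ($vd in (& "Get-$t" -Server $Server)) {
        $params = @{ Identity = $vd.Identity }
        if ($vd.ExternalUrl) { $params.ExternalUrl = Set-UrlHost $vd.ExternalUrl }
        if ($vd.InternalUrl) { $params.InternalUrl = Set-UrlHost $vd.InternalUrl }
        elseif ($vd.ExternalUrl) { $params.InternalUrl = $params.ExternalUrl }
        & "Set-$t" @params
    }
}

# 5. Split-DNS check: on the LAN the cert hostname must resolve to this server's
#    internal address; otherwise internal clients go out through the firewall.
$resolved = [System.Net.Dns]::GetHostAddresses($CertHost) | ForEach-Object { $_.IPAddressToString }
$local    = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) | ForEach-Object { $_.IPAddressToString }
if (-not ($resolved | Where-Object { $local -contains $_ })) {
    Write-Warning ("{0} resolves to {1} here, not to this server ({2}). " +
                   "Add an internal DNS zone or record for {0}.") -f $CertHost, ($resolved -join ', '), ($local -join ', ')
}
```

Run it once per Client Access server; the backup file gives you the exact values to paste back into the corresponding Set- cmdlets if anything goes wrong. Outlook picks up the new URLs on its next Autodiscover refresh, so the prompt may persist until clients restart.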
Since your internal hostnames are not in the new certificate's SAN names, you are getting errors.

You can use SRV records for client discovery instead of Autodiscover to eliminate cert errors.

I also suggest you change your internal URLs to match the external URLs (split DNS) to avoid cert errors.

Simon Butler (Sembee), Consultant, commented:
Internal SRV records are NOT required, and a waste of time unless you don't have on the certificate AND you have clients on your network which are not members of the domain.

The changes required are pretty straightforward; I have outlined them here:

sidelogic (IT Manager), author, commented:
That worked great! Sembee, your link took me to no article, so you may want to check on that...

Simon Butler (Sembee), Consultant, commented:
The EE system got in the way, as it was missing an extra slash. It should have been
