First I would like to say that our domain is a .local and not a FQDN in active directory. Ex. john.local
Exchange 2010 sp1
Originally setup with a self signed cert
OWA is using http
mobile clients are not using ssl (but we would like to turn this on)
Things we have tried:
Creating a signed certificate (for this we did have to change the entries to .com to be able to get a certificate)
1- Backup the existing directories from the exchange management shell
Get-WebServicesVirtualDirectory | Select InternalUrl,BasicAuthentication,ExternalUrl,Identity | Format-List
Get-OabVirtualDirectory | Select InternalUrl,ExternalUrl,Identity | Format-List
Get-ActiveSyncVirtualDirectory | Select InternalUrl,ExternalUrl,Identity | Format-List
2- Set the directories to use .com names
Set-WebServicesVirtualDirectory -Identity "EXCH-1\EWS (Default Web Site)" -InternalURL https://exchange.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OabVirtualDirectory -Identity "EXCH-1\OAB (Default Web Site)" -InternalUrl https://exchange.domain.com/OAB
Set-ActiveSyncVirtualDirectory -Identity "EXCH-1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://exchange.domain.com/Microsoft-Server-ActiveSync"
3- Enable outlook anywhere and configure it
Use the EMC to enable Outlook Anywhere
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Anywhere configuration settings" entry in the Client Access Permissions topic.
a. In the console tree, navigate to Server Configuration > Client Access.
b. In the action pane, click Enable Outlook Anywhere.
c. In the Enable Outlook Anywhere wizard, type the external host name or URL for your organization in the box under External host name.
This is the URL, for example site.contoso.com, that users will use to connect to the Exchange server by using Outlook Anywhere.
d. Select an available external authentication method. You can select Basic authentication or NTLM authentication.
Basic authentication sends the user name and password in clear text. It also requires that users enter domain, user name, and password every time that they connect to the Exchange server. When you use NTLM authentication, the user's credentials are never sent over the network. Instead, the client computer and the server exchange hashed values of the user's credentials. NTLM can also use the current Windows operating system logon information.
Even though it's more secure, NTLM may not work with firewalls that examine and modify traffic. You can use an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 together with NTLM authentication for Outlook Anywhere.
Negotiate Ex authentication is an authentication type that's reserved for future Microsoft use and should not be used. Use of this setting will cause authentication to fail.
e. If you're using an SSL accelerator and you want to use SSL offloading, select the check box next to Allow secure channel (SSL) offloading.
Select this check box if you'll be using a separate server to handle Secure Sockets Layer (SSL) encryption and decryption. When you use SSL offloading, the firewall in front of the Client Access server ends the SSL session and then establishes a new non-SSL session to the Exchange server.
Don't use this option unless you're sure that you have an SSL accelerator that can handle SSL offloading. If you don't have an SSL accelerator that can handle SSL offloading, and you select this option, Outlook Anywhere won't function correctly.
f. Click Enable to apply these settings and enable Outlook Anywhere.
g. Click Finish to close the Enable Outlook Anywhere wizard.
4- Change the default cert to the new SSL cert
5- Assign services to the new cert
6- Verify that the default website is using the new SSL cert and that there is an https binding with the new cert
This is also a production environment.
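As an added worked example (not the poster's code, and not taken from the Microsoft documentation quoted above), the following Exchange Management Shell script covers steps 4 to 6 of the procedure and the wish to force SSL for mobile clients. It assumes the new certificate is already imported on the Client Access server, that the public name is exchange.domain.com as used in the Set-*VirtualDirectory commands, that the thumbprint placeholder is replaced with the real value, and that the IIS 7 WebAdministration module is present. The name-mismatch check is the part that would have flagged the original .local URLs before any client saw a certificate warning.

```powershell
# Added example (not part of the original post): verify certificate/URL consistency,
# bind the new certificate to IIS and enforce SSL for ActiveSync on Exchange 2010 SP1.
# Run from the Exchange Management Shell on the Client Access server.
Import-Module WebAdministration              # assumption: IIS 7 PowerShell module is installed

$Thumbprint = '<THUMBPRINT-OF-NEW-CERT>'     # placeholder: copy from the Get-ExchangeCertificate output

# 1. Inventory: every certificate Exchange knows about, whether it is self-signed,
#    when it expires, which services use it and which names it covers.
Get-ExchangeCertificate |
    Format-Table Thumbprint, IsSelfSigned, NotAfter, Services, CertificateDomains -AutoSize

# 2. Collect every host name the Client Access server advertises to clients. A name that
#    is not on the certificate produces a name-mismatch warning once SSL is enforced,
#    which is why the .local URLs had to be replaced with .com ones.
$urls = @()
foreach ($vd in @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
               @(Get-ActiveSyncVirtualDirectory) + @(Get-OwaVirtualDirectory)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })
foreach ($oa in @(Get-OutlookAnywhere -ErrorAction SilentlyContinue)) {
    if ($oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }
}
$hosts = $hosts | Sort-Object -Unique

$cert      = Get-ExchangeCertificate -Thumbprint $Thumbprint
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$mismatch  = $false
foreach ($h in $hosts) {
    # covered by an exact entry, or by a wildcard entry (*.domain.com) with a matching suffix
    $wild    = @($certNames | Where-Object { $_.StartsWith('*.') -and $h.EndsWith($_.Substring(1)) })
    $covered = ($certNames -contains $h) -or ($wild.Count -gt 0)
    if ($covered) { Write-Host "OK        $h" }
    else          { Write-Warning "MISMATCH  $h is not on certificate $Thumbprint"; $mismatch = $true }
}
if ($mismatch) {
    throw 'Fix the virtual directory URLs (step 2) or obtain a certificate covering these names before enabling SSL.'
}

# 3. Assign the certificate to IIS (OWA, EWS, OAB, ActiveSync and Outlook Anywhere all run on IIS).
#    Add SMTP to -Services only if the transport connectors should use this certificate for TLS too.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS

# 4. Verify the Default Web Site has an https binding and that it carries the new certificate.
$https = @(Get-WebBinding -Name 'Default Web Site' -Protocol https)
if ($https.Count -eq 0) { throw 'No https binding exists on Default Web Site' }
foreach ($b in $https) {
    $state = if ($b.certificateHash -eq $Thumbprint) { 'OK' } else { 'WRONG CERT' }
    '{0}  {1}  {2}' -f $b.bindingInformation, $b.certificateHash, $state
}

# 5. Enforce SSL for mobile clients: require SSL on the ActiveSync virtual directory.
#    The security/access section is locked at server level, so write it as a location
#    entry in applicationHost.config rather than into the application's web.config.
$asLocation = 'Default Web Site/Microsoft-Server-ActiveSync'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $asLocation `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
$after = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $asLocation `
    -Filter 'system.webServer/security/access' -Name sslFlags
$afterText = if ($after -is [string]) { $after } else { $after.Value }
if ("$afterText" -notmatch 'Ssl') { Write-Warning "ActiveSync still does not require SSL (sslFlags=$afterText)" }
else { Write-Host "ActiveSync now requires SSL (sslFlags=$afterText)" }
```

The script stops before touching IIS if any advertised host name is not on the certificate, so the binding change cannot leave clients with a mismatch. After step 5 plain-HTTP ActiveSync requests are refused, so the mobile devices must be switched to SSL at the same time; OWA can be forced the same way by repeating step 5 with the owa application as the location.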