Exchange 2010 Change SSL

AlliedAdmin asked:
We just renewed our Exchange 2010 SSL cert, and since you can't use internal addresses on the SSL cert we are getting an error when Outlook connects to Exchange. I've changed all internal URLs to use our webmail FQDN, which is on the SSL cert. We are still getting the following error (see snapshots below) that references the original internal NetBIOS name (server.domain.loc).

One thing I noticed when testing the new internal URLs is that it asks for a username/password when going to them with a browser. When I use the internal NetBIOS name it loads right up.

"You do not have permission to view this directory or page."

"This XML file does not appear to have any style information associated with it. The document tree is shown below."

[Screenshot: Outlook 2010 error]
[Screenshot: Outlook 2007 error]
Do you have a reverse proxy (load balancer), or is your Exchange open straight from outside?
If you do, put the outside certificate on it and not on your Exchange servers. If you don't, I think you can copy your outside DNS zone to your internal DNS, change the addresses related to your Exchange accordingly, and configure the internal URLs in Exchange (autodiscover.xml) to point to the same FQDNs as outside.

Good luck.


No reverse proxy (load balancer); email, internal and external, is routed through a spam firewall. I changed the internal URLs using this guide.


Same as I said, the article tells you to change your internal FQDNs to the public domain.
What it doesn't tell you is that from now on all your INTERNAL users will go to your Exchange server through your firewall, since they will resolve Exchange to its external address (thus overloading your firewall for no good reason). This is why I suggested:
copy your outside DNS zone to your internal DNS and change the addresses related to your Exchange accordingly (to the internal IP addresses). This will not overload your firewall.
Good luck :D


Tru, we have internal DNS set up... it would resolve to the internal IP address... that's not the issue I'm trying to fix. Thanks for your help though.


OK, so when you run:
Get-WebServicesVirtualDirectory |fl identity,internalurl
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Get-OwaVirtualDirectory|select InternalUrl
Get-OabVirtualDirectory|select InternalUrl
Get-ecpVirtualDirectory|select InternalUrl
Get-MailboxDatabase|select rpcclientaccessserver

do they all point to your "external" FQDN?
Add an SRV record to your external DNS domain.

 This is a sample of what it should look like if your mail server was

 For GoDaddy under the SRV (Service)
 _autodiscover _tcp  @ 0 0 443 1 hour

 For DynDNS 14400 SRV 0 0 443

 For GoDaddy the setup is

 Name: @
 Protocol: _tcp
 Service: _autodiscover
 Priority: 0
 Weight: 0
 Port: 443
 TTL: 1 Hour

 For DynDNS the setup is
 Host name is _autodiscover._tcp
 TTL is: 14400
 Record Type is: SRV
 Data is:  0 0 443

Do not attempt to add this record to your Active Directory DNS.

 In your Active Directory, add the following zone in your Forward Lookup Zones as a Primary Zone
 and add an "A Record" in the zone with a blank name and the IP address of your internal Exchange server.
 Once it is in, ping it from a workstation and it should return the internal IP address of your Exchange server. If someone from the outside pings it, it should return your public IP address.

 On the workstation you are testing from, run an elevated command prompt (Admin) and flush your DNS with the following command (restarting the workstation will also flush your DNS cache).

 IPCONFIG /flushdns
 You should no longer get the warning when you start Outlook.


All but the last one point to the FQDN:

Get-MailboxDatabase|select rpcclientaccessserver


I'm starting to wonder if a restart is in order. I don't know how many random MS issues I've fixed by simply restarting the server, lol.



I tried that as a quick workaround using the article below and it didn't work. Given that the end user would just get a different error message, I didn't investigate further.

"Note When the SRV record is used by an Outlook client, the user may receive the following message that advises the user of the redirection that is about to occur. We recommend that the user select the Don't ask me about this website again check box so that the message is not displayed again."
You can use this tool from DigiCert to fix your settings on the Exchange server.
Just set the RpcClientAccessServer on the mailbox databases through PowerShell:
Get-Mailboxdatabase | Set-Mailboxdatabase -RpcClientAccessServer fqdnoftheserver
If you are still getting the message after adding ALL of the DNS records, then something is not set right on your Exchange server. The tool I posted from DigiCert should show you where the problem is.
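The checks the thread runs one cmdlet at a time (the Get-*VirtualDirectory list above plus the RpcClientAccessServer fix in this post) collected into one audit, as an added example that is not code from any poster. It assumes the Exchange Management Shell on the Exchange 2010 server; Get-ActiveSyncVirtualDirectory is a real cmdlet the thread does not mention and is included for completeness.

```powershell
# Added example (not posted in the thread): audit every name Exchange 2010 hands
# to Outlook against the names on the certificate bound to IIS, so a leftover
# internal name such as server.domain.loc is found before users see the warning.
# Assumes the Exchange Management Shell on the server; PowerShell 2.0 syntax.

function Get-UrlHost ($Value) {
    # InternalUrl and AutoDiscoverServiceInternalUri are System.Uri objects,
    # RpcClientAccessServer is a plain FQDN string; unset values are reported as such
    if ($Value -is [System.Uri]) { return $Value.Host.ToLower() }
    if ($Value) { return ([string]$Value).ToLower() }
    return "(not set)"
}

function New-Check ($Setting, $Id, $Value) {
    New-Object PSObject -Property @{ Setting = $Setting; Identity = "$Id"; Name = (Get-UrlHost $Value) }
}

# CN and SAN entries of the certificate currently enabled for IIS (exact-match
# comparison; a wildcard certificate would need its own pattern test)
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() })

# The same settings the thread reads one by one, plus ActiveSync for phones
$checks = @()
foreach ($vd in Get-WebServicesVirtualDirectory) { $checks += New-Check "EWS InternalUrl" $vd.Identity $vd.InternalUrl }
foreach ($vd in Get-OabVirtualDirectory)         { $checks += New-Check "OAB InternalUrl" $vd.Identity $vd.InternalUrl }
foreach ($vd in Get-OwaVirtualDirectory)         { $checks += New-Check "OWA InternalUrl" $vd.Identity $vd.InternalUrl }
foreach ($vd in Get-EcpVirtualDirectory)         { $checks += New-Check "ECP InternalUrl" $vd.Identity $vd.InternalUrl }
foreach ($vd in Get-ActiveSyncVirtualDirectory)  { $checks += New-Check "EAS InternalUrl" $vd.Identity $vd.InternalUrl }
foreach ($cas in Get-ClientAccessServer) { $checks += New-Check "AutoDiscoverServiceInternalUri" $cas.Identity $cas.AutoDiscoverServiceInternalUri }
foreach ($db in Get-MailboxDatabase)     { $checks += New-Check "RpcClientAccessServer" $db.Identity $db.RpcClientAccessServer }

# Anything not on the certificate is the asker's situation: every virtual
# directory was fixed but RpcClientAccessServer still carried the old name.
$mismatch = @($checks | Where-Object { $certNames -notcontains $_.Name })
if ($mismatch.Count -gt 0) {
    Write-Warning "Names below are not on the IIS certificate ($($certNames -join ', ')):"
    $mismatch | Format-Table Setting, Identity, Name -AutoSize
    # For the RPC endpoint the fix from this thread is:
    #   Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer <fqdn-on-cert>
} else {
    Write-Host "All client-access names are covered by the certificate."
}
```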


Thanks all for your help. I reran all the commands and restarted the server. After the restart everything seems to be working perfectly! Thanks all!


Glad I could help, thanks for the feedback.
