Outlook cannot connect externally

Hi All

I am having issues with a new Exchange 2016 deployment on Server 2016.

Just a little bit of backstory:

- This is a replacement of our old Exchange 2010 server, which is installed on SBS 2008
- We created a new local domain (Windows Server 2016) to which Exchange 2016 was added, so it was not a migration from 2010 to 2016
- I have exported the CA-signed certificate from 2010 and imported it into the Exchange 2016 management console

I have set all internal DNS records on the DC. The external IP has not changed. I also changed all the routing in the firewall to point to the new Exchange server. Send and receive connectors and accepted domains are all set. I have also set all the virtual directories to point to the appropriate mail.company.com.

Already tried the connectivity tester as shown in the attached files.

The problem:
I can send email from and to addresses inside of the network (to both internal and external mail addresses), I can access OWA, and I can receive/send mail on both Android/iOS devices. However, Outlook clients can only connect to Exchange from inside the network, not externally. The 2nd problem is that the internal Outlook clients get the message: "The name of the security certificate does not match the name of the site".

I have tried removing the certificate and importing it again, but I get the error message:

"A special Rpc error occurs on server *Servername*: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate."

Thanks for your help.
Jeroen Kamps asked:

Valentina Perez (Exchange Servers) commented:
Hi Jeroen,

The users that connect, are they located in Exchange 2010 or 2016?

If you migrated a mailbox...you can connect?

Peter Hutchison (Senior Network Systems Specialist) commented:
Make sure that you have set the internal/external URLs for the OWA, EAP, EWS/Autodiscover for the new Exchange servers to the correct names so that they match the SSL/TLS certificate you have.

External access should be set to the new servers.
timgreen7077 (Exchange Engineer) commented:
In regards to the cert error you are getting on the internal Outlook clients: did you set the Autodiscover SCP when you completed your Exchange installation? Setting the SCP is one of the first things you want to do, so that Autodiscover will look at your virtual directory namespace that matches your certs instead of looking at the actual server name. Run the following cmd and let me know if the URI is your actual server name or the namespace on your cert:

Get-ClientAccessService -Identity exchangeservername | Select AutodiscoverServiceInternalUri

If the results are something like https://exchangeserver.localdomain.com/Autodiscover/Autodiscover.xml, this will be why you are getting the cert error. Generally the server name isn't on the cert, so when the Outlook clients internally attempt to connect it says the server name isn't found.

I'm almost positive your issues have to do with your namespace config. To see the rest of the namespaces for the virtual directories, go to the following link and download the PowerShell script "GetExchangeURLs.ps1". It will get the namespaces you have set for your virtual directories. It will not make any changes. This will allow us to help better. Here is the link:

Jeroen Kamps (Author) commented:
I ran the command and indeed got the exchangename.local as return.

I have manually checked all the virtual directories, which point to the external URL mail.company.com. I cannot run the PowerShell script just yet because the server is currently being controlled remotely.

If the script returns mail.company.com instead of exchangeserver.local, I assume that everything is set up correctly? If not, how can I fix the naming issue?
Once the remote session is closed I will run the script.
timgreen7077 (Exchange Engineer) commented:
Run the following to correct:

Set-ClientAccessService -Identity exsevername -AutodiscoverServiceInternalURI https://mail.domain.com/autodiscover/autodiscover.xml

In the above cmdlet, where I have "mail.domain.com", this needs to be the name you are using for the namespace, and make sure the name is also on your cert. It can be something like:

https://autodiscover.domain.com/autodiscover/autodiscover.xml or https://mail.domain.com/autodiscover/autodiscover.xml.

If you have multiple 2016 servers you will need to run this cmdlet for each server.

You will also need to be sure that your internal DNS A records are pointing to the correct server. For example, if you choose the following cmdlet:


you have to be sure you have a DNS A record set up as follows:

Host A Record autodiscover.domain.com (This is the IP address of the 2016 exchange server)

So whatever SCP name you choose, make sure DNS points to that server, or to multiple servers if you have multiple 2016 servers.
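One way to audit all of this in a single pass, as an added example that is not code from the thread or from the GetExchangeURLs.ps1 script mentioned above: it lists every namespace the 2016 server hands to clients (the SCP, each virtual directory's internal/external URL, and Outlook Anywhere) and flags any hostname that is not covered by the certificate bound to IIS, which is exactly the condition that produces the "name of the security certificate does not match" warning. It assumes the Exchange Management Shell; EX2016 is a placeholder for the real server name.

```powershell
# Added audit example, not code from the thread. Run in the Exchange Management Shell
# on the 2016 server; 'EX2016' is a placeholder for the actual server name.
$Server = 'EX2016'

# Every hostname Outlook or Autodiscover may be handed, tagged with where it comes from.
$Endpoints = @()
$Endpoints += [pscustomobject]@{ Source = 'SCP AutodiscoverServiceInternalUri'
    Value = (Get-ClientAccessService -Identity $Server).AutodiscoverServiceInternalUri }
$VdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmd in $VdirCmdlets) {
    foreach ($vd in (& $cmd -Server $Server)) {
        $Endpoints += [pscustomobject]@{ Source = "$cmd InternalUrl"; Value = $vd.InternalUrl }
        $Endpoints += [pscustomobject]@{ Source = "$cmd ExternalUrl"; Value = $vd.ExternalUrl }
    }
}
$oa = Get-OutlookAnywhere -Server $Server | Select-Object -First 1
$Endpoints += [pscustomobject]@{ Source = 'OutlookAnywhere InternalHostname'; Value = $oa.InternalHostname }
$Endpoints += [pscustomobject]@{ Source = 'OutlookAnywhere ExternalHostname'; Value = $oa.ExternalHostname }

# Names on the certificate that IIS (all of the client endpoints above) actually serves.
$IisCert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$CertNames = @($IisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameOnCert {
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one label: *.company.com matches mail.company.com only.
        if ($n.StartsWith('*.') -and $h -like $n -and $h.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

"Certificate {0} covers: {1}" -f $IisCert.Thumbprint, ($CertNames -join ', ')
foreach ($e in $Endpoints) {
    $v = "$($e.Value)"
    if (-not $v) { "{0,-45} NOT SET" -f $e.Source; continue }
    # Virtual directories hold full URLs; Outlook Anywhere holds bare hostnames.
    $hn = if ($v -match '^https?://') { ([uri]$v).Host } else { $v }
    $state = if (Test-NameOnCert $hn $CertNames) { 'OK' } else { 'NOT ON CERT -> Outlook will warn' }
    "{0,-45} {1,-35} {2}" -f $e.Source, $hn, $state
}
```

Any line reported as NOT ON CERT must be repointed to a name on the certificate (with Set-ClientAccessService for the SCP, or the matching Set-*VirtualDirectory cmdlet) or the certificate must be reissued with that name added; the internal DNS A record for each OK name still has to resolve to the 2016 server, as the answer above notes.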

Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: timgreen7077 (https:#a42459455)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer