Configuring an Exchange Hybrid Deployment Migrating to Office 365 (Exchange Online) (Part 9)

by [Published on 12 Feb. 2013 / Last Updated on 29 May 2013]

In this part of the article series we will import and assign a third party certificate to IIS and SMTP on the Exchange 2010 hybrid servers.

If you would like to read the other parts of this article series please go to:

Introduction

In part 8 of this multi-part article series revolving around Exchange hybrid deployment based migrations to Office 365 or more precisely Exchange Online, we looked at what deploying Exchange 2010 hybrid servers will provide us with in terms of features and functionality. In addition, we configured the two Exchange 2010 Hybrid Deployment servers in a Windows Network Load Balancing (WNLB) farm.

In this part 9, we will continue where we left off in part 8. That is we will import and assign a third party certificate to IIS and SMTP on the Exchange 2010 hybrid servers. Moreover, we will configure the miscellaneous Exchange URLs on these servers to point to “hybrid.office365lab.dk”, which is the hybrid deployment coexistence FQDN, I have chosen for this specific environment.

Let’s get going…

Import & Enable Third Party Certificate on Hybrid Servers

When configuring a hybrid deployment, one of the requirements is a SSL certificate from a trusted 3rd party certificate provider. This certificate will be used to secure the communication between the on-premise Exchange 2010 hybrid servers, Exchange clients and Exchange Online.

Note:
We already have a SSL certificate from a trusted 3rd party certificate provider installed on the two Exchange 2007 servers in our on-premise environment. Since this is a wildcard certificate, we can use it for the hybrid servers without having to add an additional FQDN (hybrid.office365lab.dk) to it. This would of course have been required if we used an SAN certificate.

To use the wildcard certificate that is used for the Exchange 2007 servers, we need to export it to a file. Since we do not have a certificate wizard to do this (an Exchange 2010 feature only), we must use the Exchange Management Shell (EMS). So first, open the EMS and then type the following command in order to get the thumbprint for the certificate:

Get-ExchangeCertificate | fl Issuer, CertificateDomains, RootCAType, Thumbprint

Image
Figure 1:
Listing certificates on the Exchange 2007 servers

We can see there are two certificates installed on the respective Exchange 2007 multi-role server, one self-signed SAN certificate and a wildcard certificate from a trusted 3rd party CA provider. To export the wildcard certificate, we’ll use this command:

Export-ExchangeCertificate –Thumbprint <insert thumbprint> -BinaryEncoded:$true –Path c:\certificates\export.pfx –PasswordLGet-Credential).password

Enter any text in the User name field (this value is not stored/saved in the exported certificate) and then the password you wish to protect the exported certificate with.

Image
Figure 2:
Exporting the wildcard certificate from an Exchange 2007 server

With the certificate exported, switch over to one of the Exchange 2010 hybrid servers and open the Exchange Management Console (EMC). In the EMC, select “Server Configuration” and then right-click on one of the hybrid servers in the result pane. In the context menu that appears, select “Import Exchange Certificate” as shown in Figure 3.

Image
Figure 3:
Importing the wildcard certificate on the Exchange 2010 Hybrid Servers

In the “Import Exchange Certificate” wizard, point to the exported certificate and then specify the password used to protect it.

Click “Next”.

Image
Figure 4:
Import Exchange Certificate wizard - Introduction

On the “Select Servers” page, make sure to add both hybrid servers and then click “Next”.

Image
Figure 5:
Import Exchange Certificate wizard – Select Servers

On the “Import Exchange Certificate”, click “Import” to import the certificate.

Image
Figure 6:
Import Exchange Certificate wizard – Configuration Summary

Finally, click “Finish” to exit the wizard.

Image
Figure 7:
Import Exchange Certificate wizard – Completion page

Now that we have imported the certificate on both hybrid servers, it’s time to assign it to the required Exchange services. To do this, right-click on the certificate in EMC and then select “Assign Services to Certificate” in the appearing context menu.

Image
Figure 8: Assigning the wildcard certificate to respective services

On the “Select Servers” page, make sure to add both hybrid servers and then click “Next”.

Image
Figure 9:
Assign Services to Certificate wizard – Select Servers page

On the “Select Services” page, tick “Simple Mail transfer Protocol (SMTP)” and “Internet Information Services (IIS)” and then click “Next”.

Image
Figure 10:
Assign Services to Certificate wizard – Select Services page

Finally click “Assign” and then “Finish”.

We have now imported and enable the required third party certificate.

Configure the URLs on the Exchange 2010 Hybrid Servers

With the third party certificate in place, we can now start configuring the Exchange URLs on the two hybrid servers. Basically we just need to point the internal as well as external URL for the respective virtual directories and the internal autodiscover URI to “hybrid.office365lab.dk”.

To do so using the Exchange Management Shell use the following commands for each respective virtual directory:

Outlook Web App (OWA):

Let’s begin with the internal and external URLs for Outlook Web App (OWA). For this we should use:

Set-OwaVirtualDirectory -Identity "EX03\OWA (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA

Set-OwaVirtualDirectory -Identity "EX04\OWA (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA

Image
Figure 11: Configuring the Internal and External URL for the OWA virtual directory

Exchange Control Panel (ECP):

For the Exchange Control Panel (ECP), we should use:

Set-EcpVirtualDirectory -Identity "EX03\ECP (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/ECP  -ExternalURL https://hybrid.office365lab.dk/ECP

Set-EcpVirtualDirectory -Identity "EX04\ECP (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/ECP  -ExternalURL https://hybrid.office365lab.dk/ECP

Image
Figure 12: Configuring the Internal and External URL for the ECP virtual directory

Exchange ActiveSync (EAS):

For the Exchange ActiveSync (EAS), we should use:

Set-ActivesyncVirtualDirectory -Identity “EX03\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync  -ExternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync

Set-ActivesyncVirtualDirectory -Identity “EX04\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync  -ExternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync

Image
Figure 13: Configuring the Internal and External URL for the EAS virtual directory

Offline Address Book (OAB):

For the Offline Address Book (OAB), we should use:

Set-OABVirtualDirectory -Identity "EX03\oab (Default Web Site)" -InternalUrl https://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab

Set-OABVirtualDirectory -Identity "EX04\oab (Default Web Site)" -InternalUrl https://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab

Image
Figure 14: Configuring the Internal and External URL for the OAB virtual directory

Exchange Web Services (EWS):

For the Exchange Web Services (EWS), we should use:

Set-WebServicesVirtualDirectory -Identity "EX03\EWS (Default Web Site)" -InternalUrl https://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURL https://hybrid.office365lab.dk/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "EX04\EWS (Default Web Site)" -InternalUrl https://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURL https://hybrid.office365lab.dk/ews/exchange.asmx

Image
Figure 15: Configuring the Internal and External URL for the EWS virtual directory

Internal Autodiscover URI:

For the internal Autodiscover URI, we should use:

Set-ClientAccessServer –Identity EX03 -AutoDiscoverServiceInternalUri: https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml

Set-ClientAccessServer –Identity EX04 -AutoDiscoverServiceInternalUri: https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml

Image
Figure 16:
Configuring the Internal URI for the Autodiscover Service

This concludes part 9 of this multi-part article in which I explain how you configure Exchange hybrid deployment followed by migrating to Office 365 (Exchange Online).

If you would like to read the other parts of this article series please go to:

The Author — Henrik Walther

Henrik Walther avatar

Henrik Walther is a respected writer with special focus on Microsoft Exchange and Office 365/BPOS (Exchange Online) solutions within the unified communications area. Prior to joining Microsoft, he was an eight year Exchange MVP and back in 2006 he took the Microsoft Certified Master: Exchange certification.

Latest Contributions

Advertisement

Featured Links