The easiest way to configure the Exchange 2013 Virtual Directories is by using the ‘Configure External Access Domain’ wizard in the new Exchange Admin Center GUI. The wizard will automatically configure all of the Exchange 2013 external URLs to use the DNS hostname you specify. Note: in most cases the default internal URLs are acceptable and can be left alone.
Why did I write this article? Most of the available docs are for the command-line-based Exchange Management Shell (EMS) or have bad examples showing the internal URLs and external URLs set to the same thing, which I don’t agree with as a standard practice.
Follow these easy steps to configure the external Virtual Directories using the EAC GUI:
- open Exchange Admin Center, https://EX2013-SRVR-NAME/ecp
- click Servers > Virtual directories
- click Configure external access domain
- under Select the Client Access servers to use with the external URL, click Add
- select the server(s) you want to configure and then click Add. Click OK.
- enter the external DNS hostname that you will use for external email access; this is what people will put in the server name field on their mobile device or in OWA (mail.domain.com is pretty standard).
Note: you will need to obtain a third-party SSL certificate for this DNS hostname.
Congrats, the Exchange 2013 external URLs have now been set.
The internal URLs are set to the computer name of the Exchange 2013 server during installation. This is typically fine in most environments. That said, if you have an environment where you don’t own the internal AD DNS domain name and cannot include it in your SSL certificate, then you may need to set your internal URLs to the same hostname as your external URLs. This is somewhat out of the scope of this article, however I wanted to point it out in case you run into it later.
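To confirm what the wizard set, and to catch the internal-URL/certificate mismatch just described, the following audit can be run in the Exchange Management Shell. It is an added example, not code from the original article; the server name, the expected external hostname and the function Test-HostCovered are assumptions to be replaced with your own values.

```powershell
# Added audit example, not from the original article. Run it in the Exchange
# Management Shell after the 'Configure external access domain' wizard.
# $Server and $ExpectedExternalHost are assumed placeholders; substitute your own.
$Server               = 'EX2013-SRVR-NAME'
$ExpectedExternalHost = 'mail.domain.com'

# Hostnames on the certificate that IIS is actually serving.
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -like '*IIS*' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-HostCovered {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry covers exactly one label to its left.
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

# Front-end virtual directories the wizard sets (Outlook Anywhere uses
# ExternalHostname/InternalHostname instead and is checked the same way).
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OabVirtualDirectory         -Server $Server
) | Where-Object { $_.Name -like '*Default Web Site*' }

foreach ($vd in $vdirs) {
    $int = if ($vd.InternalUrl) { $vd.InternalUrl.Host.ToLower() } else { '(none)' }
    $ext = if ($vd.ExternalUrl) { $vd.ExternalUrl.Host.ToLower() } else { '(none)' }
    $notes = @()
    if ($ext -ne $ExpectedExternalHost.ToLower()) { $notes += 'external URL not set to the wizard hostname' }
    if ($ext -eq $int) { $notes += 'internal and external URL are the same' }
    if ($ext -ne '(none)' -and -not (Test-HostCovered $ext $certNames)) { $notes += 'external host not on IIS cert' }
    if ($int -ne '(none)' -and -not (Test-HostCovered $int $certNames)) { $notes += 'internal host not on IIS cert' }
    [pscustomobject]@{
        VirtualDirectory = $vd.Name
        InternalHost     = $int
        ExternalHost     = $ext
        Status           = if ($notes) { $notes -join '; ' } else { 'OK' }
    }
}
```

Any row whose internal host is not on the IIS certificate is the case the paragraph above warns about: clients will get certificate errors until either the name is added to the certificate or the internal URL is changed.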
At this point your Exchange Server 2013 Virtual Directories are configured.
Next: if you haven’t already done so, you need to install an Exchange 2013 SSL certificate.
After your certificate is installed I’d recommend performing some testing, and then you may want to set up redirection of HTTP to HTTPS for OWA.
I am completely stumped on redirection and proxying. My issue only impacts OWA, but has our entire migration stalled. We have an Exchange 2010 server that has been in production for years and want to migrate to 2013. We need OWA with FBA to work. We will need 2013 to proxy or forward 2010 mailbox users to the legacy OWA site until their mailboxes are moved. If I go to https://mail.contoso.com/owa and enter credentials for a 2013 mailbox user, I am looking at their inbox a second later. If I visit the same URL and enter credentials for a 2010 user, I get a 500 error. Looking at the 2013 httpproxy log, I have a giant paragraph, whose only real useful information is “Unable to locate a suitable backend service for SID…” followed by a SID. I am 99% sure the issue is authentication, but I have flipped the settings over and over with every possible combination of Basic, Windows, FBA, Digest, and I have made sure in IIS that Windows authentication either does not include Negotiate or that Negotiate is after NTLM in the provider order. I have tried making sure the externalURL is $null on 2010 and the internalurl is the legacy url. I have tried making sure that the internalclientauthentication methods and the externalauthenticationmethods include Basic and FBA, as well as WindowsAuthentication in some cases and NTLM in others. I’m starting to wonder if the settings I need are outside of the OWA Virtual directory. Any ideas?
Hi, it may be hard to explain in writing but reach out if you need more help or would like me to write an article on this. Before we get started, make sure you are running a relatively recent cumulative update of Exchange 2013 and that your Exchange 2010 is running a rollup level compatible with Exchange 2013 co-existence. Moving on to how to fix this: Exchange 2013 has the capability to proxy ActiveSync, and redirect OWA, EWS, POP3 and IMAP requests to legacy Exchange 2007/2010 for users who still have their mailboxes on Exchange 2007/2010. In order to use this feature you will need to set up a legacy DNS record both internally and externally that represents the IP address of the legacy Exchange 2007/2010 Server, for example legacy.contoso.com. I recommend that Exchange 2013 be provisioned with a new external internet IP address and it will take over the production external DNS A record, mail.contoso.com, that you currently use for Exchange 2007/2010. On your legacy 2007/2010 server, the external OWA URL in the Exchange virtual directories should point to legacy.contoso.com. This point is absolutely critical, as 2013 reads this value to determine what URL to redirect the users to. Note, the internal OWA URL on your legacy 2007/2010 server should be either the internal AD computer name of the legacy 2007/2010 server or be legacy.contoso.com (this point generally depends on your SSL certs etc). Note: it may be advised to roll back any authentication and other experimental tweaks that you made, as any single wrong setting on those can cause everything not to work.
More information: https://technet.microsoft.com/en-us/library/dn130105(v=exchg.150).aspx
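The prerequisites the reply lists (legacy OWA ExternalUrl carrying the legacy name, 2013 owning the production name, and the legacy DNS record pointing at the legacy server) can be verified from the Exchange 2013 Management Shell before touching any authentication settings. This is an added example, not code from the article or the reply; the server and host names and the helper Get-FrontEndOwa are assumptions.

```powershell
# Added co-existence check, not from the article or the reply above. Run it in
# the Exchange 2013 Management Shell; server and host names are assumed placeholders.
$LegacyServer = 'EX2010-SRVR-NAME'
$Ex2013Server = 'EX2013-SRVR-NAME'
$LegacyHost   = 'legacy.contoso.com'
$ProdHost     = 'mail.contoso.com'
$problems     = @()

# Exchange 2013 also lists the back-end OWA vdir; only the front end carries the URLs.
function Get-FrontEndOwa([string]$Server) {
    Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' }
}

# 1. Exchange 2013 builds the redirect target from the legacy OWA ExternalUrl,
#    so it must carry the legacy name, not the production name.
$legacyOwa = Get-FrontEndOwa $LegacyServer
if (-not $legacyOwa.ExternalUrl -or $legacyOwa.ExternalUrl.Host -ne $LegacyHost) {
    $problems += "Legacy OWA ExternalUrl is '$($legacyOwa.ExternalUrl)'; expected host $LegacyHost"
}

# 2. The 2013 OWA ExternalUrl must be the production name that 2013 took over.
$newOwa = Get-FrontEndOwa $Ex2013Server
if (-not $newOwa.ExternalUrl -or $newOwa.ExternalUrl.Host -ne $ProdHost) {
    $problems += "2013 OWA ExternalUrl is '$($newOwa.ExternalUrl)'; expected host $ProdHost"
}

# 3. Both names must resolve, and the legacy name must point at the legacy server,
#    not at the new 2013 address. Repeat from an external client for the public record.
try {
    $legacyIps = [System.Net.Dns]::GetHostAddresses($LegacyHost) | ForEach-Object { $_.IPAddressToString }
    $prodIps   = [System.Net.Dns]::GetHostAddresses($ProdHost)   | ForEach-Object { $_.IPAddressToString }
    $shared = @($legacyIps | Where-Object { $prodIps -contains $_ })
    if ($shared.Count -gt 0) { $problems += "$LegacyHost and $ProdHost resolve to the same address: $($shared -join ', ')" }
} catch {
    $problems += "DNS lookup failed: $($_.Exception.Message)"
}

if ($problems.Count -eq 0) { 'Legacy redirect prerequisites look correct.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```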