See also: http://www.mustbegeek.com/configure-url-redirection-in-exchange-2013/
See also: Windows SSL Certificates
Let's Encrypt: https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server
For Exchange, you will need a SAN/UC certificate supporting multiple host names.
MS Exchange Certs: http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28329448.html
Disabling SSL 3.0 on the server side in SChannel mitigates the POODLE vulnerability (CVE-2014-3566) for every Windows service that does its TLS through SChannel: IIS (OWA/ECP/EWS/ActiveSync), SMTP, POP/IMAP and RDP. Exchange has no protocol setting of its own; it inherits this one.
Disable SSL 3.0 in Windows by modifying the Windows Registry using regedit:
HKLM → SYSTEM → CurrentControlSet → Control → SecurityProviders → SCHANNEL → Protocols → SSL 3.0 → Server
Create a DWORD (32-bit) value named Enabled and set it to 0. It must be a DWORD, not a string value.
If the complete registry key path does not exist, you can create it (Protocols, SSL 3.0 and Server are normally absent on a fresh install).
The Server key governs inbound connections; a matching Client key with Enabled = 0 also stops the machine negotiating SSL 3.0 when it is the client.
Restart the machine for the setting to take effect.
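The same change done from an elevated PowerShell prompt, as an added example (not part of the original notes): it creates the Server and Client keys, writes Enabled = 0 as a DWORD, additionally sets DisabledByDefault = 1 (not mentioned above), and reads the values back so you can confirm them before rebooting. The openssl check in the trailing comment is an assumption about what is available on a second host.

```powershell
# Added example, not from the original page: disable SSL 3.0 in SChannel for
# inbound (Server) and outbound (Client) use, then read the values back.
# Run in an elevated PowerShell on the Exchange/IIS host; reboot afterwards.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

foreach ($side in 'Server', 'Client') {
    $key = Join-Path $base $side
    if (-not (Test-Path $key)) {
        # Protocols\SSL 3.0\<side> does not exist by default; -Force creates the whole path.
        New-Item -Path $key -Force | Out-Null
    }
    # Enabled must be REG_DWORD; a string "0" is not what SChannel reads.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    # Belt and braces (assumption beyond the notes above): also mark the protocol disabled by default.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: every side should read Enabled=0 DisabledByDefault=1.
foreach ($side in 'Server', 'Client') {
    $p = Get-ItemProperty -Path (Join-Path $base $side)
    '{0,-7} Enabled={1} DisabledByDefault={2}' -f $side, $p.Enabled, $p.DisabledByDefault
}

# After the reboot, confirm from another host (one whose openssl build still has -ssl3) that
# SSL 3.0 is refused:
#   openssl s_client -connect webmail.mydomain.com:443 -ssl3
# A correct result is a handshake failure / protocol version alert, not a certificate.
```

The verification loop matters because regedit's default "New" type is a string value; a REG_SZ Enabled looks right in the GUI and changes nothing.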
SBS has some nice tools for SSL certificates.
http://technet.microsoft.com/en-us/library/cc527486%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/aa998359%28v=exchg.150%29.aspx
This will redirect plain HTTP requests for the site root to OWA via SSL. In IIS Manager, select Default Web Site and open HTTP Redirect:
1. Check Redirect requests to this destination and type the following URL: https://webmail.mydomain.com/owa
2. Check Only redirect requests to content in this directory (not subdirectories).
3. Set the status code to Found (302).
4. Apply.
Once the above steps are completed, go through the virtual directories under Default Web Site (Autodiscover, ecp, EWS, Microsoft-Server-ActiveSync, OAB, owa, PowerShell, Rpc and the rest); each of them has inherited the redirect from the site. In the HTTP Redirect section, remove the check mark Redirect requests to this destination and Apply the changes, otherwise /owa, /ecp and the other paths redirect back to /owa in a loop.
Please Note: The Exchange, Exchweb, and Public virtual directories should redirect to /owa. Those three exist on Exchange 2007/2010 only; Exchange 2013 does not create them.
The redirect only fires if Require SSL is not enforced on the Default Web Site root (SSL Settings); with it on, an HTTP request gets 403.4 before the redirect is evaluated. Leave Require SSL enabled on the individual virtual directories.
Finally, restart IIS with the iisreset command and test the various URLs.
Needs verification! Not valid for Exchange 2013.
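The same redirect configured with the IIS WebAdministration module instead of the IIS Manager dialogs, followed by a check that the site root answers 302 and the child directories do not; this is an added example, not code from the original notes or from the linked article. It assumes the host name webmail.mydomain.com from the steps above and the standard Exchange virtual directory names; the sslFlags value is the access section's flags enum as I understand it.

```powershell
# Added example, not from the original page: HTTP -> HTTPS redirect to OWA via WebAdministration,
# with the per-directory override and a 302 check afterwards.
Import-Module WebAdministration

$site     = 'IIS:\Sites\Default Web Site'
$owaUrl   = 'https://webmail.mydomain.com/owa'          # assumption: name on your certificate
$children = 'aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync',
            'OAB', 'owa', 'PowerShell', 'Rpc'

# Site root: Redirect requests to this destination, only this directory, Found (302).
$f = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name destination        -Value $owaUrl
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name exactDestination   -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name httpResponseStatus -Value 'Found'

# Plain HTTP must be allowed to reach the site root, or IIS answers 403.4 before redirecting.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# Children inherit the redirect from the site; switch it off on each so /owa, /ecp, ... do not loop.
foreach ($vdir in $children) {
    $path = "$site\$vdir"
    if (Test-Path $path) {
        Set-WebConfigurationProperty -PSPath $path -Filter $f -Name enabled -Value $false
    }
}

iisreset | Out-Null

# Root must answer 302 with Location = OWA; a child URL must not redirect (it will demand SSL instead).
function Test-OwaRedirect {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Location = $r.Headers['Location'] }
    } catch {
        # Windows PowerShell throws on 3xx when redirects are capped and on 4xx; the response is still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { return [pscustomobject]@{ Url = $Url; Status = -1; Location = $_.Exception.Message } }
        return [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    }
}
Test-OwaRedirect 'http://webmail.mydomain.com/'
Test-OwaRedirect 'http://webmail.mydomain.com/ecp/'
```

Expect Status 302 with Location https://webmail.mydomain.com/owa for the root and 403 for /ecp/ over plain HTTP; a 302 on the child means the inherited redirect is still enabled there.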
Change the mail.yourdomain.com part to match the name in your SSL certificate.
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the public name configured in your SSL certificate. Internal DNS must resolve that name to the Exchange server (split-brain DNS or an internal A record), otherwise internal clients still get certificate name mismatch warnings:
Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.yourdomain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"
(The parameter dashes must be plain ASCII hyphens; the en-dashes some web pages render break the commands when pasted.)
Once the commands above have been done, restart IIS:
iisreset
If you can't restart IIS: in IIS Manager open Application Pools, select MSExchangeAutodiscoverAppPool, and then click Recycle.
The Test-*Connectivity cmdlets need the test mailbox user. Create it with the script shipped with Exchange; use a strong password when the script prompts for one:
cd $env:ExchangeInstallPath\Scripts
Get-MailboxServer | .\new-testcasconnectivityuser.ps1
Then check the certificate and the client access services:
Get-ExchangeCertificate | fl
Test-WebServicesConnectivity | fl
Test-OutlookConnectivity -Protocol HTTP
Enable-OutlookAnywhere -Server "Exchange" -ExternalHostname "mail.icahealth.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
Test-OutlookWebServices -ClientAccessServer "Exchange"
Enable-OutlookAnywhere exists on Exchange 2007/2010 only; on Exchange 2013 Outlook Anywhere is already enabled and the host name is changed with Set-OutlookAnywhere -ExternalHostname instead.
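After changing the URLs, the check a practitioner wants is whether every host name Exchange now publishes is actually covered by the certificate bound to IIS, because a single forgotten directory is enough to keep the Outlook certificate warning. The script below is an added example (not from the original notes): it runs in the Exchange Management Shell, takes the SAN list from the certificate with the IIS service enabled, and flags each InternalUrl/ExternalUrl and the Autodiscover SCP that the certificate does not cover. It assumes RFC-style wildcard matching (one label only), which is how Outlook and browsers treat *.yourdomain.com.

```powershell
# Added example, not from the original page: cross-check Exchange client URLs against the
# names on the IIS certificate. Run in the Exchange Management Shell.

function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.yourdomain.com matches mail.yourdomain.com,
        # not a.mail.yourdomain.com.
        if ($d.StartsWith('*.') -and $HostName -like $d -and
            ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# The certificate serving IIS (OWA/ECP/EWS/OAB/Autodiscover/ActiveSync all sit behind it).
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No certificate has the IIS service enabled.' }
$domains = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"IIS cert $($iisCert.Thumbprint) covers: $($domains -join ', ')"

# Collect InternalUrl/ExternalUrl from each virtual directory type, plus the Autodiscover SCP.
$urls = @()
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory', 'Get-AutodiscoverVirtualDirectory') {
    foreach ($vd in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) { $urls += [pscustomobject]@{ Source = "$($vd.Identity) $prop"; Url = $vd.$prop } }
        }
    }
}
foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        $urls += [pscustomobject]@{ Source = "$($cas.Name) AutoDiscoverServiceInternalUri"
                                    Url    = $cas.AutoDiscoverServiceInternalUri }
    }
}

# Anything with Covered = False (or Https = False) will produce warnings in Outlook and on phones.
$urls | ForEach-Object {
    $u = [uri]$_.Url
    [pscustomobject]@{
        Source  = $_.Source
        Host    = $u.Host
        Https   = ($u.Scheme -eq 'https')
        Covered = Test-HostCoveredByCert -HostName $u.Host.ToLower() -CertDomains $domains
    }
} | Sort-Object Covered, Host | Format-Table -AutoSize
```

Rows with Covered = False are the ones to fix with the Set-*VirtualDirectory commands above, or by reissuing the certificate with the missing name.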
If the CA delivered separate PEM files (certname.crt, certname.key, certname_ca.crt), they must be combined into a single PFX/PKCS#12 file before Exchange can import them. A web-based converter does this as follows:
Type to Convert To: PFX/PKCS#12
Certificate File to convert: certname.crt
Private Key file: certname.key
Chain Certificate file: certname_ca.crt
Convert Certificate and download.
Be aware that uploading certname.key to any third-party web form hands your private key to that site; converting locally with openssl keeps the key on your own machine. Then import the PFX (add the -Password parameter if the PFX was exported with one):
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "E:\Cert_Location\your_cert_name.pfx" -Encoding byte -ReadCount 0))
Get-ExchangeCertificate | fl
Get-ExchangeCertificate
Set the certificate name offered to POP and IMAP clients. It must be the subject or one of the SAN names of the certificate that has the POP and IMAP services enabled:
Set-ImapSettings -X509CertificateName yourarecord.yourdomain.com
Set-PopSettings -X509CertificateName yourarecord.yourdomain.com
Get-PopSettings
Get-ImapSettings
Restart-Service MSExchangePOP3
Restart-Service MSExchangeImap4
On Exchange 2013 the backend services MSExchangePOP3BE and MSExchangeIMAP4BE must be restarted as well.
https://blog.cpolydorou.net/2018/03/configuring-certificate-on-exchange.html
Get-ReceiveConnector
Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
Set the correct SSL certificate used by the Default Frontend (SMTP on port 25) connector. TlsCertificateName is the certificate's issuer and subject in the form <i>Issuer<s>Subject; build it from the certificate object so the strings match exactly. The certificate must also have the SMTP service enabled on it (Enable-ExchangeCertificate), or the connector cannot use it:
Get-ExchangeCertificate
$cert = Get-ExchangeCertificate -Thumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$cert | fl Thumbprint,Issuer,Subject
$tls = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" -TlsCertificateName $tls
Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
Test from a Linux host; the subject and Verify return code in the output show which certificate the connector now presents:
openssl s_client -connect exchange.yourdomain.tld:25 -starttls smtp < /dev/null
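When no Linux host is handy, the same STARTTLS probe can be done from PowerShell. The function below is an added example (not from the original notes): it speaks enough SMTP to reach STARTTLS, completes the TLS handshake without trusting the certificate, reports what was presented, and compares the thumbprint with the certificate the connector is configured to use. The host name and connector name are the placeholders used on this page.

```powershell
# Added example, not from the original page: STARTTLS probe of the Default Frontend connector.
function Get-SmtpStartTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$Ehlo = 'probe.local'   # assumption: any syntactically valid EHLO name
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object IO.StreamReader($stream, [Text.Encoding]::ASCII)
        $writer = New-Object IO.StreamWriter($stream, [Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # One SMTP reply; multi-line replies use "250-" continuation and end with "250 ".
        function Read-Reply {
            do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
            return $line
        }
        $banner = Read-Reply
        if (-not $banner.StartsWith('220')) { throw "Unexpected banner: $banner" }
        $writer.WriteLine("EHLO $Ehlo"); $null = Read-Reply
        $writer.WriteLine('STARTTLS')
        $ready = Read-Reply
        if (-not $ready.StartsWith('220')) { throw "STARTTLS refused: $ready" }

        # Accept any certificate: the point is to see what is presented, not to trust it.
        $ssl = New-Object Net.Security.SslStream($stream, $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $x509 = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol
            Subject    = $x509.Subject
            Issuer     = $x509.Issuer
            Thumbprint = $x509.Thumbprint
            NotAfter   = $x509.NotAfter
        }
    } finally {
        $client.Close()
    }
}

$presented = Get-SmtpStartTlsCertificate -Server 'exchange.yourdomain.tld'
$presented | Format-List

# Compare with the connector configuration (Exchange Management Shell). -eq is case-insensitive,
# so the <i>/<s> versus <I>/<S> spelling of the identifier does not matter here.
$rc       = Get-ReceiveConnector 'VA-EXCH-01\Default Frontend VA-EXCH-01'
$expected = Get-ExchangeCertificate | Where-Object {
    "<i>$($_.Issuer)<s>$($_.Subject)" -eq "$($rc.TlsCertificateName)" -and $_.Services -match 'SMTP'
}
if ($expected -and $expected.Thumbprint -eq $presented.Thumbprint) {
    'OK: connector presents the configured certificate'
} else {
    'MISMATCH: check that the certificate has the SMTP service enabled and that TlsCertificateName is set'
}
```

A Protocol value of Ssl3 in the output means the SChannel change at the top of this page has not taken effect on this host.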
Read this entire page first: https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html
Renew the expired/expiring Microsoft Exchange Server Auth Certificate (MESAC) in EAC:
EAC → Servers → Certificates
You will need to copy the thumbprint of the new MESAC to be used in the following EMS commands. Substitute your new thumbprint; the one below is only the value from these notes:
Get-AuthConfig
$thumb = "1DB0B9BC4195B1F5EDFC4CDED5106B9F4069FFF1"
$date = Get-Date
Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate $date
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
iisreset
Run Get-AuthConfig again and confirm CurrentCertificateThumbprint shows the new value. If it is still not working properly after the IIS restart, you might try rebooting the server.
Do not delete the last self-signed cert; Exchange creates the "Microsoft Exchange" and the Microsoft Exchange Server Auth Certificate entries itself and relies on them.
Delete all unused commercial certs to avoid confusion as to which cert is being applied where.
List all certs and their details:
Get-ExchangeCertificate | fl Cert*,Services,Thumb*,Subject
Import a PFX and enable it for the services in one go. Set $ServerName and $CertificateImport first; Import-ExchangeCertificate returns the imported certificate, so its thumbprint can be used directly (add -Password if the PFX is password-protected):
$cert = Import-ExchangeCertificate -Server $ServerName -FileName $CertificateImport
Enable-ExchangeCertificate -Server $ServerName -Thumbprint $cert.Thumbprint -Services POP,IMAP,IIS,SMTP -Confirm
Or with literal values:
Enable-ExchangeCertificate -Server '<your-server-name>' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint '<your thumbprint>'
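The complete local workflow, from the three PEM files in the conversion steps earlier on this page to the import and Enable-ExchangeCertificate commands just above, as an added example that is not code from the original notes: it builds the PFX with openssl on the server itself (so the private key is never uploaded to a web converter), checks that the key matches the certificate first, imports with a password, binds the services and removes the PFX afterwards. It assumes openssl.exe is on PATH (for instance from Git for Windows), an RSA key, and the E:\Cert_Location folder and certname.* file names used above.

```powershell
# Added example, not from the original page: PEM -> PFX locally, then import and enable in Exchange.
# Run in the Exchange Management Shell on the target server.

$dir    = 'E:\Cert_Location'                 # assumption: folder used earlier on this page
$crt    = Join-Path $dir 'certname.crt'
$key    = Join-Path $dir 'certname.key'
$chain  = Join-Path $dir 'certname_ca.crt'
$pfx    = Join-Path $dir 'certname.pfx'
$server = $env:COMPUTERNAME

# A PFX contains the private key: always protect it with a password and delete it after import.
$pfxPass = Read-Host -AsSecureString -Prompt 'Password for the new PFX'
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass))

# Sanity check before packaging: the key must belong to the certificate (RSA modulus must match).
$certMod = & openssl x509 -noout -modulus -in $crt
$keyMod  = & openssl rsa  -noout -modulus -in $key
if ($certMod -ne $keyMod) { throw "Private key does not match certificate ($crt / $key)" }

# Bundle leaf + key + intermediate chain into one PKCS#12 file.
& openssl pkcs12 -export -in $crt -inkey $key -certfile $chain -out $pfx -passout "pass:$plain"
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# Import through Exchange; the FileData form works on Exchange 2010 and 2013 alike.
$bytes = [IO.File]::ReadAllBytes($pfx)
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes -Password $pfxPass

# Bind to the services. Exchange asks before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services 'IMAP, POP, IIS, SMTP'

# The key is now in the machine store; the PFX on disk is only a liability.
Remove-Item $pfx -Force
Get-ExchangeCertificate -Server $server | fl Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

The private key is imported non-exportable (the Import-ExchangeCertificate default), which is the posture you want for a server certificate; keep the original PEM files offline if you need to install the same certificate elsewhere.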