Modify Exchange 2016 external URLs

LMS 156 Reputation points
2021-03-23T09:19:13.57+00:00

Hi

We have modified the internal URLs, users' primary mail addresses & UPNs to @newdomain.com. Now we plan to modify the external URLs to match. Below is the plan:

  1. Since we allow only Outlook 2016 clients, do we need to configure the Internal & External ClientAuthenticationMethods to Negotiate?

Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate -ExternalClientAuthenticationMethod Negotiate

Following are the current settings:
* SSLOffloading : True
* ExternalClientAuthenticationMethod : Ntlm
* InternalClientAuthenticationMethod : Ntlm

Do we need to modify IISAuthenticationMethods for better security?
* IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

We have to modify the below host names to match the new domain, right?
* ExternalHostname : mail.olddomain.com
* InternalHostname : mail.olddomain.com

  1. Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.newdomain.com
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.newdomain.com
    Set-OutlookProvider -Identity WEB -CertPrincipalName msstd:*.newdomain.com
    As of now it's configured as msstd:*.olddomain.com for EXCH & EXPR and Null / empty for WEB. So shall we configure as above?
  2. Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ActiveSyncServer 'https://mail.newdomain.com/Microsoft-Server-ActiveSync' -ExternalUrl 'https://mail.newdomain.com/Microsoft-Server-ActiveSync'

Below are the current settings
* ExternalUrl : https://mail.olddomain.com/ecp

Do we need to modify any of the below authentication methods for better security? External access to ECP has been blocked on the firewall.

InternalAuthenticationMethods : {Basic, Fba}
MetabasePath : IIS://MBSRV1.MYDOMAIN.COM/W3SVC/1/ROOT/ecp
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False

  1. Get-oabVirtualDirectory | Set-oabVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/oab'
    Below are the current settings

Do we need to modify any of the below authentication methods?
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}

  1. Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/owa'
    Below are the current settings

Here we have one question: how can we disable the default selection "Private Computer" in OWA?

Do we need to modify any of the below authentication methods?
OwaVersion : Exchange2013
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False

  1. Autodiscover is already configured as $Null, as seen below
    InternalUrl :
    ExternalUrl :

Do we need to modify any of the below authentication methods?

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

  1. Get-mapiVirtualDirectory | Set-mapiVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/mapi'

Below are the current settings
* ExternalUrl : https://mail.olddomain.com/mapi

Do we need to modify any of the below settings?
IISAuthenticationMethods : {Ntlm, Negotiate}
InternalAuthenticationMethods : {Ntlm, Negotiate}
ExternalAuthenticationMethods : {Ntlm, Negotiate}

  1. Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl 'http://mail.newdomain.com/powershell'

Below are the current settings
* InternalUrl : http://mail.newdomain.com/powershell

The above setting / internal URL has already been updated, but it is not secure. Shall we configure RequireSSL & make the URL https?
* ExternalUrl : https://mail.olddomain.com/powershell

Do we need to modify any of the below authentication methods?
RequireSSL : False
CertificateAuthentication : True
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : False
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : False
OAuthAuthentication : False
AdfsAuthentication : False

  1. Get-webservicesVirtualDirectory | Set-webservicesVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/EWS/exchange.asmx'
    Below are the current settings

Since we have a hardware load balancer, we configured these with host names:
InternalNLBBypassUrl : https://mbsrv1.mydomain.com/ews/exchange.asmx
InternalNLBBypassUrl : https://mbsrv2.mydomain.com/ews/exchange.asmx

Do we need to modify any of the below authentication methods?

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

  1. FQDN is not configured on the send connectors; is it required? We have IronPort as a smart host.
  2. Remove internal server details
    Get-SendConnector -Identity InternetConnector-Outside | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'
    Will this cause any issues with 3rd-party filters for external recipients / domains?

Waiting for suggestions

Thanks in advance
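An audit script for the plan above, added here as an example; it is not part of the question or of Microsoft's documentation. It assumes an Exchange Management Shell session, and the host names, the server name and the Add-Finding helper are placeholders/assumptions.

```powershell
# Added example, not from the thread: audit Exchange 2016 client-access URLs for the old
# host name or plaintext http, then preview the fixes with -WhatIf. Names are placeholders.
$OldHost   = 'mail.olddomain.com'
$NewHost   = 'mail.newdomain.com'
$OldDomain = 'olddomain.com'
$Server    = 'MBSRV1'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Set, $Id, $Prop, $Value, $Issue) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ SetCmdlet = $Set; Identity = "$Id"; Property = $Prop
                                     Value = "$Value"; Issue = $Issue })
}
# Virtual directories with InternalUrl/ExternalUrl (RequireSSL exists only on /powershell).
$getCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
              'Get-MapiVirtualDirectory', 'Get-WebServicesVirtualDirectory',
              'Get-ActiveSyncVirtualDirectory', 'Get-PowerShellVirtualDirectory'
foreach ($get in $getCmdlets) {
    $set = $get -replace '^Get-', 'Set-'
    foreach ($vdir in (& $get -Server $Server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = [string]$vdir.$prop
            if ($url -like "*//$OldHost/*") { Add-Finding $set $vdir.Identity $prop $url 'old host name' }
            if ($url -like 'http://*')      { Add-Finding $set $vdir.Identity $prop $url 'plaintext http' }
        }
        if ($vdir.PSObject.Properties['RequireSSL'] -and -not $vdir.RequireSSL) {
            Add-Finding $set $vdir.Identity 'RequireSSL' $vdir.RequireSSL 'SSL not required'
        }
    }
}
# Outlook Anywhere and the Outlook providers carry host names, not URLs.
foreach ($oa in (Get-OutlookAnywhere -Server $Server)) {
    foreach ($prop in 'InternalHostname', 'ExternalHostname') {
        if ("$($oa.$prop)" -eq $OldHost) { Add-Finding 'Set-OutlookAnywhere' $oa.Identity $prop $oa.$prop 'old host name' }
    }
}
foreach ($p in (Get-OutlookProvider)) {
    if ("$($p.CertPrincipalName)" -like "*$OldDomain") {
        Add-Finding 'Set-OutlookProvider' $p.Identity 'CertPrincipalName' $p.CertPrincipalName 'old domain'
    }
}
$findings | Format-Table Identity, Property, Value, Issue -AutoSize

# Preview the URL rewrites (same path, new host, https); remove -WhatIf after reviewing the
# report. Host names and certificate principal names are left for a deliberate manual change.
$findings | Where-Object { $_.Property -like '*Url' } | Sort-Object Identity, Property -Unique |
  ForEach-Object {
    $newUrl = ($_.Value -replace [regex]::Escape($OldHost), $NewHost) -replace '^http://', 'https://'
    $params = @{ Identity = $_.Identity; WhatIf = $true }
    $params[$_.Property] = $newUrl
    & $_.SetCmdlet @params
  }
```

Run it once per Mailbox server; the report lists each property still pointing at the old host name, any http:// URL, and a PowerShell virtual directory with RequireSSL disabled, and the -WhatIf pass shows the exact Set-* calls before anything is changed.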


2 answers

  1. Joyce Shen - MSFT 16,636 Reputation points
    2021-03-24T02:58:09.697+00:00

    Hi @LMS

    We could refer to the link Exchange Autodiscover – A Guide to Making Exchange Work Properly

    For Exchange 2016

    Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod Negotiate -InternalClientAuthenticationMethod Negotiate -IISAuthenticationMethods Basic,NTLM,Negotiate

    The authentication method configured in my environment:

    [screenshots]

    For the PowerShell virtual directory, yes, we could configure it as https.

    [screenshot]

    No need to modify authentication methods for webservicesVirtualDirectory.

    You identify one or more smart hosts to use for the Send connector by an individual IP address (for example 10.1.1.1), a fully qualified domain name (FQDN) (for example spamservice.contoso.com), or combinations of both types of values. If you use an FQDN, the source Exchange server for the Send connector must be able to resolve the FQDN (which could be an MX record or an A record) by using DNS.


  2. LMS 156 Reputation points
    2021-04-04T08:19:49.987+00:00

    Thank You

    We are done with all of it except the OutlookAnywhere external & internal host names. With Autodiscover we can see it as below:

    <Protocol>
    <Type>EXHTTP</Type>
    <Server>mail.olddomain.com</Server>
    <SSL>On</SSL>

    Since we didn't find any MS reference / forum post about changing these values, we kept the old domain names. So shall we change them?