Hi
We have modified the internal URLs and the users' primary mail address & UPN to @newdomain.com. Now we plan to modify the external URLs to match. Below is the plan:
- Since we allowed only Outlook 2016 clients, do we need to configure Internal & External ClientAuthenticationMethods to Negotiate?
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate -ExternalClientAuthenticationMethod Negotiate
Following are current settings
* SSLOffloading : True
* ExternalClientAuthenticationMethod : Ntlm
* InternalClientAuthenticationMethod : Ntlm
Do we need to modify IISAuthenticationMethods for better security?
* IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
We have to modify below host names to match new domain, right?
* ExternalHostname : mail.olddomain.com
* InternalHostname : mail.olddomain.com
- Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:.newdomain.com
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:.newdomain.com
Set-OutlookProvider -Identity WEB -CertPrincipalName msstd:.newdomain.com
As of now it's configured as msstd:.olddomain.com for EXCH & EXPR and Null / empty for WEB. So shall we configure as above?
- Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ActiveSyncServer 'https://mail.newdomain.com/Microsoft-Server-ActiveSync' -ExternalUrl 'https://mail.newdomain.com/Microsoft-Server-ActiveSync'
Below are the current settings
Below are current
* ExternalUrl : https://mail.olddomain.com/ecp
Do we need to modify any of the below authentication methods for better security? External access to ecp has been blocked on the firewall.
InternalAuthenticationMethods : {Basic, Fba}
MetabasePath : IIS://MBSRV1.MYDOMAIN.COM/W3SVC/1/ROOT/ecp
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
- Get-oabVirtualDirectory | Set-oabVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/oab'
Below are current settings
Do we need to modify any of below authentication methods?
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
- Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/owa'
Below are current settings
Here we have one question: How can we disable the default selection "Private Computer" in OWA?
Do we need to modify any of below authentication methods?
OwaVersion : Exchange2013
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
- Autodiscover already configured as $Null as seen below
InternalUrl :
ExternalUrl :
Do we need to modify any of below authentication methods?
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
- Get-mapiVirtualDirectory | Set-mapiVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/mapi'
Below are current settings
* ExternalUrl : https://mail.olddomain.com/mapi
Do we need to modify any of below settings?
IISAuthenticationMethods : {Ntlm, Negotiate}
InternalAuthenticationMethods : {Ntlm, Negotiate}
ExternalAuthenticationMethods : {Ntlm, Negotiate}
- Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl 'http://mail.newdomain.com/powershell'
Below are current settings
* InternalUrl : http://mail.newdomain.com/powershell
The above setting / internal URL has already been updated, but it is not secure. Shall we configure RequireSSL & make the URL https?
* ExternalUrl : https://mail.olddomain.com/powershell
Do we need to modify any of below authentication methods?
RequireSSL : False
CertificateAuthentication : True
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : False
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : False
OAuthAuthentication : False
AdfsAuthentication : False
- Get-webservicesVirtualDirectory | Set-webservicesVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/EWS/exchange.asmx'
Below are current settings
Since we have a hardware load balancer, we configured these with host names
InternalNLBBypassUrl : https://mbsrv1.mydomain.com/ews/exchange.asmx
InternalNLBBypassUrl : https://mbsrv2.mydomain.com/ews/exchange.asmx
Do we need to modify any of below authentication methods?
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
- Fqdn is not configured on the send connectors. Is it required? We have Ironport as the smarthost.
- Remove internal server details
Get-SendConnector -Identity InternetConnector-Outside | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'
Will this cause any issues with 3rd party filters with external recipients / domains?
Waiting for suggestions
Thanks in advance
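
A read-only audit for the plan above, added here as an example and not part of the original post: it lists every virtual directory URL and Outlook Anywhere host name that still points at the old domain, uses plain http, or offers Basic authentication. It assumes the Exchange Management Shell and the post's placeholder olddomain.com; the variable and function names are illustrative.

```powershell
# Added example (not from the original post). Read-only: only Get-* cmdlets are called.
# Run in the Exchange Management Shell. $OldDomain is the post's placeholder value.
$OldDomain = 'olddomain.com'

$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-MapiVirtualDirectory',
               'Get-PowerShellVirtualDirectory'

function Test-OffersBasic($methods) {
    # Compare as strings so this works for live and deserialized (remote) objects.
    [bool]((@($methods) | ForEach-Object { "$_" }) -contains 'Basic')
}

# One row per configured InternalUrl / ExternalUrl on every virtual directory.
$findings = @(foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in (& $cmdlet)) {
        $basic = Test-OffersBasic (@($vdir.InternalAuthenticationMethods) +
                                   @($vdir.ExternalAuthenticationMethods))
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $text = [string]$vdir.$prop
            if ([string]::IsNullOrEmpty($text)) { continue }   # URL not set
            $url = [uri]$text
            [pscustomobject]@{
                Server = [string]$vdir.Server; Source = "$cmdlet $prop"; Value = $text
                OldDomain   = $url.Host -like "*$OldDomain"
                PlainHttp   = $url.Scheme -eq 'http'
                OffersBasic = $basic
            }
        }
    }
})

# Outlook Anywhere stores host names rather than URLs.
$findings += @(foreach ($oa in (Get-OutlookAnywhere)) {
    foreach ($prop in 'InternalHostname', 'ExternalHostname') {
        $text = [string]$oa.$prop
        if ([string]::IsNullOrEmpty($text)) { continue }
        [pscustomobject]@{
            Server = [string]$oa.Server; Source = "Get-OutlookAnywhere $prop"; Value = $text
            OldDomain   = $text -like "*$OldDomain"
            PlainHttp   = $false
            OffersBasic = Test-OffersBasic $oa.IISAuthenticationMethods
        }
    }
})

# Show only the rows that still need a decision.
$findings | Where-Object { $_.OldDomain -or $_.PlainHttp -or $_.OffersBasic } |
    Sort-Object Server, Source | Format-Table -AutoSize
```

Running it once before the change and once after gives a before/after record of which endpoints moved to the new domain and which still accept Basic or plain http.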