This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 46%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hi,
Urgent help is needed.
We have published EWS and SMTP on two separate pairs of Exchange 2016 mailbox servers (2 Public IPs) and using a single SAN certificate with the subject name mail.domain.com and autodiscover and SMTP FQDNs in SAN. Looking to deploy classic full hybrid.
EWS: mail.domain.com Public IP1
SMTP: smtp.domain.com Public IP2
While running HCW, what should we enter in the Organization FQDN? Is this EWS FQDN or the SMTP FQDN?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 80%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Hi @Tech10 ,
I'm here to confirm with you if your issue has been resolved.
If the problem is successfully solved, you can share your solution or accept the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thats for SMTP. By the way, there is no need to seperate them out.
I would recommend using the same endpoint (mail.domain.com) for both EWS and SMTP.
Thank you. This is the security requirement to split EWS and SMTP. I would prefer the same as you mentioned. Is the SMTP fqdn in SAN of the cert fine or is it required to be in subject name?
Based on your comment, is the below process correct? Appreciate it if you can glance through and advise.
SSL Cert:
Subject: domain.com
SAN: mail.domain.com, autodiscover.domain.com, smtp.domain.com
My assumption here is that HCW will do the autodiscovery by itself to discover mail.domain.com FQDN. We just pick separate servers for SMTP and cert and use smtp.domain.com when it prompts for the Organization FQDN. We don't need to mention mail.domain.com at any stage during the HCW setup.
The reason why I am running through this process is to ensure that the HCW will set this environment correctly, especially the other things it does such as shared domain name space, federation, Modern Auth etc. I am wondering if I need to use mail.domain.com with HCW and change the smart host on the O365 once it runs or follow the above.
Which one will be the right approach?
Pl. advise.
I would make the subject: smtp.domain.com
What does your external DNS autodiscover.domain.com record point to?
Autodiscover point to public IP1 (same as EWS).
SSL Cert subject name based on the MS article you shared earlier is domain.com. Shall I switch it to smtp.domain.com?
https://learn.microsoft.com/en-us/exchange/certificate-requirements
Thanks
You can use contoso.com. I prefer the specific FQDN plus and additional SAN names, but really up to you.
Either will work.
Autodiscover URL points to the public IP1 (same as EWS).
I really appreciate your time looking into the scenario. Please let me know if the rest of the configuration done by HCW (full classic hybrid) such as federation, Modern Auth etc. uses Organization FQDN in the wizard that I plan to specific which is smtp.domain.com. It has only port 25 open while mail.domain.com has 443.
Hi,
If Andy‘s reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well. If you still have further questions or concerns, feel free to post back.