question

LMS-8913 asked joyceshen-MSFT commented

Modify Exchange 2016 external URLs

Hi

We have modified the internal URLs, users' primary mail addresses and UPNs to @newdomain.com. Now we plan to modify the external URLs to match. Below is the plan:

  1. Since we allow only Outlook 2016 clients, do we need to configure the internal & external ClientAuthenticationMethods to Negotiate?

    Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate -ExternalClientAuthenticationMethod Negotiate

    Following are the current settings:
    SSLOffloading : True
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm

    Do we need to modify IISAuthenticationMethods for better security?
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

    We have to modify the below host names to match the new domain, right?
    ExternalHostname : mail.olddomain.com
    InternalHostname : mail.olddomain.com

  2. Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.newdomain.com
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.newdomain.com
    Set-OutlookProvider -Identity WEB -CertPrincipalName msstd:*.newdomain.com

    As of now it's configured as msstd:*.olddomain.com for EXCH & EXPR and null / empty for WEB. So shall we configure it as above?

  3. Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ActiveSyncServer 'https://mail.newdomain.com/Microsoft-Server-ActiveSync' -ExternalUrl 'https://mail.newdomain.com/Microsoft-Server-ActiveSync'

    Below are the current settings:
    ActiveSyncServer : https://mail.olddomain.com/Microsoft-Server-ActiveSync
    ExternalUrl : https://mail.olddomain.com/Microsoft-Server-ActiveSync

  4. Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/ecp'

    Below is the current setting:
    ExternalUrl : https://mail.olddomain.com/ecp

    Do we need to modify any of the below authentication methods for better security? External access to ecp has been blocked on the firewall.
    InternalAuthenticationMethods : {Basic, Fba}
    MetabasePath : IIS://MBSRV1.MYDOMAIN.COM/W3SVC/1/ROOT/ecp
    BasicAuthentication : True
    WindowsAuthentication : False
    DigestAuthentication : False
    FormsAuthentication : True
    LiveIdAuthentication : False
    AdfsAuthentication : False
    OAuthAuthentication : False

  5. Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/oab'

    Below are the current settings. Do we need to modify any of the below authentication methods?
    BasicAuthentication : False
    WindowsAuthentication : True
    OAuthAuthentication : True
    InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
    ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}

  6. Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/owa'

    Here we have one question: how can we disable the default selection "Private Computer" in OWA?

    Below are the current settings. Do we need to modify any of the below authentication methods?
    OwaVersion : Exchange2013
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication : True
    WindowsAuthentication : False
    DigestAuthentication : False
    FormsAuthentication : True
    LiveIdAuthentication : False
    AdfsAuthentication : False
    OAuthAuthentication : False

  7. Autodiscover is already configured as $Null, as seen below:
    InternalUrl :
    ExternalUrl :

    Do we need to modify any of the below authentication methods?
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication : False
    WSSecurityAuthentication : True
    LiveIdBasicAuthentication : False
    BasicAuthentication : True
    DigestAuthentication : False
    WindowsAuthentication : True
    OAuthAuthentication : True
    AdfsAuthentication : False

  8. Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/mapi'

    Below is the current setting:
    ExternalUrl : https://mail.olddomain.com/mapi

    Do we need to modify any of the below settings?
    IISAuthenticationMethods : {Ntlm, Negotiate}
    InternalAuthenticationMethods : {Ntlm, Negotiate}
    ExternalAuthenticationMethods : {Ntlm, Negotiate}

  9. Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl 'http://mail.newdomain.com/powershell'

    Below are the current settings:
    InternalUrl : http://mail.newdomain.com/powershell

    The internal URL above has already been updated, but it is not secure; shall we configure RequireSSL and make the URL https?
    ExternalUrl : https://mail.olddomain.com/powershell

    Do we need to modify any of the below authentication methods?
    RequireSSL : False
    CertificateAuthentication : True
    InternalAuthenticationMethods : {}
    ExternalAuthenticationMethods : {}
    LiveIdNegotiateAuthentication : False
    WSSecurityAuthentication : False
    LiveIdBasicAuthentication : False
    BasicAuthentication : False
    DigestAuthentication : False
    WindowsAuthentication : False
    OAuthAuthentication : False
    AdfsAuthentication : False

  10. Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl 'https://mail.newdomain.com/EWS/exchange.asmx'

    Below are the current settings. Since we have a hardware load balancer, we configured these with host names:
    InternalNLBBypassUrl : https://mbsrv1.mydomain.com/ews/exchange.asmx
    InternalNLBBypassUrl : https://mbsrv2.mydomain.com/ews/exchange.asmx

    Do we need to modify any of the below authentication methods?
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication :
    WSSecurityAuthentication : True
    LiveIdBasicAuthentication : False
    BasicAuthentication : True
    DigestAuthentication : False
    WindowsAuthentication : True
    OAuthAuthentication : True
    AdfsAuthentication : False

  11. Fqdn is not configured on the send connectors; is it required? We have IronPort as the smart host.

  12. Remove internal server details:
    Get-SendConnector -Identity InternetConnector-Outside | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

    Will this cause any issues with 3rd-party filters for external recipients / domains?

Waiting for suggestions

Thanks in advance

office-exchange-server-administration
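The plan above touches eight endpoint types one cmdlet at a time. The script below is an added example (not code from the thread) that does the same cutover in one pass from the Exchange Management Shell: it reads every virtual directory, reports any InternalUrl/ExternalUrl (and the ActiveSyncServer value) still pointing at the old host, warns about endpoints published over plain http, and only rewrites them when run with -Apply. The OutlookAnywhere host names are handled separately because they are bare names rather than URLs; that part also sets Negotiate, the method the answer in this thread settles on, and ExternalClientsRequireSsl, which I assume the cmdlet wants alongside a new external host name. $OldHost and $NewHost are placeholders for mail.olddomain.com and mail.newdomain.com. Whatever names you publish must also be on the certificate bound to the IIS site, which this script does not check.

```powershell
<#
  Added example, not code from the thread. Run in the Exchange Management Shell.
  Audits client-access endpoints for $OldHost, prints what would change, and
  rewrites only when -Apply is given. $OldHost / $NewHost are placeholders.
#>
param(
    [string]$OldHost = 'mail.olddomain.com',
    [string]$NewHost = 'mail.newdomain.com',
    [switch]$Apply
)

function ConvertTo-NewHost {
    # Returns the value with the host swapped, or $null when it does not reference $OldHost.
    # Accepts bare host names (Outlook Anywhere) and absolute URLs (virtual directories).
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    if ($Value -ieq $OldHost) { return $NewHost }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) { return $null }
    if ($uri.Host -ine $OldHost) { return $null }
    $builder = [System.UriBuilder]$uri
    $builder.Host = $NewHost
    return $builder.Uri.AbsoluteUri
}

# Virtual directories from the cutover plan and the properties on each that carry a URL
$targets = @(
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Props = @('InternalUrl', 'ExternalUrl', 'ActiveSyncServer') },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Props = @('InternalUrl', 'ExternalUrl') },
    @{ Get = 'Get-PowerShellVirtualDirectory';  Set = 'Set-PowerShellVirtualDirectory';  Props = @('InternalUrl', 'ExternalUrl') },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Props = @('InternalUrl', 'ExternalUrl') }
)

foreach ($t in $targets) {
    $getCmd = $t.Get
    $setCmd = $t.Set
    foreach ($obj in (& $getCmd)) {
        $changes = @{}
        foreach ($p in $t.Props) {
            $current = [string]$obj.$p
            # A plain-http endpoint sends credentials and mail data unprotected; flag it whatever the host
            if ($current -like 'http:*') { Write-Warning "$($obj.Identity) $p is plain http: $current" }
            $new = ConvertTo-NewHost $current
            if ($new) { $changes[$p] = $new }
        }
        if ($changes.Count -eq 0) { continue }
        foreach ($kv in $changes.GetEnumerator()) {
            "{0}: {1} {2} -> {3}" -f $obj.Identity, $kv.Key, $obj.($kv.Key), $kv.Value
        }
        if ($Apply) { & $setCmd -Identity $obj.Identity @changes }
    }
}

# Outlook Anywhere publishes bare host names. Negotiate is the method chosen in this thread;
# ExternalClientsRequireSsl is included on the assumption the cmdlet requires it with a new external name.
foreach ($oa in Get-OutlookAnywhere) {
    $ext = ConvertTo-NewHost ([string]$oa.ExternalHostname)
    $int = ConvertTo-NewHost ([string]$oa.InternalHostname)
    if (-not ($ext -or $int)) { continue }
    "{0}: ExternalHostname {1} -> {2}; InternalHostname {3} -> {4}" -f $oa.Identity, $oa.ExternalHostname, $ext, $oa.InternalHostname, $int
    if ($Apply) {
        $oaParams = @{
            Identity                           = $oa.Identity
            ExternalClientAuthenticationMethod = 'Negotiate'
            InternalClientAuthenticationMethod = 'Negotiate'
        }
        if ($ext) { $oaParams['ExternalHostname'] = $ext; $oaParams['ExternalClientsRequireSsl'] = $true }
        if ($int) { $oaParams['InternalHostname'] = $int }
        Set-OutlookAnywhere @oaParams
    }
}

# The remote PowerShell directory in the thread has RequireSSL off; report that too.
# Set-PowerShellVirtualDirectory -RequireSSL $true needs the https binding on the IIS site.
Get-PowerShellVirtualDirectory | Where-Object { -not $_.RequireSSL } |
    ForEach-Object { Write-Warning "$($_.Identity): RequireSSL is False" }
```

Run it once without -Apply to get the list of endpoints that would change, then again with -Apply; afterwards, `Get-OutlookAnywhere | Format-List *Hostname*,*ClientAuthenticationMethod` and the Get-*VirtualDirectory cmdlets show the new values.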

Hi @LMS-8913

Any progress about your issue?


Hi @LMS-8913

Do suggestions below help?

joyceshen-MSFT answered

Hi @LMS-8913

We could refer to the link Exchange Autodiscover – A Guide to Making Exchange Work Properly

For Exchange 2016

Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod Negotiate -InternalClientAuthenticationMethod Negotiate -IISAuthenticationMethods Basic,NTLM,Negotiate

The authentication method configured in my environment:

(screenshots of the Outlook Anywhere authentication settings)

For the PowerShell virtual directory, yes, we could configure it as https:

(screenshot of the PowerShell virtual directory settings)

No need to modify authentication methods for webservicesVirtualDirectory.

You identify one or more smart hosts to use for the Send connector by an individual IP address (for example 10.1.1.1), a fully qualified domain name (FQDN) (for example spamservice.contoso.com), or combinations of both types of values. If you use an FQDN, the source Exchange server for the Send connector must be able to resolve the FQDN (which could be an MX record or an A record) by using DNS.


LMS-8913 answered joyceshen-MSFT commented

Thank You

We have done all of them except the OutlookAnywhere external & internal host names. With Autodiscover we can see it as below:

<Protocol>
<Type>EXHTTP</Type>
<Server>mail.olddomain.com</Server>
<SSL>On</SSL>

Since we didn't find any MS reference or forum post about changing these values, we kept the old domain names. So shall we change them?
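The EXHTTP Server value in that Autodiscover response is what Outlook Anywhere publishes through its ExternalHostname/InternalHostname, so it will keep naming mail.olddomain.com until those are changed. The script below is an added example (not code from the thread) for checking the cutover from the client's side: it parses an Autodiscover POX response and lists every protocol element (Server, CertPrincipalName, the *Url elements) that still carries the old host. $sample is a constructed response modelled on the EXHTTP snippet above; Get-AutodiscoverResponse is an assumed helper that fetches a live one with the caller's Windows credentials.

```powershell
<#
  Added example, not code from the thread. Lists Autodiscover settings that still
  reference the old host. $sample is constructed; Get-AutodiscoverResponse is an
  assumed helper for fetching a real response.
#>

function Get-AutodiscoverResponse {
    # Assumed helper: POST the standard POX request and return the response as XML.
    param([string]$AutodiscoverUrl, [string]$EmailAddress)
    $body = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
    $r = Invoke-WebRequest -Uri $AutodiscoverUrl -Method Post -Body $body -ContentType 'text/xml' -UseDefaultCredentials
    return [xml]$r.Content
}

function Find-StaleAutodiscoverHosts {
    # Walk every element under each <Protocol> and report leaf values that name $OldHost.
    param([xml]$Doc, [string]$OldHost)
    $pattern = [regex]::Escape($OldHost)
    $hits = foreach ($proto in $Doc.Autodiscover.Response.Account.Protocol) {
        foreach ($node in $proto.SelectNodes('.//*')) {
            $isLeaf = $node.ChildNodes.Count -eq 1 -and $node.FirstChild.NodeType -eq 'Text'
            if ($isLeaf -and $node.InnerText -match $pattern) {
                [pscustomobject]@{ Protocol = $proto.Type; Element = $node.LocalName; Value = $node.InnerText }
            }
        }
    }
    return @($hits)
}

# Constructed sample: Outlook Anywhere and OWA still on the old host, EWS/OAB already moved
$sample = [xml]@"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>mail.olddomain.com</Server>
        <SSL>On</SSL>
        <CertPrincipalName>msstd:*.newdomain.com</CertPrincipalName>
        <EwsUrl>https://mail.newdomain.com/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://mail.newdomain.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.olddomain.com/owa/</OWAUrl>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"@

Find-StaleAutodiscoverHosts -Doc $sample -OldHost 'mail.olddomain.com' | Format-Table -AutoSize

# Against a live server (placeholder URL and mailbox):
# $live = Get-AutodiscoverResponse -AutodiscoverUrl 'https://autodiscover.newdomain.com/autodiscover/autodiscover.xml' -EmailAddress 'user@newdomain.com'
# Find-StaleAutodiscoverHosts -Doc $live -OldHost 'mail.olddomain.com'
```

Repeat the check after Set-OutlookAnywhere has been run with the new host names; an empty result means no client-facing setting still points at the old domain, which is also the point at which the old name can safely be dropped from DNS and the certificate.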