Post-installation tasks for Exchange Server 2013 mail flow and client access, including how to configure an SSL certificate.
After you've installed Microsoft Exchange Server 2013 in your organization, you need to configure Exchange Server 2013 for mail flow and client access. Without these additional steps, you won't be able to send mail to the Internet and external clients such as Microsoft Outlook and Exchange ActiveSync devices won't be able to connect to your Exchange organization.
The steps in this topic assume a basic Exchange deployment with a single Active Directory site and a single simple mail transport protocol (SMTP) namespace.
Important
This topic uses example values such as Ex2013CAS, contoso.com, mail.contoso.com, and 172.16.10.11. Replace the example values with the server names, FQDNs, and IP addresses for your organization.
For additional management tasks related to mail flow and clients and devices, see Mail flow and Clients and mobile.
What do you need to know before you begin?
Estimated time to complete this task: 50 minutes
Procedures in this topic require specific permissions. See each procedure for its permissions information.
You might receive certificate warnings when you connect to the Exchange admin center (EAC) website until you configure a secure sockets layer (SSL) certificate on the Client Access server. You'll be shown how to do this later in this topic.
Each organization requires at a minimum one Client Access server and one Mailbox server in the Active Directory forest. Additionally, each Active Directory site that contains a Mailbox server must also contain at least one Client Access server. If you're separating your server roles, we recommend installing the Mailbox server role first.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Step 1: Create a Send connector
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Send connectors" entry in the Mail flow permissions topic.
Before you can send mail to the Internet, you need to create a Send connector on the Mailbox server. Do the following.
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Enter your username and password in Domain\user name and Password and then click Sign in.
Go to Mail flow > Send connectors. On the Send connectors page, click New .
In the New send connector wizard, specify a name for the Send connector and then select Internet. Click Next.
Verify that MX record associated with recipient domain is selected. Click Next.
Under Address space, click Add . In the Add domain window, make sure SMTP is selected in the Type field. In the Fully Qualified Domain Name (FQDN) field, enter *. Click Save.
Make sure Scoped send connector isn't selected and then click Next.
Under Source server, click Add . In the Select a Server window, select a Mailbox server. After you've selected the server, click Add and then click OK.
Click Finish.
Note
A default inbound Receive connector is created when Exchange 2013 is installed. This Receive connector accepts anonymous SMTP connections from external servers. You don't need to do any additional configuration if this is the functionality you want. If you want to restrict inbound connections from external servers, modify the Default Frontend <Client Access server> Receive connector on the Client Access server.
How do you know you've successfully created an outbound Send connector?
To verify that you have successfully created an outbound Send connector, do the following steps:
In the EAC, verify the new Send connector appears in Mail flow > Send connectors.
Open Outlook Web App and send an email message to an external recipient. If the recipient receives the message, you've successfully configured the Send connector.
Step 2: Add additional accepted domains
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Accepted domains" entry in the Mail flow permissions topic.
By default, when you deploy a new Exchange 2013 organization in an Active Directory forest, Exchange uses the domain name of the Active Directory domain where Setup /PrepareAD was run. If you want recipients to receive and send messages to and from another domain, you must add the domain as an accepted domain. This domain is also added as the primary SMTP address on the default email address policy in the next step.
Important
A public Domain Name System (DNS) MX resource record is required for each SMTP domain for which you accept email from the Internet. Each MX record should resolve to the Internet-facing server that receives email for your organization.
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Enter your username and password in Domain\user name and Password and then click Sign in.
Go to Mail flow > Accepted domains. On the Accepted domains page, click New .
In the New accepted domain wizard, specify a name for the accepted domain.
In the Accepted domain field, specify the SMTP recipient domain you want to add. For example, contoso.com.
Select Authoritative domain and then click Save.
How do you know you've successfully added additional accepted domains?
In the EAC, verify the new accepted domain appears in Mail flow > Accepted domains.
Step 3: Configure the default email address policy
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Email address policies" entry in the Email address and address book permissions topic.
If you added an accepted domain in the previous step and you want that domain to be added to every recipient in the organization, you need to update the default email address policy.
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Enter your username and password in Domain\user name and Password and then click Sign in.
Go to Mail flow > Email address policies. On the Email address policies page, select Default Policy and then click Edit .
On the Default Policy Email Address Policy page, click Email Address Format.
Under Email address format, click the SMTP address you want to change and then click Edit .
On the Email address format page in the Email address parameters field, specify the SMTP recipient domain you want to apply to all recipients in the Exchange organization. This domain must match the accepted domain you added in the previous step. For example, @contoso.com. Click Save.
Click Save
In the Default Policy details pane, click Apply.
Note
We recommend that you configure a user principal name (UPN) that matches the primary email address of each user. If you don't provide a UPN that matches the email address of a user, the user will be required to manually provide their domain\username or UPN in addition to their email address. If their UPN matches their email address, Outlook Web App, ActiveSync, and Outlook will automatically match their email address to their UPN.
How do you know you've successfully configured the default email address policy?
To verify that you have successfully configured the default email address policy, do the following steps:
In the EAC, go to Recipients > Mailboxes.
Select a mailbox and then, in the recipient details pane, verify that the User mailbox field has been set to <alias>@<new accepted domain>. For example, david@contoso.com.
Optionally, create a new mailbox and verify the mailbox is given an email address with the new accepted domain by doing the following:
Go to Recipients > Mailboxes, click New and then select User mailbox.
On the new user mailbox page, provide the information required to create a new mailbox. Click Save.
Select the new mailbox and then, in the recipient details pane, verify that the User mailbox field has been set to <alias>@<new accepted domain>. For example, david@contoso.com.
Step 4: Configure external URLs
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "<Service> virtual directory settings" entry in the Clients and mobile devices permissions topic.
Before clients can connect to your new server from the Internet, you need to configure the external domains, or URLs, on the Client Access server's virtual directories and then configure your public domain name service (DNS) records. The steps below configure the same external domain on the external URL of each virtual directory. If you want to configure different external domains on one or more virtual directory external URLs, you need to configure the external URLs manually. For more information, see Virtual directory management.
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Enter your username and password in Domain\user name and Password and then click Sign in.
Go to Servers > Servers, select the name of the Internet-facing Client Access server and then click Edit .
Click Outlook Anywhere.
In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.contoso.com.
While you're here, let's also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail.contoso.com.
Click Save.
Go to Servers > Virtual directories and then click Configure external access domain .
Under Select the Client Access servers to use with the external URL, click Add
Select the Client Access servers you want to configure and then click Add. After you've added all of the Client Access servers you want to configure, click OK.
In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.contoso.com. Click Save.
Note
Some organizations make the Outlook Web App FQDN unique to protect users against changes to underlying server FQDN changes. Many organizations use owa.contoso.com for their Outlook Web App FQDN instead of mail.contoso.com. If you want to configure a unique Outlook Web App FQDN, do the following steps after you completed the previous step. This checklist assumes you have configured a unique Outlook Web App FQDN.
Select owa (Default Web Site) and click Edit .
In External URL, type https://, then the unique Outlook Web App FQDN you want to use, and then append /owa. For example, https://owa.contoso.com/owa.
Click Save.
Select ecp (Default Web Site) and click Edit ..
In External URL, type https://, then the same Outlook Web App FQDN that you specified in the previous step, and then append /ecp. For example, https://owa.contoso.com/ecp.
Click Save.
After you've configured the external URL on the Client Access server virtual directories, you need to configure your public DNS records for Autodiscover, Outlook Web App, and mail flow. The public DNS records should point to the external IP address or FQDN of your Internet-facing Client Access server and use the externally accessible FQDNs that you've configured on your Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.
FQDN
DNS record type
Value
Contoso.com
MX
Mail.contoso.com
Mail.contoso.com
A
172.16.10.11
Owa.contoso.com
CNAME
Mail.contoso.com
Autodiscover.contoso.com
CNAME
Mail.contoso.com
How do you know you've successfully configured external URLs?
To verify that you have successfully configured the external URL on the Client Access server virtual directories, do the following steps:
In the EAC, go to Servers > Virtual directories.
In the Select server field, select the Internet-facing Client Access server.
Select a virtual directory and then, in the virtual directory details pane, verify that the External URL field is populated with the correct FQDN and service as shown below:
To verify that you have successfully configured your public DNS records, do the following steps:
Open a command prompt and run nslookup.exe.
Change to a DNS server that can query your public DNS zone.
In nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.
In nslookup, type set type=mx and then look up the accepted domain you added in Step 1. Verify that the value returned matches the FQDN of the Client Access server.
Step 5: Configure internal URLs
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "<Service> virtual directory settings" entry in the Clients and mobile devices permissions topic.
Before clients can connect to your new server from yourintranet, you need to configure the internal domains, or URLs, on the Client Access server's virtual directories and then configure your private domain name service (DNS) records.
The procedure below lets you choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange server or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you're implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange server because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.
Configure internal and external URLs to be the same
Open the Exchange Management Shell on your Client Access server.
Store the host name of your Client Access server in a variable that will be used in the next step. For example, Ex2013CAS.
$HostName = "Ex2013CAS"
Run each of the following commands in the Shell to configure each internal URL to match the virtual directory's external URL.
Set-EcpVirtualDirectory "$HostName\ECP (Default Web Site)" -InternalUrl ((Get-EcpVirtualDirectory "$HostName\ECP (Default Web Site)").ExternalUrl)
Set-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)" -InternalUrl ((get-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)").ExternalUrl)
Set-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl ((Get-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)").ExternalUrl)
Set-OabVirtualDirectory "$HostName\OAB (Default Web Site)" -InternalUrl ((Get-OabVirtualDirectory "$HostName\OAB (Default Web Site)").ExternalUrl)
Set-OwaVirtualDirectory "$HostName\OWA (Default Web Site)" -InternalUrl ((Get-OwaVirtualDirectory "$HostName\OWA (Default Web Site)").ExternalUrl)
Set-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)" -InternalUrl ((Get-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)").ExternalUrl)
While we're in the Shell, let's also configure the Offline Address Book (OAB) to allow Autodiscover to select the right virtual directory for distributing the OAB. Run the following commands to do this.
After you've configured the internal URL on the Client Access server virtual directories, you need to configure your private DNS records for Outlook Web App, and other connectivity. Depending on your configuration, you'll need to configure your private DNS records to point to the internal or external IP address or fully qualified domain name (FQDN) of your Client Access server. The following are examples of recommended DNS records that you should create to enable internal client connectivity.
FQDN
DNS record type
Value
Mail.contoso.com
CNAME
Ex2013CAS.corp.contoso.com
Owa.contoso.com
CNAME
Ex2013CAS.corp.contoso.com
How do you know you've successfully configured internal URLs?
To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following steps:
In the EAC, go to Servers > Virtual directories.
In the Select server field, select the Internet-facing Client Access server.
Select a virtual directory and then click Edit .
Verify that the Internal URL field is populated with the correct FQDN and service as shown below:
To verify that you have successfully configured your private DNS records, do the following steps:
Open a command prompt and run nslookup.exe.
Change to a DNS server that can query your private DNS zone.
In nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.
Configure different internal and external URLs
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Go to Servers > Virtual directories.
In the Select server field, select the Internet-facing Client Access server.
Select the virtual directory you want to change and click Edit .
In Internal URL, replace the host name between https:// and the first forward slash (/ ) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from Ex2013CAS.corp.contoso.com to internal.contoso.com, change the internal URL from https://Ex2013CAS.corp.contoso.com/ews/exchange.asmx to https://internal.contoso.com/ews/exchange.asmx.
Click Save.
Repeat steps 5 and 6 for each virtual directory you want to change.
Note
The ECP and OWA virtual directory internal URLs must be the same.
You can't set an internal URL on the Autodiscover virtual directory.
Finally, we need to open the Shell and configure the Offline Address Book (OAB) to allow Autodiscover to select the right virtual directory for distributing the OAB. Run the following commands to do this.
After you've configured the internal URL on the Client Access server virtual directories, you need to configure your private DNS records for Outlook Web App, and other connectivity. Depending on your configuration, you'll need to configure your private DNS records to point to the internal or external IP address or FQDN of your Client Access server. The following is an example of recommended DNS record that you should create to enable internal client connectivity if you've configured your virtual directory internal URLs to use internal.contoso.com.
FQDN
DNS record type
Value
internal.contoso.com
CNAME
Ex2013CAS.corp.contoso.com
How do you know you've successfully configured different internal and external URLs?
To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following steps:
In the EAC, go to Servers > Virtual directories.
In the Select server field, select the Internet-facing Client Access server.
Select a virtual directory and then click Edit .
Verify that the Internal URL field is populated with the correct FQDN. For example, you may have set the internal URLs to use internal.contoso.com.
To verify that you have successfully configured your private DNS records, do the following steps:
Open a command prompt and run nslookup.exe.
Change to a DNS server that can query your private DNS zone.
In nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.
Step 6: Configure an SSL certificate
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Certificate management" entry in the Mail flow permissions topic.
Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. The following steps show you how to configure an SSL certificate from a third-party certificate authority (CA):
Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
Enter your username and password in Domain\user name and Password and then click Sign in.
Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .
In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
Specify a name for this certificate and then click Next.
If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.
For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:
If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.
These domains will be used to create the SSL certificate request. Click Next.
Add any additional domains you want included on the SSL certificate.
Select the domain that you want to be the common name for the certificate, and then click Set as common name. For example, contoso.com. Click Next.
Provide information about your organization. This information will be included with the SSL certificate. Click Next.
Specify the network location where you want this certificate request to be saved. Click Finish.
After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:
On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
In the certificate request details pane, click Complete under Status.
On the complete pending request page, specify the path to the SSL certificate file and then click OK.
Select the new certificate you just added, and then click Edit .
On the certificate page, click Services.
Select the services you want to assign to this certificate. At minimum, you should select SMTP and IIS. Click Save.
If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
How do you know you've successfully added new certificates?
To verify that you have successfully added a new certificate, do the following steps:
In the EAC, go to Servers > Certificates.
Select the new certificate and then, in the certificate details pane, verify that the following are true:
Status shows Valid
Assigned to services shows, at minimum, IIS and SMTP.
How do you know this task worked?
To verify that you have configured mail flow and external client access, do the following steps:
In Outlook, on an Exchange ActiveSync device, or on both, create a new profile. Verify that Outlook or the mobile device successfully creates the new profile.
In Outlook, or on the mobile device, send a new message to an external recipient. Verify the external recipient receives the message.
In the external recipient's mailbox, reply to the message you just sent from the Exchange mailbox. Verify the Exchange mailbox receives the message.
Go to https://owa.contoso.com/owa and verify that there are no certificate warnings.
This module examines how clients connect to Microsoft 365. It also provides instruction on how to configure name resolution and Outlook clients, and how to troubleshoot client connectivity.
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.