I use often use split-DNS in my setups but in a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network (domain.local), the other used by the external network (domain.com). Bing/Google if you need more info….
On Exchange 2007/2010 the internalURL and externalURL settings are used by the autodiscover service to tell Outlook/mobile clients where they should connect. Internal is for LAN users and External is for the rest of the world.
So if I install the cert on Exchange : *.domain.com everything will work from the outsite but internal users will receive a cert error.
So basicly the domain.local users are trying to connect to exchange that has domain.com certification !
This can be avoided by changing internal ulrs to match the external urls (same as on external cert) but this is so easy with these four PowerShell commands.
- Set-WebServicesVirtualDirectory -Identity “SERVERNAME\EWS (Default Web Site)” -InternalUrl https://SERVERNAME.DOMAIN.COM/ews/exchange.asmx
- Set-OABVirtualDirectory -Identity “SERVERNAME\oab (Default Web Site)” -InternalUrl https://SERVERNAME.DOMAIN.COM/oab
- Set-UMVirtualDirectory -Identity “SERVERNAME\unifiedmessaging (Default Web Site)” -InternalUrl https://SERVERNAME.DOMAIN.COM/unifiedmessaging/service.asmx
- Set-ClientAccessServer -Identity SERVERNAME -AutodiscoverServiceInternalUri https://SERVERNAME.DOMAIN.COM/autodiscover/autodiscover.xml
SERVERNAME : replace with you Exchange server name
DOMAIN.COM :replace with your external domain name 🙂
The internal name can be on the public cert, as long as your internal domain isn’t publicly routable.
You can get a SAN certificate with alternative names of domain.local if you dont have/like split DNS.