The Exchange Server 2013 Client Access Server deployment process is relatively straightforward, but there's a considerable amount of work to do before you can actually use the new servers. Here are the most important configuration tasks you'll have to complete for new Exchange 2013 CAS.
Step-by-step process to configure certificates
After your Exchange CAS is up and running, you'll need to acquire the necessary certificates. Smaller organizations can use the self-signed certificates that are installed by default, but there are limitations with this. For example, self-signed certificates don't work with
The Exchange Administration Center contains a tool to help with the certificate request. You can access it by logging into the EAC and clicking on Servers and selecting the Certificates pane. Click the plus icon to launch the New Exchange Certificate Wizard.
The wizard's initial screen asks you if you want to create a self-signed certificate or if you want to create a request for a certificate from a certification authority. Choose the option to create a certificate request and click Next.
Enter a name for the certificate request and then click Next.
The next screen asks if you want to request a wildcard certificate. Wildcard certificates will work, but they tend to be less secure than SAN certificates. It's best to just click Next.
At this point, you'll be asked which server you want to store the certificate request on. Make your selection and click Next.
Assuming you aren't requesting a wildcard certificate, the next screen asks you to specify the domain you want to include in your certificate request; you must do this for each service you plan to use.
After completing the domains and services list, click Next and you will go to a screen asking for basic information about your organization, such as company name and location. Populate this information and click Next.
Now you'll be asked to verify the name of the new certificate request. Click Finish to create the certificate request file. If you have your own enterprise certificate authority, you can use this file to request a certificate. If you're using a commercial certificate authority, you might be able to upload the file. Some providers don't accept file uploads but will allow you to copy the contents of your certificate request file, which you can view with Notepad, to a Web form.
Once you receive your new certificate, add the certificate to the Client Access Server certificate store in the Exchange CAS.
Configure virtual directories for an Exchange CAS deployment
Once certificates are in place, you'll need to use the Exchange Management Shell to configure Outlook Anywhere connectivity. The actual command you use varies and depends on whether you need to establish internal connectivity or external connectivity. The command below provides internal and external connectivity:
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname "<the FQDN that will be
used to access your server internally>" -InternalClientAuthenticationMethod Ntlm
-InternalClientsRequireSsl $true -ExternalHostname "<the FQDN that will be used to access your
server from the outside world>" -ExternalClientAuthenticationMethod Basic
-ExternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic
If you don't want to allow external connectivity, omit the ExternalHostname, ExternalClientAuthenticationMethod and ExternalClientsRequireSSL parameters.
You'll also need to configure the ActiveSync virtual directory. Use this command to do so:
Set-ActiveSyncVirtualDirectory -Identity <your CAS
server>\Microsoft-Server-ActiveSync -ExternalUrl "https://<your
The next thing to configure is the Web Services virtual directory. Use this command to do so:
Set-WebServicesVirtualDirectory -Identity "<your Exchange 2013 CAS server>\EWS
(Default Web Site)" -ExternalUrl https://<your domain>/EWS/Exchange.asmx
After configuring the Web Services virtual directory, use the following command to configure the Offline Address Book:
Set-OABVirtualDirectory -Identity "<your Exchange 2013 CAS server>\OAB (Default
Web Site)" -ExternalUrl https://<your domain>/OABC
Finally, configure the AutoDiscover Service with the following command:
Set-ClientAccessServer -Identity <your Exchange 2013 Client Access Server>
If you install Exchange Server 2013 from scratch, you won't need to enter additional virtual directory configuration commands. But if you're migrating from Exchange Server 2010, there are a few more commands to run to establish external access to your Exchange CAS server.
The first command to enter sets the external URL the OWA will use. After entering the command, restart IIS before the change takes effect. Do so by either rebooting the server or by entering the following two commands:
Net Stop IISAdmin /y
Net Start W3SVC
Once you redirect external OWA access, you'll have to configure external access to EAC and configure the availability service. Use these commands to do so:
Set-EcpVirtualDirectory <your Exchange 2013 CAS server>\ECP* -ExternalUrl
https://<your domain>/ECP -InternalURL https://<your domain>/ECP
Set-Webservicesvirutaldirectory -Identity <your Exchange 2013 CAS
server>/EWS\(Default Website) -ExternalURL https://<your
About the author:
Brien Posey is an eight-time Microsoft MVP for his work with Windows Server, IIS, Exchange Server and file system storage technologies. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once responsible for IT operations at Fort Knox. He has also served as a network administrator for some of the nation's largest insurance companies.
This was first published in February 2014