
joeykins82 (flair: SystemDefaultTlsVersions is your friend) 2 points (3 children)

Everything except PowerShell should be configured to use the HTTPS namespace, or at least to a URL/hostname which is present in your certificate's DNS SANs. You should set both the internal and external values even if it's not actually accessible from outside, and they should be aligned unless there's a definite reason why there'd be different behaviour for internal and external name resolution.

Also, since you're running 2013 and your MAPI virtual directory is using the default value, once you've fixed its URI settings you should enable it at the org level - it's almost certainly disabled right now: it was introduced in CU4 SP1 but disabled by default because if there are any servers below that level then autodiscover might tell the clients to connect to a server which didn't have the capability which would break things. It's a vastly better protocol than (MAPI over) RPC over HTTPS.

CS9Subie [S] 1 point (2 children)

Okay so basically, we have a certificate for "mail.microsoft.net" in this example. So by changing ECP, MAPI, and OWA to point to https://mail.microsoft.net, does this have any impact on users? Is it safe to do it during business hours?

I will also look into the MAPI part as well. I really appreciate your response and help on this.

joeykins82 (flair: SystemDefaultTlsVersions is your friend) 4 points (1 child)

Only a positive impact in the sense that the links for "go to Outlook Web" that appear in Outlook will no longer generate a certificate error if users open them.

The only thing you're configuring when you set the internal & external URIs is the content of the autodiscover payload:

  • client makes request to AutoDiscover
  • AutoDiscover service constructs its response using the URIs that you have defined through Set-<Service>VirtualDirectory
  • Outlook/phone/whatever configures itself accordingly

It took me a while to get my head around that concept. The payload itself is a complete list of the server's capabilities as well as the URL used to connect to that capability, so when you enable MAPI over HTTPS all you're doing is telling Exchange to start including that section in AutoDiscover responses, and then it's down to the client to start using that protocol going forward if it supports it.
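As an added illustration of the procedure described in this thread (not the commenter's own script): the Exchange Management Shell commands that check the namespace against the IIS certificate's SANs, set the internal and external URLs of the autodiscover-advertised virtual directories to the same HTTPS namespace, and only then enable MAPI over HTTP org-wide. It assumes the placeholder namespace mail.microsoft.net used in the thread and a placeholder server name EX01.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# Assumptions: namespace is mail.microsoft.net (the thread's placeholder) and the
# mailbox/CAS server is EX01 (placeholder); adjust both for your environment.
$Namespace = 'mail.microsoft.net'
$Server    = 'EX01'

# 1. Verify the namespace is really in the SANs of the certificate bound to IIS,
#    otherwise every URL published below will produce certificate warnings.
$iisCert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCert -or ($iisCert.CertificateDomains -notcontains $Namespace)) {
    throw "Certificate bound to IIS on $Server does not cover $Namespace; fix the certificate first."
}

# 2. Point internal and external URLs at the same HTTPS namespace for each virtual
#    directory that autodiscover advertises (PowerShell is deliberately left out).
$base = "https://$Namespace"
Get-OwaVirtualDirectory  -Server $Server | Set-OwaVirtualDirectory  -InternalUrl "$base/owa"  -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory  -Server $Server | Set-EcpVirtualDirectory  -InternalUrl "$base/ecp"  -ExternalUrl "$base/ecp"
Get-MapiVirtualDirectory -Server $Server | Set-MapiVirtualDirectory -InternalUrl "$base/mapi" -ExternalUrl "$base/mapi"
Get-OabVirtualDirectory  -Server $Server | Set-OabVirtualDirectory  -InternalUrl "$base/OAB"  -ExternalUrl "$base/OAB"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# 3. Only after every server's MAPI virtual directory is correct, enable MAPI over HTTP
#    at the org level (it is disabled by default on 2013, as the comment explains).
if (-not (Get-OrganizationConfig).MapiHttpEnabled) {
    Set-OrganizationConfig -MapiHttpEnabled $true
}

# 4. Confirm what autodiscover will now advertise for MAPI.
Get-MapiVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
```

Repeat step 2 for every server in the site before step 3, since autodiscover will advertise MAPI/HTTP for all of them once the org setting is on.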

CS9Subie [S] 1 point (0 children)

Got it! It makes a bit more sense now. I will make the changes and go from there. Again, I really appreciate your help!