Exchange 2010 certificate error
Hi, I am replacing an Exchange 2003 server with a new Exchange 2010 server and I am doing the final checks before moving the mailboxes and have come across an error which I could do with some help with if possible. Basically I have just run the Test-OutlookWebServices command and most of it has passed okay but there is one problem, the actual details are:

RunspaceId : 745c78d1-4bc5-4732-b1b6-c7e8207018e9
Id : 1004
Type : Error
Message : The certificate for the URL https://external ip address/ews/exchange.asmx is incorrect. For SSL to work, the certificate needs to have a subject of external ip address, instead the subject found is servername.domain.local. Consider correcting service discovery, or installing a correct SSL certificate.

The customer is using a self-signed certificate produced by the Exchange server and has no plans to go for a third party one as of yet, also they do not have an external DNS name set up for the server hence the IP address. Can you help? Thanks Alamb200
October 21st, 2011 7:13am

The self-signed cert should be replaced as soon as possible. If external access is required, getting that 3rd party certificate applied with the correct Subject Names is recommended.
October 21st, 2011 1:55pm

If you don't have plans as you say then you can ignore that error but in the future if you do publish externally then use a trusted 3rd party certificate.
Sukh
October 22nd, 2011 3:32pm

You shouldn't ignore that error. If you are using apps that rely on certificate integration (like Communicator), they will fail if you are using the self-signed cert. Not only that, Outlook 2010 will throw certificate errors.
October 22nd, 2011 4:34pm

If you don't have OCS/Lync?
Sukh
October 22nd, 2011 4:39pm

"If you don't have OCS/Lync? Sukh"
Outlook 2010 will throw cert errors as well if you use the self-signed cert. In fact everything will (browsers etc...) unless everyone copies it to their local cert stores. Which is too bad since Outlook 2007 ignored that it wasn't trusted. So I guess if they are using Outlook 2007 and nothing else, it will work!
October 22nd, 2011 4:42pm

I thought that the error was referring to the external URL for EWS and not the internal one? I know a host name is needed for the name for external access but I thought for the internal, it would be fine?
Sukh
October 22nd, 2011 4:56pm

I was thinking strictly in terms of the self-signed cert actually :) Get rid of that thing!
October 22nd, 2011 5:27pm

@Alamb200 - maybe you can post the rest of the test results and confirm your internal and external URL for EWS. It seems like you maybe used to access OWA externally before via an IP or you have just set up the external URL for EWS and this alert is coming up. Can't know for sure.
Sukh
October 22nd, 2011 6:45pm

"I was thinking strictly in terms of the self-signed cert actually :) Get rid of that thing!"
I agree on using a 3rd party cert for simplicity. But I just thought the alert from the test above was for the external EWS URL.
Sukh
October 22nd, 2011 6:49pm

Hello, What's your OWA URL? If your external OWA URL is https://mail.contoso.com/owa, you can change the EWS URL by running:

Set-WebServicesVirtualDirectory -Identity "CASName\EWS (Default Web Site)" -ExternalUrl https://mail.contoso.com/EWS/Exchange.asmx

Simon Wu
Exchange Forum Support
October 24th, 2011 3:23am
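
The name check behind the Test-OutlookWebServices error in the first post, as an added example that is not part of the original thread or of Exchange itself. The function name Test-UrlAgainstCertNames and the address 203.0.113.10 (a documentation-range placeholder for the external IP) are assumptions; the host names are the ones quoted in the posts above.

```powershell
# Added example: does the host part of a service URL appear among the names a certificate carries?
# Written for PowerShell 2.0 syntax so it also runs in the Exchange 2010 Management Shell.
function Test-UrlAgainstCertNames {
    param(
        [Parameter(Mandatory = $true)] [uri]      $Url,
        [Parameter(Mandatory = $true)] [string[]] $CertNames   # subject CN plus any SAN names
    )
    $urlHost = $Url.Host.ToLowerInvariant()
    # An IP literal in the URL is the case the error in the first post reports
    $isIp = ($Url.HostNameType -eq 'IPv4') -or ($Url.HostNameType -eq 'IPv6')
    $match = $false
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $urlHost) { $match = $true; break }
        # A wildcard name covers exactly one left-most label and never an IP literal
        if (-not $isIp -and $n.StartsWith('*.')) {
            $firstDot = $urlHost.IndexOf('.')
            if ($firstDot -gt 0 -and $urlHost.Substring($firstDot) -eq $n.Substring(1)) {
                $match = $true; break
            }
        }
    }
    New-Object PSObject -Property @{
        Url = $Url.AbsoluteUri; UrlHost = $urlHost; HostIsIp = $isIp; NameMatches = $match
    }
}

# Constructed sample input mirroring the thread: a self-signed certificate whose only
# name is the internal server name, checked against three candidate EWS URLs.
$certNames = @('servername.domain.local')
$urls = @(
    'https://203.0.113.10/ews/exchange.asmx',             # placeholder for the external IP
    'https://mail.contoso.com/EWS/Exchange.asmx',         # URL from the reply above
    'https://servername.domain.local/ews/exchange.asmx'   # internal name
)
$urls | ForEach-Object { Test-UrlAgainstCertNames -Url $_ -CertNames $certNames } |
    Select-Object UrlHost, HostIsIp, NameMatches | Format-Table -AutoSize

# On a live server the inputs could be read in the Exchange Management Shell with:
#   Get-WebServicesVirtualDirectory | Select-Object InternalUrl, ExternalUrl
#   Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
#       ForEach-Object { $_.CertificateDomains | ForEach-Object { "$_" } }
```

With the sample values only the internal-name URL reports NameMatches as True, which matches the subject mismatch reported for the IP-based URL.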

Hi Simon, Sorry about the delay in my response, I thought I would have a weekend completely free from computers for a change. The external URL is basically https://external_ip_address/owa, for example https://212.50.191.86/owa. I agree that they should have a third party certificate but I do not think this will happen straight away if ever, so I just need a solution to get them working for now. The only external access I am looking at for now is via OWA. If you need any more info just let me know. Thanks, alamb200
October 24th, 2011 5:29am

Then you can either distribute the certificate to the users, or allow them to accept the message. I don't believe you can have an IP address in an SSL cert. So, consider distributing. Maybe consider setting up your internal CA with the correct names for the cert and distribute that to the clients.
Sukh
October 24th, 2011 5:40am

Hi Sukh, I will follow your advice with this and look at getting a third party address at a later date. Thanks for your help. Alamb200
October 24th, 2011 5:47am
