Replace Windows CA certificate with VeriSign on Exchange 2013

Dear Friends,

I have 8 Exchange 2013 servers, 4 CAS servers and 4 CAS+Mailbox servers. Currently we use the Windows CA assigned certificate to secure OWA and Outlook Anywhere. Our external domain name is mail.contoso.com and internet domain is *.cts.com.

InternalUrl                                         : https://server.cts.com/owa

ExternalUrl                                         : https://mail.contoso.com/owa

Now we got a VeriSign wildcard certificate *.contoso.com, can I safely replace the Windows CA certificate with VeriSign?

My plan is:

1. In internal DNS, create server.contoso.com A record and point to the IP address of CAS servers (server.cts.com).

2. Change the Internal URL of OWA, AutoDiscover, OAB and so on.

3. Change the OWA Internal URL from https://server.cts.com/owa to https://mail.contoso.com/owa.

4. Replicate the Windows CA certificate to VeriSign Certificate.

Is the above plan OK?

Any suggestion is highly appreciated.

July 5th, 2015 8:09pm
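
The name check behind the plan above, as an added example that is not part of the original thread: a wildcard certificate name covers exactly one left-most DNS label, so every URL clients use has to fall under `*.contoso.com` before the Windows CA certificate is swapped out. The function name `Test-CertNameMatch` is hypothetical, and the `server.contoso.com` and `a.b.contoso.com` URLs are constructed for illustration; the other host names are the ones quoted in the post.

```powershell
# Added example: which of the post's URLs would a '*.contoso.com' certificate cover?
# Matching rule assumed here: the usual TLS one, where '*' stands for exactly
# one non-empty left-most label and never spans a dot.

function Test-CertNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,  # e.g. '*.contoso.com'
        [Parameter(Mandatory = $true)][string]$HostName   # e.g. 'mail.contoso.com'
    )
    $cert = $CertName.ToLowerInvariant().TrimEnd('.')
    $name = $HostName.ToLowerInvariant().TrimEnd('.')

    # Non-wildcard names must match exactly.
    if (-not $cert.StartsWith('*.')) { return ($cert -eq $name) }

    $suffix = $cert.Substring(1)                 # '.contoso.com'
    if (-not $name.EndsWith($suffix)) { return $false }

    # Whatever precedes the suffix must be a single, non-empty label.
    $label = $name.Substring(0, $name.Length - $suffix.Length)
    return (($label.Length -gt 0) -and (-not $label.Contains('.')))
}

$certName = '*.contoso.com'
$urls = @(
    'https://server.cts.com/owa',       # current InternalUrl from the post
    'https://mail.contoso.com/owa',     # ExternalUrl and planned InternalUrl
    'https://server.contoso.com/owa',   # constructed from the planned A record
    'https://a.b.contoso.com/owa'       # constructed: two labels under the wildcard
)

foreach ($u in $urls) {
    $name = ([Uri]$u).Host
    [pscustomobject]@{
        Url     = $u
        Covered = Test-CertNameMatch -CertName $certName -HostName $name
    }
}
```

Only the two single-label `contoso.com` names come back as covered. Any URL still pointing at `server.cts.com` after the swap will produce a certificate name mismatch, so the same check can be run over the InternalUrl and ExternalUrl values returned by `Get-OwaVirtualDirectory` and the other services named in step 2.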

It looks good. Do you have an HLB or something to handle the CAS connections from external? If yes, then you will need to put that same cert on the HLB.

I'm guessing you are just replacing the cert, right? 

July 5th, 2015 8:31pm

Thx. We have F5 NLB and the users access OWA via Forefront UAG.
July 6th, 2015 12:25am
