How to change all Exchange external URLs without adversely affecting external users?

Question

We have an Exchange 2010 SP2 system consisting of a single Mailbox/Hub/CAS server and a single Edge server. The MHC server is exposed to Internet users via a TMG 2010 reverse proxy.

All Exchange web services use a public FQDN in an old DNS domain that we are replacing with a new one; let's call the current public FQDN of the server webmail.olddomain.com and the new one webmail.newdomain.com.

We already bought a new certificate for webmail.newdomain.com (with also the internal server name as a SAN).

Now, what is the best course of action to replace all Exchange external URLs without adversely affecting our users? A simple HTTP redirection should work for OWA, but I'm quite concerned about Outlook Anywhere users (we have lots of them).

Answer 1

This is what I did:

• Installed a temporary certificate from an internal CA on the Exchange server, with both public names as SANs (so TMG can connect to Exchange using both names).
• Changed all Exchange external URLs to use the new public name.
• Registered the new public name in the public DNS using a different public IP address on TMG.
• Created a new publishing rule on TMG using the new certificate, the new public name and the new public IP address.
• Kept the old publishing rule with the old certificate, old public name and old public IP address unchanged.

End result:

• OWA can be accessed using both public URLs.
• New Outlook Anywhere clients use the Autodiscover service and connect to the new public URLs.
• Existing Outlook Anywhere clients connect to the old URLs (which are still active), get the new configuration via Autodiscover and then automatically switch to the new URLs.
• The only thing Outlook Anywhere users see is Outlook asking them to supply their password again (because the web site name has changed) and then asking for permission for the new Autodiscover service to change the configuration.

To be done: after some time, remove the old publishing rule from TMG and install the real public certificate on the Exchange server instead of the temporary one.