Hi, new here!
I realise that this subject has had many questions before, but I feel I still have a little confusion over a particular aspect of certificates, which can no longer contain local domain names in them. My deployment is Exchange 2013 on Server 2012 Std using a single AD domain <domain.local>. At the moment it is still the standard install with the self-signed certificates. As with most people, I need to allow external access to Exchange in the form of mail.domain.co.uk. I will want to access most services externally. I have set all internal URLs to be the same as the external URLs in ECP, and I have set up a DNS zone on the DC for <domain.co.uk> which has CNAME entries to the Exchange server name, i.e.:
mail CNAME exchangeserver.domain.local
If I now generate a new certificate (or obtain one from a CA) with SANs that cover <mail.domain.co.uk> and one for autodiscover, is that all that I need to add to ensure all external access AND all possible internal access methods will continue to work? I did try to test this by creating a new self-signed cert with only these entries (i.e. not including the server name ones) and this warned that it was replacing the default SMTP certificate (i.e. the one named 'Microsoft Exchange' in the standard install), which means there will no longer be any certificate covering the internal FQDN server name. I have seen someone stating that external access using VPN will not work with this, and I am also concerned as to how an Outlook client inside my network will go about automatically creating a new account, as I imagine it will get an SSL error when trying to access the Exchange server by name.
I think this all stems from my lack of understanding as to exactly how various types of access to the Exchange server are done, i.e. which services use <exchangeserver.domain.local> and which use <mail.domain.co.uk>, even after having changed the internal URLs.
Hope this makes some kind of sense, all comments (very) gratefully received.
Thanks
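As an added example (not part of the original post), the Exchange Management Shell commands that put the public name on every client-facing URL, request a certificate carrying only the public names, and then two checks a practitioner would run before replacing the default certificate: one that lists any Exchange URL or hostname still referencing the .local suffix, and one that opens a TLS connection to a given name and reports the SANs of the certificate actually served. The server name EXCH01, the suffix .domain.local and the file paths are placeholders assumed for the example.

```powershell
# Added example, not the poster's own commands. Run in the Exchange Management Shell on
# Exchange 2013. Assumed placeholders: server EXCH01 in domain.local, public names
# mail.domain.co.uk and autodiscover.domain.co.uk, request/cert paths under C:\certs.
$Server     = 'EXCH01'
$PublicFqdn = 'mail.domain.co.uk'
$AutoDFqdn  = 'autodiscover.domain.co.uk'
$LegacySfx  = '.domain.local'
$Site       = 'Default Web Site'

# 1. Internal and external URLs both point at the public name, so no client is handed the
#    .local hostname that the new certificate will not cover.
Set-OwaVirtualDirectory         -Identity "$Server\owa ($Site)" -InternalUrl "https://$PublicFqdn/owa" -ExternalUrl "https://$PublicFqdn/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp ($Site)" -InternalUrl "https://$PublicFqdn/ecp" -ExternalUrl "https://$PublicFqdn/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync ($Site)" -InternalUrl "https://$PublicFqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$PublicFqdn/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS ($Site)" -InternalUrl "https://$PublicFqdn/EWS/Exchange.asmx" -ExternalUrl "https://$PublicFqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB ($Site)" -InternalUrl "https://$PublicFqdn/OAB" -ExternalUrl "https://$PublicFqdn/OAB"
# Outlook Anywhere is the RPC path Outlook 2013 uses even on the LAN; both hostnames public.
Set-OutlookAnywhere -Identity "$Server\Rpc ($Site)" -InternalHostname $PublicFqdn -ExternalHostname $PublicFqdn -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Ntlm
# Domain-joined Outlook finds Autodiscover through this AD service connection point, not the server name.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoDFqdn/Autodiscover/Autodiscover.xml"

# 2. Certificate request with only the public names (no .local entries).
$req = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$PublicFqdn" -DomainName $PublicFqdn,$AutoDFqdn -PrivateKeyExportable $true -FriendlyName 'Exchange public names'
Set-Content -Path 'C:\certs\mail.req' -Value $req
# Once the CA has issued the certificate (assumed saved as C:\certs\mail.cer):
#   $cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\certs\mail.cer' -Encoding Byte -ReadCount 0))
#   Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

function Get-LegacyNameReferences {
    # Returns every URL/hostname Exchange hands out that still carries the internal suffix,
    # i.e. exactly the names a public-only certificate would fail to cover.
    param([string]$Server, [string]$Suffix)
    $refs = @()
    foreach ($cmd in 'Get-OwaVirtualDirectory','Get-EcpVirtualDirectory','Get-ActiveSyncVirtualDirectory',
                     'Get-WebServicesVirtualDirectory','Get-OabVirtualDirectory') {
        $refs += & $cmd -Server $Server | ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" }
    }
    $refs += Get-OutlookAnywhere -Server $Server | ForEach-Object { "$($_.InternalHostname)"; "$($_.ExternalHostname)" }
    $refs += "$((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)"
    $refs | Where-Object { $_ -and ($_ -like "*$Suffix*") } | Sort-Object -Unique
}

function Get-ServedCertificateNames {
    # Connects over TLS the way a client would and reports subject, issuer and SANs of the
    # certificate actually presented for that name. Run against both the public name and
    # the .local name to see which one is still answered by the self-signed certificate.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation callback always returns $true: we want to inspect the cert, not trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        [pscustomobject]@{
            Name    = $HostName
            Subject = $cert.Subject
            Issuer  = $cert.Issuer
            SANs    = if ($san) { $san.Format($true) } else { '(none)' }
        }
    } finally { $tcp.Close() }
}

# 3. Checks: expect no output from the first, and only the public names in the SANs of the second.
Get-LegacyNameReferences -Server $Server -Suffix $LegacySfx
Get-ServedCertificateNames -HostName $PublicFqdn
Get-ServedCertificateNames -HostName "$Server$LegacySfx"
```

The first check is the direct answer to "which services still use the .local name": anything it prints is a URL a client will be told to use, and each such name must either be changed to the public one or appear in the certificate. The second check shows what a client actually receives when it connects by a given name; after enabling the new certificate for IIS, connecting by the .local name will still succeed at the TCP/TLS layer but the SANs will not match that name, which is the mismatch a client sees as a certificate error.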