After you’ve installed Microsoft Exchange Server 2013 in your organization, you need to configure Exchange Server 2013 for mail flow and client access. Without these additional steps, you won’t be able to send mail to the Internet, and external clients such as Microsoft Office Outlook and ActiveSync devices won’t be able to connect to your Exchange organization.
Exchange Admin Center
The traditional Exchange Management Console has been replaced by a web-based interface: the Exchange Admin Center (EAC).
Open the EAC by browsing to: https://<FQDN of Client Access server>/ECP
Send connector
Before you can send mail to the Internet, you need to create a Send connector on the Mailbox server. Do the following.
- Go to Mail flow > Send connectors. On the Send connectors page, click Add.
- In the New send connector wizard, specify a name for the Send connector and then select Internet. Click Next.
- Verify that MX record associated with recipient domain is selected. Click Next.
- Under Address space, click Add. In the Add domain window, make sure SMTP is selected in the Type field. In the Fully Qualified Domain Name (FQDN) field, enter *. Click Save.
- Make sure Scoped send connector isn’t selected and then click Next.
- Under Source server, click Add. In the Select a server window, select a Mailbox server that will be used to send mail to the Internet via the Client Access server. After you’ve selected the server, click Add and then click OK.
- Click Finish.
Receive connector
A default inbound Receive connector is created when Exchange 2013 is installed. This Receive connector accepts anonymous SMTP connections from external servers. You don’t need to do any additional configuration.
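Because this connector accepts anonymous connections, it is worth confirming that anonymous senders can only deliver to your accepted domains and cannot relay to arbitrary ones. The following read-only audit is an added example, not part of the original article; it assumes it is run in the Exchange Management Shell, and the report column names are illustrative.

```powershell
# Run in the Exchange Management Shell. Read-only: nothing is changed.
# Extended right that lets a sender submit mail addressed to ANY domain (relay),
# not only to the organization's accepted domains.
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($rc in Get-ReceiveConnector) {
    # ACEs granted (not denied) to anonymous senders on this connector.
    $anonAces = @($rc | Get-ADPermission | Where-Object {
        "$($_.User)" -like '*ANONYMOUS LOGON' -and -not $_.Deny
    })

    # Flatten the extended rights of those ACEs into a unique list of names.
    $rights = @($anonAces | ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" } | Where-Object { $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Connector        = "$($rc.Identity)"
        Bindings         = $rc.Bindings -join ', '
        RemoteIPRanges   = $rc.RemoteIPRanges -join ', '
        # PermissionGroups is a flags value; compare on its string form so the
        # check also works on deserialized (remote session) objects.
        AnonymousAllowed = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
        AnonymousRelay   = $rights -contains $relayRight
    }
}

$report | Sort-Object AnonymousRelay -Descending | Format-Table -AutoSize

# Any connector listed here lets unauthenticated senders relay to any domain.
$open = @($report | Where-Object { $_.AnonymousRelay })
if ($open.Count -gt 0) {
    Write-Warning ("Anonymous relay is permitted on: " +
        (($open | ForEach-Object { $_.Connector }) -join '; '))
}
```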
Accepted domains
By default, when you deploy a new Exchange 2013 organization in an Active Directory forest, Exchange uses the domain name of the Active Directory domain where Setup /PrepareAD was run. If you want recipients to receive and send messages to and from another domain, you must add the domain as an accepted domain. This domain is also added as the primary SMTP address on the default email address policy in the next step.
Important: A public Domain Name System (DNS) MX resource record is required for each SMTP domain for which you accept email from the Internet. Each MX record should resolve to the Internet-facing server that receives email for your organization.
- Go to Mail flow > Accepted domains. On the Accepted domains page, click Add.
- In the New accepted domain wizard, specify a name for the accepted domain.
- In the Accepted domain field, specify the SMTP recipient domain you want to add. For example, contoso.com.
- Select Authoritative domain and then click Save.
Default email address policy
If you added an accepted domain in the previous step and you want that domain to be added to every recipient in the organization, you need to update the default email address policy.
- Go to Mail flow > Email address policies. On the Email address policies page, select Default Policy and then click Edit.
- On the Default Policy Email Address Policy page, click Email Address Format.
- Under Email address format, click the SMTP address you want to change and then click Edit.
- On the Email address format page in the Email address parameters field, specify the SMTP recipient domain you want to apply to all recipients in the Exchange organization. This domain must match the accepted domain you added in the previous step. Click Save.
- Click Save.
- In the Default Policy details pane, click Apply.
Note: We recommend that you configure a user principal name (UPN) that matches the primary email address of each user. If you don’t provide a UPN that matches the email address of a user, the user will be required to manually provide their domain\user name or UPN in addition to their email address. If their UPN matches their email address, Outlook Web App, ActiveSync, and Outlook will automatically match their email address to their UPN.
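To confirm the Send connector, accepted domain, default email address policy and UPN recommendation above from the shell, the following read-only check can be run in the Exchange Management Shell. It is an added example, not part of the original article; `contoso.com` is the example domain used on this page, and the output column names are illustrative.

```powershell
# Run in the Exchange Management Shell. Read-only: nothing is changed.
$domain = 'contoso.com'   # example accepted domain used on this page

# 1. Send connectors that route the whole Internet address space (*).
#    Expect: enabled, MX-based (DNS) routing, not scoped, no smart hosts.
Get-SendConnector |
    Where-Object { "$($_.AddressSpaces)" -match 'SMTP:\*;' } |
    Select-Object Name, Enabled, DNSRoutingEnabled, IsScopedConnector,
        @{ n = 'SourceServers'; e = { $_.SourceTransportServers -join ', ' } },
        @{ n = 'SmartHosts';    e = { $_.SmartHosts -join ', ' } } |
    Format-List

# 2. The accepted domain must exist and be Authoritative.
$accepted = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain }
if (-not $accepted) {
    Write-Warning "$domain is not an accepted domain"
}
elseif ("$($accepted.DomainType)" -ne 'Authoritative') {
    Write-Warning "$domain is $($accepted.DomainType), expected Authoritative"
}

# 3. The default policy's primary SMTP template must end in the same domain.
$policy   = Get-EmailAddressPolicy -Identity 'Default Policy'
$template = "$($policy.EnabledPrimarySMTPAddressTemplate)"
if ($template -notlike "*@$domain") {
    Write-Warning "Default Policy primary template is '$template'"
}

# 4. Mailboxes whose UPN differs from the primary SMTP address. These users
#    have to type a separate logon name in addition to their email address.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.UserPrincipalName)" -ne "$($_.PrimarySmtpAddress)" } |
    Select-Object Name, UserPrincipalName, PrimarySmtpAddress |
    Format-Table -AutoSize
```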
SSL certificate
Some services, such as Outlook Anywhere and ActiveSync, require certificates to be configured on your Exchange 2013 server. The following steps show you how to configure an SSL certificate from a third-party certificate authority (CA):
- Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click Add.
- In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
- Specify a name for this certificate and then click Next.
- If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
- Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.
- For each service in the list shown, specify the external or internal server names that users will use to connect to the Exchange server. For example, for Outlook Web App (when accessed from the Internet), you might specify owa.contoso.com. For OWA (when accessed from the Intranet), you might specify CAS02.corp.contoso.com. These domains will be used to create the SSL certificate request. Click Next.
- Add any additional domains you want included on the SSL certificate. Click Next.
- Provide information about your organization. This information will be included with the SSL certificate. Click Next.
- Specify the network location where you want this certificate request to be saved. Click Finish.
After you’ve saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:
- On the Servers > Certificates page in the EAC, select the certificate request you created in the previous steps.
- In the certificate request details pane, click Complete under Status.
- On the complete pending request page, specify the path to the SSL certificate file and then click OK.
- Select the new certificate you just added, and then click Edit.
- On the certificate page, click Services.
- Select the services you want to assign to this certificate. At minimum, you should select SMTP and IIS. Click Save.
- If you receive the warning Overwrite the existing default SMTP certificate?, click OK.
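After the certificate is assigned, check that it is bound to IIS and SMTP, is not self-signed or close to expiry, and covers every host name clients will use. The following read-only check is an added example, not part of the original article; the server name `CAS01` and the helper `Test-NameCovered` are hypothetical, and the host names are the examples used on this page.

```powershell
# Run in the Exchange Management Shell. Read-only: nothing is changed.
$server   = 'CAS01'   # hypothetical Client Access server name
$required = 'mail.contoso.com', 'owa.contoso.com', 'autodiscover.contoso.com'

# Hypothetical helper: is $Name covered by one of the certificate's domains?
function Test-NameCovered([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry covers exactly one extra label: *.contoso.com
        # covers mail.contoso.com, but not a.b.contoso.com or contoso.com.
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

Get-ExchangeCertificate -Server $server | ForEach-Object {
    $domains  = @($_.CertificateDomains | ForEach-Object { "$_" })
    $services = "$($_.Services)"

    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
        Services     = $services
        # The page's minimum: the certificate is assigned to both IIS and SMTP.
        HasIisSmtp   = ($services -match 'IIS') -and ($services -match 'SMTP')
        Status       = "$($_.Status)"
        SelfSigned   = $_.IsSelfSigned
        DaysLeft     = [int]($_.NotAfter - (Get-Date)).TotalDays
        # Names clients will use that this certificate does not cover.
        MissingNames = @($required | Where-Object {
                           -not (Test-NameCovered $_ $domains) }) -join ', '
    }
} | Format-List
```

The certificate that serves clients should show `HasIisSmtp` as True, `SelfSigned` as False, `Status` as Valid and an empty `MissingNames`.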
External Client Access
After you’ve chosen your external domains and installed your certificate, you need to configure the external domains on the Client Access server’s virtual directories and then configure your domain name service (DNS) records. The steps below configure the same external domain on the external URL of each virtual directory. If you want to configure different external domains on one or more virtual directory external URLs, you need to configure the external URLs manually.
- Go to Servers > Servers and then click Configure external access domain.
- Under Select the Client Access servers to use with the external URL, click Add.
- Select the Client Access servers you want to configure and then click Add. After you’ve added all of the Client Access servers you want to configure, click OK.
- In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. Click Save.
- Go to Servers > Servers, select the name of the Internet-facing Client Access server and then click Edit.
- Click Outlook Anywhere.
- In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.contoso.com.
- Click Save.
External URL
After you’ve configured the external URL on the Client Access server virtual directories, you need to configure DNS records for Autodiscover, Outlook Web App, and mail flow. The DNS records should point to the external IP address of your Internet-facing Client Access server and use the externally accessible FQDNs that you’ve configured on your Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.
| FQDN | DNS record type | Value |
| --- | --- | --- |
| Contoso.com | MX | Mail.contoso.com |
| Mail.contoso.com | A | 172.16.10.11 |
| Owa.contoso.com | A | 172.16.10.11 |
| Autodiscover.contoso.com | A | 172.16.10.11 |
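Once the records are published, they can be compared against what a resolver actually returns. The following check is an added example, not part of the original article; it assumes a host with the `Resolve-DnsName` cmdlet (Windows 8 / Windows Server 2012 or later) and uses the example records from the table above as the expected values.

```powershell
# Requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).
# Run it from a host that uses the same DNS the Internet sees.
# Expected values are the example records from the table above; replace them
# with your own external names and address.
$expected = @(
    @{ Name = 'contoso.com';              Type = 'MX'; Value = 'mail.contoso.com' }
    @{ Name = 'mail.contoso.com';         Type = 'A';  Value = '172.16.10.11' }
    @{ Name = 'owa.contoso.com';          Type = 'A';  Value = '172.16.10.11' }
    @{ Name = 'autodiscover.contoso.com'; Type = 'A';  Value = '172.16.10.11' }
)

$results = foreach ($e in $expected) {
    # -DnsOnly skips LLMNR/NetBIOS; -NoHostsFile ignores local overrides.
    $answers = @(Resolve-DnsName -Name $e.Name -Type $e.Type -DnsOnly `
                     -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' -and $_.QueryType -eq $e.Type })

    # MX answers carry the mail host name, A answers carry the address.
    $values = @($answers | ForEach-Object {
        if ($e.Type -eq 'MX') { $_.NameExchange } else { $_.IPAddress }
    })

    [pscustomobject]@{
        Name     = $e.Name
        Type     = $e.Type
        Expected = $e.Value
        Actual   = $values -join ', '
        Match    = $values -contains $e.Value
    }
}

$results | Format-Table -AutoSize

# A missing or mismatched record breaks mail flow or client connectivity.
$bad = @($results | Where-Object { -not $_.Match })
if ($bad.Count -gt 0) {
    Write-Warning ("Records that do not match: " +
        (($bad | ForEach-Object { "$($_.Name) ($($_.Type))" }) -join ', '))
}
```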