Exchange Server 2016 Outlook on the Web Configuration

Exchange Server 2016 Outlook on the Web, formerly known as Outlook Web App, allows users to access email from browsers such as Microsoft Edge, Internet Explorer, Chrome, Firefox, and Safari. Outlook on the Web offers rich email views and a good user experience, and it delivers several feature improvements over previous versions of Outlook Web App. These include:

  • Pin messages, sweep on messages to perform actions, one click archiving, and an Undo action
  • Single email message preview and detailed message view
  • Embed images in email body and customize them if required
  • Calendar view is improved to be cleaner and easier to use
  • Better text editing: suggestions for common typos, richer formatting, better attachment views, and inline replies
  • Inline previews of URLs and videos
  • The ability to import contacts from CSV files

Outlook on the Web must be configured on Exchange Server 2016 to work seamlessly for both internal and Internet users. The installation requires security certificates to function. These can either be self-signed or issued by a trusted Certificate Authority (CA). The latter is the preferred method: clients already trust the issuing CA, so users are not trained to click through certificate warnings and no self-signed certificate has to be distributed to every device.

Certificate Best Practice

Some best practice guidelines to use when deploying security certificates for Outlook on the Web:

  • Always purchase a certificate from a third-party trusted CA. Some of the trusted vendors are Cyber Trust, Verisign, Entrust, GeoTrust, GoDaddy, and Comodo. Certificates from any of these reputable CAs will be trusted by all mobile and Windows clients.
  • Purchase a Subject Alternative Name (SAN) or Unified Communication Certificate for Exchange Server.
  • Use a minimum number of SAN names in the Certificate. For example:

Exchange Server 2016 servers can make use of a wildcard certificate, but avoid it if possible and procure a SAN certificate instead. Wildcard (*) certificates cover multiple host names under one domain (eg.,,, etc.), but there are security risks in placing multiple sub-domains under a single wildcard certificate: one private key then protects every host in the domain, so a compromise of any one server exposes them all.

To request a third-party CA certificate, you need to submit a certificate signing request (CSR) file to the CA vendor. This can be generated from Exchange Server 2016 via the Exchange Management Shell (PowerShell). For example:

# Fill in the values this page leaves blank: the server name after -Server,
# the CN= component at the end of $SubjectName, and the host names in $DomainName.
$SubjectName = "c=US, s=Dallas, O=My Domain, ou=IT,"
$DomainName = '',''
# -PrivateKeyExportable $true is what later allows the certificate to be exported as a .pfx
$data = New-ExchangeCertificate -Server -GenerateRequest -FriendlyName "Exchange 2016" -PrivateKeyExportable $true -KeySize 2048 -SubjectName $SubjectName -DomainName $DomainName
Set-Content -Path "C:\Cert\MyExchangeCert.req" -Value $data

Certificate Request File Validation

Validate the certificate request file that is produced (called MyExchangeCert.req in the example above) to make sure there are no errors or spelling mistakes before sending it to the CA. Here's how to do this:

  1. Open MyExchangeCert.req file in a plain text editor like Notepad
  2. Copy all the data between

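The request can also be decoded locally with certutil, which ships with Windows, instead of reading the base64 by eye. The function below is an added example and not part of the original article; it assumes the .req path used above, and the expected host names are constructed sample values.

```powershell
# Added example: decode the CSR with certutil and check it before it goes to the CA.
# Assumes the .req path from the article; $ExpectedHosts is a constructed sample list.
function Test-ExchangeCsr {
    param(
        [string]$ReqPath,
        [string[]]$ExpectedHosts,
        [int]$MinKeyBits = 2048
    )
    # certutil -dump prints the PKCS#10 request as text: indented CN=/O=/OU= lines
    # under "Subject:", a "Public Key Length: N bits" line, and one "DNS Name=" line per SAN.
    $dump = certutil.exe -dump $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certutil could not decode $ReqPath" }

    $cnMatch  = $dump | Select-String '^\s*CN=(?<cn>.+)$' | Select-Object -First 1
    $keyMatch = $dump | Select-String 'Public Key Length:\s*(?<bits>\d+)' | Select-Object -First 1
    if (-not $cnMatch -or -not $keyMatch) { throw 'Subject CN or key length not found in decoded request' }
    $cn      = $cnMatch.Matches[0].Groups['cn'].Value.Trim()
    $keyBits = [int]$keyMatch.Matches[0].Groups['bits'].Value
    $sans    = @($dump | Select-String 'DNS Name=(?<host>[^\s,]+)' |
                ForEach-Object { $_.Matches[0].Groups['host'].Value.ToLower() })

    $problems = @()
    if ($keyBits -lt $MinKeyBits) { $problems += "key is $keyBits bits, below $MinKeyBits" }
    # Browsers match the host against the SAN list only, so the CN must also appear there.
    if ($sans -notcontains $cn.ToLower()) { $problems += "CN '$cn' is not repeated in the SAN list" }
    foreach ($h in $ExpectedHosts) {
        if ($sans -notcontains $h.ToLower()) { $problems += "expected host '$h' is missing from the SAN list" }
    }
    foreach ($s in $sans) {
        if ($ExpectedHosts -notcontains $s) { $problems += "unexpected SAN entry '$s' (typo or extra name?)" }
    }
    [pscustomobject]@{
        Subject    = $cn
        KeyBits    = $keyBits
        SanEntries = $sans
        Problems   = $problems
        Valid      = ($problems.Count -eq 0)
    }
}

# Constructed sample host names; replace with the names you intend to put in the certificate.
Test-ExchangeCsr -ReqPath 'C:\Cert\MyExchangeCert.req' -ExpectedHosts 'mail.example.com', 'autodiscover.example.com'
```

A result with Valid = $false lists every mismatch in Problems, so a misspelled host name is caught before the CA issues (and bills for) the certificate.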

Certification Configuration

Once the request is validated, send the file to the chosen CA. The CA processes the request and returns the signed certificate together with its chain, typically as a .p7b file. Copy this certificate file to the same server the CSR was generated on (that server holds the matching private key) to import and assign it. This can be done using PowerShell as follows:

# Supply the server name after -Server (omitted on this page)
Import-ExchangeCertificate -Server -FileData ([Byte[]]$(Get-Content -Path "C:\cert\filename.p7b" -Encoding Byte -ReadCount 0))

To enable the certificate, you need the thumbprint of the newly imported certificate. Find it with the PowerShell cmdlet Get-ExchangeCertificate, then replace "New Thumbprint" with the actual thumbprint value in the following PowerShell code:

Enable-ExchangeCertificate -Thumbprint "New Thumbprint" -Services "IIS, SMTP, POP, IMAP"

Once a certificate is imported and enabled for Exchange Server 2016 services, it can be exported (with its private key) and imported on all the other Exchange Server 2016 servers in the organization. Export the certificate in .pfx format using the PowerShell code below. Get-Credential prompts for a credential; only the password you enter is used, to protect the .pfx file. You must supply the same password when importing the certificate on the other servers or the import will fail:

$export = Get-ExchangeCertificate -Thumbprint "New Thumbprint" | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Get-Credential).Password
Set-Content -Path C:\cert\Exch2016Cert.pfx -Value $export.FileData -Encoding Byte

Use the PowerShell code below to import the certificate onto each of the other Exchange Server 2016 servers, then enable it for the IIS, SMTP, POP, and IMAP services:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\cert\Exch2016Cert.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password

Get-ExchangeCertificate | Where-Object { $_.Thumbprint -like "New Thumbprint" } | Enable-ExchangeCertificate -Services "IIS, SMTP, POP, IMAP"

Configuring Exchange Server Outlook on the Web Virtual Directory

Once the certificate is configured, the Outlook on the Web virtual directory needs to be configured with both an internal and an external URL. The internal URL is the namespace clients use to connect from inside the network, and the external URL is the one clients use to connect from the Internet. The host names in both URLs must be covered by the certificate enabled for IIS above, or browsers will show certificate warnings.

The following PowerShell code configures the virtual directory on the server EXCH01 with both an InternalUrl and an ExternalUrl. Replace the server name EXCH01 with the actual server name:

# Host names omitted on this page; fill in the internal and external namespaces
$InternalDomain = ""
$ExternalDomain = ""
Set-OwaVirtualDirectory -Identity 'EXCH01\owa (Default Web Site)' -ExternalUrl "https://$ExternalDomain/owa" -InternalUrl "https://$InternalDomain/owa"

Finally, make the DNS changes by adding DNS A records for the host names used in the internal and external URLs on both the internal and the external DNS servers, so that they resolve to the mail servers. In a typical environment access to the mail servers and Outlook on the Web is managed via a load balancer acting as a reverse proxy; in that case configure DNS to point the URLs at the load balancer.
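After the certificate, virtual directory and DNS steps are done, the function below verifies from the Exchange Management Shell that they fit together: the certificate bound to IIS covers the OWA host names (exactly or via a wildcard), is not self-signed or about to expire, and each host name resolves. This is an added example, not code from the original article; EXCH01 is the server name the article uses, and the 30-day expiry margin is an assumption.

```powershell
# Added example: check the OWA namespace against the certificate enabled for IIS.
# Assumes the Exchange Management Shell and the DnsClient module (Resolve-DnsName).
function Test-OwaCertificateBinding {
    param([string]$Server = 'EXCH01', [int]$MinDaysLeft = 30)

    # Collect the host names from the InternalUrl/ExternalUrl set with Set-OwaVirtualDirectory.
    $vdirs = Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' }
    $hosts = foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) { if ($u) { ([uri]$u).Host.ToLower() } }
    }
    $hosts = @($hosts | Sort-Object -Unique)
    if ($hosts.Count -eq 0) { throw "No InternalUrl/ExternalUrl configured for owa on $Server" }

    # Exchange binds one certificate to IIS; its CertificateDomains must cover every host name.
    $cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate is enabled for IIS on $Server" }
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    $problems = @()
    if ($cert.IsSelfSigned) { $problems += 'certificate is self-signed; clients will show warnings' }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) { $problems += "certificate expires in $daysLeft days ($($cert.NotAfter))" }

    foreach ($h in $hosts) {
        # A name is covered by an exact SAN entry or by a wildcard for its parent domain.
        $parent  = ($h -split '\.', 2)[1]
        $covered = ($domains -contains $h) -or ($domains -contains "*.$parent")
        if (-not $covered) { $problems += "host '$h' is not in the certificate's SAN list" }
        # The article's last step: an A record must exist for each host name.
        $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        if (-not $dns) { $problems += "host '$h' does not resolve from this server" }
    }
    [pscustomobject]@{
        Server     = $Server
        Thumbprint = $cert.Thumbprint
        Hosts      = $hosts
        DaysLeft   = $daysLeft
        Problems   = $problems
        Healthy    = ($problems.Count -eq 0)
    }
}

Test-OwaCertificateBinding -Server 'EXCH01'
```

Run it once per server after importing the exported .pfx, since each server binds its own copy of the certificate and the check only sees DNS as resolved from that server.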