On Premises Exchange Integration Windows Server 2012 Essentials

LogoYes, you heard me right. Hopefully by now the news of the end of development, shall we say, of SBS 2011 Standard has settled in, and you are ready for how to tackle the void left in the market. I know many partners and folks are talking about alternatives, Kerio, Hosted Exchange2Exchange or any number of other solutions, but i wanted to demonstrate how easy it is to setup the OnPrem (OP) integration with an Exchange server, and how it is possible to access both, using 1 single public IP address.

I have no idea how much it would actually cost to do in production though!

So, first of all, this is all based on the beta code recently released, so i do reserve the right to look stupid when they pull the code out due to ‘feedback’.

Second of all, this is based on Windows Server 2012 Essentials, with a second server running Windows 2008 R2 Standard, w/SP1 and Exchange 2010.

What will you need?

  • A server running WSE
  • A server running Windows 2008 R2 SP1
  • Exchange 2010 Media
  • SSL Certificate
  • Dare i suggest, an Internet Connection?

    Modify Group Membership

    The very first step is to make our Domain Administrator a member of the Enterprise Admins group.

    From the WSE server, go to Start, then Administrative tools.

    Open up Active Directory Users and Computers (ADUC), then under the Users container, find your Domain Administrator account.
    Go to the properties of the account.
    Go to the Member Of tab, and click Add.
    Type in Enterprise Admins, then click OK and close down ADUC.


Install WSE Connector Software

I’ll assume  you have installed your 2008R2 server, and it is in a workgroup ready to go.

You may not know, that the WSE Dashboard now supports Servers. That means we can install the connector!

If you’re thinking that means WSE will backup a server, It won’t.

First of all, open up a web browser on your Server2008R2 box, and go to the connect site of the WSE server, this would be http://wseserver/connect


Click on the button to download software, and run when prompted.

Those of you already familiar with SBS Essentials, will have seen this all before.

The connect to server wizard will start, and run through a few steps.





Ordinarily we would enter a standard user account here, but i am using the Domain Admin account.



After a reboot we have to chose whether this computer is for us, or another user, and also to enter a description.




After a short time the wizard should complete, and you will see your server now shows up in the dashboard.


See, i told you it would appear in the dashboard.


Now we need to do some prep in order to get Exchange installed.

First off you will need some Exchange media, i just used the trial download that is available.

I extracted the Exchange media out to a folder called EX in the downloads folder of my profile.

Second you need to install some server roles.

Install Server Roles required for Exchange

We need to install a few server roles in order for Exchange to function. I prefer PowerShell for this because i think its easier. I found a really useful blog post on exactly this topic here.

So, go ahead and open up an Administrative PowerShell window.


Then run the following:

Import-Module ServerManager



Add-WindowsFeature NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model, RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation, RPC-Over-HTTP-Proxy –Restart



Your server will install those roles and reboot.

Install Exchange & Configure

Now, for a little customisation of my own. I wrote a script that will use the Exchange command line installation method, and then run through a ‘wizard’ to add the crucial components to make Exchange work as you would expect.

I will make the script available for download soon.

My custom script is called Install.ps1, as you can see below, you have to modify PowerShells Execution Policy to run scripts, which is easily done by typing:

Set-ExecutionPolicy RemoteSigned

If you are downloading a script from the internet, you will usually need to ‘unblockit’ by right clicking the file, going to properties and clicking Unblock.

Install.ps1 – Running…


I have cropped the above slightly, and not going to explain each step, however the script installs Exchange, installs the Office 2010 Filter pack, then asks the Administrator some basic questions about the environment (coloured sections) and then Sets up Accepted Domains, Email Address Policy, Receive Connectors and Send Connectors. The Send Connector section will support a smart host that requires Authentication as well, and you can also change the SMTP port number, all from this one script.

You can read more about the Script here http://wp.me/p1i7Su-128

Moving on, we can now go ahead and enable the integration.

Install SSL Certificate for Exchange

For Exchange to work correctly over the internet, we will need an SSL certificate.

This needs to be a different SSL certificate (different common name) than the certificate used for RWA on the WSE server.

That suits me because i gave up using Third Party domain names on my SBSE or WSE servers, and now always use the free *.remotewebaccess.com domain provided by Microsoft. It also means i am free to use my existing SBSE SSL for Exchange.

You will need your SSL Certificate in PFX Format (this means it includes the private key)

On your Exchange Server, open up an MMC.


Use the File menu to add snapin, and then add the Certificates Snapin for the Local Computer.





Expand Certificates, Personal, and in the free space, right click, then choose All Tasks, Import.


Complete the wizard to install your PFX file.



You will see your certificate shows up.


Now, we need to load the Exchange Shell.


Enter this command:


You will see several results returned, one of which should easily be identifiable as the certificate we just installed.


Copy the ‘Thumbprint’ of that certificate.

Now enter:

Enable-ExchangeCertificate –Thumbprint XXXXXXXXXXXXX –Services IIS,SMTP

This command will import your certificate onto the Default Website for use with OWA / OA and also enable it for use with SMTP if needed.


If we run the ‘Get’ command again, we can now see the services are enabled for that certificate.


Enable Outlook Anywhere

Now we just need to quickly enable Outlook Anywhere, which we can do easily from the Exchange Management Console (EMC), proof if you needed it i am not 100% committed to PowerShell yet.

Open up the EMC, Expand Server Configuration, then choose Client Access. On the right hand side Choose Enable Outlook Anywhere.


Enter the address you will use to access your server remotely.


Then click Enable.


Install Application Request Routing to WSE

Now we can switch over to the WSE server and install the magic component.

Go to IIS.net and download Application Request Routing.

You will likely need to install the Web Platform Installer, which gave me an error about .NET2 (which i ignored and refreshed the page) it then continued as normal. I have screen shots of the process but not the error as i was scratching my head for a moment. You will also most likely need to adjust your security zones and add a site to trusted sites.


Hopefully you can get through that, and get ARR installed.




Another side note as you can see below, it says it failed, and it also says it succeeded. I chose to ignore the failure, and it turned out ok for me.


You will need to copy the PFX file over to your WSE server and have it in a easy to type path.

Just for Phillip Elder, the location of ARRConfig in 2012 R2 is now,  %systemroot%\System32\Essentials

Open up c:\program files\windows server\bin in an administrative command prompt.

Enter the following:

ARRConfig Config –Cert <path to cert> –hostnames <common name in SSL>

For Example,

ARRConfig Config –Cert c:\users\dfunk\desktop\ssl.pfx –hostnames remote.sbsessentials.co.uk


You are then prompted for the password on the certificate and then it should complete for you.

Wait, no, you now have an error.

We need to enable Exchange Integration in the Dashboard (almost forgot)

Enable WSE Exchange Integration

Load up the Dashboard, and follow the prompts under ‘Email’ to enable Integration to your Exchange Server.



The Dashboard will reload, and you should have a nice green tick!


We can go back to our command prompt, run the same command, and this time it completes.


And that’s it!

Finish and Test Connectivity

Assuming you have the correct DNS records in place, ie an MX record and an A record that point to the right public IP address you have now integrated your on premises Exchange Server.

Don’t forget to open port 25 on your router and point to your Exchange servers internal IP.



(Just to show these both go to the same IP)

You can also now go to www.testexchangeconnectivity.com and run a test to make sure everything is ok!

I got a green check, and also a warning about a certificate chain, but i am just focussing on the green check.

Check Check!!



2cloudAnyway, i hope you found this useful, it was certainly a lot of fun to work on.

I am very interested to hear comments about this integration feature/idea and also any comments on the beta as a whole!


Update 15/08/201 : Microsoft has now made public it’s own steps which are available here.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

66 Responses to On Premises Exchange Integration Windows Server 2012 Essentials

  1. MikeH says:

    Great work!

    What about Sharepoint Foundation Server 2010? Maybe you already work on that?

    Why did you choose Server 2008 R2 SP1 instead of Server 2012 for the Exchange Server machine? Will there be trouble ahead?

  2. bitzie says:

    Right now only server 2008 r2 and not 2012 is supported for Exchange 2012. There’s a schema update ulimately needed to get 12 to work (of which we don’t have access to

  3. MarcoV says:

    Great walkthrough Robert! Are you aware yet of the licensing requirement details when we go with this configuration; for the second server would we need Windows CAL’s for networks <25 users in addition to the Exchange CAL's? Or are the CAL's covered by Essentials? Can we run Essentials 2012 as a VM or does it need to be a separate physical server?

  4. Jason says:

    Found this blog and would like to thank you for the walk through.

    One question though: I am trying to get a windows 2012 essentials up and running with an exchange server.

    The scenario I would like to create is have the people log into the RWA on essentials and have a link to OWA. Is there any way of doing this in a fashion so that the user wouldn’t have to log into 2 sites? (First having to log into the RWA, and then having to put in the credentials for OWA)

    My goal is to set up a web interface similiar to the sbs 2011.


    • Yes, you can just add a link to the OWA URL via the WSE Dashboard.

      Under Settings, AnywhereAccess, Customize, Home Page Links. You can add/remove the links as required.

      As for not having to login twice, i am not sure about that. There may be some sort of single sign on tool you can use, somthing like AuthAnvil – from Scorpion Software.

      • Wes says:

        A way around 2 SSL Certs…

        Configure everything as this guide says… but ARR add-on for IIS is not required.

        When done, point port 80 and 25 to your exchange server’s internal IP Address. Point 443 to your Essentials server.

        Open IIS on your Exchange Server, drill down to OWA and open SSL settings on OWA and uncheck Require SSL, and then click apply on the right hand window pane.

        You can host your organizations website on the same Member/Exchange Server in IIS as a new site, just use a host header to direct traffic to it. ie, Mycompany.com vs http://org.remotewebaccess.com/owa both on port :80. (do not use a host header on remote web access or owa)

        You will have to switch the pointer for Port 80 back to your Essentials server in order to domain join new computers via the connect site. But OWA, Remote Web Access and your company’s web page are all hosted internally now. Also note, that you will not get to OWA via https://, only form http://… if this gets complicated, use your company website, but add a page with links or re-directs to keep things easy on your users, they can book-mark there way around from there.

      • I would not suggest or approve of the idea of running your Exchange services over HTTP.

        I would also not advocate the hosting of your company website on a server on your internal network.

  5. Hi,
    In the RWW I have a box calles Check E-Mail. This is leading to the WSE external URL /owa. This leads to an IIS error. Is there a way to link this to the external Exchange URL? From the Setup you provide, I understand to have two URLS (one for WSE RWW and one for Exchange owa)
    Is there a way to integrate both into one URL?


  6. Christoph says:

    Thank you for your great article!

    You wrote that you use the free remote.remotewebaccess.com domain for OWA and essentials2012.remotewebaccess.com for RWA to get a free white certificate for both services.
    But how does it work when I have a dynamic IP? The Essentials-Server will update the essentials2012.rwa.com Domain, but how does it work for the remote.rwa.com domain? Is there an ddns-updater for rwa.com to install on the exchange server?


    • I think you may have mis-understood.
      I use the Free SSL (remotewebaccess.com) only for RWA. OWA is handled using an SSL i purchased, in this case for SBSEssentials.co.uk

      Both URLS (or fqdns) go to the same IP address, in my case i had a static IP. with a dynamic IP i would set the second address (remote.sbsessentials.co.uk) as a CNAME of your remotewebaccess.com address, and this should take care of your dynamic IP issue.

  7. Chris Mottersead says:

    i have followed you article and all went well except the part for connecting exchange to the 2012 essentials dashboard,when i tried to connect it it said it failed with an unknown error but after a restart it says its connected but keeps failing when i try to view mailbox properties from the users tab and if i try to remove the integration it shows the same unknown error message

    • are you running exchange 2010?, was this a migration?

      • Chris Mottersead says:

        Yes its exchange 2010 SP3 and no clean install of windows 2008 r2 sp1 and exchange 2010

      • what do the ope logs show in c:\prograndata\windows server\logs (on the essentials)
        did the server join the domain ok?

      • Chris Mottersead says:

        the opewizard logs say System.TimeoutException when i tried to connect exchange to essentials but when i try to remove it it says failed to connect to OPEManager
        the server joined the domain fine

      • Chris Mottersead says:

        I have sorted it, i deleted the reg key HKEY_LOCA_MACHINE\SOFTWEAR\Microsoft\WINDOWS SERVER\Productivity and opened the dashboard which still had the green tick next to exchange but when i clicked Setup Exchange Server Integration it went back to the setup and this time was successful

      • cool, good work.

  8. Wes says:

    First off, Kudos! Great post.

    Any luck with Exchange 2013 CU1 on a Server 2012 member server?

    I have been beating my head against a wall trying to get this done. Seeing this confirms it is possible now. Your notes here will be invaluable.

    • What problems are you running into?

      • Wes says:

        Failures during install. Lots of them. Have tried manual un-installs, complete OS re-installs…
        I am giving up on Exchange 1013… Needs more time to bake. Got it working, but had issues getting admin tools to work correctly. Not to useful if I cannot get accounts set up. But ecp looked nice… Working now on Exchange 2010 SP3 on Server 2012.

        Now, on a fresh clean OS install… So far install feature requirements are different, so your script will not work due to it checking before installing exchange. But some of the other functions might work…

        I will let you all know how it goes. Or come back for help :)

      • Christoph says:

        In our company we are working productive for two weeks with WSE and Exchange 2013 CU1 on Server 2012. We had some problems with public folders, but they’re fixed now. FYI: We have not used Roberts install-script. Just checked the requirements in the wizard and then we configured the Exchange-Integration in the wse-dashboard. It woked very well. P.S. Sorry for my english, it’s not my native language ;-)

  9. Trevor says:

    I’ve managed to get my exchange 2010 integrated with Essentials 2012, however the ARRconfig doesn’t succeed. it logs an error about the logon session and i’ve tried the fixes I found but still not working. I can get to my remote login from the internet, but /owa gets a 404. IIS7 on the Essentials server just wont configure the reverse proxy : /

  10. Trevor says:

    Well I found the problem. The certificate format was preventing the ARRConfig from working. I had to export a copy without extended attributes and other certs in the chain. Then ARRConfig worked fine and i’m now running a remotewebaccess.com for Essentials and a separate (*working!) cert for my Exchange.

  11. Tony Paletti says:

    I have everything installed and working with the exception of the Application Request Routing (BTW when I installed it the version was AAR 3 so I did not get the error about AAR 2.5). No matter what, I just cannot get the AARConfig to run and properly configure IIS for me. I am not seeing any error in the event logs (not quite sure where to look). Here is what I get when I type the command from and Administrator command prompt:

    C:\Program Files\Windows Server\Bin>ARRConfig config -cert c:\temp\mailcert.p
    fx -hostnames mail.mydomain.com
    ARRConfig config -cert -hostnames [,name2,…nameN] [-target
    server ]
    ARRConfig unconfig
    ARRConfig config -cert “c:\tmp\certificate.pfx” -hostnames “www.contoso.com,mail
    ARRConfig config -cert “c:\tmp\certificate.pfx” -hostnames “www.contoso.com,mail
    .contoso.com” -targetserver MyExchangeServer

    It never prompts me for a password, which I did choose during the export. I also tried to export the Exchange certificate without extended attributes and without other certs in the chain as someone else suggested to no avail. Any help with this would be greatly appreciated. Thanks in advance!

    • are you running the cmd window elevated?

      • Tony Paletti says:

        Yes, right-click Command Prompt and select “Run as Administrator” Very strange, no error or anything…it’s like it is telling me I am typing something incorrectly, but I typed the command in exactly the way I posted it (although I changed my domain name to mydomain.com). Should I uninstall ARR 3 and try to find and install ARR 2.5? Any suggestions would be greatly appreciated!

    • Trevor says:

      I recommend you inspect the entries in C:\ProgramData\Microsoft\Windows Server\Logs\ARRConfig.txt

      Its where I found the errors that got me started googling my first few fix attempts, although I eventually came up with the fix myself (re-exporting the certificate).

      Here’s an example of the main error line that I received:
      [7280] 130712.112223.1723: ExchangeReverseProxyConfigurator: Create site failed System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

      There was more, but its just to demonstrate that there is a source of more info on what is happening in your config attempt.

      If you look there it may give you a great pointer or at least something that may prompt people to suggest some fixes for you.


  12. Tony Paletti says:

    Thanks for your suggestion Trevor! I am in the process of reinstalling my Exchange server, so once I get to the point where I am running ARRconfig on my Essentials server again, I will take a look at that log file and report back what I find. Just a couple of caveats: my Exchange server is Exchange 2013 Standard, and I am installing it on Windows Server 2012 Standard. I used these instructions on the TechNet site to install the Exchange server: http://technet.microsoft.com/en-us/library/jj200172.aspx. I came across this tutorial while troubleshooting the ARRconfig issue; both articles use the same procedure for installing and running ARRconfig. Thanks again both of you for your help, I will report back soon!

    • the arrconfig is not concerned with what version of exchange or the os afaik. it will most likely be an issue with your syntax, the ssl, or a change in arr3.

      • Trevor says:

        In my case IIS wouldn’t work with the certificate and the log *cryptically indicated that.

      • Michael says:

        Hi Robert
        First of all, appreciation for keeping this post open.
        Server 2012 Essentials domain
        Exchange 2013 installed on Server 2012 standard

        I am just trying to fully understand the concept here. I have a CA trusted certificate remote.mydomain.com imported and functioning on Sever 2012 Essentials. This is for remote access and works fine.
        My Exchange cert is self-generated and only trusted by domain machines it is installed on. By Using ARR, remote connections can be router to Exchange for OWA using remote.mydomain.com to handle security and negating the need to purchase a CA SAN certificate (for Exchange); remote.mydomain.com handles the security – is this correct?

      • The certificate used for Exchange, needs to be for a different FQDN. So if your essentials box has remote.mydomain.com then Exchange would need to be a different name. like mail.mydomain.com.

        I think generally speaking, a single name certificate will work perfectly well for Exchange. If you want to have AutoDiscover setup externally, then you just need to use a SRV record in DNS to point autodiscover to your Exchange server at mail.mydomain.com.

        Some devices do not function with an SRV record, like for an example an iPhone, so if that was a concern then you would need a SAN certificate also containing ‘autodiscover’.

        Hope that helps.

      • Michael says:

        I am using ARR 3. 0. The commend line to configure ARR files
        I created the self-signed certificate mail.mydomiain.com. It carries the subject names listed below as I am entering them into the command prompt:
        ARRConfig Config –Cert C:\Users\Public\Downloads\CertFin.pfx –hostnames mail.mydomain.com.au, exchangeserver.local, AutoDiscover.mis.local, AutoDiscover.mydomain.com.au, ExchServer, mydomain.com.au

        Now noting your comment on a single name certificate, I seem to have no way of excluding the above subject names from the creation process, which is probably more to with my struggle in understanding certificate requests from Exchange. (I had to import this certificate on to the local workstations for Outlook to work which it does)
        Have I got this right? If I do, the above command fails – syntax error perhaps?
        Appreciate you patience if I am testing it

      • Im not sure if ARR supports a SAN certificate. Have you tried it with a single name certificate? You can probably sign up for a free trial SSL from someone to get a single name cert signed for you just for testing.

      • Although looking back at your syntax it does appear to be wrong.

        You may have some typos?

        ARRConfig Config –Cert C:\Users\Public\Downloads\CertFin.pfx –hostnames mail.mydomain.com.au,
        *typo here—->* exchangeserver.local, AutoDiscover.mis.local, AutoDiscover.mydomain.com.au,
        *typo here—->* ExchServer, mydomain.com.au

        Exchangeserver.local – is that valid on your LAN or in your SSL?
        ExchServer, mydomain.com.au – clearly a ‘,’ in error and a space also.


        ARRConfig config –cert “path to the certificate file” –hostnames “host names for Exchange Server”–targetserver “server name of Exchange Server”

        So your example would be something like:

        ARRConfig Config –Cert C:\Users\Public\Downloads\CertFin.pfx –hostnames mail.mydomain.com.au, AutoDiscover.mis.local, AutoDiscover.mydomain.com.au

      • Michael says:

        Hi Again
        Here’s some feedback for others grappling with this. I recreated the certificate as per the following and after much frustration found the following got response from ARRConfig:

        ARRConfig config -cert C:\Users\Public\Downloads\CertNew.pfx -hostnames mail.mydomain.com.au,AutoDiscover.mydomain.com.au,mydomain.com.au

        Note that the c in -cert has to be lowercase. But no smiles just yet. ARRConfig then asked me for the password which it hadn’t done before. Entering the password got me the following error:
        ‘An error occurred while configuring the certificate’

        No errors recorded in IIS logs. Is there another way of doing this? I really appreciate your time on this Robert



      • i would try to manually install the pfx file into the certificates mmc to confirm the password, and verify the file.

      • Michael says:

        The certificate is confirmed, I know its fine. Thanks for all your help but I think I’m going to give up on this. I don’t know if its a V3 problem, but ARRConfig seems to have a mind of its own. Typing in the exact command as in my earlier post is now back to refusing to accept the syntax, and I’m losing confidence in the process. I’ll have to find another way.
        Thanks for your time and help

      • Michael says:

        Hi there again
        I just wanted to let you know I got AAR working at last and thought I would pass on some points to others who struggle with Certificates and configuring this product:

        Platform: Server 2012 Essentials virtual guest with Exchange 2013 on Server 2012 also as a VM guest

        1. First of all it has been written elsewhere that you can use a self-signed certificates with ARR for Exchange in this environment, which may or may not be true. However I bit the bullet and purchased a SAN certificate (from GoDaddy for $100) and it worked. The self –signed certificates just didn’t, no matter what I tried

        2. ARR will accept a SAN certificate with multiple domain names including .local

        3. For a GoDaddy certificate at $100 will only accept 5 names including the principle. Remove AutoDiscover.domain.local, you don’t need it.

        4. I found that cutting and pasting the Config command from a text file didn’t work for me – I had to type it in

        5. In my case I did not have to configure split DNS as Microsoft suggests. It works fine without it.

        6. Finally as tip on ActiveSync and in my case, iPhones. As this was new installation I couldn’t get them to work with or without ARR. This is not an ARR issue. I my case it was inheritance issue on the user name object in the Active Directory. Go to AD, Users and computers, first selecting Advanced view. Find and open the properties of the user account in question. Click on the Security Tab, Click Advanced, then Enable Inheritance, then Ok. You will get warnings about doing this, so try a test account If you feel uneasy

        Hope this helps. Thanks again for a fine article Robert

      • and thanks to you for your comments!

      • Trevor says:

        @Michael > Thanks…
        “4. I found that cutting and pasting the Config command from a text file didn’t work for me – I had to type it in”

        I just came to renew my cert and re-do my ARRconfig and had to revisit this thread. Yes I’m the same Trevor who posted helping others in 2013.
        My first attempt at pasting the command just kept telling me the syntax. I had even made sure I didn’t have any smart-quotes pasted in.

        Re-typed the whole command from scratch and it magically worked. Definitely a temperamental command!

  13. Trevor says:

    ARR3 appears to still want the same syntax. I’m still thinking certificate problem if you aren’t getting prompted for the password, perhaps it doesn’t like reading the PFX to get to the password prompt in the certificate API. I just hope the ARRConfig.txt helps. it should still be on your Essentials so no need to wait for Exch rebuild.

    • Tony Paletti says:

      Strange, I do not see the ARRConfig.txt file in the location you indicated:

      C:\ProgramData\Microsoft\Windows Server\Logs\ARRConfig.txt

      I will search the drive to see if I can find it elsewhere. I am still getting the same results when running the ARRconfig command. I will let you know if/when I find that log file, although I wonder if it is even being created if the program is not launching for some reason. Thanks again both of you for your help!

      • Tony Paletti says:

        I have no idea what I did differently, but I just tried the command again, and it prompted me for the certificate password this time and successfully configured IIS. It must have been a syntax error as Robert suggested, but if you look at my previous post, you can see exactly how I typed it because that was literally a cut-and-paste from my command prompt. Perhaps it needed a couple of extra reboots? Nevertheless, it is working now, and I thank you both for your help!

      • Mark A says:

        The ARR command is in different locations in R1 and R2

        In R1 its in the Program Files/Windows Server/Bin folder

        In R2 its actually in an Essentials Folder in the Windows system 32 folder c:/windows/system32/essentials

        And yes it is the most touchy command I encountered. You will type it once and it wont work then type it in again exactly the same way on the next line and suddenly it will work on both R1 and R2 (its really weird)

  14. Nile says:

    @Robert Pearman
    Hi, Robert

    Now I have a problem about the session in IIS ARR for Exchange 2013 in Win 2012. I add four Exchange servers. When I bring one of my CAS online, I get session expired when I logon OWA. The problem occurs only in this one server. If I take this server offline. It is OK for logging on via the ARR server. But if I only bring this CAS online, I also can logon via the ARR server, and I also can logon via this CAS server. I have a single certificate for all Exchange servers. Do you have any suggestion for my problem?

    Thank you.

    • I don’t imagine this is a tested/supported scenario. I dont know Exchange in enough detail to know how it would handle multiple CAS servers sharing the same public name. What i would suggest is you test it with a single CAS Server, and then investigate Exchange Config to handle multiple CAS Servers – i would imagine it is possible to make it work.

      • Nile says:

        Yes, single CAS server works good, But when it is online with other CAS sers, OWA didn’t work as once logon then logoff, now I just use CAS NLB domain name online and it works good. I did’t see exceptions in IIS logs and din’t find the reason why. Thank you.

  15. Jeremy Flaugh says:


    I need some help with ARR
    When I run this command C:\Windows\System32\Essentials>ARRConfig Config -Cert d:\cert.pfx -hostnames exchange.flaughs2000.com

    I get this reply

    ARRConfig config -cert -hostnames [,name2,…nameN] [-target
    server ]
    ARRConfig unconfig
    ARRConfig config -cert “c:\tmp\certificate.pfx” -hostnames “www.contoso.com,mail
    ARRConfig config -cert “c:\tmp\certificate.pfx” -hostnames “www.contoso.com,mail
    .contoso.com” -targetserver MyExchangeServer

    I have tried everything to get this to work.

    My setup
    2012 WSE R2
    exchange 2013

    Thanks for your time.

    • Can you put the hostname inside quotes?
      ARRConfig Config -Cert d:\cert.pfx -hostnames “exchange.flaughs2000.com”

      • Jeremy Flaugh says:

        Yep tried that
        c:\Windows\System32\Essentials>ARRConfig Config -Cert d:\exchange.flaughs2000.co
        m.pfx -hostnames “exchange.flaughs2000.com”

        c:\Windows\System32\Essentials>ARRConfig Config -Cert “d:\exchange.flaughs2000.c
        om.pfx” -hostnames “exchange.flaughs2000.com”

        I even exported my cert again also as you can see the change in the path name.

        Thanks for the reply Robert

      • can you check that on the cert file properties you do not have the option to ‘unblock’.

      • Jeremy Flaugh says:

        I know what your talking about but no there is no unblock option.

      • not sure then, id happily take a look remotely for you if we can arrange a suitable time, but i cant promise i could make it work.

      • Jeremy Flaugh says:

        That will work can you see my registered email address?

  16. Mark says:

    Type the command in it never works cut an paste

    Try not pulling the cert from the root of a drive, drive roots have more security in win8, server 2012 range of products (hence its difficult to share the root of a drive in win8)

    Did you save the pfx from the Exchange Administration centre? in server>certificates you must export the exchange cert using only the Exchange Centre not through IIS.

    Have you imported the trusted root cert into your essentials box? without it being in trusted certificates ARR wont work.

    Type it exactly like the suggested syntax when it errors and gives you the suggestion.

    • Jeremy Flaugh says:

      I copied and pasted and hand typed both fails.

      I moved the cert to c:/cert no go

      Yes I exported it from EMC

      I did not have the root certs but I do now but still fails.

      • Mark says:

        c: is still a drive root. Move it to another folder like downloads

        Are you getting the same error? The error you indicated in your posts above suggests incorrect syntax? Arr gives of a couple of different error messages has it been the same error all along?

        Also did you rename your domain from .local to .com internally? (im assuming this is an internal exchange server)

        Try rebooting the essentials box now that the root cert is in trusted and try again


  17. Mark says:

    Correction for above, the hostnames I can see is your external name for your mail server. Renaming internally should affect this so don’t worry about point 3.

    Put the cert in c:\users\name\downloads or c:\temp or something not c: or d: root.

    Root cert from your CA is requirement for ARR to work (it can’t bind a reverse proxy website to something it doesn’t trust) so it would have never worked before that so your headed in the right direction.

  18. Mark says:

    “shouldn’t affect”

  19. Mark says:

    also look here for possible solutions forum with people experiencing same issue:


    Another q too can u see your exchange server as online in the essentials dashboard? (ie its properly joined and split dns is set up?)

  20. Mark says:

    Some people in that above link talk about exchange integration on the essentials box. I can say that every time I have followed the MS instructions as they stand I have done Integration first then configure ARR I’m assuming you did this?

Leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: