Request and Import a new UC certificate
Generate the Cert Request (CSR)
1. On one Mailbox Server, open the Exchange Admin Center (EAC) and navigate to Servers > Certificates.
2. Click the “+” button.
3. Choose to create a request for a certificate from a certification authority
4. Enter a friendly name for the cert (can be anything you want). You’ll see this name in the list of certificates installed on the server, so make it something that you will easily recognize; maybe call your new certificate something like “Exchange 2016 UC Cert”.
Although you can technically use a Wildcard cert, don’t select Wildcard – it makes things painful later on.
5. Choose a server to store the cert request on. This server will be used to complete the request, and will be the first server that has the certificate installed.
6. Now, just hit “Next” because we’ll select the SSL names on the next screen.
7. At the next step you can select and remove any unwanted names, edit existing names, or add more names to the certificate request.
The most important ones are the namespaces you chose in the Set Namespace section (in this guide, mail.domain.com and autodiscover.domain.com).
**Note** The server’s own hostname will be listed by default; leaving it in won’t hurt anything as long as it is a public name (a public CA will refuse to issue for an internal-only name, so remove it if it isn’t). You’ll also need to add any extra domains you will be using, for instance us.domain.com or domain.org.
Most providers charge for each additional domain name, so include only the names you actually need.
8. Enter your Organization info.
9. Enter a UNC path to save the request on: \\EXCH-MBX-01\c$\temp\exchcert.req
10. Click Finish and submit that .req to your Certificate Authority like DigiCert or GoDaddy.
Complete the Pending Cert Request
1. Download the cert file provided from your CA to C:\Temp
2. In the EAC, go to Servers > Certificates
3. Click the Pending Request, and in the right-hand pane, click Complete near the bottom.
4. Enter the UNC for the cert file: \\EXCH-MBX-01\c$\temp\newcert.cer
If successful, it will show as “Valid”.
Assign the Cert to Services
Once your cert is installed, you can assign it to Exchange services such as IIS, SMTP, etc.
1. Still in Servers > Certificates, select the new SSL cert, and click the “Pencil” button.
2. Check every box that you need – most times you’ll need IIS, SMTP, POP, IMAP. If you run UM, check those too.
3. Click “Save”.
4. You will be prompted to overwrite the existing SMTP certificate; click “Yes”.
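The same three steps (generate the request, complete it, assign services) can be done from the Exchange Management Shell, which is handy when you have several Mailbox servers. This is an added example and not code from the original post; it assumes the server name EXCH-MBX-01, the names mail.domain.com and autodiscover.domain.com, a placeholder organization “Contoso”, and the file paths used in the EAC steps above.

```powershell
# Added example (not from the original post): EMS equivalent of the EAC steps.
# Run in the Exchange Management Shell on the Mailbox server that will hold the key.
# Assumed values: server EXCH-MBX-01, names mail.domain.com / autodiscover.domain.com,
# organization "Contoso" (placeholder), CA-issued file C:\Temp\newcert.cer.

$Server       = 'EXCH-MBX-01'
$FriendlyName = 'Exchange 2016 UC Cert'
# Only the names you need: each extra SAN usually costs money (no wildcard, as the post advises).
$Names        = @('mail.domain.com', 'autodiscover.domain.com')

# 1. Generate the CSR. -PrivateKeyExportable lets you export a .pfx later for the
#    other Mailbox servers and the load balancer; 2048-bit RSA is the sensible minimum.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest `
         -FriendlyName $FriendlyName `
         -SubjectName "C=US, O=Contoso, CN=$($Names[0])" `
         -DomainName $Names `
         -PrivateKeyExportable $true `
         -KeySize 2048

# Write the Base64 request to the same UNC path the EAC steps use.
Set-Content -Path "\\$Server\c$\temp\exchcert.req" -Value $csr -Encoding Ascii

# ... submit exchcert.req to your CA and save the issued cert as C:\Temp\newcert.cer ...

# 2. Complete the pending request. -FileData takes the raw bytes of the CA's file.
$cert = Import-ExchangeCertificate -Server $Server `
          -FileData ([byte[]](Get-Content -Path "\\$Server\c$\temp\newcert.cer" -Encoding Byte -ReadCount 0))

# 3. Assign services. SMTP normally prompts to overwrite the default cert; -Force answers "Yes".
#    Add UnifiedMessaging, UMCallRouter if you run UM.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
  -Services IIS, SMTP, POP, IMAP -Force

# 4. Verify: Status should be Valid, every name you paid for should appear in
#    CertificateDomains, the services should be listed, and it must not be self-signed.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
  Format-List FriendlyName, Status, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
```

If Status shows anything other than Valid, the usual causes are a missing intermediate certificate from the CA (install the CA’s intermediate bundle in the Local Machine store and re-check) or completing the request on a different server than the one it was generated on, which leaves the private key behind.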
Configure Outlook Anywhere
1. In the EAC, go to Servers, and double-click your first server.
2. Choose Outlook Anywhere.
3. Set the Internal and External host names to the namespace you chose in the Set Namespace section, e.g. mail.domain.com.
4. Set the authentication method to NTLM.
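Outlook Anywhere must be set identically on every Mailbox server behind the load balancer, so it is worth doing this from the shell rather than clicking through each server. This is an added example, not code from the original post; it assumes the namespace mail.domain.com.

```powershell
# Added example (not from the original post): configure Outlook Anywhere on all
# Mailbox servers at once. Assumed namespace: mail.domain.com.
$Namespace = 'mail.domain.com'

# Get-OutlookAnywhere returns one object per server; piping it to Set-OutlookAnywhere
# applies the same namespace and NTLM client authentication everywhere.
Get-OutlookAnywhere | Set-OutlookAnywhere `
  -InternalHostname $Namespace `
  -ExternalHostname $Namespace `
  -InternalClientsRequireSsl $true `
  -ExternalClientsRequireSsl $true `
  -InternalClientAuthenticationMethod Ntlm `
  -ExternalClientAuthenticationMethod Ntlm

# Check that every server agrees. A hostname here that is not in the certificate's
# SAN list is the most common cause of the certificate prompt the post warns about.
Get-OutlookAnywhere | Format-Table Server, InternalHostname, ExternalHostname, `
  InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod, ExternalClientsRequireSsl -AutoSize
```

Requiring SSL on both the internal and external side keeps NTLM from ever being negotiated over a plaintext HTTP connection, which is the setting you want when the namespace is published through the load balancer.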
Import certificates on the Load Balancer
Each Load Balancer is different, but for Kemp follow these steps:
1. Export your certificate from Exchange.
On the Load Balancer:
2. Go to Virtual Services > View/Modify Services.
3. Click the Add New button under the Certificate Installed Column.
4. Click Import Certificate in the upper-right, then next to Certificate File, click Browse.
5. Select your .pfx file that you exported from Exchange, input the passphrase, and specify the cert name: Exchange 2016 UC Cert
6. Click “Save”
7. On the Cert Config screen, select the VIP in the “Available VSs” and hit the right arrow to move it to the Assigned VSs box.
8. Save Changes
9. Now back at the View/Modify Services page, you can see the cert is assigned to the VIP.
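Step 1 above (exporting the certificate) is also the point at which you copy the certificate to the other Mailbox servers, since the EAC only installed it on the server you chose when generating the request. The following is an added example, not code from the original post; it assumes the friendly name “Exchange 2016 UC Cert”, a source server EXCH-MBX-01, one additional server EXCH-MBX-02, and the \\EXCH-MBX-01\c$\temp share used earlier.

```powershell
# Added example (not from the original post): export the UC cert with its private
# key as a .pfx, import it on the remaining Mailbox servers, and keep the .pfx for
# the load balancer upload. Assumed: friendly name 'Exchange 2016 UC Cert',
# source EXCH-MBX-01, target EXCH-MBX-02, share \\EXCH-MBX-01\c$\temp.
$FriendlyName = 'Exchange 2016 UC Cert'
$Source       = 'EXCH-MBX-01'
$Targets      = @('EXCH-MBX-02')
$PfxPath      = "\\$Source\c$\temp\exchcert.pfx"

# Prompt for the passphrase instead of hard-coding it: the .pfx contains the private key.
$Password = Read-Host -AsSecureString -Prompt 'PFX passphrase'

$cert = Get-ExchangeCertificate -Server $Source |
          Where-Object { $_.FriendlyName -eq $FriendlyName -and -not $_.IsSelfSigned }
if (-not $cert) { throw "Certificate '$FriendlyName' not found on $Source" }
if (-not $cert.PrivateKeyExportable) {
    throw 'Private key is not exportable; the request must be regenerated with -PrivateKeyExportable $true'
}

# -BinaryEncoded produces a PKCS#12 (.pfx) blob; the bytes are in .FileData.
$pfx = Export-ExchangeCertificate -Server $Source -Thumbprint $cert.Thumbprint `
         -BinaryEncoded -Password $Password
Set-Content -Path $PfxPath -Value $pfx.FileData -Encoding Byte

# Import on every other Mailbox server and assign the same services, so each node
# behind the VIP presents the same certificate.
foreach ($t in $Targets) {
    $imported = Import-ExchangeCertificate -Server $t -Password $Password -PrivateKeyExportable $true `
                  -FileData ([byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Server $t -Thumbprint $imported.Thumbprint -Services IIS, SMTP, POP, IMAP -Force
}

# $PfxPath is the file to pick on the Kemp "Import Certificate" screen (step 5 above).
# Remove it from the share as soon as the upload is done; it holds the private key.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint -Server $Source | Format-List Services, Status
```

Every Mailbox server must carry the same thumbprint; if one node is left with the self-signed certificate, clients will get the certificate prompt only when the load balancer happens to send them to that node, which makes the problem intermittent and hard to trace.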
Now test with ping and nslookup to ensure that mail and autodiscover resolve to the load balancer, then open OWA and Outlook to make sure you don’t get any certificate prompts.
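A ping only proves the name resolves; what actually decides whether Outlook prompts is the certificate the VIP presents. The check below, an added example and not code from the original post, resolves each name, completes a real TLS handshake against it with normal chain validation, and confirms the name is in the certificate’s SAN list. It assumes the names mail.domain.com and autodiscover.domain.com and a VIP of 192.0.2.10 (a documentation address; substitute your own).

```powershell
# Added example (not from the original post): DNS + TLS verification of the
# published namespaces from a client machine. Assumed names mail.domain.com and
# autodiscover.domain.com, assumed VIP 192.0.2.10.
$Names = @('mail.domain.com', 'autodiscover.domain.com')
$Vip   = '192.0.2.10'

function Test-ExchangeEndpoint {
    param([string]$HostName, [string]$ExpectedVip)

    # DNS must point at the load balancer, not at an individual Mailbox server.
    $addrs = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop).IPAddress

    # Full TLS handshake. No validation callback is supplied, so an untrusted chain,
    # an expired cert, or a name mismatch throws here exactly as it would for Outlook.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Subject Alternative Name is OID 2.5.29.17; Format() yields "DNS Name=a, DNS Name=b".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans   = if ($sanExt) { ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }

    [pscustomobject]@{
        Host       = $HostName
        ResolvesTo = ($addrs -join ',')
        DnsIsVip   = ($addrs -contains $ExpectedVip)
        Subject    = $cert.Subject
        NameInSan  = ($sans -contains $HostName)
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $cert.Thumbprint
    }
}

$Names | ForEach-Object { Test-ExchangeEndpoint -HostName $_ -ExpectedVip $Vip } | Format-Table -AutoSize
```

Run it from both an internal client and, if you can, an external one: DnsIsVip and NameInSan should be True for every name, the Thumbprint should match the UC cert you imported on the Kemp, and an AuthenticationException from the handshake means the load balancer is still serving a different certificate than you think.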
You should now have your Exchange Resource Forest set up and functioning behind your Load Balancer, with mail flowing in and out through your Edge server.
Now create some linked mailboxes by following my previous post: