When you have an Internet-facing Exchange 2010 Client Access Server you will most likely have a third-party certificate installed on that CAS server. Each time the certificate is requested its validity is checked, and that check contacts a web server of the Certificate Authority (the CRL distribution point).
When you have a Threat Management Gateway (TMG) 2010 server in front of the CAS server, all HTTP(S) traffic is routed via the TMG server: it is the default gateway on the network interface, and in Internet Explorer you configure the TMG server as the HTTP proxy.
This works fine for normal HTTP traffic, but when you install a certificate on the Client Access Server it fails with the error message “The certificate is invalid for Exchange Server usage”. The cause is that the CA check is not ordinary browser HTTP traffic: it is made by the system through the WinHTTP stack, which ignores the Internet Explorer proxy settings.
To resolve this issue the WinHTTP proxy needs to be set, which can be done with the NETSH utility. The general syntax is (placeholders in angle brackets, where <local> is the keyword that excludes single-label intranet names from the proxy):
netsh winhttp set proxy <proxy server>:8080 "<local>;<host>;<domain>"
For example, with TMG2010 as the proxy and the CAS server and its domain on the bypass list:
netsh winhttp set proxy TMG2010:8080 "<local>;CAS2010.labs.local;labs.local"
NETSH echoes the resulting configuration, like this:
Current WinHTTP proxy settings:
    Proxy Server(s) : TMG2010:8080
    Bypass List     : <local>;cas2010.labs.local;labs.local
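The same change as a script, with a check that the revocation data can actually be fetched afterwards; this is an added example and not part of the original post. It assumes the proxy TMG2010:8080 and bypass entries from the post, plus a certificate subject filter of '*cas2010*' to find the CAS certificate in the machine store.

```powershell
# Added example (not from the original post): set the WinHTTP proxy on an
# Exchange 2010 CAS behind TMG and verify that CRL retrieval now works.
# Assumed values: proxy TMG2010:8080, bypass entries cas2010.labs.local and
# labs.local (from the post), and a subject filter of '*cas2010*' (assumption).
param(
    [string]   $ProxyServer  = 'TMG2010:8080',
    [string[]] $BypassHosts  = @('cas2010.labs.local', 'labs.local'),
    [string]   $SubjectMatch = '*cas2010*'
)

# '<local>' keeps single-label (intranet) names off the proxy; the CAS and
# domain names are added so CAS-to-CAS and AD traffic never leaves the LAN.
$bypass = (@('<local>') + $BypassHosts) -join ';'

Write-Host "WinHTTP proxy before:"
netsh winhttp show proxy

# Same command as in the post; named arguments avoid positional mistakes.
netsh winhttp set proxy "proxy-server=$ProxyServer" "bypass-list=$bypass"
if ($LASTEXITCODE -ne 0) { throw "netsh winhttp set proxy failed ($LASTEXITCODE)" }

Write-Host "WinHTTP proxy after:"
netsh winhttp show proxy

# Verification: export the CAS certificate and let CryptoAPI fetch its CRL and
# AIA URLs. certutil goes through WinHTTP, so this exercises the new setting.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $SubjectMatch } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject like $SubjectMatch in LocalMachine\My" }

$cerPath = Join-Path $env:TEMP 'cas-check.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.RawData)   # DER public certificate only

$result = certutil -urlfetch -verify $cerPath 2>&1 | Out-String
Remove-Item $cerPath -ErrorAction SilentlyContinue

# certutil marks each unreachable CRL/AIA URL with a 'Failed "..."' line, even
# when the command itself completes successfully, so check the text too.
if ($LASTEXITCODE -ne 0 -or $result -match 'Failed "') {
    Write-Warning "Revocation data could not be retrieved through proxy $ProxyServer"
    $result -split "`n" | Where-Object { $_ -match 'Failed|Error' } | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "CRL/AIA retrieval succeeded; the CAS certificate should now validate."
}

# On the CAS itself, Exchange's own view of the certificate can be re-checked.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate | Format-Table Thumbprint, Status, Services -AutoSize
}
```

Run it from an elevated prompt on the CAS server; the WinHTTP proxy is a machine-wide setting and is not picked up from the user's Internet Explorer configuration.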