Exchange Server Forums
Autodiscover configuration (for lack of a better description)
Autodiscover configuration (for lack of a better discri... - 10.Apr.2007 5:52:52 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Slowly progressing (debatable sometimes) through 2007 configuration. I previously posted about certificate warnings I was getting with Outlook 2007. That had turned out to be because I had installed my SSL certificate on the default web site. I followed Sembee's great guide, http://www.sembee.co.uk/archive/2007/01/21/34.aspx, concerning setting up a secondary and 3rd virtual directory to host external services (OWA, ActiveSync, etc.) and the 3rd for Autodiscover.

Here is the problem I am running into now: I have one external IP. I also have a redirect on port 80 (HTTP) to be redirected to 443 (HTTPS) for OWA (i.e. the user just has to put in http://mail.domain.com and will be redirected to https://mail.domain.com/owa). So I can't figure out how to configure the router, since any request on my one external IP on ports 80 or 443 is internally routed to the 'External' virtual directory with OWA & ActiveSync and not the 3rd Autodiscover VD. Thanks for the help
RE: Autodiscover configuration (for lack of a better di... - 13.Apr.2007 3:22:56 PM
Helinium
Posts: 4
Joined: 29.Mar.2007
Status: offline
You just need multiple external IP addresses. You can't host multiple SSL on one external IP address. Internally you can, but externally you just need more than one to use Autodiscover and ActiveSync. I think you can host the SSL on, for example, port 444, but I don't think that you want that. Then you have to use https://autodiscover.domain.com:444
RE: Autodiscover configuration (for lack of a better di... - 15.Apr.2007 11:52:08 AM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Well I have spent quite a bit of time surfing TechNet and any other references to Autodiscover, and the information out there is in one word: lacking. Granted, at this point it seems that the only thing taking advantage of this is Outlook 2007; it seems the next version of Windows Mobile (Crossbow) will have it, but for the moment it's just Outlook 2007. Would anyone like to explain the setup of external and internal DNS entries, router capabilities and settings, and general IIS configurations?

I found an extract from Henrik's book which details setting up 3 VDs in IIS: one for the default web site (internal), an external one (OWA, OAB, AS), and one for Autodiscover. Each of these has its own internal IP, for example:
10.10.0.1 - Default
10.10.0.2 - External
10.10.0.3 - Autodiscover
I get it up to this point. Now, as explained above, if I have in my external DNS:
mail.domain.com - for OWA
autodiscover.domain.com - for the Autodiscover service
In my router (a Linksys, for testing purposes) 80 & 443 are forwarded to 10.10.0.2.

This is where it becomes unclear: since both should be on SSL (external & Autodiscover), what do you need so that this works? It would seem that you need 2 external IPs (one for 10.10.0.2 & one for 10.10.0.3) as well as a router that allows multiple NAT, such that the internal network is sitting behind one external IP, and the router does a NAT for the second external IP to 10.10.0.3 for the Autodiscover? I don't think my Linksys does this, but I know my bigger firewall does. Or would running ISA be able to deal with this? I have not used ISA, so I am uninformed whether this is possible. Thanks
RE: Autodiscover configuration (for lack of a better di... - 24.Apr.2007 11:15:33 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Well, after more research I can only pretty much confirm what I put in my last post. I'm really surprised that no one has been able to publish how to get a real CAS Exchange installation going with Autodiscover, OWA, Outlook Anywhere and ActiveSync, both from an internal as well as an external perspective!

Anyways, to sum up from what I think I know: most places are saying that if you set up another VD in IIS (2 total - default web site and external) for all internet-facing services, you will need an SSL certificate that has 'Subject Alternative Name'; the necessary one will be autodiscover.domain.com and then one for OWA such as mail.domain.com or owa.domain.com. Current cost of SAN SSL certificates = $600USD/year (for 4 SAN) or $300/year (for 2 SAN). If you go with 3 sites (default, external, autodiscover) you can then get 2 simple $20USD SSL certificates, one for autodiscover.domain.com and another for mail.domain.com. However, now you have 3 internal IPs which have to be mapped to external IPs. Since only ports 80 & 443 are used, you might get away with redirecting 80 to the autodiscover IP and 443 to the external IP. However, in my setup I have a redirect on port 80 to 443 for OWA so that users do not need to remember to put https. In this case it seems that I need a 2nd external IP to come in and be NATed across the router to the autodiscover IP.

My last hope now (since I neither wish to pay $600/year, nor can I easily get another static IP) is ISA; since I have not used it before, I am hoping that perhaps it will allow me to do the redirection mentioned above. If anyone can add or confirm any of this information I would be very grateful
RE: Autodiscover configuration (for lack of a better di... - 27.Apr.2007 12:34:52 PM
t0ta11ed
Posts: 288
Joined: 2.Feb.2007
From: Mars
Status: offline
Interesting, I use a single SSL cert for all services and a single outside IP address. Autodiscover, OWA, and Outlook Anywhere work just fine.
RE: Autodiscover configuration (for lack of a better di... - 27.Apr.2007 12:52:28 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Hi t0ta11ed, can you expand on how your Exchange and IIS are set up, what clients you are using (Outlook 2003/7?), and also what type of SSL certificate you are using? As far as I understand, the Autodiscovery is looking for an SSL certificate of autodiscover.domain.com, and any other CN will produce a security error. Thanks
RE: Autodiscover configuration (for lack of a better di... - 27.Apr.2007 1:16:33 PM
t0ta11ed
Posts: 288
Joined: 2.Feb.2007
From: Mars
Status: offline
I'm using the default websites and a mixed environment of Outlook 2k7 and 2k3. The cert is from RapidSSL. Autodiscover searches more than one URL, including autodiscover.domain.com. All that was required was a zone in internal DNS for autodiscover.domain.com with a CNAME to our mail server, and Autodiscover works fine. You can also change the Autodiscover URL to whatever you like using the Exchange Management Shell.
RE: Autodiscover configuration (for lack of a better di... - 27.Apr.2007 1:46:23 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
I would love to get a look at your setup to see how everything is working. Is your cert something like owa.domain.com? If so, I don't understand how Outlook 2007 is connecting on the LAN (RPC) without giving a security alert, since the cert is not server.domain.com, unless your CAS server is called owa? Do you mean that you created a zone for autodiscover.domain.com or a host record (A) for autodiscover to the CAS server? And your external DNS entries - how are they set up?
RE: Autodiscover configuration (for lack of a better di... - 27.Apr.2007 2:00:53 PM
t0ta11ed
Posts: 288
Joined: 2.Feb.2007
From: Mars
Status: offline
quote:
Do you mean that you created a zone for autodiscover.domain.com or a host record (A) for autodiscover to the cas server?

I created a zone and then a CNAME for it to the A record of the mail server. The cert is for mail.domain.com; the internal and external DNS contain records for this domain name. The domain on the cert must match the FQDN set for the server.

Refer to one of my previous posts regarding Autodiscover; relevant info is near the bottom (last two posts): http://forums.msexchange.org/m_1800412268/mpage_1/key_Autodiscover/tm.htm#1800434101

Refer to this one for info about the cert: http://forums.msexchange.org/m_1800431120/mpage_1/key_/tm.htm#1800431120

Hope that helps.
< Message edited by t0ta11ed -- 27.Apr.2007 2:04:18 PM >
RE: Autodiscover configuration (for lack of a better di... - 1.May2007 9:23:18 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Ok, I think I'm slowly getting it (my two brain cells are working on it). I created the zone and added the CNAME. One question from that is: when you select the target host, are you pointing to the A record of the server name (i.e. mx1.domain.com) or to the A record for the cert name, i.e. mail.domain.com?

quote:
The domain on the cert must match the FQDN set for the server

Do you mean that the server name has to be the same as the cert? I.e. if the cert is for mail.domain.com, that the server name has to be 'mail', or do you just mean that you need a DNS entry (A record) to point mail.domain.com to your CAS server? Also, are all of your URLs, both for internal and external, using mail.domain.com, or are you using some mx1.domain.com for internal use? Thanks
RE: Autodiscover configuration (for lack of a better di... - 2.May2007 3:23:31 PM
t0ta11ed
Posts: 288
Joined: 2.Feb.2007
From: Mars
Status: offline
quote:
ORIGINAL: TwoJ
Ok I think i'm slowly getting it (my two brain cells are working on it) I created the zone and added the cname - 1 question from that is - when you select the target host are you pointing to the a record of the server name (ie - mx1.domain.com) or to the A record for the cert name, ie mail.domain.com?

I used an existing A record for mail.domain.com. Whatever you use probably doesn't matter to Autodiscover; it just needs a way to resolve the URL it is trying to find. For that matter, you can also simply change the URL Autodiscover is using.

quote:
Do you mean that the server name has to be the same as the cert? Ie if the cert is for mail.domain.com that the server name has to be 'mail' or you just mean that you need a DNS entry (A record) to point mail.domain.com to your CAS server?

The FQDN is not the same as the machine name. You set the FQDN in the properties of each send/receive connector in the Exchange Management Console. This FQDN should match the name used on the cert. The FQDN is what the mail server will use in response to connections. Telnet to the server and send the ehlo command; it'll respond with whatever the FQDN is set to.

quote:
Also are all of your URLs, both for internal and external using the mail.domain.com or are you using some mx1.domain.com for internal use?

All URLs for things like OWA, etc. are using mail.domain.com. This is so that the cert matches the URL and will encrypt the connection. External DNS points mail.domain.com to the public IP of the mail server. Internal DNS contains records for both mail.domain.com and the internal name (i.e. mx1.domain.local). I mostly did this to make things easier on end users. You can tell them to use mail.domain.com instead of a complicated internal domain name like mx1.domain.name.local or whatever. Internal Outlook clients will simply resolve mail.domain.com to mx1.domain.com anyway.
RE: Autodiscover configuration (for lack of a better di... - 17.Jun.2007 5:53:32 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
Sorry it took so long to get back. I was having a stability problem with my server (Asus M2N-SLI, AMD processor), it kept on rebooting every few days???, anyways I got another server, Intel this time; far too many weird issues with nVidia stuff. Anyways, I re-installed Exchange 2007 from scratch again. I kept notes on pretty much all changes done, so at least I can re-create the same setup (mistakes!) again.

I followed your advice, t0ta11ed, and it is *almost* working. The Outlook 2007 clients are connecting properly; however, the Autodiscover service is still giving a security alert when connecting from the internet. It gives an SSL certificate name mismatch: the cert is for mail.domain.com and on the security alert error box it has autodiscover.domain.com. I did as you suggested and switched all the URLs to mail.domain.com, including the internal URL for Autodiscover; however, I don't see any way to change the external URL used? Also, I have an external DNS A record for autodiscover.domain.com that points to my external IP. I am wondering if removing this, or changing it to a CNAME to point to mail.domain.com in the external DNS entries, would help the situation. So close!!! Any suggestions???
RE: Autodiscover configuration (for lack of a better di... - 18.Jun.2007 9:20:09 AM
t0ta11ed
Posts: 288
Joined: 2.Feb.2007
From: Mars
Status: offline
Change the URL Autodiscover is using in the EMS:
    Set-WebServicesVirtualDirectory -Identity "EWS *" -ExternalUrl "https://mail.domain.com/ews/exchange.asmx" -InternalUrl "https://mail.domain.com/ews/exchange.asmx"
RE: Autodiscover configuration (for lack of a better di... - 18.Jun.2007 9:31:00 AM
Henrik Walther
Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Bear in mind that you can get SAN certificates for $200 per year now... See more here: http://support.microsoft.com/kb/929395/en-us BTW, I'm currently writing an article explaining how you request, submit and install a SAN certificate on an Exchange 2007 CAS. It should be ready in the near future.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!
RE: Autodiscover configuration (for lack of a better di... - 18.Jun.2007 3:26:34 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
t0ta11ed - Sorry, that's not it :-(, I already changed those URLs. I turned on logging in Outlook and this is part of the log:

    Thread  Tick Count  Date/Time          Description
    1476    835411      06/18/07 08:24:39  Autodiscover to https://domain.com/autodiscover/autodiscover.xml starting
    1476    856631      06/18/07 08:25:01  Autodiscover to https://domain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
    1476    856631      06/18/07 08:25:01  Autodiscover to https://autodiscover.domain.com/autodiscover/autodiscover.xml starting
    1476    896208      06/18/07 08:25:40  Autodiscover XML Received

As I mentioned, I have an A record in my external DNS for autodiscover to point to my IP. Do you have any external autodiscover entries for DNS? Do you know what URL Outlook is getting for autodiscover.xml when it is connecting from the internet? As far as I understand, Outlook is hard-coded to search at either domain.com/autodiscover or autodiscover.domain.com for the autodiscover.xml, meaning that you would need a cert for domain.com or autodiscover.domain.com.

Henrik - I appreciate the suggestion; however, I will consider it after. I truly find that most CA roots are really cashing in on the need of most companies now to present SSL certs. I think the prices are highly inflated, and to have some CAs charging $600 for SAN because a simple $20 cert can no longer be used just adds to my overall feeling that the whole CA root structure should be revamped.
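The Outlook log above shows the two URLs the client tries in order, and the earlier exchange with t0ta11ed raised a single mail.domain.com certificate plus a CNAME for autodiscover as a workaround. The script below is an added example, not code from this thread, from Microsoft, or from Outlook itself. It models the two pieces that decide whether the security alert appears: the candidate URL order as seen in the log, and RFC 2818-style matching of the host name in the URL against the names carried in the certificate. It follows a constructed DNS CNAME chain as well, to show that a CNAME changes which address the client connects to but not the name it verifies; the name that has to appear in the certificate is always the host in the URL. The three certificates, the DNS records and the 203.0.113.10 address are constructed sample data, and the `domain.com` SMTP domain is the thread's placeholder. Python is used here because the point is certificate name matching rather than Exchange configuration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample data (not from the thread): the names carried in three
# hypothetical certificates and a small DNS zone. 203.0.113.0/24 is a
# documentation range, so the address is a placeholder.
SINGLE_NAME_CERT = ["mail.domain.com"]
SAN_CERT = ["mail.domain.com", "autodiscover.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

SAMPLE_DNS = {
    "domain.com": "203.0.113.10",
    "mail.domain.com": "203.0.113.10",
    "autodiscover.domain.com": "mail.domain.com",  # CNAME to the mail host
}


def autodiscover_candidates(smtp_domain):
    """The two URLs Outlook 2007 tried, in the order shown in the thread's log."""
    return [
        f"https://{smtp_domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{smtp_domain}/autodiscover/autodiscover.xml",
    ]


def _is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve(name, dns, max_hops=8):
    """Follow CNAME-style aliases until an address is found; None if unresolvable."""
    current = name.lower()
    for _ in range(max_hops):
        target = dns.get(current)
        if target is None:
            return None
        if _is_address(target):
            return target
        current = target.lower()
    return None


def hostname_matches(hostname, cert_names):
    """RFC 2818-style check of the *requested* host name against the certificate.

    Exact matches are case-insensitive. A wildcard may only replace the
    left-most label, so *.domain.com covers autodiscover.domain.com but
    neither domain.com nor a.b.domain.com.
    """
    host_labels = hostname.lower().split(".")
    for name in cert_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host_labels[1:]:
            return True
    return False


def check_autodiscover(smtp_domain, cert_names, dns):
    """Report, per candidate URL, where it resolves and whether the cert name fits."""
    report = []
    for url in autodiscover_candidates(smtp_domain):
        host = urlparse(url).hostname
        report.append({
            "url": url,
            "resolves_to": resolve(host, dns),
            "name_ok": hostname_matches(host, cert_names),
        })
    return report


def first_clean_candidate(smtp_domain, cert_names, dns):
    """First URL that both resolves and passes the name check, or None."""
    for entry in check_autodiscover(smtp_domain, cert_names, dns):
        if entry["resolves_to"] and entry["name_ok"]:
            return entry["url"]
    return None


if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("SAN", SAN_CERT),
                         ("wildcard", WILDCARD_CERT)):
        print(f"{label} certificate {names}:")
        for entry in check_autodiscover("domain.com", names, SAMPLE_DNS):
            print(f"  {entry['url']}: resolves_to={entry['resolves_to']} name_ok={entry['name_ok']}")
        print("  first clean candidate:", first_clean_candidate("domain.com", names, SAMPLE_DNS))
```

With the single-name certificate neither candidate passes the name check even though the CNAME resolves to the mail server's address, which is the mismatch the alert box reports. With the SAN or wildcard certificate the second candidate passes, and nothing in DNS or in the virtual directory URLs has to change for that. The wildcard does not cover the bare domain.com candidate, so that first attempt still fails the name check before the client moves on.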
RE: Autodiscover configuration (for lack of a better di... - 18.Jun.2007 8:26:58 PM
DrShinder
Posts: 41
Joined: 25.Jul.2006
Status: offline
Where in the Exchange Management Console do you configure the Autodiscover address? Thanks! Tom
RE: Autodiscover configuration (for lack of a better di... - 19.Jun.2007 11:47:32 PM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
DrShinder - you can't modify the Autodiscover internal URL through the EMC, only the EMS; look for:
    Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://...."
RE: Autodiscover configuration (for lack of a better di... - 20.Jun.2007 12:03:55 AM
TwoJ
Posts: 46
Joined: 21.Feb.2007
Status: offline
OK - I think I have done it!!!! Exchange 2007 with OWA, AS, OAB, ActiveSync, & Outlook Anywhere running on 1 SSL certificate ($20 - GoDaddy), and through 1 external (public) IP. I have tested this with Outlook 2007, Windows Mobile 2003SE, and OWA. I have not tested this on Outlook 2003 yet; however, I don't foresee any problems. I have not extensively tested everything yet, but it seems there are no security alerts, no sync issues, and no connection errors coming up.

The only thing so far is that I am used to Outlook 2003 RPC over HTTP, which seems pretty fast (I should time it on my production machine); however, on Outlook 2007 using Outlook Anywhere it seems pretty slow, maybe 1:00 to 1:15 to connect and another 0:45s to synchronize. So 2 mins before you are up & running. Could someone verify if this is normal or slow? It seems I had a much faster connection in my first Exchange 2007 deployment. Anyways, I will probably post a little guide when I get a few more things worked out and a bit more time.
RE: Autodiscover configuration (for lack of a better di... - 20.Jun.2007 11:13:28 AM
DrShinder
Posts: 41
Joined: 25.Jul.2006
Status: offline
Hi TwoJ, Thanks! Tom