RSS Subscription 167 Posts and 2,643 Comments

Publishing Exchange 2007 Autodisover in ISA 2006

Edit: I have went into pretty good detail on the different methods you can use to publish Exchange Services including Autodiscover here.

In Exchange versions previous to Exchange 2007, users would store data inside a public folder. This data included free/busy information, Out of Office messages, Offline Address Book, etc. Beginning with Exchange 2007, this information is stored in Internet Information Services (IIS). The process of distributing these services in Exchange 2007 is known as web distribution. Keep in mind that you will need to have Outlook 2007 clients to support web distribution. If you are running clients previous to Outlook 2007, you will still need to use public folders.

As you can see in the following image, in Exchange 2007, IIS contains several new directories than its predecessor, Exchange 2003:

The Autodiscover directory is used by the Autodiscover service to provide automatic profile configuration for Outlook 2007 clients as well as compatible mobile devices, such as Windows Mobile 6. In addition to automatic profile configuration, it provides the external URLs necessary to connect to web distributed services. Another directory is the EWS directory which provides access to web distributed services. These web distributed services include the Availability service, Out of Office (OOF) messages, etc. The Availability service grants users on-demand access to free-busy information. For more information regarding the Availability service, please visit the following site: http://msexchangeteam.com/archive/2006/10/23/429296.aspx. The OAB directory is used to store the Offline Address Book (OAB) which provides an offline copy of the Global Adress List (GAL). The file distribution service copies the OAB files from the OAB generation server to the CAS server for web distribution. To learn more about OAB web distribution, please visit the following site: http://msexchangeteam.com/archive/2006/11/15/431502.aspx.

Prerequisite

Properly configure IIS on your Client Access Server (CAS) to host the certificate(s) needed for external and internal access. The certificate recommended for this configuration is a Unified Communications (UC) certificate. You can read more about these different configurations here.

Note: For this article, we will be using a UC certificate that contains 4 Subject Alternative Names (SANs). Our requested certificate’s CN was webmail.shudnow.net. The first SAN name requested was also webmail.shudnow.net. Our request was created using the following EMS command:

New-Exchangecertificate -domainname webmail.shudnow.net, autodiscover.shudnow.net, casserver.shudnow.net, casserver -Friendlyname Shudnow -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true -subjectname “c=US, o=Shudnow Inc, CN=webmail.shudnow.net”

  1. NetBIOS name of CAS (casserver)- used if there is a need/want to connect to services such as OWA using the NetBIOS name of the CAS while connected to the internal network.
  2. FQDN name of CAS (casserver.shudnow.net)- used so we can publish Autodiscover internal URLs to point directly to the CAS.
  3. Autodiscover.shudnow.net – used so external clients can retrieve external URLs to connect to web distributed services.
  4. Intuitivname.shudnow.net – used for services such as Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, web service distribution (OAB, OOF, and Availability). Common FQDNs used are exchange.domain.com, owa.domain.com, mail.domain.com, webmail.domain.com, etc. This article will use the example FQDN: webmail.shudnow.net.

ISA 2006 RTM Configuration

Update1 (08/18/2008) – It’s been over a year since this article was released.  Things have changed.  Below I explain to create a new rule for Autodiscover, set All users for authentication, etc..  ISA 2006 SP1 is now out and supports SAN certs.  As of now, when I configure ISA 2006 SP1, I leave autodiscover in the Outlook Anywhere Rule, leave Authenticated Users on, and add the autodiscover FQDN to the Public Name Tab as I do below.  So please keep these things in mind due to the remaining section of ISA 2006 is based off of RTM and not SP1.

You must ensure that you go onto the CAS and export the certificate with its private key and import that into ISA 2006 (Please make sure you have the licenses needed for installing a certificate on multiple servers if required by your certificate vendor). A guide on how to do this is out of the scope of this blog. Once the certificate has been imported on the ISA 2006, ISA configuration can begin. Start by publishing each Exchange 2007 role as needed. In ISA 2006, each rule will need to be published by itself. You can see this by looking at the following screen:

The Outlook Anywhere rule contains several /paths/ as can be seen by the following screenshot:

Because Outlook 2007 will contact the Autodiscover service by using https://autodiscover.shudnow.net/Autodiscover/Autodiscover.xml, we will need to remove the /Autodiscover/ Path from the Outlook Anywhere rule and create a dedicated rule just for the Autodiscover.

There are also several other /paths/ that are new to publishing Exchange 2007. As you recall from the previous IIS screenshot from the CAS, there is an /EWS/ and /OAB/ path that allow us to publish the OAB and EWS web distributed folders. In the Exchange ActiveSync (EAS) rule, there is a /Microsoft-Server-Activesync/ path that is used to publish Exchange Active Sync. Because the Public Name for these rules are configured to webmail.shudnow.net, we will need to publish the external URLs on the CAS server to distribute these services to external clients via https://webmail.shudnow.net.

Autodiscover Rule

With the Autodiscover rule created, there are a few configuration settings that need to be modified. The first is done by opening the Autodiscover Rule and navigating to the To: Tab. We need to ensure the, “This rule applies to the published site:” equates to the Common Name of the internal certificate. Since we are using the same certificate on both the CAS and ISA, the common name will be the same on both certificates. Using a separate certificate on your CAS and ISA is out of the scope of this article. The IP Address must be the IP address of the CAS server.

The next tab you will need to modify is the Public Name tab. Because this rule will be listening for a request to Autodiscover.shudnow.net, we will need to ensure this rule accepts requests that are destined to Autodiscover.shudnow.net

You will see an error on the Listener tab that states there is an issue with certificates. Disregard this error as it doesn’t affect us. ISA does not see the certificate contains subject alternative names and will work even though the Public Name is set to something other than the Common Name of the certificate.

Note: Microsoft has stated that ISA 2006 SP1 will support SAN certificates (which means all SAN names in a SAN Certificate).  SP1 is due out late summer at earliest.

The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1.

Configuring Autodiscover on CAS

In order to allow a smooth connection to web distributed folders, we need to configure internal and external URLs. Internal URLs are provided to domain-joined clients who have direct connectivity to Active Directory. Because they have direct connectivity to AD, they will be able to pull authoritative internal web distribution URLs directly from the Service Connection Point (SCP). The SCP is an object that gets installed in Active Directory when a CAS is installed. The SCP contains an authoritative list of all Autodiscover service URLs in the forest where Exchange 2007 is installed.

Because we created an Autodiscover rule that listens for connections on Autodiscover.shudnow.net, an Outlook 2007 client as well as a compatible mobile client connecting from a remote network will be able to contact the Autodiscover service to have their profile automatically be configured as well as find the external URLs for web distributed services. Because ISA is publishing these web distributed folders via webmail.shudnow.net, we need to configure the external URLs to use https://webmail.shudnow.net/ServiceAddress. This way when a client connects from the outside network, they will see these external URLs are configured using https://webmail.shudnow.net/OAB and https://webmail.shudnow.net/EWS.

When using a UC certificate with the 4 URLs specified earlier in this article, we can allow an internal client to connect directly to the CAS bypassing ISA. If you are not using the UC certificate, you will most likely be using the same internal and external URL. This is because when not using the UC certificate, you will be need to separate your IIS websites to accommodate multiple certificates. One blank default web site for your self-signed certificate, one site for all your web distributed services, OWA, and Outlook Anywhere that will contain your webmail.shudnow.net certificate, and finally an Autodiscover website for your Autodiscover.shudnow.net certificate. Because you will be only using 3 certificates, you will not have the FQDN of the CAS server defined in your certificates. Because of this, you will need to point both the internal and external URL to webmail.shudnow.net. Because the UC certificate contains both the FQDN of our CAS and the FQDN webmail.shudnow.net, we can point the internal URL to the FQDN of the CAS server and the external URL to the webmail.shudnow.net FQDN for which we configured ISA to accommodate. As stated in the prerequisite section, you can read about these two different types of certificate configurations here.

As of late September, Microsoft has added a new method to make the Autodiscover service accessible from the outside with a single certificate. This is through the use of SRV records. You can read more about this new type of configuration here.

EWS Configuration

In order to see what internal and external URLs are set for the EWS folder, we can run the Get-WebServicesVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The EWS /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://casserver.shudnow.net/EWS/Exchange.asmx -ExternalURL https://webmail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Note: You must ensure that you enable Basic Authentication on the EWS folder in IIS due to the Outlook Anywhere rule using Basic Authentication Delegation.

OAB Configuration

In order to see what internal and external URLs are set for the OAB folder, we can run the Get-OABVirtualDirectory | FL cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The OAB /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-OABVirtualDirectory -Identity “CASServer\OAB (Default Web Site)” -InternalURL https://casserver.shudnow.net/OAB -ExternalURL https://webmail.shudnow.net/OAB -RequireSSL:$true

Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The same goes for Basic Authentication on the OAB directory. The above command will only enable SSL, but will not ensure 128-bit SSL is required.

Outlook Anywhere Configuration

Currently, in Exchange 2007, Outlook anywhere only works using Basic Authentication. To enable Outlook anywhere and configure it to use the webmail.shudnow.net with basic authentication, use the following command:

Enable-OutlookAnywhere -Server CASServer -ExternalHostname “webmail.shudnow.net” -ExternalAuthenticationMethod “Basic” -SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on RTM. For SP1, substitute -ExternalAuthenticationMethod with ClientAuthenticationMethod.

Exchange ActiveSync

In order to see what external URLs are set for the Microsoft-Server-Activesync folder, we can run the Get-ActiveSyncVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The Microsoft-Server-Activesync /path/ is configured in its own ActiveSync rule which accepts connections from webmail.shudnow.net (Remember the public name and the To: tab should both be configured to accept connections from webmail.shudnow.net)

In order to configure the External URL, we need to use the following commands:

Set-ActiveSyncVirtualDirectory -Identity “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” -ExternalURL https://webmail.shudnow.net/Microsoft-Server-Activesync

Unified Messaging Configuration

In order to see what internal and external URLs are set for the UnifiedMessaging folder, we can run the Get-UMVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The unifiedmessaging /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-UMVirtualDirectory -Identity “CASServer\UnifiedMessaging (Default Web Site)” -InternalURL https://casserver.shudnow.net/UnifiedMessaging/Service.asmx -ExternalURL https://webmail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: You must ensure that you enable Basic Authentication on the UnifiedMessaging folder in IIS due to the Outlook Anywhere rule using Basic Authentication Delegation.

Share

22 Responses to “Publishing Exchange 2007 Autodisover in ISA 2006”

  1. on 17 Aug 2007 at 4:02 amMrRudy

    Feedburner…

    I can’t add your feed to Feedburner. How I do this?…

  2. on 17 Aug 2007 at 6:39 amElan Shudnow

    You can add the following feed:
    http://feeds.feedburner.com/eshudnow

  3. on 27 Aug 2007 at 3:47 pmOutlook 2007 Certificate Error?

    [...] Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here. [...]

  4. [...] http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/ http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html [...]

  5. on 16 Jan 2008 at 4:12 amExchange 2007 -- The Monopologue

    [...] Publishing Exchange 2007 Autodisover in ISA 2006 [...]

  6. on 08 Dec 2008 at 6:15 pmHong

    Hi Elan,

    We have two Exchange servers and two sets of ISA arrays (separate WAN connections) at two physical locations belongs two different logical sites.

    When we’re setting up autodiscover, we have to configure one autodiscover site (round robin DNS balanced) which is https:///autodiscover. My question is for this one site, is it possible to create SCP info in autodiscover.xml to redirect users’ Outlook to use the ISA servers at their home site based on the site info of the requesting mailbox’s server?

    I should admit that I am still not 100% understand autdiscover. But I have the feeling that it won’t fly. If this is true, what is my next option? Should I try to make the ISA servers in one location talking to the CAS servers in another location (they are not now) so that no matter which ISA server a user is connecting to, this user can access the home site CAS server (use Use Site Affinity?) and then the Mailbox server?

    Could you please let me know?

    Thank you in advance,

    Hong

  7. on 09 Dec 2008 at 2:00 pmElan Shudnow

    Keep in mind that the SCP is only for internal Autodiscover access. For external access, Autodiscover round robin can work, but round robin does not check the state of a server as NLB would. Because of this, if one CAS goes down or ISA server goes down, the DNS mechanism will still give out a bad DNS record to an ISA box that is unreachable.

    To achieve better redundancy, you should make that site that is going to be hosting the Autodiscover a lot more redundancy. For instance, there’s a doc out there which talks about Microsoft’s Exchange 2007 design. They have Autodiscover centralized. And my assumption, since it’s MS and they have a ton of $$$, is that they have multiple internet connections going to this site and everything is redundant as possible (multiple load balancers), multiple ISA servers, etc…. That way the chance of Autodiscover going down short of a meteor destroying their entire datacenter is pretty slim.

  8. on 06 Apr 2009 at 3:13 amAndrew Hodgson

    Hi Elan,

    In your original article you wrote:

    “The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1″.

    Was this ever sorted?

    I currently have an issue with publishing the autodiscover only (everything else is working including Outlook Anywhere), whereby the ISA server is requesting authentication, but the Outlook client is not giving this. I think this may have something to do with forms based authentication (though I always thought that it went back to basic if specific User Agent strings were provided).

    Thanks,
    Andrew.

  9. on 06 Apr 2009 at 9:34 amElan Shudnow

    I’ve published only once since both SP1 for ISA 2006 and Exchange 2007 were out and I did it the same way as I wrote in my article. However, I have seen others not have to do that such as the following video demonstration:
    http://www.pro-exchange.be/modules.php?name=News&file=article&sid=1040

  10. on 17 Jul 2009 at 8:18 pmSaad

    that very nice
    i’m sorry i have 1 question
    i remove getway from TCP\IP and make instal to outlook 2007 to see our exchange in domain
    but never install
    i had masage said ” u must have getway to install mail ”
    what can i do
    some computer don’t have Getway

  11. on 06 Aug 2009 at 11:34 amBlake

    I don’t understand… Why can’t you just use one domain name (i.e. shudnow.net) and one cert without the extra SAN’s, and just publish all the services by using the directories for the address. I’ve seen in multiple articles that autodiscover will also check https://shudnow.net/autodiscover/autodiscover.xml (no subdomain there)
    So why can’t it just work by publishing the one domain? (no subdomain of autodiscover.shudnow.net)

  12. on 06 Aug 2009 at 5:56 pmElan Shudnow

    Depends on the environment. Take this for example:
    You’re using webmail.domain.com. You don’t have ISA and you’re allowing connections going directly to your Exchange server from the internet. So your CN on your cert is webmail.domain.com so you change all your InternalURLs for webmail.domain.com. You have internal machines not domain joined but the internal DHCP gives them internal DNS which is on a DC. The domain.com DNS is going to be going to your DCs and not your Exchange servers. It’s this reason alone you should be using autodiscover.domain.com. That autodiscover will not be going to a DC and you will point it to Exchange.

    Anytime you talk autodiscover with people, they just say autodiscover.domain.com. It appears to be the norm and what I always end up using.

    If you had ISA, you could do what you mention and internally, you could just use a different certificate with autodiscover.domain.com.

    But keep in mind, if you use http://shudnow.net/autodiscover/autodiscover.xml, you’ll need to make sure your certificate can work with just shudnow.net since your certificate will have a CN of webmail.domain.com.

    Make sense?

  13. [...] Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here. [...]

  14. [...] Communication Certificate. You can read more about these certificates in one of my other articles here. So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) [...]

  15. on 21 May 2011 at 7:41 amia1

    fixed autodiscover had to add a ( A DNS record in my internal dns server same as my external dns) now all is left is active sync mainly for wp7

  16. on 20 Jan 2012 at 1:31 amwolffparkinsonwhite

    Keep in mind that the SCP is only for internal Autodiscover access. For external access, Autodiscover round robin can work, but round robin does not check the state of a server as NLB would.

  17. on 08 Mar 2012 at 9:24 amkane Hipolito

    Glad to see this, thanks for the instruction you show in here I really need this because this is one my problem that I never now how to do it..
    Fab Defence

  18. on 28 May 2012 at 3:43 amRogret

    Great article had an issue for Outlook for MAc 2011 connectivity to MS Exchange 2010 SP2 nd this helped me to resolve it.

  19. [...] Сделал, не работает. Поиск по Интернету привел на статью, где буквально между строк [...]

  20. on 11 Sep 2012 at 6:30 pmGo Darren Blog

    Outlook Certificate error…

    ​ When importing a new certificate into Exchange 2007/2010, ……

  21. on 18 Mar 2013 at 10:12 amwww.michaelcinco.com

    Greetings! I know this is kinda off topic nevertheless I’d figured I’d ask.
    Would you be interested in exchanging links or maybe guest authoring a
    blog article or vice-versa? My website goes over a lot of the same subjects as yours and I feel we could greatly
    benefit from each other. If you might be interested feel free to
    send me an e-mail. I look forward to hearing from you!

    Terrific blog by the way!

    Also visit my site; http://www.michaelcinco.com

  22. on 22 Apr 2013 at 8:04 pmSonja

    My brother recommended I might like this web site.

    He was entirely right. This post truly made my day. You
    cann’t imagine simply how much time I had spent for this info! Thanks!

Trackback this post | Feed on Comments to this post

Leave a Reply