Comments on: Publishing Exchange 2007 Autodisover in ISA 2006 http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/ Just another IT guy! Fri, 12 Mar 2010 09:57:15 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Outlook 2007 Certificate Error - Persian Networks http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-9691 Outlook 2007 Certificate Error - Persian Networks Thu, 25 Feb 2010 12:14:48 +0000 http://www.shudnow.net/?p=4#comment-9691 [...] Communication Certificate. You can read more about these certificates in one of my other articles here. So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) [...] [...] Communication Certificate. You can read more about these certificates in one of my other articles here. So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) [...]

]]> By: Fixing outlook certificate errors - The IT Tech-Archive http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-9511 Fixing outlook certificate errors - The IT Tech-Archive Fri, 08 Jan 2010 04:29:21 +0000 http://www.shudnow.net/?p=4#comment-9511 [...] Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here. [...] [...] Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here. [...]

]]> By: Elan Shudnow http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-7613 Elan Shudnow Thu, 06 Aug 2009 22:56:06 +0000 http://www.shudnow.net/?p=4#comment-7613 Depends on the environment. Take this for example: You're using webmail.domain.com. You don't have ISA and you're allowing connections going directly to your Exchange server from the internet. So your CN on your cert is webmail.domain.com so you change all your InternalURLs for webmail.domain.com. You have internal machines not domain joined but the internal DHCP gives them internal DNS which is on a DC. The domain.com DNS is going to be going to your DCs and not your Exchange servers. It's this reason alone you should be using autodiscover.domain.com. That autodiscover will not be going to a DC and you will point it to Exchange. Anytime you talk autodiscover with people, they just say autodiscover.domain.com. It appears to be the norm and what I always end up using. If you had ISA, you could do what you mention and internally, you could just use a different certificate with autodiscover.domain.com. But keep in mind, if you use http://shudnow.net/autodiscover/autodiscover.xml, you'll need to make sure your certificate can work with just shudnow.net since your certificate will have a CN of webmail.domain.com. Make sense? Depends on the environment. Take this for example:
You’re using webmail.domain.com. You don’t have ISA and you’re allowing connections going directly to your Exchange server from the internet. So your CN on your cert is webmail.domain.com so you change all your InternalURLs for webmail.domain.com. You have internal machines not domain joined but the internal DHCP gives them internal DNS which is on a DC. The domain.com DNS is going to be going to your DCs and not your Exchange servers. It’s this reason alone you should be using autodiscover.domain.com. That autodiscover will not be going to a DC and you will point it to Exchange.

Anytime you talk autodiscover with people, they just say autodiscover.domain.com. It appears to be the norm and what I always end up using.

If you had ISA, you could do what you mention and internally, you could just use a different certificate with autodiscover.domain.com.

But keep in mind, if you use http://shudnow.net/autodiscover/autodiscover.xml, you’ll need to make sure your certificate can work with just shudnow.net since your certificate will have a CN of webmail.domain.com.

Make sense?

]]> By: Blake http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-7612 Blake Thu, 06 Aug 2009 16:34:47 +0000 http://www.shudnow.net/?p=4#comment-7612 I don't understand... Why can't you just use one domain name (i.e. shudnow.net) and one cert without the extra SAN's, and just publish all the services by using the directories for the address. I've seen in multiple articles that autodiscover will also check https://shudnow.net/autodiscover/autodiscover.xml (no subdomain there) So why can't it just work by publishing the one domain? (no subdomain of autodiscover.shudnow.net) I don’t understand… Why can’t you just use one domain name (i.e. shudnow.net) and one cert without the extra SAN’s, and just publish all the services by using the directories for the address. I’ve seen in multiple articles that autodiscover will also check https://shudnow.net/autodiscover/autodiscover.xml (no subdomain there)
So why can’t it just work by publishing the one domain? (no subdomain of autodiscover.shudnow.net)

]]> By: Saad http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-7389 Saad Sat, 18 Jul 2009 01:18:33 +0000 http://www.shudnow.net/?p=4#comment-7389 that very nice i'm sorry i have 1 question i remove getway from TCP\IP and make instal to outlook 2007 to see our exchange in domain but never install i had masage said " u must have getway to install mail " what can i do some computer don't have Getway that very nice
i’m sorry i have 1 question
i remove getway from TCP\IP and make instal to outlook 2007 to see our exchange in domain
but never install
i had masage said ” u must have getway to install mail ”
what can i do
some computer don’t have Getway

]]> By: Elan Shudnow http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-6695 Elan Shudnow Mon, 06 Apr 2009 14:34:02 +0000 http://www.shudnow.net/?p=4#comment-6695 I've published only once since both SP1 for ISA 2006 and Exchange 2007 were out and I did it the same way as I wrote in my article. However, I have seen others not have to do that such as the following video demonstration: http://www.pro-exchange.be/modules.php?name=News&file=article&sid=1040 I’ve published only once since both SP1 for ISA 2006 and Exchange 2007 were out and I did it the same way as I wrote in my article. However, I have seen others not have to do that such as the following video demonstration:
http://www.pro-exchange.be/modules.php?name=News&file=article&sid=1040

]]> By: Andrew Hodgson http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-6694 Andrew Hodgson Mon, 06 Apr 2009 08:13:29 +0000 http://www.shudnow.net/?p=4#comment-6694 Hi Elan, In your original article you wrote: "The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1". Was this ever sorted? I currently have an issue with publishing the autodiscover only (everything else is working including Outlook Anywhere), whereby the ISA server is requesting authentication, but the Outlook client is not giving this. I think this may have something to do with forms based authentication (though I always thought that it went back to basic if specific User Agent strings were provided). Thanks, Andrew. Hi Elan,

In your original article you wrote:

“The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1″.

Was this ever sorted?

I currently have an issue with publishing the autodiscover only (everything else is working including Outlook Anywhere), whereby the ISA server is requesting authentication, but the Outlook client is not giving this. I think this may have something to do with forms based authentication (though I always thought that it went back to basic if specific User Agent strings were provided).

Thanks,
Andrew.

]]> By: Elan Shudnow http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-5944 Elan Shudnow Tue, 09 Dec 2008 20:00:17 +0000 http://www.shudnow.net/?p=4#comment-5944 Keep in mind that the SCP is only for internal Autodiscover access. For external access, Autodiscover round robin can work, but round robin does not check the state of a server as NLB would. Because of this, if one CAS goes down or ISA server goes down, the DNS mechanism will still give out a bad DNS record to an ISA box that is unreachable. To achieve better redundancy, you should make that site that is going to be hosting the Autodiscover a lot more redundancy. For instance, there's a doc out there which talks about Microsoft's Exchange 2007 design. They have Autodiscover centralized. And my assumption, since it's MS and they have a ton of $$$, is that they have multiple internet connections going to this site and everything is redundant as possible (multiple load balancers), multiple ISA servers, etc.... That way the chance of Autodiscover going down short of a meteor destroying their entire datacenter is pretty slim. Keep in mind that the SCP is only for internal Autodiscover access. For external access, Autodiscover round robin can work, but round robin does not check the state of a server as NLB would. Because of this, if one CAS goes down or ISA server goes down, the DNS mechanism will still give out a bad DNS record to an ISA box that is unreachable.

To achieve better redundancy, you should make that site that is going to be hosting the Autodiscover a lot more redundancy. For instance, there’s a doc out there which talks about Microsoft’s Exchange 2007 design. They have Autodiscover centralized. And my assumption, since it’s MS and they have a ton of $$$, is that they have multiple internet connections going to this site and everything is redundant as possible (multiple load balancers), multiple ISA servers, etc…. That way the chance of Autodiscover going down short of a meteor destroying their entire datacenter is pretty slim.

]]> By: Hong http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-5933 Hong Tue, 09 Dec 2008 00:15:58 +0000 http://www.shudnow.net/?p=4#comment-5933 Hi Elan, We have two Exchange servers and two sets of ISA arrays (separate WAN connections) at two physical locations belongs two different logical sites. When we're setting up autodiscover, we have to configure one autodiscover site (round robin DNS balanced) which is https:///autodiscover. My question is for this one site, is it possible to create SCP info in autodiscover.xml to redirect users' Outlook to use the ISA servers at their home site based on the site info of the requesting mailbox's server? I should admit that I am still not 100% understand autdiscover. But I have the feeling that it won't fly. If this is true, what is my next option? Should I try to make the ISA servers in one location talking to the CAS servers in another location (they are not now) so that no matter which ISA server a user is connecting to, this user can access the home site CAS server (use Use Site Affinity?) and then the Mailbox server? Could you please let me know? Thank you in advance, Hong Hi Elan,

We have two Exchange servers and two sets of ISA arrays (separate WAN connections) at two physical locations belongs two different logical sites.

When we’re setting up autodiscover, we have to configure one autodiscover site (round robin DNS balanced) which is https:///autodiscover. My question is for this one site, is it possible to create SCP info in autodiscover.xml to redirect users’ Outlook to use the ISA servers at their home site based on the site info of the requesting mailbox’s server?

I should admit that I am still not 100% understand autdiscover. But I have the feeling that it won’t fly. If this is true, what is my next option? Should I try to make the ISA servers in one location talking to the CAS servers in another location (they are not now) so that no matter which ISA server a user is connecting to, this user can access the home site CAS server (use Use Site Affinity?) and then the Mailbox server?

Could you please let me know?

Thank you in advance,

Hong

]]> By: Exchange 2007 -- The Monopologue http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/comment-page-1/#comment-1110 Exchange 2007 -- The Monopologue Wed, 16 Jan 2008 10:12:08 +0000 http://www.shudnow.net/?p=4#comment-1110 [...] Publishing Exchange 2007 Autodisover in ISA 2006 [...] [...] Publishing Exchange 2007 Autodisover in ISA 2006 [...]

]]>