Comments on: Publishing Exchange 2007 Autodisover in ISA 2006 – Part 2 http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/ Just another IT guy! Fri, 30 Jul 2010 14:25:06 -0600 hourly 1 http://wordpress.org/?v=3.0.1 By: Publishing Exchange 2007 Autodisover in ISA 2006 - Persian Networks http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9690 Publishing Exchange 2007 Autodisover in ISA 2006 - Persian Networks Thu, 25 Feb 2010 12:12:16 +0000 http://www.shudnow.net/?p=1188#comment-9690 [...] detail on the different methods you can use to publish Exchange Services including Autodiscover here. In Exchange versions previous to Exchange 2007, users would store data inside a public folder. [...] [...] detail on the different methods you can use to publish Exchange Services including Autodiscover here. In Exchange versions previous to Exchange 2007, users would store data inside a public folder. [...]

]]> By: halfluke http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9120 halfluke Thu, 10 Dec 2009 20:08:40 +0000 http://www.shudnow.net/?p=1188#comment-9120 ok, everything is working fine now. I think one of the main issue was that ISA was not joined to any domain and I was using FBA with AD in the listener, now I've configured FBA with LDAP. I also removed the anonymous authentication from autodiscover. Now everything works with one rule only, one listener, just adding the autodiscover fqdn to the Public tab in the rule. To tell the truth, I'm using Exchange 2010, not 2007, with all the roles on the same machine, and as I said before, FTMG 2010. OWA is fine as well. Haven't tried ActiveSync. Happy to share! :) ok, everything is working fine now. I think one of the main issue was that ISA was not joined to any domain and I was using FBA with AD in the listener, now I've configured FBA with LDAP. I also removed the anonymous authentication from autodiscover. Now everything works with one rule only, one listener, just adding the autodiscover fqdn to the Public tab in the rule. To tell the truth, I'm using Exchange 2010, not 2007, with all the roles on the same machine, and as I said before, FTMG 2010. OWA is fine as well. Haven't tried ActiveSync. Happy to share! :)

]]> By: halfluke http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9104 halfluke Thu, 10 Dec 2009 01:37:23 +0000 http://www.shudnow.net/?p=1188#comment-9104 ok, don-t worry... I've just found out I have many other problems along with that one... :-s ok, don-t worry… I've just found out I have many other problems along with that one… :-s

]]> By: halfluke http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9103 halfluke Thu, 10 Dec 2009 00:49:13 +0000 http://www.shudnow.net/?p=1188#comment-9103 Unfortunately not... my config works only with Basic in the authentication delegation and FBA with AD in the listener. That way, the autodiscover works, but only AFTER you have created a profile. When you create a profile on an external client, you have to use manual settings the first time. Then, you can successfully test autodiscover in outlook, download OAB, use OOF etc.. In the public name I added autodiscover.domain.com to make it work this way. But I can't find a way to create a new profile with autodiscover... any idea? Unfortunately not…
my config works only with Basic in the authentication delegation and FBA with AD in the listener.
That way, the autodiscover works, but only AFTER you have created a profile.
When you create a profile on an external client, you have to use manual settings the first time.
Then, you can successfully test autodiscover in outlook, download OAB, use OOF etc..
In the public name I added autodiscover.domain.com to make it work this way.
But I can't find a way to create a new profile with autodiscover…
any idea?

]]> By: Elan Shudnow http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9100 Elan Shudnow Thu, 10 Dec 2009 00:16:57 +0000 http://www.shudnow.net/?p=1188#comment-9100 Turn Anonymous off. I think that may be breaking it. Turn Anonymous off. I think that may be breaking it.

]]> By: halfluke http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-9099 halfluke Wed, 09 Dec 2009 23:46:44 +0000 http://www.shudnow.net/?p=1188#comment-9099 Hi, problem here is that when I use the Basic method for Outlook anywhere, and I create a new rule for Autodiscover with the same listener set on FBA, when I want to create a new profile externally, it doesn't work. It keeps prompting me for password 3 times then it fails... the new rule has No delegation, but client may authenticate directly. In iis autodiscover has anonymous, integrated and basic. This is with Forefront threat management gateway 2010, which looks to me almost identical to isa 2006 for this aspect. Is it a problem with SAN certificates? Should I request a new certificate to be used for Autodiscover, and create a new Web listener? See here: <a href="http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html" target="_blank">http://www.isaserver.org/tutorials/Publishing-Exc...</a> Hi,

problem here is that when I use the Basic method for Outlook anywhere, and I create a new rule for Autodiscover with the same listener set on FBA, when I want to create a new profile externally, it doesn't work.
It keeps prompting me for password 3 times then it fails…
the new rule has No delegation, but client may authenticate directly.
In iis autodiscover has anonymous, integrated and basic.
This is with Forefront threat management gateway 2010, which looks to me almost identical to isa 2006 for this aspect.
Is it a problem with SAN certificates? Should I request a new certificate to be used for Autodiscover, and create a new Web listener? See here: http://www.isaserver.org/tutorials/Publishing-Exc...

]]> By: Elan Shudnow http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-7848 Elan Shudnow Wed, 19 Aug 2009 23:00:09 +0000 http://www.shudnow.net/?p=1188#comment-7848 Yes, “Bypass Pre-auth” = “No delegation, but client may authenticate directly” Yes, “Bypass Pre-auth” = “No delegation, but client may authenticate directly”

]]> By: Adam http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-7844 Adam Wed, 19 Aug 2009 18:36:18 +0000 http://www.shudnow.net/?p=1188#comment-7844 I'm obviously missing something or mis-understanding something. I'm missing where you set the "Bypass Pre-auth" piece. Is this the same as setting "No delegation, but client may authenticate directly"? Or is it different? Also, I'm using Basic authentication versus NTLM. I’m obviously missing something or mis-understanding something. I’m missing where you set the “Bypass Pre-auth” piece. Is this the same as setting “No delegation, but client may authenticate directly”? Or is it different?

Also, I’m using Basic authentication versus NTLM.

]]> By: Elan Shudnow http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-7822 Elan Shudnow Tue, 18 Aug 2009 15:29:44 +0000 http://www.shudnow.net/?p=1188#comment-7822 Adam, when Autodiscover is on its own rule and you set to bypass preauth, you don't modify the autodiscover virtual directory at all on Exchange. You're just telling the client to auth via NTLM directly to the virtual directory. That's the entire point. You still allow NTLM to Autodiscover without ISA being a man in the middle. Adam, when Autodiscover is on its own rule and you set to bypass preauth, you don’t modify the autodiscover virtual directory at all on Exchange. You’re just telling the client to auth via NTLM directly to the virtual directory. That’s the entire point. You still allow NTLM to Autodiscover without ISA being a man in the middle.

]]> By: Adam http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/comment-page-1/#comment-7803 Adam Mon, 17 Aug 2009 20:16:25 +0000 http://www.shudnow.net/?p=1188#comment-7803 When you say "I will typically put Autodiscover in its own rule and set that to bypass pre-auth while all other services are not bypassing pre-auth." under the section about Basic Authentication, are you setting the selection on the Authentication Delegation tab? If so, are you setting it to "No delegation, but client may authenticate directly" or "No delegation and client cannot authenticate directly"? Also, if you are choosing the later, do you set the IIS Virtual Directory for AutoDiscover to accept anonymous connections? Thanks! When you say “I will typically put Autodiscover in its own rule and set that to bypass pre-auth while all other services are not bypassing pre-auth.” under the section about Basic Authentication, are you setting the selection on the Authentication Delegation tab? If so, are you setting it to “No delegation, but client may authenticate directly” or “No delegation and client cannot authenticate directly”?

Also, if you are choosing the later, do you set the IIS Virtual Directory for AutoDiscover to accept anonymous connections?

Thanks!

]]>