Re: Autodiscover
- From: jj@xxxxxxxxxxxx
- Date: Sat, 16 May 2009 03:40:09 -0400
John, I highly recommend that you go the route of using only one cert.
Having clients pointing to two separate addresses will really screw
you over and I think lead to a lot of confusion.
There is a whole host of docs available for Exchange 2007/SP1
pertaining to using certs. MS really push the idea of using UCC type
certs. It was not until Exchange 2007 SP1 that I believe it was
possible to configure CAS to use a typical standard cert.
To give you an idea of the price take a look here
http://www.entrust.net/ssl-certificates/unified-communications.htm
ROFL, They got to be kidding :)
Anyway, before you go out and get a "Standard SSL cert" you would need
to configure Exchange using the PowerShell. FYI I run Exchange 2007
on Windows Server 2008 Standard and it works really, really well!
The trick is to point CAS, WVD, OAB, UM to the correct place so
a UCC cert is not needed.
in the example below my server name "computer name" is E02
Commands to use.
Set-ClientAccessServer -Identity ex02 -AutodiscoverServiceInternalUri https://mydomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "ex02\EWS (Default Web Site)" -ExternalUrl https://mydomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "ex02\oab (Default Web Site)" -ExternalUrl https://mydomain.com/oab
Set-UMVirtualDirectory -Identity "ex02\unifiedmessaging (Default Web Site)" -ExternalUrl https://mydomain.com/unifiedmessaging/service.asmx
That's it. Once you point Exchange to the correct https address you can
go get a single cheap SSL cert for that address and install it on the
Exchange server.
Do not go the route of using a self-signed cert; you will run into
issues with Autodiscover and ActiveSync for phones. One public
SSL cert is all you need.
To sum up. Configure an external IP so that your Outlook clients and
ActiveSync phone users can connect to Exchange 2007. "Note this does
not have to be the same IP that your e-mail is coming in on. I think
it's a good route to go as existing mail will not be stopped from coming
into the company and you will be fully able to test Outlook clients
both inside and outside your company before Exchange is deployed for
e-mail."
Configure your firewall to NAT translate that external IP to your
internal Exchange server. You only need to open port 443!
Configure Exchange using the commands above to point to the correct
https address of your external IP.
Configure your internal DNS server with a zone named the same as your
external https address. In this zone put an A record that points to
your internal Exchange server computer name. This handles resolution
for the internal clients.
After you test for a bit "lots of testing" :) change your firewall's
SMTP rules to simply point to the internal IP of the Exchange server.
Autodiscover will work the same for both internal and external
clients.
You can get the staff to install the Outlook clients on their PCs and
when it comes time to switch over all you've got to do is change the
firewall rule to route e-mail to the Exchange server.
Hope this helps you out
Thanks JJ.
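An added example, not JJ's commands and not anything from Microsoft's documentation: a PowerShell audit script for the Exchange Management Shell that checks the result of the Set-*VirtualDirectory changes above. It verifies that every client-facing URL uses https and the one public hostname, that the certificate enabled for IIS actually covers that hostname and is not self-signed, and that the public hostname resolves to the CAS from inside the network (the internal DNS zone JJ describes). `$Server = 'ex02'` and `$PublicHost = 'mydomain.com'` are placeholders taken from the thread; the Get-OwaVirtualDirectory and Get-ActiveSyncVirtualDirectory calls go beyond the cmdlets JJ lists so that OWA and phone URLs are checked too.

```powershell
# Added example (not from the thread): audit an Exchange 2007 CAS after the
# URL changes above. Assumptions: run in the Exchange Management Shell on the
# CAS; $Server is the CAS computer name, $PublicHost the single external name.
param(
    [string]$Server     = 'ex02',          # placeholder from the thread
    [string]$PublicHost = 'mydomain.com'   # placeholder from the thread
)

$problems = @()

# 1. Gather the URLs Autodiscover will hand out to Outlook and ActiveSync.
$urls = @((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)
$vdirs = @(
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OABVirtualDirectory         -Server $Server
    Get-OwaVirtualDirectory         -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
)
foreach ($vd in $vdirs) {
    $urls += $vd.InternalUrl
    $urls += $vd.ExternalUrl
}
$urls = $urls | Where-Object { $_ } | ForEach-Object { [Uri]$_ }

# 2. Every URL must be https and must use the one public hostname; anything
#    else sends a client to a name the single certificate cannot match.
foreach ($u in $urls) {
    if ($u.Scheme -ne 'https') {
        $problems += "Not HTTPS: $u"
    }
    if ($u.Host -ne $PublicHost) {
        $problems += "Hostname '$($u.Host)' differs from '$PublicHost': $u"
    }
}

# 3. The certificate enabled for IIS must cover the public hostname and should
#    be CA-issued: a self-signed one breaks Autodiscover and ActiveSync.
#    Wildcard entries (*.example.com) are matched with -like.
$iisCerts = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' }
if (-not $iisCerts) {
    $problems += 'No certificate is enabled for the IIS service.'
}
foreach ($cert in $iisCerts) {
    $covers = $cert.CertificateDomains | Where-Object { $PublicHost -like $_ }
    if (-not $covers) {
        $problems += "Certificate $($cert.Thumbprint) does not cover '$PublicHost' (domains: $($cert.CertificateDomains -join ', '))."
    }
    if ($cert.IsSelfSigned) {
        $problems += "Certificate $($cert.Thumbprint) is self-signed."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
    }
}

# 4. From inside the network the public hostname must resolve to the CAS
#    itself. If it resolves to the firewall's public IP, the internal zone is
#    missing and internal Outlook clients will go out through the firewall.
try {
    $publicIPs = [System.Net.Dns]::GetHostAddresses($PublicHost) |
        ForEach-Object { $_.IPAddressToString }
    $casIPs = [System.Net.Dns]::GetHostAddresses($Server) |
        ForEach-Object { $_.IPAddressToString }
    if (-not ($publicIPs | Where-Object { $casIPs -contains $_ })) {
        $problems += "'$PublicHost' resolves to $($publicIPs -join ', ') but the CAS is $($casIPs -join ', '); add the internal DNS zone."
    }
} catch {
    $problems += "DNS lookup failed: $($_.Exception.Message)"
}

# 5. Report.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All client URLs use https://$PublicHost and the IIS certificate covers it."
}
```

Run it once after the Set-* commands and again after creating the internal DNS zone: the first run should only complain about DNS, the second should come back clean. Any hostname mismatch it reports is exactly the case where a client would see a certificate warning or, for phones, silently fail to sync.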
On Fri, 15 May 2009 14:59:02 -0700, John
<John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Great help..
thanks for your detailed explanation and helps me a lot.
I have one question: Autodiscover just discovers the Exchange server, and
what about the certificate? Can we use two certificates (self-signed and
public) for OWA, EWA since the internal and external URLs are different
(https://serverhostname.company.local and https://mail.company.com?)
Thank you!!!
"jj@xxxxxxxxxxxx" wrote:
Not too sure if this is your first deployment of Exchange 2007 or not,
but if it is and you have an existing e-mail server at your company
you might like to consider bringing up Exchange on an external IP
address other than the one that routes mail to your existing mail
server.
By way of an example.
Assume people send you e-mail at jondoe@xxxxxxxxx. Your ISP will have
a DNS record called mail1 that will point to a particular public IP
address. More than likely you will have a firewall that NAT translates
that external IP address to the internal address of your existing mail
server, say 192.168.1.10.
You can leave all of this in place; this way the external DNS mail
record will not have to change and mail will continue to flow in.
If you have another external IP to use, have your ISP configure that
IP address with an SRV record for the host name of your Exchange
server. The format is below.
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: exchange.123.com
So what we have now is an SRV record in external DNS that points to
where your Exchange server is. The Outlook clients will now be able
to use Autodiscover to find your Exchange server's IP address and
connect to the Exchange server.
OK, so at this point you have a slight problem. External clients can
connect, but what about internal clients? You configure your
internal DNS server with a "NON AD integrated zone" that points
to the IP address of your internal Exchange server. The zone name will
be the same as your external SRV hostname.
On your internal DNS server create the zone called exchange.123.com.
In this zone add an alias CNAME record that points to the internal host
name of your Exchange server.
There are a lot of dirty little details and pitfalls along the way, but
if you go this road your Exchange users will see no difference in
getting mail both inside and outside the company. From a connectivity
standpoint it should work seamlessly as the Outlook client will always
see the external DNS name due to the trick with the internal DNS
server.
If you need additional details, let me know
JJ
Internally you would use a DNS A record to point to your Exchange
server on the internal network.
On Fri, 15 May 2009 09:45:06 -0500, "Jeff" <jeffpoling@xxxxxxxxx>
wrote:
How is autodiscover deployed in your environment?
If your CAS is on your internal network, how do you provide autodiscover for
external clients such as those using RPC via HTTP?
Thanks for any insight
Jeff