• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 704

Changing the AutoDiscover URL

Hi All,

I've recently procured a new SSL Certificate for my Exchange 2010 CAS box and I'd like to secure my External OWA page with it so I don't have to keep telling my users to "click continue to this website".

I've installed the certificate and this is fine, however when I bind https to the new certificate within IIS on the CAS server, and enable "Require SSL" on my OWA Virtual Directory, all of my Outlook 2007 clients begin popping up with a "Certificate Warning".

Obviously this warning is telling me that the Internal URL of my Exchange CAS Box does not match the SSL certificate I applied to OWA.

The problem I have is this: how can I install my SSL certificate and secure OWA without having to purchase another alternate name on the certificate? I know we can change the AutoDiscover URL to match the new domain name, which I'm fine doing, but I'm concerned about the effect this will have on my users.

It is worth bearing in mind I do have around 300 Outlook 2003 users who don't get the certificate error.

Asked by: WPHIT
1 Solution
 
Alan HardistyCommented:
What names did you include in the certificate?
0
 
sumit_aroraCommented:
Have you installed a 3rd party certificate or a self-signed certificate? What are the names you have on your certificate?
0
 
Alan HardistyCommented:
@sumit_arora - How does your comment differ from mine exactly?
0
 
sumit_aroraCommented:
Unfortunately I wrote it and submitted it; it was by mistake. Sorry genius :)
0
 
WPHITAuthor Commented:
The certificate contains one name.

The name is our external mail domain, e.g. mail.mail.com.
The name of our server (internal) is exchcas1.admin.com.
I've an internal DNS record for mail.mail.com which points to exchcas1.admin.com.
0
 
WPHITAuthor Commented:
Oh, and the mail cert is from VeriSign and is brand new.
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Run Get-ClientAccessServer | fl *uri and paste the output here.

Basically autodiscoverserviceinternaluri (SCP record) should be included in the cert.

Outlook 2003 will be fine as it doesn't recognize autodiscover, but 2007+ will prompt you.
0
 
Alan HardistyCommented:
You would be best advised to purchase a SAN / UCC SSL certificate (multi-name) and should include the following names:

mail.externaldomainname.com (or whatever you prefer)
autodiscover.externaldomainname.com
internalservername.internaldomainname.local
internalservername

With all the above names included - you should not get any SSL certificate errors.
0
 
WPHITAuthor Commented:
I know that I can purchase a SAN; to be honest I do want to avoid that because I'll have to go back to VeriSign and spend more money, which obviously people aren't going to be too keen on.

The autodiscover URL is the internal name when I do a Get-ClientAccessServer | fl, which is different to that of my cert.

So, this brings me back to: if I change this to reflect my external domain (the one on the certificate), how will my Outlook 2003 clients react when I come in the next day? And is this ill-advised?

I'm talking about doing this:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
0
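Rajith's check (Get-ClientAccessServer | fl *uri) and the change WPHIT is considering both come down to one question: does every host name Exchange hands to Outlook appear on the certificate bound to IIS? The script below is an added example, not code from the thread or the linked guide; it runs in the Exchange 2010 Management Shell on the CAS and assumes a single CAS server, with the Set-* lines at the end using placeholder host names from the question.

```powershell
# Added example: audit the names Exchange 2010 advertises via AutoDiscover
# against the names on the certificate enabled for IIS. Assumes one CAS server
# (the local machine); mail.mail.com below is a placeholder from the question.
$CasName = $env:COMPUTERNAME

# Names on the certificate currently assigned the IIS service (the one OWA uses)
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"Certificate {0} covers: {1}" -f $iisCert.Thumbprint, ($certNames -join ', ')

# URLs Outlook 2007+ learns from AutoDiscover: the SCP first, then the virtual directories
$urls = @()
$urls += Get-ClientAccessServer -Identity $CasName |
    Select-Object @{n='Source';e={'AutoDiscoverServiceInternalUri'}}, @{n='Url';e={$_.AutoDiscoverServiceInternalUri}}
foreach ($vd in 'Get-WebServicesVirtualDirectory','Get-OabVirtualDirectory','Get-OwaVirtualDirectory','Get-ActiveSyncVirtualDirectory') {
    & $vd -Server $CasName | ForEach-Object {
        $urls += $_ | Select-Object @{n='Source';e={"$vd InternalUrl"}}, @{n='Url';e={$_.InternalUrl}}
        $urls += $_ | Select-Object @{n='Source';e={"$vd ExternalUrl"}}, @{n='Url';e={$_.ExternalUrl}}
    }
}

# True if the host name is on the certificate, either exactly or via a one-label wildcard (*.mail.com)
function Test-NameOnCert([string]$HostName) {
    foreach ($n in $certNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $parts = $HostName.Split('.', 2)
            if ($parts.Count -eq 2 -and $parts[1] -eq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

# Report each advertised host name; a MISMATCH is exactly what makes Outlook 2007 warn
foreach ($u in $urls) {
    if (-not $u.Url) { continue }
    $h = ([Uri]$u.Url).Host.ToLower()
    $state = if (Test-NameOnCert $h) { 'OK' } else { 'MISMATCH -> Outlook will warn' }
    "{0,-45} {1,-35} {2}" -f $u.Source, $h, $state
}

# The single-name fix discussed in the thread: point the SCP and internal URLs at the name
# that IS on the certificate (requires the internal DNS record the author already created).
# Set-ClientAccessServer -Identity $CasName -AutoDiscoverServiceInternalUri 'https://mail.mail.com/Autodiscover/Autodiscover.xml'
# Set-WebServicesVirtualDirectory -Identity "$CasName\EWS (Default Web Site)" -InternalUrl 'https://mail.mail.com/EWS/Exchange.asmx'
# Set-OabVirtualDirectory -Identity "$CasName\OAB (Default Web Site)" -InternalUrl 'https://mail.mail.com/OAB'
```

Re-run the audit after changing the URLs; Outlook 2003 clients are unaffected because they never query the SCP, as Rajith notes above.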
 
Alan HardistyCommented:
Don't spend Verisign sort of money - go to GoDaddy and spend a little and get the same results.

For £$60 you can buy a 1-year 5 name SAN / UCC cert that will work.  Verisign will probably only let you log in for that money!!
0
 
gleekCommented:
It's more headache than you want to change this.

ActiveSync devices look for autodiscover.domain.com by default for auto config. Exchange creates an SCP in AD that Outlook clients automatically look for. Outlook Anywhere looks for this to configure, and so on.

The other option is to just use a wildcard cert. If you went back to VeriSign and asked them to revoke the cert you bought, refund the money and then purchase a wildcard cert, you would be OK using it internally on the CAS and published on the listener on ISA/TMG.
0
 
tigermattCommented:
gleek,

Personally, I wouldn't use a wildcard certificate for Exchange Client Access anywhere. While it does make it easy to protect all services with one certificate, it also requires more Exchange modifications to get working correctly.

In all honesty, a wildcard certificate is usually more expensive than a multiple-name SAN certificate.

A single-name can be used, but as Alan has indicated, it is generally easier to purchase a SAN which contains all the proper names. A SAN certificate can quite happily sit on both a CAS listener in TMG and on the backend Exchange infrastructure. There also isn't a requirement to include the internal domain.local names on the SAN (none of my environments do) but I only recommend these are omitted where the user is very confident with the configuration of split DNS, firewalls, IP Routing, Active Directory, CAS URL properties etc.

-Matt
0
 
gleekCommented:
tiger,

It can be done though. Yes, you may have to run Set-OutlookProvider and change things, but it's not like it isn't supported or is very hard to set it up. This sounds like a smaller shop anyway.

A 5-year UC cert with 2 SANs can get super pricey. I've found that in some cases a wildcard can be cost effective because you are able to use it throughout your organization for other needs if they should arise as well.

I've set up environments with both and lots of times it depends on customer needs. It can be done easily one way or another.
0
 
Alan HardistyCommented:
I spend £120 / $180 on a 3-year SAN / UCC for all my Exchange environments and they all work a treat, with no messing with Exchange to get the certs to work happily.

Buy - request - approve - download - import - enable - work.

Simple as!
0
 
WPHITAuthor Commented:
Changed the AutoDiscover URLs in the end.

Used the following guide:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

Works fine and has been for about a month.
0
 
WPHITAuthor Commented:
Followed this guide, meant I did not have to procure other SSL certs.
0
