Autodiscover for exchange

Posted on 2013-05-29
Last Modified: 2013-05-30
Probably a fairly simple answer.

Setting up SBS 2011. I have never set up an external Autodiscover before. Can someone let me know if the following is all good?

Register 2 x SSL certs (autodiscover.domain.com & remote.domain.com)
Create A record in external DNS (autodiscover.domain.com -> xxx.xxx.xxx.xxx)

Is that right?
Do I need to configure the server at all?

Thanks
Question by:Talds_Alouds
LVL 15

Expert Comment

by:Jaroslav Mraz
Hi,

Right :)

Just also check in the Exchange console that Autodiscover is on and set up the external URL. And you need port 443 routed for Exchange SSL, but also port 80 for Autodiscover.

You can use PowerShell scripts, or you have it in the GUI.

http://technet.microsoft.com/en-us/library/bb201695(v=exchg.141).aspx

And check the price, because you can use one wildcard certificate or a certificate with multiple DNS names. After you have the certificate you need to assign services to it in the Exchange console.

http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx#emc
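The "check Autodiscover is on and set up the external URL" step above as Exchange Management Shell commands on the SBS 2011 (Exchange 2010) server. This is an added example, not code from the thread or from Microsoft; the server name SBSSERVER and the host name remote.domain.com are assumptions, substitute your own.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell on the SBS 2011 box.
# SBSSERVER and remote.domain.com are assumed names; replace them with yours.
$server       = 'SBSSERVER'
$externalHost = 'remote.domain.com'

# 1. Autodiscover itself is always running on a Client Access role; what you control is the URI
#    Exchange publishes in Active Directory (the SCP) for domain-joined Outlook clients.
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$externalHost/Autodiscover/Autodiscover.xml"

# 2. External URLs. These are the values the Autodiscover XML hands back to Outlook, so every
#    one of them must use a host name that is on the certificate bound to IIS.
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -ExternalUrl "https://$externalHost/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -ExternalUrl "https://$externalHost/ecp"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalUrl "https://$externalHost/EWS/Exchange.asmx"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -ExternalUrl "https://$externalHost/OAB"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync"

# 3. Which certificate IIS is actually serving, and the names on it. Compare CertificateDomains
#    with $externalHost: if the host is not listed, Outlook will reject the connection.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
```

On SBS the "Set up your Internet address" wizard normally writes these URLs for you; the commands are useful to verify what it did, or to repair a server where the values no longer match the name on the certificate.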
LVL 56

Expert Comment

by:Cliff Galiher
"Register 2 x SSL certs"

In most normal configurations, no, this will not work. There is no good way to bind two certificates to a single site on a single port. And that causes a problem.

You must either use a single certificate that supports multiple names, or you must use some other method to redirect autodiscover requests. The most popular method being SRV records.
LVL 15

Expert Comment

by:Jaroslav Mraz
Yes, and an SRV record is needed for advanced anti-spam techniques like SPF.
Author Comment

by:Talds_Alouds
Sorry,

So, can I just confirm, because a couple of the posts seem to be conflicting.

I wanted to get an SSL cert for remote.domain.com as SBS will auto-configure this address.
I wanted to get an SSL cert for autodiscover.domain.com so that when clients try to connect, it checks the autodiscover record?

Have I got autodiscover wrong? I thought, when a user types in their details, Outlook goes and looks for an autodiscover record. If available, it grabs the remote address (remote.domain.com) and goes from there?
LVL 56

Accepted Solution

by:Cliff Galiher (earned 500 total points)
You've got it wrong.

Outlook will check autodiscover.domain.com first, but all it does is grab the IP address and then attempts to request an XML file with autodiscover settings from that server. The XML file will be automatically generated by the SBS server, but if you bind the remote.domain.com SSL certificate to the SBS website then the XML request will fail because the domain name autodiscover.domain.com (the server Outlook is expecting to return the XML file) will not match the SSL certificate which has the name remote.domain.com.

A website can only have *ONE* certificate bound to it on a given port. In this case, there is one website (the SBS website) which serves the autodiscover XML file *and* the RWA website. And it is on port 443. Given the limitation above that only one certificate can be bound, you cannot bind both your "remote.domain.com" certificate and your "autodiscover.domain.com" certificate. Note that this is NOT Microsoft or IIS specific. It is inherent in the design of SSL and prevents alterations or man-in-the-middle attacks.

So if you bind your remote.domain.com certificate, autodiscover will fail. If you bind your autodiscover.domain.com certificate, RWA will break.

The solution, therefore, is as I said above. You have a choice. You can purchase a UCC/SAN certificate. This is a type of certificate that supports multiple names attached to one single certificate. They are more expensive. So you'd have ONE certificate with both remote.domain.com *AND* autodiscover.domain.com configured. This allows you to abide by the rule above and bind only one certificate to the SBS website.

HOWEVER, the SBS wizard will not help you by creating a UCC/SAN CSR. You will have to step away from the SBS wizards and configure manually, and things *can* go wrong. Given you seemed to already be confused and thought you could get two certificates, I don't recommend this route. You'd likely find that in attempting to install the certificate, you'd break various parts of RWA since the manual process is not trivial.

The second option is to create an autodiscover SRV record. With this method, you do *not* purchase a certificate with the autodiscover.domain.com name. You can use the SBS wizard to generate the CSR and install the certificate after you've purchased it from a vendor of your choice.

You do *not* create a DNS A record for autodiscover.domain.com. Outlook will try to find a DNS record for autodiscover.domain.com, and that will fail. It will then fall back to the next method it is hard-coded to use, which is to look for an autodiscover SRV record. That record, when configured properly, will tell outlook to request the XML file from remote.domain.com. Outlook will request the XML file, and since the name and the cert match, no errors will occur and autodiscover works as expected.

The process is relatively straightforward and only requires one new DNS record. It does, however, assume that your existing public DNS infrastructure is healthy (no wildcard records with mismatched SSL certs, no bad records), and that your DNS provider supports SRV records. When the above caveats are true, this is an easy method to implement and makes purchasing a certificate simple and inexpensive. It is what I'd recommend.

-Cliff
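The two options Cliff describes, written out for the Exchange Management Shell on the SBS 2011 server, together with the public DNS record the SRV route needs and checks for both routes. This is an added example, not Cliff's or Microsoft's code; domain.com, remote.domain.com, autodiscover.domain.com, the organisation in the CSR subject, the C:\certreq paths, the user mailbox and the 8.8.8.8 resolver are all assumptions.

```powershell
# Added example (not from the original thread). All host names, paths and the CSR subject are assumed.
$externalHost = 'remote.domain.com'

# --- Option 1: one UCC/SAN certificate carrying both names (manual route, outside the SBS wizard) ---
# CN is remote.domain.com; autodiscover.domain.com is added as a subject alternative name.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalHost, O=Example Ltd, C=US" `
    -DomainName $externalHost, 'autodiscover.domain.com' `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName 'SBS SAN certificate'
Set-Content -Path 'C:\certreq\sbs-san.req' -Value $csr

# Once the CA returns the signed certificate, import it and bind it to IIS (and SMTP for TLS on mail).
# Only one certificate can be bound to the site on 443, so this replaces whatever the wizard bound.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certreq\sbs-san.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# --- Option 2: single-name certificate for remote.domain.com plus an Autodiscover SRV record ---
# Nothing to run on the server for this part. In PUBLIC DNS for domain.com create:
#
#   _autodiscover._tcp.domain.com.   IN SRV   0 0 443 remote.domain.com.
#
# and make sure there is NO A or CNAME record (and no wildcard) answering for autodiscover.domain.com,
# otherwise Outlook connects there first and the certificate name check fails before the SRV fallback runs.

# Check the records from the server against a public resolver rather than the internal DNS.
nslookup -type=A   autodiscover.domain.com       8.8.8.8   # must not resolve
nslookup -type=SRV _autodiscover._tcp.domain.com 8.8.8.8   # must point at remote.domain.com, port 443

# --- Either way: the name Outlook ends up connecting to must be on the certificate bound to IIS ---
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
foreach ($name in $externalHost, 'autodiscover.domain.com') {
    # exact match only; a wildcard certificate (*.domain.com) also covers these but is not detected here
    $onCert = $iisCert.CertificateDomains -contains $name
    '{0,-28} present on bound certificate: {1}' -f $name, $onCert
}

# End-to-end check of the Autodiscover response for a real mailbox.
Test-OutlookWebServices -Identity 'user@domain.com' | Format-Table Id, Type, Message -AutoSize
```

With option 2 the SRV target (remote.domain.com) is the only name Outlook needs on the certificate, which is why the wizard-generated single-name certificate is enough. Outlook 2007 and 2010 show a one-time "Allow this website to configure ... server settings?" prompt when an SRV record redirects a client to a host in a different name than the e-mail domain; that prompt is expected and not a sign of a mismatch.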

Author Closing Comment

by:Talds_Alouds
Remarkable explanation! Thank you!