Solved

Autodiscover for exchange

Posted on 2013-05-29
6
410 Views
Last Modified: 2013-05-30
Probably a fairly simple answer.

Setting up SBS 2011. Have never setup an external autodiscover before. Can someone let me know if the following is all good?

Register 2 x SSL certs (autodiscover.domain.com & remote.domain.com)
Create A record in external DNS (autodiscover.domain.com -> xxx.xxx.xxx.xxx)

Is that right?
do I need to configure the server at all?

Thanks
Question by:Talds_Alouds
6 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203811
Hi,

right :)

Just also check in the Exchange console that Autodiscover is on and set up the external URL. Yes, you need to route 443 for Exchange SSL, but also 80 for Autodiscover.

You can use PowerShell scripts, or you have it in the GUI.

http://technet.microsoft.com/en-us/library/bb201695(v=exchg.141).aspx

And check the price, because you can use one wildcard certificate or a certificate with multiple DNS names. After you have the certificate, you need to assign services to it in the Exchange console.

http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx#emc
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39203815
"Register 2 x SSL certs"

In most normal configurations, no, this will not work. There is no good way to bind two certificates to a single site on a single port. And that causes a problem.

You must either use a single certificate that supports multiple names, or you must use some other method to redirect autodiscover requests, the most popular method being SRV records.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203821
Yes, and an SRV record is needed for advanced anti-spam techniques like SPF.
0
 

Author Comment

by:Talds_Alouds
ID: 39206901
Sorry,

So, can I just confirm, because a couple of the posts seem to be conflicting.

I wanted to get an ssl cert for remote.domain.com as sbs will auto configure this address.
I wanted to get an ssl for autodiscover.domain.com so that when clients try to connect, it checks the autodiscover record?

Have I got autodiscover wrong? I thought, when a user types in their details, Outlook goes and looks for an autodiscover record. If available, it grabs the remote address (remote.domain.com) and goes from there?
0
 
LVL 57

Accepted Solution

by:Cliff Galiher (earned 500 total points)
ID: 39206927
You've got it wrong.

Outlook will check autodiscover.domain.com first, but all it does is grab the IP address and then attempts to request an XML file with autodiscover settings from that server. The XML file will be automatically generated by the SBS server, but if you bind the remote.domain.com SSL certificate to the SBS website then the XML request will fail because the domain name autodiscover.domain.com (the server Outlook is expecting to return the XML file) will not match the SSL certificate which has the name remote.domain.com.

A website can only have *ONE* certificate bound to it on a given port. In this case, there is one website (the SBS website) which serves the autodiscover XML file *and* the RWA website. And it is on port 443. Given the limitation above that only one certificate can be bound, you cannot bind both your "remote.domain.com" certificate and your "autodiscover.domain.com" certificate. Note that this is NOT Microsoft or IIS specific. It is inherent in the design of SSL and prevents alterations or man-in-the-middle attacks.

So if you bind your remote.domain.com certificate, autodiscover will fail. If you bind your autodiscover.domain.com certificate, RWA will break.

The solution, therefore, is as I said above. You have a choice. You can purchase a UCC/SAN certificate. This is a type of certificate that supports multiple names attached to one single certificate. They are more expensive. So you'd have ONE certificate with both remote.domain.com *AND* autodiscover.domain.com configured. This allows you to abide by the rule above and bind only one certificate to the SBS website.

HOWEVER, the SBS wizard will not help you by creating a UCC/SAN CSR. You will have to step away from the SBS wizards and configure manually, and things *can* go wrong. Given you seemed to already be confused and thought you could get two certificates, I don't recommend this route. You'd likely find that in attempting to install the certificate, you'd break various parts of RWA since the manual process is not trivial.

The second option is to create an autodiscover SRV record. With this method, you do *not* purchase a certificate with the autodiscover.domain.com name. You can use the SBS wizard to generate the CSR and install the certificate after you've purchased it from a vendor of your choice.

You do *not* create a DNS A record for autodiscover.domain.com. Outlook will try to find a DNS record for autodiscover.domain.com, and that will fail. It will then fall back to the next method it is hard-coded to use, which is to look for an autodiscover SRV record. That record, when configured properly, will tell Outlook to request the XML file from remote.domain.com. Outlook will request the XML file, and since the name and the cert match, no errors will occur and autodiscover works as expected.

The process is relatively straightforward and only requires one new DNS record. It does, however, assume that your existing public DNS infrastructure is healthy (no wildcard records with mismatched SSL certs, no bad records), and that your DNS provider supports SRV records. When the above caveats are true, this is an easy method to implement and makes purchasing a certificate simple and inexpensive. It is what I'd recommend.

-Cliff
0
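As an added illustration (this is not code from the thread, from SBS, or from Microsoft), the following Python models the client-side lookup order Cliff describes and the one-certificate-per-site rule behind it. It replays three setups against a constructed public zone: the asker's plan (an A record for autodiscover.domain.com with only the remote.domain.com certificate bound), the UCC/SAN option, and the SRV option. Assumptions: the SRV owner name `_autodiscover._tcp.domain.com` with target remote.domain.com on port 443 is the standard Outlook SRV convention; the IP address and host names are constructed sample data; the SCP, root-domain and HTTP-redirect steps Outlook also tries are left out to keep the model to the two steps discussed above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# priority, weight, port, target: the fields of a DNS SRV record
SrvRecord = Tuple[int, int, int, str]


@dataclass(frozen=True)
class PublicDns:
    """Constructed stand-in for the customer's external zone (not a live lookup)."""
    a_records: Dict[str, str]                # host name -> IPv4 address
    srv_records: Dict[str, List[SrvRecord]]  # owner name -> SRV records


@dataclass(frozen=True)
class SbsWebSite:
    """The single certificate bound to the SBS web site on port 443."""
    cert_names: Tuple[str, ...]


@dataclass(frozen=True)
class LookupResult:
    method: str           # "A record", "SRV record" or "none"
    host: Optional[str]   # host Outlook would request autodiscover.xml from
    ok: bool              # True if that host is covered by the bound certificate
    reason: str


def cert_covers(cert_names: Tuple[str, ...], host: str) -> bool:
    """Does the bound certificate carry a name matching `host`?

    Exact SAN/CN matches and single-label wildcards (*.domain.com) are handled;
    a wildcard covers autodiscover.domain.com but not a.b.domain.com.
    """
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.")
                and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def simulate_autodiscover(dns: PublicDns, site: SbsWebSite, smtp_domain: str) -> LookupResult:
    """Walk the two public lookup steps discussed in the thread (simplified:
    SCP, root-domain and HTTP-redirect probes are omitted)."""
    a_host = f"autodiscover.{smtp_domain}"
    if a_host in dns.a_records:
        # Outlook resolved the A record and will request
        # https://autodiscover.<domain>/autodiscover/autodiscover.xml,
        # so the TLS name check is against autodiscover.<domain>.
        if cert_covers(site.cert_names, a_host):
            return LookupResult("A record", a_host, True, "name matches bound certificate")
        return LookupResult("A record", a_host, False,
                            f"certificate for {', '.join(site.cert_names)} does not cover {a_host}")

    # No A record: fall back to the SRV record Outlook is hard-coded to look for.
    srv_owner = f"_autodiscover._tcp.{smtp_domain}"
    records = dns.srv_records.get(srv_owner, [])
    if not records:
        return LookupResult("none", None, False, "no A record and no SRV record")
    _priority, _weight, port, target = min(records)  # lowest priority wins
    if target not in dns.a_records:
        return LookupResult("SRV record", target, False, f"SRV target {target} has no A record")
    if cert_covers(site.cert_names, target):
        return LookupResult("SRV record", target, True, f"name matches bound certificate on port {port}")
    return LookupResult("SRV record", target, False,
                        f"certificate for {', '.join(site.cert_names)} does not cover {target}")


# Constructed sample data: 203.0.113.0/24 is a documentation range, not a real server.
SBS_IP = "203.0.113.10"

# Setup 1 (the question): A records for both names, but the SBS web site can
# only carry the remote.domain.com certificate.
DNS_WITH_A_RECORD = PublicDns(
    a_records={"remote.domain.com": SBS_IP, "autodiscover.domain.com": SBS_IP},
    srv_records={},
)

# Setup 2 (the accepted answer): no autodiscover A record, one SRV record
# sending Outlook to remote.domain.com on 443.
DNS_WITH_SRV_RECORD = PublicDns(
    a_records={"remote.domain.com": SBS_IP},
    srv_records={"_autodiscover._tcp.domain.com": [(0, 0, 443, "remote.domain.com")]},
)

SINGLE_NAME_CERT = SbsWebSite(cert_names=("remote.domain.com",))
UCC_SAN_CERT = SbsWebSite(cert_names=("remote.domain.com", "autodiscover.domain.com"))


if __name__ == "__main__":
    for label, dns, site in [
        ("A record + single-name cert", DNS_WITH_A_RECORD, SINGLE_NAME_CERT),
        ("A record + UCC/SAN cert", DNS_WITH_A_RECORD, UCC_SAN_CERT),
        ("SRV record + single-name cert", DNS_WITH_SRV_RECORD, SINGLE_NAME_CERT),
    ]:
        r = simulate_autodiscover(dns, site, "domain.com")
        print(f"{label:32} {r.method:10} {r.host!s:24} {'OK' if r.ok else 'FAIL'}: {r.reason}")
```

Running it shows the first setup failing on the name mismatch, and both the UCC/SAN and SRV setups succeeding, which is the choice the answer lays out. The same `cert_covers` check also explains why a wildcard certificate (mentioned in the first reply) satisfies the A-record path without a second certificate.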
 

Author Closing Comment

by:Talds_Alouds
ID: 39206954
Remarkable explanation! Thank you!
0
