?
Solved

Autodiscover for exchange

Posted on 2013-05-29
6
Medium Priority
?
415 Views
Last Modified: 2013-05-30
Probably a fairly simple answer.

Setting up SBS 2011. Have never setup an external autodiscover before. Can someone let me know if the following is all good?

Register 2 x SSL certs (autodiscover.domain.com & remote.domain.com)
Create A record in external DNS (autodiscover.domain.com -> xxx.xxx.xxx.xxx

Is that right?
do I need to configure the server at all?

Thanks
0
Comment
Question by:Talds_Alouds
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203811
Hi,

right :)

just more only check in exchange console that auto discover is on and setup external url. Yes and you need routed 443 for exchange SSL but also 80 for autodiscover

you can use powershell scripts or you have it in gui

http://technet.microsoft.com/en-us/library/bb201695(v=exchg.141).aspx

and check price because you can use one wildcard certificate or certificate with multiple DNS names. After you have certificate you need in exchange console asign services for it.

http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx#emc
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39203815
"Register 2 x SSL certs"

In most normal configurations, no, this will not work. There is no good way to bind two certificates to a single site on a single port. And that causes a problem.

You must either use a single certificate that supports multiple names, or you Kist use some other method to redirect autodiscover requests. The most popular method being SRV records.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203821
Yes and SRV record is need for advanced anti spam techniques like SPF
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:Talds_Alouds
ID: 39206901
Sorry,

So, can I just confirm, because a couple of the posts seem to be conflicting.

I wanted to get an ssl cert for remote.domain.com as sbs will auto configure this address.
I wanted to get an ssl for autodiscover.domain.com so that when clients try to connect, it checks the autodiscover record?

Have I got autodiscover wrong? I thought, when a user types in their details, Outlook goes looks for an autodiscover record. if available, it grabs the remote address (remote.domain.com) and goes from there?
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 39206927
You've got it wrong.

Outlook will check autodiscover.domain.com first, but all it does is grab the IP address and then attempts to request an XML file with autodiscover settings from that server. The XML file will be automatically generated by the SBS server, but if you bind the remote.domain.com SSL certificate to the SBS website then the XML request will fail because the domain name autodiscover.domain.com (the server Outlook is expecting to return the XML file) will not match the SSL certificate which has the name remote.domain.com.

A website can only have *ONE* certificate bound to it on a given port. In this case, there is one website (the SBS website) which serves the autodiscover XML file *and* the RWA website. And it is on port 443. Given the limitation above that only one certificate can be bound, you cannot bind both your "remote.domain.com" certificate and your "autodiscover.domain.com" certificate. Note that this is NOT Microsoft or IIS specific. It is inherent in the design of SSL and prevents alterations or man-in-the-middle attacks.

So if you bind your remote.domain.com certificate, autodiscover will fail. If you bind your autodiscover.domain.com certificate, RWA will break.

The solution, therefore, is as I said above. You have a choice. You can purchase a UCC/SAN certificate. This is a type of certificate that supports multiple names attached to one single certificate. They are more expensive. So you'd have ONE certificate with both remote.domain.com *AND* autodiscover.domain.com configured. This allows you to abide by the rule above and bind only one certificate to the SBS website.

HOWEVER, the SBS wizard will not help you by creating a UCC/SAN CSR. You will have to step away from the SBS wizards and configure manually, and things *can* go wrong. Given you seemed to already be confused and thought you could get two certificates, I don't recommend this route. You'd likely find that in attempting to install the certificate, you'd break various parts of RWA since the manual process is not trivial.

The second option is to create an autodiscover SRV record. With this method, you do *not* purchase a certificate with the autodiscover.domain.com name. You can use the SBS wizard to generate the CSR and install the certificate after you've purchased it from a vendor of your choice.

You do *not* create a DNS A record for autodiscover.domain.com. Outlook will try to find a DNS record for autodiscover.domain.com, and that will fail. It will then fall back to the next method it is hard-coded to use, which is to look for an autodiscover SRV record. That record, when configured properly, will tell outlook to request the XML file from remote.domain.com. Outlook will request the XML file, and since the name and the cert match, no errors will occur and autodiscover works as expected.

The process is relatively straightforward and only requires one new DNS record. It does, however, assume that your existing public DNS infrastructure is healthy (no wildcard records with mismatched SSL certs, no bad records), and that your DNS provider supports SRV records. When the above caveats are true, this is an easy method to implement and makes purchasing a certificate simple and inexpensive. It is what I'd recommend.

-Cliff
0
 

Author Closing Comment

by:Talds_Alouds
ID: 39206954
Remarkable explanation! Thank you!
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses
Course of the Month8 days, 8 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question