[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Autodiscover for exchange

Posted on 2013-05-29
6
Medium Priority
?
421 Views
Last Modified: 2013-05-30
Probably a fairly simple answer.

Setting up SBS 2011. Have never setup an external autodiscover before. Can someone let me know if the following is all good?

Register 2 x SSL certs (autodiscover.domain.com & remote.domain.com)
Create A record in external DNS (autodiscover.domain.com -> xxx.xxx.xxx.xxx

Is that right?
do I need to configure the server at all?

Thanks
0
Comment
Question by:Talds_Alouds
  • 2
  • 2
  • 2
6 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203811
Hi,

right :)

just more only check in exchange console that auto discover is on and setup external url. Yes and you need routed 443 for exchange SSL but also 80 for autodiscover

you can use powershell scripts or you have it in gui

http://technet.microsoft.com/en-us/library/bb201695(v=exchg.141).aspx

and check price because you can use one wildcard certificate or certificate with multiple DNS names. After you have certificate you need in exchange console asign services for it.

http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx#emc
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 39203815
"Register 2 x SSL certs"

In most normal configurations, no, this will not work. There is no good way to bind two certificates to a single site on a single port. And that causes a problem.

You must either use a single certificate that supports multiple names, or you Kist use some other method to redirect autodiscover requests. The most popular method being SRV records.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203821
Yes and SRV record is need for advanced anti spam techniques like SPF
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:Talds_Alouds
ID: 39206901
Sorry,

So, can I just confirm, because a couple of the posts seem to be conflicting.

I wanted to get an ssl cert for remote.domain.com as sbs will auto configure this address.
I wanted to get an ssl for autodiscover.domain.com so that when clients try to connect, it checks the autodiscover record?

Have I got autodiscover wrong? I thought, when a user types in their details, Outlook goes looks for an autodiscover record. if available, it grabs the remote address (remote.domain.com) and goes from there?
0
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 39206927
You've got it wrong.

Outlook will check autodiscover.domain.com first, but all it does is grab the IP address and then attempts to request an XML file with autodiscover settings from that server. The XML file will be automatically generated by the SBS server, but if you bind the remote.domain.com SSL certificate to the SBS website then the XML request will fail because the domain name autodiscover.domain.com (the server Outlook is expecting to return the XML file) will not match the SSL certificate which has the name remote.domain.com.

A website can only have *ONE* certificate bound to it on a given port. In this case, there is one website (the SBS website) which serves the autodiscover XML file *and* the RWA website. And it is on port 443. Given the limitation above that only one certificate can be bound, you cannot bind both your "remote.domain.com" certificate and your "autodiscover.domain.com" certificate. Note that this is NOT Microsoft or IIS specific. It is inherent in the design of SSL and prevents alterations or man-in-the-middle attacks.

So if you bind your remote.domain.com certificate, autodiscover will fail. If you bind your autodiscover.domain.com certificate, RWA will break.

The solution, therefore, is as I said above. You have a choice. You can purchase a UCC/SAN certificate. This is a type of certificate that supports multiple names attached to one single certificate. They are more expensive. So you'd have ONE certificate with both remote.domain.com *AND* autodiscover.domain.com configured. This allows you to abide by the rule above and bind only one certificate to the SBS website.

HOWEVER, the SBS wizard will not help you by creating a UCC/SAN CSR. You will have to step away from the SBS wizards and configure manually, and things *can* go wrong. Given you seemed to already be confused and thought you could get two certificates, I don't recommend this route. You'd likely find that in attempting to install the certificate, you'd break various parts of RWA since the manual process is not trivial.

The second option is to create an autodiscover SRV record. With this method, you do *not* purchase a certificate with the autodiscover.domain.com name. You can use the SBS wizard to generate the CSR and install the certificate after you've purchased it from a vendor of your choice.

You do *not* create a DNS A record for autodiscover.domain.com. Outlook will try to find a DNS record for autodiscover.domain.com, and that will fail. It will then fall back to the next method it is hard-coded to use, which is to look for an autodiscover SRV record. That record, when configured properly, will tell outlook to request the XML file from remote.domain.com. Outlook will request the XML file, and since the name and the cert match, no errors will occur and autodiscover works as expected.

The process is relatively straightforward and only requires one new DNS record. It does, however, assume that your existing public DNS infrastructure is healthy (no wildcard records with mismatched SSL certs, no bad records), and that your DNS provider supports SRV records. When the above caveats are true, this is an easy method to implement and makes purchasing a certificate simple and inexpensive. It is what I'd recommend.

-Cliff
0
 

Author Closing Comment

by:Talds_Alouds
ID: 39206954
Remarkable explanation! Thank you!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
Written by Glen Knight (demazter) as part of a series of how-to articles. Introduction One of the biggest consumers of disk space with Small Business Server 2008(SBS) is Windows Server Update Services, more affectionately known as WSUS. For t…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question