Solved

Autodiscover for exchange

Posted on 2013-05-29
6
409 Views
Last Modified: 2013-05-30
Probably a fairly simple answer.

Setting up SBS 2011. Have never setup an external autodiscover before. Can someone let me know if the following is all good?

Register 2 x SSL certs (autodiscover.domain.com & remote.domain.com)
Create A record in external DNS (autodiscover.domain.com -> xxx.xxx.xxx.xxx

Is that right?
do I need to configure the server at all?

Thanks
0
Comment
Question by:Talds_Alouds
  • 2
  • 2
  • 2
6 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203811
Hi,

right :)

just more only check in exchange console that auto discover is on and setup external url. Yes and you need routed 443 for exchange SSL but also 80 for autodiscover

you can use powershell scripts or you have it in gui

http://technet.microsoft.com/en-us/library/bb201695(v=exchg.141).aspx

and check price because you can use one wildcard certificate or certificate with multiple DNS names. After you have certificate you need in exchange console asign services for it.

http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx#emc
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39203815
"Register 2 x SSL certs"

In most normal configurations, no, this will not work. There is no good way to bind two certificates to a single site on a single port. And that causes a problem.

You must either use a single certificate that supports multiple names, or you Kist use some other method to redirect autodiscover requests. The most popular method being SRV records.
0
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39203821
Yes and SRV record is need for advanced anti spam techniques like SPF
0
Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

 

Author Comment

by:Talds_Alouds
ID: 39206901
Sorry,

So, can I just confirm, because a couple of the posts seem to be conflicting.

I wanted to get an ssl cert for remote.domain.com as sbs will auto configure this address.
I wanted to get an ssl for autodiscover.domain.com so that when clients try to connect, it checks the autodiscover record?

Have I got autodiscover wrong? I thought, when a user types in their details, Outlook goes looks for an autodiscover record. if available, it grabs the remote address (remote.domain.com) and goes from there?
0
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39206927
You've got it wrong.

Outlook will check autodiscover.domain.com first, but all it does is grab the IP address and then attempts to request an XML file with autodiscover settings from that server. The XML file will be automatically generated by the SBS server, but if you bind the remote.domain.com SSL certificate to the SBS website then the XML request will fail because the domain name autodiscover.domain.com (the server Outlook is expecting to return the XML file) will not match the SSL certificate which has the name remote.domain.com.

A website can only have *ONE* certificate bound to it on a given port. In this case, there is one website (the SBS website) which serves the autodiscover XML file *and* the RWA website. And it is on port 443. Given the limitation above that only one certificate can be bound, you cannot bind both your "remote.domain.com" certificate and your "autodiscover.domain.com" certificate. Note that this is NOT Microsoft or IIS specific. It is inherent in the design of SSL and prevents alterations or man-in-the-middle attacks.

So if you bind your remote.domain.com certificate, autodiscover will fail. If you bind your autodiscover.domain.com certificate, RWA will break.

The solution, therefore, is as I said above. You have a choice. You can purchase a UCC/SAN certificate. This is a type of certificate that supports multiple names attached to one single certificate. They are more expensive. So you'd have ONE certificate with both remote.domain.com *AND* autodiscover.domain.com configured. This allows you to abide by the rule above and bind only one certificate to the SBS website.

HOWEVER, the SBS wizard will not help you by creating a UCC/SAN CSR. You will have to step away from the SBS wizards and configure manually, and things *can* go wrong. Given you seemed to already be confused and thought you could get two certificates, I don't recommend this route. You'd likely find that in attempting to install the certificate, you'd break various parts of RWA since the manual process is not trivial.

The second option is to create an autodiscover SRV record. With this method, you do *not* purchase a certificate with the autodiscover.domain.com name. You can use the SBS wizard to generate the CSR and install the certificate after you've purchased it from a vendor of your choice.

You do *not* create a DNS A record for autodiscover.domain.com. Outlook will try to find a DNS record for autodiscover.domain.com, and that will fail. It will then fall back to the next method it is hard-coded to use, which is to look for an autodiscover SRV record. That record, when configured properly, will tell outlook to request the XML file from remote.domain.com. Outlook will request the XML file, and since the name and the cert match, no errors will occur and autodiscover works as expected.

The process is relatively straightforward and only requires one new DNS record. It does, however, assume that your existing public DNS infrastructure is healthy (no wildcard records with mismatched SSL certs, no bad records), and that your DNS provider supports SRV records. When the above caveats are true, this is an easy method to implement and makes purchasing a certificate simple and inexpensive. It is what I'd recommend.

-Cliff
0
 

Author Closing Comment

by:Talds_Alouds
ID: 39206954
Remarkable explanation! Thank you!
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question