Resource Booking

Internal vs. External Autodiscover

Outlook 2007 uses two different approaches to locate an Autodiscover site and determine the necessary information. The first approach is used when the Windows computer is a member of the Active Directory forest in which the Exchange server exists. Figure 17.12 shows the process that Outlook uses to locate resources. In this example, the computer on which Outlook 2007 is installed is a member of the Active Directory forest. This is considered the service process for internal clients.

Figure 17.12: Autodiscover when a client is member of the Active Directory

In step 1 in Figure 17.12, Outlook is launched for the first time and there is not an Outlook profile for the user account. Outlook contacts the Active Directory to find a service connection point (SCP). A service connection point is an Active Directory object that can be used to publish and locate network services. The SCP object will provide Outlook with the fully qualified domain names of Client Access servers; Outlook contacts a Client Access servers in its local Active Directory site

In step 2, the Outlook 2007 client queries the Client Access server to retrieve the user's home server. The username and domain name are used to locate the user's home mailbox server. Outlook also retrieves information about the location of the Availability service and the distribution points for the offline address book. From this information, the Outlook profile is created.

In step 3, Outlook is able to connect to the user's home Exchange server.

If the desktop client is not a member of the Active Directory or is outside of the corporate network and cannot contact a domain controller, then Outlook 2007 uses a different approach. This is the Autodiscover service process for external access. In this approach, DNS is used to locate the Autodiscover service. Figure 17.13 shows an example of how the Autodiscover service is located for an external client. In this example, the user must provide their e-mail address since it cannot be provided for them using their Active Directory user account.

Figure 17.13: External Autodiscover location process

In step 1, Outlook tries to contact an Active Directory domain controller (if the client is a member of the Active Directory). If Active Directory cannot be located or the computer is not a member of the Active Directory, the user is presented with the Add New E-mail Account dialog box shown in Figure 17.14. From this dialog box, the user must enter their primary STMP address, their name, and their account password. The e-mail address is important because the STMP domain name is used in step 2.

Figure 17.14: Providing Outlook with your information manually

In step 2, the Outlook 2007 client performs a DNS query and uses the SMTP domain name. In our example, the domain name is somorita.com. Outlook will use the following URLs to try to connect in order to locate the Autodiscover server:

• https ://somorita.com/autodiscover/autodiscover.xml

• https://autodiscover.somorita.com/autodiscover/autodiscover.xml

These URLs will need to be resolvable in DNS and accessible from outside your network for external clients. If you will use the DNS approach for "external" clients on your inside network, you will want to make sure that one of these two URL's is resolvable using your internal DNS.

The Client Access server that hosts either the Autodiscover URL will then return the Outlook Anywhere information necessary to configure Outlook 2007 as well as external URL locations for the Availability service and the offline address book distribution point.

Configuring Autodiscover

When an Exchange 2007 Client Access server is installed, an SCP record is created in Active Directory for it. This includes the internal Outlook Anywhere settings, the internal internal URL for the offline address book, and the internal URL for Exchange web services. However, depending on your environment, there may be additional configuration settings that you need to perform, if, for example, you needed to enable Outlook Anywhere (formerly RPC over HTTP) or define external URLs for other web services.

Configuring Autodiscover Virtual Directories

An Autodiscover virtual directory is automatically created on each Exchange 2007 Client Access server. The only way to configure this is through the Exchange Management Shell. The Get-AutoDiscoverVirtualDirectory cmdlet can let you view the Autodiscover virtual directories. Here is an example:

[PS] C:\

>

Get-AutodiscoverVirtualDirectory Name : Autodiscover (Default Web Site) InternalAuthenticationMethods : {Basic, Ntlm} ExternalAuthenticationMethods : {Basic, Ntlm} BasicAuthentication : True DigestAuthentication : False WindowsAuthentication : True MetabasePath : IIS://HNLEX03.volcanosurfboards.com/W3SVC/1/ ROOT/Autodiscover

Path

: C:\Program Files\Microsoft\Exchange Server \ClientAccess\ Autodiscover Server : HNLEX03 InternalUrl : ExternalUrl : AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) DistinguishedName : CN=Autodiscover (Default Web Site), CN=HTTP,CN=Protocols,CN=HNLEX03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com Identity : HNLEX03\Autodiscover (Default Web Site) Guid : ObjectCategory : volcanosurfboards.com/Configuration/Schema 'ms-Exch-Auto-Discover- Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory} WhenChanged : 12/22/2006 9:10:00 PM WhenCreated : 12/22/2006 9:10:00 PM OriginatingServer : HNLDC01.volcanosurfboards.com IsValid : True

If you want to set the external URL for Autodiscover, here is the command:

Set-AutodiscoverVirtualDirectory "HNLEX03\Autodiscover (Default Web Site)" -ExternalUrl "https://owa.somorita.com"

Configuring Outlook Anywhere and Autodiscover

By default, Outlook Anywhere is not enabled on the Client Access servers. To enable Outlook Anywhere, locate each Client Access server in the Server Configuration work center in the Exchange Management Console (EMC) and select the Enable Outlook Anywhere task on the Actions pane. This launches a wizard that prompts you for the external hostname and the type of authentication and gives you the option to use SSL offloading .

If you are using network load balancing, the external hostname will be the fully qualified domain name that the clients will use externally. When you have completed the information required by the wizard, you can click the Enable Outlook Anywhere button.

Optionally, you could enable Outlook Anywhere using the Enable-OutlookAnywhere cmdlet. Here is an example:

Enable-OutlookAnywhere -Server 'HNLEX03' -ExternalHostname 'owa.somorita.com' -ExternalAuthenticationMethod 'Basic' -SSLOffloading $false

Once Outlook Anywhere is enabled, you can select the properties of the Client Access server and view the Outlook Anywhere properties of that particular Client Access server. An example is shown in Figure 17.15.

Figure 17.15: Configuring the external hostname for Outlook Anywhere

You can retrieve the same information (and more) using the Get-OutlookAnywhere cmdlet; here is an example:

Get-OutlookAnywhere SSLOffloading : False ExternalHostname : owa.somorita.com ExternalAuthenticationMethod : Basic MetabasePath : IIS://HNLEX03.volcanosurfboards.com/ W3SVC/1/ROOT/Rpc Path : C:\WINDOWS\System32\RpcProxy Server : HNLEX03 AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) Name : Rpc (Default Web Site) DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP, CN=Protocols,CN=HNLEX03,CN=Servers,CN=Exchange AdministrativeGroup (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com Identity : HNLEX03\Rpc (Default Web Site) Guid : ObjectCategory : volcanosurfboards.com/Configuration/Schema/ ms-Exch-Rpc-Http-Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory} WhenChanged : 1/8/2007 6:24:32 PM WhenCreated : 1/8/2007 6:24:32 PM OriginatingServer : HNLDC01.volcanosurfboards.com IsValid : True

When configuring the external hostname for Outlook Anywhere, remember that this is the URL that will be referred to external Outlook 2007 clients when Autodiscover is used.

Offline Address Books and Autodiscover

The offline address book distribution points by default only contain the internal URL used to locate them. You can set these using the graphical user interface by selecting the properties of the offline address book virtual directory in the Exchange Management Console. The URLs property page of the default OAB virtual directory for a Client Access server is shown in Figure 17.16.

Figure 17.16: Setting the external URL for offline address book distribution

You can also set this parameter using the EMS cmdlet Set-OABVirtualDirectory . Hereisan example:

Set-OABVirtualDirectory "hnlex03\OAB (Default Web Site)" -ExternalURL https://owa.somorita.com/OAB -RequireSSL:$True

You can view the configuration of the offline address book virtual directory using the Get-OABVirtualDirectory cmdlet. Here is an example:

Get-OabVirtualDirectory  fl Name : OAB (Default Web Site) PollInterval : 480 OfflineAddressBooks : {} RequireSSL : True MetabasePath : IIS://HNLEX03.volcanosurfboards.com/W3SVC/1/ROOT/ OAB Path : C:\Program Files\ Microsoft\Exchange Server\ClientAccess\OAB Server : HNLEX03 InternalUrl : http://hnlex03.volcanosurfboards.com/OAB InternalAuthenticationMethods : {WindowsIntegrated} ExternalUrl : https://owa.somorita.com/OAB ExternalAuthenticationMethods : {WindowsIntegrated} AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) DistinguishedName : CN=OAB (Default Web Site), CN=HTTP,CN=Protocols, CN=HNLEX03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com Identity : HNLEX03\OAB (Default Web Site) Guid : ObjectCategory : volcanosurfboards.com/Configuration/Schema/ ms-Exch-OAB-Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualDirectory} WhenChanged : 1/8/2007 7:17:58 PM WhenCreated : 12/22/2006 9:09:56 PM OriginatingServer : HNLDC01.volcanosurfboards.com IsValid : True

Configuring Web Services and Autodiscover

If remote or external clients will need access to custom web services, you should configure the external URL for web services. This can only be done via the EMS. The following cmdlet is an example for setting the external URL for a Client Access server:

Set-WebServicesVirtualDirectory "hnlex03\EWS (Default web site)" -ExternalUrl https://owa.somorita.com/EWS/Exchange.asmx -BasicAuthentication:$True

To check the configuration of the Web Services virtual directory, you can use the Get-WebServicesVirtualDirectory cmdlet:

Get-WebServicesVirtualDirectory Name : EWS (Default Web Site) InternalAuthenticationMethods : {Basic, Ntlm} ExternalAuthenticationMethods : {Basic, Ntlm} BasicAuthentication : True DigestAuthentication : False WindowsAuthentication : True MetabasePath : IIS://HNLEX03.volcanosurfboards.com/W3SVC/1/ ROOT/EWS Path : C:\Program Files\Microsoft\Exchange Server\ ClientAccess\ exchweb\EWS Server : HNLEX03 InternalUrl : https://hnlex03.volcanosurfboards.com/ EWS/Exchange.asmx ExternalUrl : https://owa.somorita.com/EWS/Exchange.asmx AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) DistinguishedName : CN=EWS (Default Web Site),CN=HTTP, CN=Protocols, CN=HNLEX03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Volcano Surfboards, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=volcanosurfboards,DC=com Identity : HNLEX03\EWS (Default Web Site) Guid : ObjectCategory : volcanosurfboards.com/Configuration/Schema/ ms-Exch-Web-Services-Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchWebServices VirtualDirectory} WhenChanged : 1/8/2007 7:07:25 PM WhenCreated : 12/22/2006 9:10:12 PM OriginatingServer : HNLDC01.volcanosurfboards.com IsValid : True

Autodiscover and Secure Sockets Layer

If you have tried to deploy both internal and external URLs already, then you are already wondering how Secure Sockets Layer is supposed to work if the FQDN of the internal location is different than the external FQDN. After all, if certificates are requested you usually only provide one name in the certificate signing request. There is a workaround, however, that allows you to have more than one DNS domain name for a Client Access server. To do this, you have to use the New-ExchangeCertificate cmdlet. The command line is fairly involved; here is an example:

New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=volcanosurfboards,o=Volcano Surfboards, cn=owa.somorita.com" -domainname HNLEX03,HNLEX03.volcanosurfboards.com,owa.somorita.com, autodiscover.somorita.com -path c:\certrequest-HNLEX03.txt

This cmdlet creates a certificate request with multiple hostnames. In this case, the hostnames include owa.somorita.com, autodiscover.somorita.com, hnlex03, and hnlex03.volcanosurfboards.com.

We can take the contents of this file and get a certificate signed and issued by a trusted certificate authority or we could sign it ourselves using Windows Certificate Server. The result will be a file that is returned to us from the certification authority (in this case, certnew.cer). Here is an example of using the Import-ExchangeCertificate cmdlet to import the signed certificate in to the certificate store:

Import-ExchangeCertificate -path c:\certnew.cer -friendlyname "HNLEX03 Cert"

If you are used to creating certificate requests using the Internet Information Services Manager console, then there is a new step you may not be familiar with. The Import-ExchangeCertificate cmdlet imports the certificate into the computer's personal certificate store, but it does not assign it to the default website. You will need to follow these steps to associate the certificate with the default website.

1. Run the Internet Information Server Manager console.

2. Open the Web Sites container, right-click Default Web Site, and select Properties.

3. Select the Directory Security property page.

4. Click the Server Certificate button and then click Next.

5. Select the Assign an Existing Certificate radio button and click Next.

6. In the Select a Certificate list, select the certificate you have just imported using the Import-ExchangeCertificate cmdlet. When you have selected the certificate, click Next.

   

7. Confirm that port 443 is the SSL port. This is usually the case. Click Next.

8. On the Certificate Summary page, you can see some of the details of the certificate. When you are ready, click Next and then click Finish.

   

Congratulations. The certificate is now installed and associated with the default website. On the Directory Security property page, you can click the View Certificate button to see more details about the certificate. On the Details property page, if you scroll down to Subject Alternative Name in the Field column (see Figure 17.17), you will see the additional names you have specified for the certificate.

Figure 17.17: Subject Alternative Name in the Field column

In the example we just showed you, the internal names of the server were HNLEX03 and HNLEX03.volcanosurfboards.com. The external names were owa.somorita.com and autodiscover.somorita.com.