The Exchange 2007 Wiki

Using one Certificate and a Redirection

There are circumstances in which you do not have the ability, or it does not make business sense, to acquire an additional certificate for use by your CAS server. In this circumstance you can use Autodiscover redirection to send your clients that are not domain joined, or that have no direct AD access, to another DNS address to get their Autodiscover information.

  1. Apply the mail.company.com certificate to the Default Website of your CAS server.
  2. Change the External and Internal URLs for your Autodiscover services to point to mail.company.com. *
    a. For OAB use: Set-OABVirtualDirectory -Identity "<server>/<oab virtual directory name>" -ExternalUrl https://mail.company.com/oab -InternalUrl https://mail.company.com/oab
    b. For EWS (Exchange Web Services) use: Set-WebServicesVirtualDirectory -Identity "<server>/<ews virtual directory name>" -ExternalUrl https://mail.company.com/EWS/Exchange.asmx -InternalUrl https://mail.company.com/EWS/Exchange.asmx
    c. For UM (if you have it) use: Set-UMVirtualDirectory -ExternalUrl https://mail.company.com/UnifiedMessaging/Service.asmx -InternalUrl https://mail.company.com/UnifiedMessaging/Service.asmx
  3. Configure the Service connection point to use the mail.company.com address. Use the command:
    Set-ClientAccessServer -id <cas server>  -AutoDiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml
  4. Set the Default Website to only listen on one IP address
    a. On the Website tab assign the current IP to the website.
    b. Click Advanced
    c. Under SSL Identities edit the IP address to be only the current address
  5. Bind an additional IP address to the CAS server's network card.
  6. Create a new website in IIS admin
    a.  Right-Click Web Sites, choose New, then "Web Site"
    b.  When you are asked for the path, create a new folder in the file system (recommended under C:\Inetpub called autodiscover_redirect)
    c.  You must allow read and anonymous access to the site.
  7. In Windows Explorer under the autodiscover_redirect folder create a new folder called “Autodiscover”
  8. In the Autodiscover folder create a new blank text document with the name “Autodiscover.xml”
  9. Set up the website to redirect to the mail.company.com site
    a. In IIS manager right click the Autodiscover.xml file and choose properties.
    b. On the properties choose “A redirection to a URL”
    c. For redirection fill in the same address as we used for your Service Connection Point (e.g. https://mail.company.com/autodiscover/autodiscover.xml)
    d. Click OK
  10. Ensure that mail.company.com can be resolved internally.
  11. Ensure that mail.company.com and Autodiscover.company.com can be resolved externally.

At this point your non domain joined and “no direct AD connectivity” Outlook 2007 clients will be working by getting redirected from Autodiscover.company.com to mail.company.com.  The only downside to this process is that the Outlook 2007 end user will be prompted with a box asking them to allow this redirection.  There is the option to have Outlook not prompt you again about this redirection.

This is also the proper solution when you are hosting multiple SMTP domains and you do not want to get a certificate for each of the domains. Once you have configured the autodiscover redirect site, you would simply create a DNS entry for “autodiscover” in each of the zones that you host, pointing to this non-SSL redirect site. This redirect site would in turn redirect all of your clients to a central URL (e.g. https://mail.hoster.com/autodiscover/autodiscover.xml).
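After finishing the steps above (and for every hosted zone in the multi-domain case), it is worth confirming from outside the network that the non-SSL redirect site really answers with a redirect to the same HTTPS URI you put on the Service Connection Point, and not to an HTTP address or a host the mail.company.com certificate does not cover. The script below is an added example, not part of the wiki page: the `probe` function needs network access to the redirect site, while `check_redirect` evaluates a captured status and Location header offline; `SCP_URI` is the example address from step 3 and should be replaced with your own.

```python
import urllib.request
from urllib.parse import urlsplit

# The URI set on the Service Connection Point (step 3) and used for the redirect (step 9c).
SCP_URI = "https://mail.company.com/autodiscover/autodiscover.xml"


class _StopAtRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the 30x response instead of following it, so Location can be inspected."""

    def http_error_302(self, req, fp, code, msg, headers):
        return fp

    http_error_301 = http_error_303 = http_error_307 = http_error_302


def probe(domain, timeout=10):
    """Fetch the non-SSL Autodiscover URL for one SMTP domain (network access required).

    Returns (status, location) exactly as the redirect site answered.
    """
    url = f"http://autodiscover.{domain}/autodiscover/autodiscover.xml"
    opener = urllib.request.build_opener(_StopAtRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Location")


def check_redirect(status, location, expected=SCP_URI):
    """Compare one probe result with the SCP URI; return a list of findings (empty = OK)."""
    if status not in (301, 302):
        return [f"expected a 301/302 redirect, got HTTP {status}"]
    if not location:
        return ["redirect carries no Location header"]
    findings = []
    loc, exp = urlsplit(location), urlsplit(expected)
    if loc.scheme.lower() != "https":
        findings.append("redirect target is not HTTPS")
    if loc.hostname != exp.hostname:  # hostname is already lower-cased by urlsplit
        findings.append(f"redirect host {loc.hostname!r} is not the SCP host {exp.hostname!r}")
    if loc.path.lower() != exp.path.lower():
        findings.append(f"redirect path {loc.path!r} differs from {exp.path!r}")
    return findings


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:  # e.g. python check_autodiscover.py company.com hosted2.com
        status, location = probe(domain)
        problems = check_redirect(status, location)
        print(domain, "OK" if not problems else "; ".join(problems))
```

Run it with each SMTP domain you host as an argument; any finding means the redirect site, the SCP URI, or the certificate name are out of step with one another.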


Last Modified 9/17/07 1:46 PM