The Exchange 2007 Wiki

Exchange 2007 Autodiscover and Certificates:

With Exchange 2007 we introduce the idea of the Autodiscover service. This service allows Outlook 2007 clients to retrieve the URLs they need to reach the new web services offered by Exchange 2007. These web services (OAB, UM, OOF, and Availability) provide a good portion of the new functionality available to Outlook 2007. Please see this blog post for more details on the Outlook 2007 feature matrix based on the Exchange server version.

For domain-joined clients, Outlook is able to find the Autodiscover service using a service connection point (SCP). The SCP is an AD entry specific to each Client Access Server. When Outlook 2007 is able to securely connect to the domain and read this entry from AD, it can connect directly to this URL. Once connected to the Autodiscover end point, the Autodiscover service provides the client with the URLs of the other Exchange web services.

For non-domain-joined clients, or clients that are not able to directly access the domain, Outlook is hard-coded to find the Autodiscover end point by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the user's SMTP address following the @ sign). This means that to service clients in this scenario we must provide connectivity to one of these URLs. On the surface this should not be hard, but this connection is made over SSL and requires a valid certificate.

The communication to the Autodiscover end point and the subsequent communications to the services all occur over SSL. This requires that we have valid certificates (trusted, matching the name of the URL we are connecting to, and not expired) for the Autodiscover connection point and the services URLs. By default the services URLs are all variations of https://servername.

When you install a Client Access Server we provide IIS with a self-signed certificate that meets the validity tests for domain-joined clients. This allows internal clients to work right out of the box. Long-term use of this self-signed certificate is not recommended by Microsoft. Instead, it should be replaced as soon as possible with a certificate issued by a commercial, Internet-trusted CA or by a trusted internal PKI. The problem is that we must be able to resolve Autodiscover.company.com or company.com with a trusted certificate, in addition to other externally published Exchange services like OWA.
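The three tests above (trusted, name matches the URL, not expired) are what decide whether an Outlook client outside the domain can reach Autodiscover. The script below is an added example, not Microsoft's code or anything from this wiki: it derives the two hard-coded Autodiscover URLs from an SMTP address and checks the certificate each one presents. The trust test is delegated to Python's default SSL context (the local root store), while the name and date tests are implemented in check_certificate so they can also be run offline against the two constructed certificate dictionaries (SELF_SIGNED_CERT, mimicking the out-of-the-box IIS certificate with hypothetical host names, and PUBLIC_CERT). Outlook itself uses the Windows certificate engine, so this approximates rather than reproduces its validation.

```python
"""Check the Autodiscover URLs Outlook derives from an SMTP address against the
three certificate tests: trusted, name matches, not expired.
Added example, not Microsoft's code; the constructed certificate dictionaries
below mimic the shape that ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import sys
import time
from urllib.parse import urlparse


def autodiscover_candidates(smtp_address):
    """The two hard-coded URLs Outlook 2007 tries for a non-domain-joined client."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return [
        f"https://{domain}/Autodiscover/Autodiscover.xml",
        f"https://autodiscover.{domain}/Autodiscover/Autodiscover.xml",
    ]


def cert_names(cert):
    """All DNS names the certificate is valid for: SAN entries plus the subject CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v.lower() for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single left-most wildcard label such as *.company.com."""
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def check_certificate(cert, hostname, now=None):
    """Return the list of problems with using `cert` for `hostname`; [] means it
    passes the name and date tests. `now` is a certificate-style time string
    ('Jun 10 00:00:00 2007 GMT') so results are reproducible; default is the current time."""
    now_ts = ssl.cert_time_to_seconds(now) if now else time.time()
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname.lower()) for n in names):
        problems.append(f"name mismatch: certificate covers {names or 'no name'}, not {hostname}")
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not yet valid until {cert['notBefore']}")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired on {cert['notAfter']}")
    return problems


def probe(url, timeout=5.0):
    """Connect to one Autodiscover URL; the default context enforces the trust test,
    check_certificate reports the name and date tests."""
    host = urlparse(url).hostname
    ctx = ssl.create_default_context()  # verifies the chain against the local root store
    ctx.check_hostname = False          # name problems are reported below, not raised here
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_certificate(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"not trusted: {exc.verify_message}"]
    except OSError as exc:
        return [f"connection failed: {exc}"]


# Constructed sample: the default self-signed certificate Exchange gives IIS,
# which only carries the server's own names (hypothetical host names).
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "cas01"),),),
    "subjectAltName": (("DNS", "cas01"), ("DNS", "cas01.corp.company.local")),
    "notBefore": "May 10 00:00:00 2007 GMT",
    "notAfter": "May 10 00:00:00 2008 GMT",
}

# Constructed sample: a publicly trusted certificate that also names the Autodiscover host.
PUBLIC_CERT = {
    "subject": ((("commonName", "mail.company.com"),),),
    "subjectAltName": (("DNS", "mail.company.com"), ("DNS", "autodiscover.company.com")),
    "notBefore": "May 10 00:00:00 2007 GMT",
    "notAfter": "May 10 00:00:00 2009 GMT",
}


if __name__ == "__main__":
    # Usage: python autodiscover_check.py user@company.com
    for url in autodiscover_candidates(sys.argv[1]):
        problems = probe(url)
        print(url, "OK" if not problems else "; ".join(problems))
```

Run offline, check_certificate shows why the default certificate works for internal clients but not for the external Autodiscover name: SELF_SIGNED_CERT passes for cas01 and fails with a name mismatch for autodiscover.company.com, while PUBLIC_CERT passes until its notAfter date and then reports only an expiry. Run live, probe adds the trust test, and an untrusted or self-signed chain is reported as "not trusted" without the script having to disable verification.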

Assumptions:

This post assumes that you are a small to medium sized company that is moving from Exchange 2003 to Exchange 2007. Furthermore, it assumes that you are deploying a single CAS server, that you are using autodiscover.company.com, and that your environment is rather localized. Most of what is talked about here can reasonably be extended to larger environments.

Method One: Unified Communication Certificates

Method Two: Using Two Certificates

Method Three: Using one Certificate and Redirection

Last Modified 5/10/07 4:33 AM