This post is based more on personal experience than on researched fact... just a heads up. It may or may not work in other environments, but it was a troublesome enough discovery process that I thought it was worth sharing. The problem was that I had an ISA 2006 box publishing my Exchange 2007 access methods (OWA, RPC/HTTPS, Autodiscover, etc.). Everything was working fine, except for Autodiscover. The Autodiscover process would hang while trying to get its settings through the ISA server, then give up. In the ISA logs, I could see that the requests to autodiscover.domain.com were getting rejected because they required authorization.
Here's some additional background on my environment setup:
- ISA 2006 is configured with Authentication to my internal LDAP (Active Directory) servers
- The rule publishing my Outlook Anywhere services was configured for Authenticated Users only. It included the /Autodiscover site as one of its sites to allow traffic for.
- I was using a SAN SSL certificate (from godaddy) with webmail.domain.com as its principal name, and autodiscover.domain.com as one of the SAN names.
I'll cut to the chase and explain what I did and why. I had to remove /Autodiscover from the list of accepted sites on my default Outlook Anywhere rule, then create a new rule just for Autodiscover. The new rule featured the following differences from the original rule:
- On the "To:" tab, I still had the principal name of the certificate... webmail.pih.net. However, in the "Public Name" tab I specified "autodiscover.domain.com" as the only Website/IP.
- On the Paths tab I left the default path of "/*"... you could also specify /Autodiscover, but I didn't care to. (Narrowing the path to /Autodiscover/* is worth considering, since it keeps the rule that skips ISA authentication from covering anything else published under that public name.)
- On the Users tab, I had to remove "Authenticated Users" and add in "All Users". This was the real trick that got autodiscover working, I think.
- I put the rule lower on the list than the rest of the rules for good measure.
Once this change was applied, Autodiscover worked like a charm. No more ISA logs barking about denied connections (still got a few failed connections, the usual error 64 and 10054 stuff... that's normal for an RPC/HTTPS connection, mind you...), and Autodiscover goodness all around. I noticed that Autodiscover now pops up a box asking for login credentials during its discovery process (even though I specified the same credentials already during configuration of the Outlook profile), but this is a small price to pay for working Autodiscover.
I later verified this configuration with Microsoft, by the way... an ISA engineer, to be specific. He did not explain why this was, but indicated it may be an Outlook client problem... it's not responding to the request from ISA to authenticate... so the rule allowed the Outlook client to bypass authentication on the ISA server and authenticate directly against the Exchange server instead. A slight security breach, but nothing to be terribly concerned about considering it's just for Autodiscover.
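As an added check (my own example, not code from the original post), the PowerShell script below sends the same POST that Outlook sends to the Autodiscover service, once anonymously and once with mailbox credentials, so you can see from a machine on the outside whether the request is now making it through ISA to Exchange and whether the Outlook Anywhere settings that come back name the host you expect. The hostnames autodiscover.domain.com and webmail.domain.com and the mailbox address are assumptions to replace with your own; it uses only .NET classes available to PowerShell 2.0.

```powershell
# Added example (not from the original post). Assumed values below: replace
# the hostnames and the mailbox address with your own.
$AutodiscoverUrl = "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"
$MailboxAddress  = "someone@domain.com"
$ExpectedRpcHost = "webmail.domain.com"   # the ExternalHostname set on Outlook Anywhere

# The request body Outlook posts, per the Outlook Autodiscover request schema.
$RequestXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$MailboxAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

function Invoke-AutodiscoverProbe {
    param(
        [string]$Url,
        [string]$Body,
        [System.Management.Automation.PSCredential]$Credential = $null
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Body)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method        = "POST"
    $request.ContentType   = "text/xml; charset=utf-8"
    $request.ContentLength = $bytes.Length
    if ($Credential) { $request.Credentials = $Credential.GetNetworkCredential() }

    $stream = $request.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    # A 401/403 surfaces as a WebException; keep its response so the status
    # code and WWW-Authenticate header can be reported instead of a bare error.
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        $response = $_.Exception.Response
        if (-not $response) { throw }
    }
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $text = $reader.ReadToEnd()
    $reader.Close()
    $result = New-Object PSObject -Property @{
        Status    = [int]$response.StatusCode
        Challenge = $response.Headers["WWW-Authenticate"]
        Body      = $text
    }
    $response.Close()
    return $result
}

# 1. Anonymous: a 401 carrying a WWW-Authenticate header is whoever answered
#    (ISA or the Client Access server) asking for credentials; the body shows which.
$anon = Invoke-AutodiscoverProbe -Url $AutodiscoverUrl -Body $RequestXml
"Anonymous:     HTTP {0}  WWW-Authenticate: {1}" -f $anon.Status, $anon.Challenge

# 2. With the mailbox credentials: a 200 containing an EXPR <Protocol> element
#    means the request reached Exchange and Outlook Anywhere settings came back.
$cred = Get-Credential
$auth = Invoke-AutodiscoverProbe -Url $AutodiscoverUrl -Body $RequestXml -Credential $cred
"Authenticated: HTTP {0}" -f $auth.Status
if ($auth.Status -eq 200) {
    [xml]$doc = $auth.Body
    # Dot navigation ignores the XML namespace, so this works on the 2006a schema.
    $expr = @($doc.Autodiscover.Response.Account.Protocol | Where-Object { $_.Type -eq "EXPR" })
    if ($expr.Count -eq 0) {
        "No EXPR (Outlook Anywhere) block in the response; check Enable-OutlookAnywhere on the CAS."
    } elseif ($expr[0].Server -ne $ExpectedRpcHost) {
        "EXPR Server is '{0}', expected '{1}'." -f $expr[0].Server, $ExpectedRpcHost
    } else {
        "Autodiscover returned Outlook Anywhere settings for {0}." -f $expr[0].Server
    }
} else {
    "Still denied with valid credentials; the publishing rule in front of Autodiscover is the first thing to check."
}
```

Run it from outside the network, where Outlook would normally be; if the authenticated run still comes back denied, the ISA rule is rejecting the client before Exchange ever sees the request, which is the symptom the post describes.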
A place whereupon my brain may barf tidbits of knowledge related to my work as an IT that have no room to stay...
Showing posts with label Autodiscover. Show all posts
Thursday, February 11, 2010
Tuesday, February 10, 2009
Configuring Exchange 2007 for external access to the Autodiscover service
You would like to think that going out and buying that expensive UCC Certificate then installing it properly into Exchange (as described in my previous post) would be enough, wouldn't you? Far from it. There are several follow-up steps required to properly configure Exchange 2007 (especially its Autodiscover service). Microsoft outlines a few of the commands here:
To configure the Outlook Anywhere service, run this in the EMS:
Enable-OutlookAnywhere -Server CAS01 -ExternalHostname "mail.contoso.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
To configure the Offline Address Book service, run this in the EMS:
Set-OABVirtualDirectory -identity "CAS01\OAB (Default Web Site)" -externalurl https://mail.contoso.com/OAB -RequireSSL:$true
To configure the Exchange web services, run this in the EMS:
Set-WebServicesVirtualDirectory -identity "CAS01\EWS (Default Web Site)" -externalurl https://mail.contoso.com/EWS/Exchange.asmx -BasicAuthentication:$True
If using Unified Messaging, run this in the EMS:
Set-UMVirtualDirectory -identity "CAS01\UnifiedMessaging (Default Web Site)" -externalurl https://mail.contoso.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True
Of course, don't forget to change the contoso stuff to your own domain. Many of these can be configured in the EMC if you are scared of the command line, except for EWS... that one can only be set in the EMS. Finally, add an A record for autodiscover and point it to the external IP of your Exchange server (the same IP that mail.domain.com is pointing to) and Autodiscover should be set.
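To check the result of those four commands against the certificate you just bought, here is an added PowerShell example (mine, not from the post or from Microsoft) to run in the EMS on the Client Access server: it collects every external hostname configured on the server, adds the autodiscover name Outlook derives from your SMTP domain, and confirms each one appears on the certificate enabled for IIS, so a name missing from the UCC/SAN certificate shows up before Outlook complains about it. CAS01 and autodiscover.contoso.com are the assumed names.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the Client Access server itself (Get-ExchangeCertificate reads the
# local store on Exchange 2007). "CAS01" and the autodiscover name are assumed.
$Server           = "CAS01"
$AutodiscoverHost = "autodiscover.contoso.com"   # the A record added for Autodiscover

# Every external hostname the commands above configure, tagged by service.
function Get-ExternalHostnames {
    param([string]$Server)
    $found = @()
    $oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
    if ($oa -and $oa.ExternalHostname) {
        $found += New-Object PSObject -Property @{ Service = "Outlook Anywhere"; Host = $oa.ExternalHostname.ToString() }
    }
    $dirs = @(
        @{ Service = "OAB"; Objects = (Get-OABVirtualDirectory -Server $Server -ErrorAction SilentlyContinue) },
        @{ Service = "EWS"; Objects = (Get-WebServicesVirtualDirectory -Server $Server -ErrorAction SilentlyContinue) },
        @{ Service = "UM";  Objects = (Get-UMVirtualDirectory -Server $Server -ErrorAction SilentlyContinue) }
    )
    foreach ($d in $dirs) {
        foreach ($vd in @($d.Objects)) {
            if ($vd -and $vd.ExternalUrl) {
                $found += New-Object PSObject -Property @{ Service = $d.Service; Host = $vd.ExternalUrl.Host }
            }
        }
    }
    return $found
}

# True when $Name is on the certificate, allowing a leftmost-label wildcard.
function Test-NameOnCertificate {
    param([string]$Name, [string[]]$CertNames)
    $n = $Name.ToLower()
    foreach ($c in $CertNames) {
        $c = $c.ToLower()
        if ($c -eq $n) { return $true }
        if ($c.StartsWith("*.")) {
            $suffix   = $c.Substring(1)          # ".contoso.com"
            $labelEnd = $n.IndexOf(".")
            if ($labelEnd -gt 0 -and $n.Substring($labelEnd) -eq $suffix) { return $true }
        }
    }
    return $false
}

# Subject and SAN names on the certificate bound to IIS (the one OWA, EWS and
# Outlook Anywhere clients actually see).
$certNames = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })

$entries  = @(Get-ExternalHostnames -Server $Server)
$entries += New-Object PSObject -Property @{ Service = "Autodiscover (DNS)"; Host = $AutodiscoverHost }

foreach ($entry in $entries) {
    if (Test-NameOnCertificate -Name $entry.Host -CertNames $certNames) {
        "{0,-20} {1,-32} OK" -f $entry.Service, $entry.Host
    } else {
        "{0,-20} {1,-32} NOT on the IIS certificate: clients will get a name mismatch" -f $entry.Service, $entry.Host
    }
}
```

A hostname flagged as missing means either the wrong certificate is enabled for IIS (check Enable-ExchangeCertificate) or the external URL was set to a name the certificate was never issued for; fix one or the other before pointing clients at it.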