Code:
http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/
Edit: I have gone into pretty good detail on the different methods you can use to publish Exchange services, including Autodiscover, here.
In Exchange versions prior to Exchange 2007, users would store data inside a public folder. This data included free/busy information, Out of Office messages, the Offline Address Book, etc. Beginning with Exchange 2007, this information is stored in Internet Information Services (IIS). The process of distributing these services in Exchange 2007 is known as web distribution. Keep in mind that you will need Outlook 2007 clients to support web distribution. If you are running clients prior to Outlook 2007, you will still need to use public folders.
As you can see in the following image, IIS in Exchange 2007 contains several new directories compared to its predecessor, Exchange 2003:


The Autodiscover directory is used by the Autodiscover service to provide automatic profile configuration for Outlook 2007 clients as well as compatible mobile devices, such as Windows Mobile 6. In addition to automatic profile configuration, it provides the external URLs necessary to connect to web distributed services. Another directory is the EWS directory, which provides access to web distributed services. These web distributed services include the Availability service, Out of Office (OOF) messages, etc. The Availability service grants users on-demand access to free/busy information. For more information regarding the Availability service, please visit the following site: You Had Me At EHLO... : What does Exchange 2007 Availability Service do?. The OAB directory is used to store the Offline Address Book (OAB), which provides an offline copy of the Global Address List (GAL). The file distribution service copies the OAB files from the OAB generation server to the CAS server for web distribution. To learn more about OAB web distribution, please visit the following site: You Had Me At EHLO... : Exchange 2007 Offline Address Book Web Distribution.
Prerequisite

Properly configure IIS on your Client Access Server (CAS) to host the certificate(s) needed for external and internal access. The certificate recommended for this configuration is a Unified Communications (UC) certificate. You can read more about these different configurations here.
Note: For this article, we will be using a UC certificate that contains 4 Subject Alternative Names (SANs). Our requested certificate’s CN was webmail.shudnow.net. The first SAN name requested was also webmail.shudnow.net. Our request was created using the following EMS command:
New-ExchangeCertificate -DomainName webmail.shudnow.net, autodiscover.shudnow.net, casserver.shudnow.net, casserver -FriendlyName Shudnow -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=US, o=Shudnow Inc, CN=webmail.shudnow.net"

  1. NetBIOS name of the CAS (casserver) – used if there is a need or desire to connect to services such as OWA using the NetBIOS name of the CAS while connected to the internal network.
  2. FQDN of the CAS (casserver.shudnow.net) – used so we can publish Autodiscover internal URLs that point directly to the CAS.
  3. Autodiscover.shudnow.net – used so external clients can retrieve the external URLs needed to connect to web distributed services.
  4. IntuitiveName.shudnow.net – used for services such as Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, and web service distribution (OAB, OOF, and Availability). Common FQDNs used are exchange.domain.com, owa.domain.com, mail.domain.com, webmail.domain.com, etc. This article will use the example FQDN webmail.shudnow.net.

ISA 2006 RTM Configuration

Update1 (08/18/2008) – It’s been over a year since this article was released. Things have changed. Below I explain how to create a new rule for Autodiscover, set All Users for authentication, etc. ISA 2006 SP1 is now out and supports SAN certs. As of now, when I configure ISA 2006 SP1, I leave autodiscover in the Outlook Anywhere rule, leave Authenticated Users on, and add the autodiscover FQDN to the Public Name tab as I do below. So please keep these things in mind, because the remaining ISA 2006 section is based on RTM and not SP1.
You must ensure that you go onto the CAS, export the certificate with its private key, and import it into ISA 2006 (please make sure you have the licenses needed for installing a certificate on multiple servers, if required by your certificate vendor). A guide on how to do this is out of the scope of this blog. Once the certificate has been imported into ISA 2006, ISA configuration can begin. Start by publishing each Exchange 2007 role as needed. In ISA 2006, each rule will need to be published by itself. You can see this by looking at the following screen:

The Outlook Anywhere rule contains several /paths/ as can be seen by the following screenshot:

Because Outlook 2007 will contact the Autodiscover service by using https://autodiscover.shudnow.net/Aut...todiscover.xml, we will need to remove the /Autodiscover/ path from the Outlook Anywhere rule and create a dedicated rule just for Autodiscover.
There are also several other /paths/ that are new to publishing Exchange 2007. As you recall from the previous IIS screenshot from the CAS, there are /EWS/ and /OAB/ paths that allow us to publish the EWS and OAB web distributed folders. In the Exchange ActiveSync (EAS) rule, there is a /Microsoft-Server-Activesync/ path that is used to publish Exchange ActiveSync. Because the Public Name for these rules is configured as webmail.shudnow.net, we will need to publish the external URLs on the CAS server so that these services are distributed to external clients via https://webmail.shudnow.net.
Autodiscover Rule

With the Autodiscover rule created, there are a few configuration settings that need to be modified. The first is done by opening the Autodiscover rule and navigating to the To: tab. We need to ensure that “This rule applies to the published site:” matches the Common Name of the internal certificate. Since we are using the same certificate on both the CAS and ISA, the common name will be the same on both. Using a separate certificate on your CAS and ISA is out of the scope of this article. The IP address must be the IP address of the CAS server.

The next tab you will need to modify is the Public Name tab. Because this rule will be listening for requests to Autodiscover.shudnow.net, we will need to ensure this rule accepts requests that are destined for Autodiscover.shudnow.net.

You will see an error on the Listener tab that states there is an issue with certificates. Disregard this error, as it doesn’t affect us. ISA does not see that the certificate contains subject alternative names, but the rule will still work even though the Public Name is set to something other than the Common Name of the certificate.
Note: Microsoft has stated that ISA 2006 SP1 will support SAN certificates (which means all SAN names in a SAN Certificate). SP1 is due out late summer at earliest.
The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1.

Configuring Autodiscover on CAS

In order to allow a smooth connection to web distributed folders, we need to configure internal and external URLs. Internal URLs are provided to domain-joined clients who have direct connectivity to Active Directory. Because they have direct connectivity to AD, they will be able to pull authoritative internal web distribution URLs directly from the Service Connection Point (SCP). The SCP is an object that gets installed in Active Directory when a CAS is installed. The SCP contains an authoritative list of all Autodiscover service URLs in the forest where Exchange 2007 is installed.
Because we created an Autodiscover rule that listens for connections on Autodiscover.shudnow.net, an Outlook 2007 client, as well as a compatible mobile client, connecting from a remote network will be able to contact the Autodiscover service to have its profile configured automatically and to find the external URLs for web distributed services. Because ISA is publishing these web distributed folders via webmail.shudnow.net, we need to configure the external URLs to use https://webmail.shudnow.net/ServiceAddress. This way, when a client connects from the outside network, it will see that these external URLs are configured as https://webmail.shudnow.net/OAB and https://webmail.shudnow.net/EWS.
When using a UC certificate with the 4 URLs specified earlier in this article, we can allow an internal client to connect directly to the CAS, bypassing ISA. If you are not using the UC certificate, you will most likely be using the same internal and external URL. This is because, when not using the UC certificate, you will need to separate your IIS websites to accommodate multiple certificates: one blank default web site for your self-signed certificate, one site for all your web distributed services, OWA, and Outlook Anywhere that will contain your webmail.shudnow.net certificate, and finally an Autodiscover website for your Autodiscover.shudnow.net certificate. Because you will be using only 3 certificates, you will not have the FQDN of the CAS server defined in your certificates. Because of this, you will need to point both the internal and external URL to webmail.shudnow.net. Because the UC certificate contains both the FQDN of our CAS and the FQDN webmail.shudnow.net, we can point the internal URL to the FQDN of the CAS server and the external URL to the webmail.shudnow.net FQDN, which we configured ISA to accommodate. As stated in the prerequisite section, you can read about these two different types of certificate configurations here.
As of late September, Microsoft has added a new method to make the Autodiscover service accessible from the outside with a single certificate. This is through the use of SRV records. You can read more about this new type of configuration here.
EWS Configuration

In order to see what internal and external URLs are set for the EWS folder, we can run the Get-WebServicesVirtualDirectory cmdlet in the EMS. When a client is on the external network, it will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The EWS /path/ is configured in the Outlook Anywhere rule, which accepts connections for webmail.shudnow.net (remember that the Public Name tab is configured to accept connections for webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server, bypassing ISA, since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications certificate.
In order to configure the internal and external URL, we need to use the following command:
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://casserver.shudnow.net/EWS/Exchange.asmx -ExternalURL https://webmail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true
Note: You must ensure that you enable Basic Authentication on the EWS folder in IIS due to the Outlook Anywhere rule using Basic Authentication Delegation.
OAB Configuration

In order to see what internal and external URLs are set for the OAB folder, we can run the Get-OABVirtualDirectory | FL cmdlet in the EMS. When a client is on the external network, it will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The OAB /path/ is configured in the Outlook Anywhere rule, which accepts connections for webmail.shudnow.net (remember that the Public Name tab is configured to accept connections for webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server, bypassing ISA, since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications certificate.
In order to configure the internal and external URL, we need to use the following command:
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://casserver.shudnow.net/OAB -ExternalURL https://webmail.shudnow.net/OAB -RequireSSL:$true
Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The same goes for Basic Authentication on the OAB directory. The above command will only enable SSL, but will not ensure 128-bit SSL is required.
Outlook Anywhere Configuration

Currently, in Exchange 2007, Outlook Anywhere only works using Basic Authentication. To enable Outlook Anywhere and configure it to use webmail.shudnow.net with Basic Authentication, use the following command:
Enable-OutlookAnywhere -Server CASServer -ExternalHostname "webmail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
Note: The above Enable-OutlookAnywhere command works on RTM. For SP1, substitute -ExternalAuthenticationMethod with -ClientAuthenticationMethod.
Exchange ActiveSync

In order to see what external URLs are set for the Microsoft-Server-Activesync folder, we can run the Get-ActiveSyncVirtualDirectory cmdlet in the EMS. When a client is on the external network, it will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The Microsoft-Server-Activesync /path/ is configured in its own ActiveSync rule, which accepts connections for webmail.shudnow.net (remember that the Public Name and the To: tab should both be configured to accept connections for webmail.shudnow.net).
In order to configure the external URL, we need to use the following command:
Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://webmail.shudnow.net/Microsoft-Server-Activesync
Unified Messaging Configuration

In order to see what internal and external URLs are set for the UnifiedMessaging folder, we can run the Get-UMVirtualDirectory cmdlet in the EMS. When a client is on the external network, it will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The UnifiedMessaging /path/ is configured in the Outlook Anywhere rule, which accepts connections for webmail.shudnow.net (remember that the Public Name tab is configured to accept connections for webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server, bypassing ISA, since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications certificate.
In order to configure the internal and external URL, we need to use the following command:
Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://casserver.shudnow.net/Unifie...g/Service.asmx -ExternalURL https://webmail.shudnow.net/UnifiedM...g/Service.asmx -BasicAuthentication:$true
Note: You must ensure that you enable Basic Authentication on the UnifiedMessaging folder in IIS, due to the Outlook Anywhere rule using Basic Authentication Delegation.
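As an added check that is not part of the original article, the following script (assumed to run in the Exchange 2007 Management Shell; the server name and the certificate thumbprint are placeholders, and the hostnames are the article's examples) reads back the internal and external URLs of the virtual directories configured above and reports any whose hostname is not one of the UC certificate's names, plus an OAB directory that still lacks RequireSSL. A hostname that is not on the certificate is what produces certificate warnings in Outlook after these changes.

```powershell
# Added verification script (not from the original article).
# Assumptions: run in the Exchange 2007 EMS; replace the two placeholders below.
$Server     = "CASServer"                       # placeholder: your CAS name
$Thumbprint = "<thumbprint-of-the-UC-cert>"     # placeholder: from Get-ExchangeCertificate

# CertificateDomains lists the CN plus every Subject Alternative Name on the cert,
# e.g. webmail.shudnow.net, autodiscover.shudnow.net, casserver.shudnow.net, casserver
$cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
$certNames = @()
foreach ($d in $cert.CertificateDomains) { $certNames += $d.ToString().ToLower() }

# Collect every virtual directory the article configures URLs for.
$vdirs = @()
$vdirs += Get-WebServicesVirtualDirectory -Server $Server
$vdirs += Get-OABVirtualDirectory -Server $Server
$vdirs += Get-ActiveSyncVirtualDirectory -Server $Server
$vdirs += Get-UMVirtualDirectory -Server $Server

$problems = 0
foreach ($vdir in $vdirs) {
    foreach ($kind in "InternalUrl", "ExternalUrl") {
        $url = $vdir.$kind
        if ($url -eq $null) {
            Write-Warning ("{0}: {1} is not set" -f $vdir.Identity, $kind)
            $problems++
            continue
        }
        # Every URL handed to clients must use a name the certificate actually carries,
        # otherwise internal (casserver.shudnow.net) or external (webmail.shudnow.net)
        # clients get a name-mismatch warning.
        $hostName = $url.Host.ToLower()
        if ($certNames -contains $hostName) {
            Write-Host ("OK   {0} {1} -> {2}" -f $vdir.Identity, $kind, $url)
        } else {
            Write-Warning ("{0}: {1} host '{2}' is not on the certificate ({3})" `
                -f $vdir.Identity, $kind, $hostName, ($certNames -join ", "))
            $problems++
        }
    }
    # The article notes SSL is off on the OAB directory by default; flag it if still off.
    if ($vdir.Name -like "OAB*" -and -not $vdir.RequireSSL) {
        Write-Warning ("{0}: RequireSSL is not enabled" -f $vdir.Identity)
        $problems++
    }
}
Write-Host ("Checked {0} virtual directories, {1} problem(s) found" -f $vdirs.Count, $problems)
```

Re-run the script after each Set-*VirtualDirectory change so the published URLs are confirmed against the certificate before clients pick them up from Autodiscover.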