certificates for CAS server
We have an Exchange 2007 SP1 setup as follows: separate HUB server, separate CAS server, CCR mailbox cluster. Upcoming migration from 2003. All Outlook 2007 clients. We do not use Outlook Anywhere but will use all the available Exchange web services, including ActiveSync and OWA.

I am looking at getting a SAN or Unified Communications certificate for securing Autodiscover, ActiveSync, and OWA. Currently all users are on Exchange 2003 with Windows Mobile handhelds that point to "exchange.domain.com" and we would prefer not to change that. The SAN cert should allow us to have both "autodiscover.domain.com" and "exchange.domain.com" as names on the default web site. Is that correct how I am understanding that?

I am a little unclear how our Outlook 2007 clients will get the correct Autodiscover settings. Will an internal A record for "autodiscover.eksh.com" be enough? Or will I need to modify the AD SCP record as well? Now Outlook 2007 clients look to https://mail-cas01.domain.com/autodiscover/autodiscover.xml.

Do I need to remove the self-signed certificate from IIS before importing the new SAN cert? Do I need to put the CAS server name "mail-cas-01.domain.com" on the SAN certificate request along with "autodiscover.domain.com" and "exchange.domain.com"?

Thank you for your help
October 14th, 2008 10:05pm

Hi,

When the CAS is set up, the Service Connection Point (SCP) object is created in Active Directory. This object contains an attribute holding the URL to the Autodiscover service (ServiceBindingInformation). By default, the URL will be set to the FQDN of the server (https://FQDN/autodiscover/autodiscover.xml).

For the internal user, Outlook first connects to AD and obtains the SCP object with the URL to the Autodiscover service. Outlook then connects to the Autodiscover URL and sends an XML request to the Autodiscover service in order to obtain the URLs of the Availability, Out of Office, Unified Messaging and Offline Address Book services, and then connects to them.

The autodiscover.domain.com name is not used for internal users but for external users who need to work by using Outlook Anywhere. If you are not logged into the domain, the SCP object cannot be found, and Outlook must take a different approach that uses DNS to locate Autodiscover. The default URL is https://autodiscover.domain.com/autodiscover/autodiscover.xml.

Of course, you can change the URI in the SCP to autodiscover.domain.com depending on your needs. Please note that the corresponding A record for autodiscover.domain.com needs to be created. Additionally, the other service URLs also need to be changed if you only apply for a SAN certificate which just includes autodiscover.domain.com and exchange.domain.com.

To better understand the relationship between the Autodiscover service and the certificate, please refer to the article below: http://technet.microsoft.com/en-us/library/bb332063.aspx

Thanks
Allen
October 16th, 2008 1:48pm
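As an added illustration of the answer above (example commands, not part of the thread), the Exchange 2007 Management Shell steps that put the names clients actually use onto the certificate request, point the SCP at one of those names, and align the other service URLs so Outlook is never handed a URL whose host is missing from the certificate. Server name MAIL-CAS01, domain.com and the virtual directory identities are assumed from the question; replace them with your own values.

```powershell
# --- 1. Request a SAN certificate that lists every name a client will connect to ---
# Subject CN = the name the handhelds and OWA users already use; the SAN list adds
# the Autodiscover name and (optionally) the CAS FQDN so the default SCP URL also matches.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=exchange.domain.com" `
    -DomainName exchange.domain.com, autodiscover.domain.com, mail-cas01.domain.com `
    -KeySize 2048 -PrivateKeyExportable $true `
    -Path C:\certreq\exchange-san.req
# Submit exchange-san.req to the CA; when the signed certificate comes back:
Import-ExchangeCertificate -Path C:\certreq\exchange-san.cer
# Bind it to IIS (Autodiscover, EWS, OAB, OWA, ActiveSync all run under IIS on the CAS).
# Replace <THUMBPRINT> with the thumbprint printed by Import-ExchangeCertificate.
Enable-ExchangeCertificate -Thumbprint "<THUMBPRINT>" -Services IIS

# --- 2. Point the SCP at a name that is on the certificate ---
# Domain-joined Outlook 2007 reads this URI from AD before ever touching DNS,
# so its host must match a certificate name or the client raises a name-mismatch warning.
Set-ClientAccessServer -Identity MAIL-CAS01 `
    -AutoDiscoverServiceInternalUri "https://exchange.domain.com/autodiscover/autodiscover.xml"
# An internal A record for exchange.domain.com (and autodiscover.domain.com) must resolve
# to the CAS; the shell cannot create that for you.

# --- 3. Align the service URLs that Autodiscover hands back to the client ---
# Outlook uses these for Availability/Out of Office (EWS), the OAB and Unified Messaging,
# so each must also use a host present on the certificate.
Set-WebServicesVirtualDirectory -Identity "MAIL-CAS01\EWS (Default Web Site)" `
    -InternalUrl "https://exchange.domain.com/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "MAIL-CAS01\OAB (Default Web Site)" `
    -InternalUrl "https://exchange.domain.com/OAB"
Set-UMVirtualDirectory -Identity "MAIL-CAS01\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "https://exchange.domain.com/UnifiedMessaging/Service.asmx"
Set-ActiveSyncVirtualDirectory -Identity "MAIL-CAS01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://exchange.domain.com/Microsoft-Server-ActiveSync"

# --- 4. Verify: the SCP URI and every returned URL should use a certificate name ---
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
# Runs the Autodiscover request as a real mailbox and reports each service URL it receives.
Test-OutlookWebServices -Identity user@domain.com | Format-List
```

If the CAS FQDN is left off the certificate, step 2 is mandatory rather than optional, because the default SCP URI names the server itself.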
