The Exchange 2007 Wiki

Using Two Certificates instead of a Unified Communication Certificate:

So the problem with the Unified Communications certificate right now is its cost. It is by far the best solution for setting this up, but it does cost a bit more than most customers are currently paying for one or two certificates.

So you can use the following workaround to configure your CAS server to work with two separate commercial certificates.

  1. Get two commercial certificates: one for mail.company.com and one for autodiscover.company.com.
  2. Assign an additional IP address to the network card of the CAS server. The CAS server should now have two public IP addresses assigned to it.
  3. In DNS, create an A record for autodiscover.company.com and point it to the new IP address you assigned to the CAS server.
  4. On the CAS server, in the IIS Admin program, create a new Web Site that points to an empty directory on disk.
  5. Assign this new Web Site the IP address for autodiscover.company.com.
  6. From the Exchange Management Shell on the CAS server, run:
     New-AutodiscoverVirtualDirectory -WebSiteName "<Second website>"
     (e.g. if the new Web Site from step 4 is named "Autodiscover", then New-AutodiscoverVirtualDirectory -WebSiteName "Autodiscover" creates a new Autodiscover virtual directory under it.)
  7. Run Get-AutodiscoverVirtualDirectory to show both directories. Copy the Identity of the virtual directory associated with the Default Web Site (e.g. "AP296513\Autodiscover (Default Web Site)").
  8. Run Remove-AutodiscoverVirtualDirectory "<Identity from step 7>" (e.g. Remove-AutodiscoverVirtualDirectory "AP296513\Autodiscover (Default Web Site)"). This removes the Autodiscover virtual directory from the Default Web Site.
  9. Assign the mail.company.com certificate to the Default Web Site, and assign the autodiscover.company.com certificate to the new Web Site (e.g. "Autodiscover").
  10. Change the external and internal URLs of the services that Autodiscover publishes so that they point to mail.company.com. *
     a. For OAB, use:
        Get-OABVirtualDirectory -Server <CAS server> | Set-OABVirtualDirectory -ExternalUrl https://mail.company.com/oab -InternalUrl https://mail.company.com/oab
     b. For EWS (Exchange Web Services), use:
        Get-WebServicesVirtualDirectory -Server <CAS server> | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.company.com/EWS/Exchange.asmx -InternalUrl https://mail.company.com/EWS/Exchange.asmx
     c. For UM (if you have it), use:
        Get-UMVirtualDirectory -Server <CAS server> | Set-UMVirtualDirectory -ExternalUrl https://mail.company.com/UnifiedMessaging/Service.asmx -InternalUrl https://mail.company.com/UnifiedMessaging/Service.asmx
  11. Configure the Service Connection Point to use the autodiscover.company.com address. Use the command:
     Set-ClientAccessServer -Identity <CAS server> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml
  12. Ensure that mail.company.com and autodiscover.company.com can be resolved both internally and externally.
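The steps above give no way to confirm the result, so here is an added post-configuration check (example code, not from the wiki). It is meant to be run from the Exchange Management Shell (PowerShell 2.0 or later) on the CAS server; $MailHost, $AutoHost and $CasServer are placeholders for your own names.

```powershell
# Added check for the two-certificate setup (not part of the original wiki page).
# Assumes Exchange Management Shell on the CAS server, PowerShell 2.0 or later;
# $MailHost, $AutoHost and $CasServer are placeholders for your own names.
$MailHost  = "mail.company.com"
$AutoHost  = "autodiscover.company.com"
$CasServer = $env:COMPUTERNAME
$problems  = @()

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Complete a TLS handshake and return the certificate the site presents. The callback
    # accepts any certificate so a name mismatch is reported below instead of thrown here.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

# 1. Each hostname must present the certificate issued for that exact name (steps 1, 5, 9).
foreach ($h in @($MailHost, $AutoHost)) {
    $cert = Get-PresentedCertificate $h
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn -ine $h) { $problems += "$h presents a certificate for '$cn' (expires $($cert.NotAfter))" }
}

# 2. The Default Web Site must no longer carry an Autodiscover virtual directory (steps 7-8).
Get-AutodiscoverVirtualDirectory -Server $CasServer |
    Where-Object { "$($_.Identity)" -like "*Default Web Site*" } |
    ForEach-Object { $problems += "Autodiscover is still on the Default Web Site: $($_.Identity)" }

# 3. Every URL Autodiscover hands out must use the mail hostname (step 10) and the SCP
#    must use the autodiscover hostname (step 11); otherwise clients get a certificate warning.
$dirs = @(Get-OABVirtualDirectory -Server $CasServer) + @(Get-WebServicesVirtualDirectory -Server $CasServer)
foreach ($d in $dirs) {
    foreach ($u in @($d.InternalUrl, $d.ExternalUrl)) {
        if ($u -ne $null -and $u.Host -ine $MailHost) { $problems += "$($d.Identity): $u is not on $MailHost" }
    }
}
$scp = (Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
if ($scp -eq $null -or $scp.Host -ine $AutoHost) { $problems += "SCP points at '$scp' instead of $AutoHost" }

if ($problems.Count -eq 0) { Write-Host "All checks passed." }
else { $problems | ForEach-Object { Write-Host "FAIL: $_" } }
```

Run it once from inside the network and once from a host that resolves the external records, since step 12 requires both views of DNS to work.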

At this point everything should be working for your clients. Your domain-joined clients will contact AD and get autodiscover.company.com from the Service Connection Point, while your non-domain-joined clients and clients without direct AD access will contact DNS and get the same autodiscover.company.com connection point. Once either kind of client connects to the Autodiscover service, it will receive the mail.company.com addresses to use for the other services. At no point will either client be prompted with a certificate warning, since at each step of the connection process we present a certificate that matches the name being contacted.

Comments

From acodring - 10/10/07 4:22 AM

[Disclaimer: I'm an Entrust employee and we sell Unified Communications Certificates]
You're absolutely right - if you're only securing two sites (e.g. mail.company.com and autodiscover.company.com) you can get away without a Unified Communications Certificate.  However, instead of going through the steps to set up dual hosts with two separate certs as above, you could consider one of our Advantage SSL Certificates which include two hostnames in a single certificate. At $199 qty 1 it's not the cheapest cert around, but how much is your time worth?

From techcontact - 6/7/07 8:43 PM

I think it's important to note that a few things need to be in place for this to work. Your internal domain name must match your external domain name, or you must have split DNS in place.

If your internal domain is company.loc and your external domain is company.com, the Outlook client will not be able to find autodiscover.company.com from the local DNS server and will be forced to look outside. When it hits the external DNS it's going to be mapped to the external DNS name that you have set for autodiscover.com. I don't want my Outlook clients to have to do that much looking around for information.

The answer is to create an internal zone file for company.com and place your A record in there. Be careful if you create a zone file for company.com and you host your own website such as www.company.com. None of your internal clients will be able to hit the site unless you create host records. They will see the zone file, not find a record, and stop trying to resolve.

Last Modified 5/11/07 4:34 AM