On initial deployment of a single Client Access Server (CAS) without an Internet Security and Acceleration Server (ISA), while using Autodiscover, Service Availability, Outlook Web Access (OWA), Offline Address Book, and Outlook Anywhere, choosing the proper certificate proved difficult.
We considered going the Microsoft-recommended route, using a certificate that handles Subject Alternative Names, but we had a difficult time finding a provider that supported this standard at a reasonable cost. Instead we went with a solution that did not require a Subject Alternative Name certificate but used separate certificates. To start, we were required to set the proper internal and external names for all of the services we were using.
Defining Internal and External Exchange URL Settings:
The Availability service could not be set through the UI, so we had to use the Exchange Management Shell to define these settings. You can review your current Availability service URLs by typing this command:
Get-WebServicesVirtualDirectory -Identity "ews*"
Look for the Internal and External URL lines. To simplify access both internally and externally, we decided to set both names to the external URL, with this command:
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -ExternalUrl https://mailhost.externaldomain.com/EWS/Exchange.asmx -InternalUrl https://mailhost.externaldomain.com/EWS/Exchange.asmx
We then needed to ensure the Outlook Anywhere external host name was also set to the same name we used for the Availability service URLs. To check this, we ran the following command:
Get-OutlookAnywhere
We were then able to set the name with the following command:
Set-OutlookAnywhere -ExternalHostname mailhost.externaldomain.com
We now have to set the Internal and External URL for Outlook Web Access, using the UI. Open the Exchange Management Console and expand Server Configuration. Once in Server Configuration, choose Client Access. You should now see your single Client Access server in the Client Access server list. Choose this server and go to the properties of OWA on the Outlook Web Access tab. You can now set the Internal and External URL on the General tab as shown:
We also set the Internal and External URL for the Offline Address Book distribution point, using the UI. Open the Exchange Management Console and expand Server Configuration. Once in Server Configuration, choose Client Access. You should now see your single Client Access server in the Client Access server list. Choose this server and go to the properties of OAB on the Offline Address Book Distribution tab. You can now set the Internal and External URL on the URLs tab as shown:
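The URL alignment above as a single Exchange Management Shell script, added here as an example and not taken from the original post: it sets the EWS, Outlook Anywhere, OWA and OAB URLs to one external host name with the Set-* cmdlets (the post sets OWA and OAB through the console) and then lists any host name still handed to clients that differs from it. $ExternalHost and the CAS name are assumed placeholders.

```powershell
# Added example (not from the original post): align every client-facing URL on one
# external host name, then verify nothing else is handed to clients.
# $ExternalHost is a placeholder; the post uses mailhost.externaldomain.com.
$ExternalHost = "mailhost.externaldomain.com"
$Server       = $env:COMPUTERNAME   # the single CAS this runs on

# Availability service (EWS): no UI for this in Exchange 2007
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory `
        -InternalUrl "https://$ExternalHost/EWS/Exchange.asmx" `
        -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx"

# Outlook Anywhere (RPC over HTTP) must advertise the same name
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -ExternalHostname $ExternalHost

# OWA: only the /owa directory, not the legacy /Exchange, /Public and /Exchweb ones
Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like "owa*" } |
    Set-OwaVirtualDirectory `
        -InternalUrl "https://$ExternalHost/owa" `
        -ExternalUrl "https://$ExternalHost/owa"

# Offline Address Book distribution point
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory `
        -InternalUrl "https://$ExternalHost/OAB" `
        -ExternalUrl "https://$ExternalHost/OAB"

# Verification: collect every host name that Autodiscover will hand to clients
$urls = @()
$urls += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like "owa*" } |
             ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$hosts  = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host })
$hosts += Get-OutlookAnywhere -Server $Server | ForEach-Object { "$($_.ExternalHostname)" }

# Any name other than $ExternalHost here is a name that needs its own certificate
$stray = @($hosts | Sort-Object -Unique | Where-Object { $_ -ne $ExternalHost })
if ($stray.Count -gt 0) {
    Write-Warning "Clients will also be handed: $($stray -join ', ')"
} else {
    "All client URLs use $ExternalHost"
}
```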
Defining Internet Information Services Settings:
Note: This section assumes you have set the Internal and External DNS settings for OWA and AutoDiscover, and you have set the appropriate rules on the firewall or gateway devices.
By default, Exchange installs all of its services to a single default web site. Our first thought was to create a single wildcard certificate for our external domain and configure it for this web site. It turns out RPC over HTTP does not work with a wildcard certificate on a single web site, as the client did not understand the certificate properly. So we now had to determine how to separate the web sites properly and assign the appropriate certificates.
First things first: you will notice that when an Outlook 2007 client is using RPC over HTTP, it addresses the server using the Autodiscover information obtained on initial setup for your RPC proxy, Service Availability and mail server name. While accessing your mailbox, all external names are used. If you are on the same logical network as your Exchange server, your Outlook 2007 client will attempt to communicate with the CAS server using its local server name. This was a problem, as the Outlook client needed a certificate for the local server name and reported a certificate error.
When you are outside your network, you will need to access the Autodiscover and OWA URLs. If all of these services are on the same CAS server, this creates more problems with certificates, as you are probably not accessing OWA under the same host name as the Autodiscover service. So now we needed to separate the Autodiscover subweb from the web site that the OWA subweb exists on.
Here is how we addressed these challenges:
First, we assigned three internal IP addresses to the CAS server. Second, we created a new web site that pointed to an empty directory. This web site was assigned the primary (first) IP address of the Exchange server, and we also assigned the local server certificate to this web site. This resolved the Outlook client's certificate error for the local server name when the client was on the same logical network as the CAS server.
Third, we created another web site that pointed to a second empty directory. We then assigned this web site the second IP address assigned to the CAS server. Finally, we moved the Autodiscover subweb from the Default Web Site to this new web site. Here is how we moved the Autodiscover subweb:
Determining your Autodiscover Virtual Subweb Directory:
Get-AutodiscoverVirtualDirectory
Look for the Identity path; this is your current subweb path. Remove this subweb with the following command:
Remove-AutodiscoverVirtualDirectory -Identity "CASServerName\autodiscover (IIS Website Name)"
Now create the Autodiscover subweb in the second web site you created with the following command (note: Basic Authentication and Windows Authentication are enabled in this command):
New-AutodiscoverVirtualDirectory -WebSiteName "Second IIS WebSite Name" -BasicAuthentication:$true -WindowsAuthentication:$true
Assign the Autodiscover certificate to the second web site, to which you moved Autodiscover. This certificate should be for Autodiscover.ExternalDomain.com.
Fourth, we assigned the OWA certificate, which carries the same name we use for RPC over HTTP, to the Default Web Site. This also handles Service Availability as well as the OAB. Based on the previous examples for the internal/external URL names, this is what the certificate common name would be: mailhost.externaldomain.com
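An added check for the end state described above (example code, not from the original post): each of the three names the three web sites present must be backed by an installed, unexpired certificate with a private key, and Autodiscover must no longer sit on the Default Web Site. The three names are placeholders matching the post's examples; the local server name is assumed to be the CAS's FQDN.

```powershell
# Added example (not from the original post): check the three-site end state.
# Names are placeholders matching the post; the first is the CAS's own name.
$Server   = $env:COMPUTERNAME
$Required = @(
    "casserver.internaldomain.local",   # site 1: local server name (on-network Outlook)
    "autodiscover.externaldomain.com",  # site 2: Autodiscover
    "mailhost.externaldomain.com"       # Default Web Site: OWA, Outlook Anywhere, EWS, OAB
)
$ok = $true

# Certificates Exchange can see in the local computer store that have a private key.
# Wildcard entries are not matched on purpose: the post found RPC over HTTP rejects
# a wildcard certificate, so each name needs an exact entry.
$certs = Get-ExchangeCertificate | Where-Object { $_.HasPrivateKey }
foreach ($name in $Required) {
    $match = @($certs | Where-Object {
        (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $name) -and
        ($_.NotAfter -gt (Get-Date))
    })
    if ($match.Count -gt 0) {
        "{0,-36} OK  thumbprint {1}  expires {2:d}" -f $name, $match[0].Thumbprint, $match[0].NotAfter
    } else {
        Write-Warning "$name has no unexpired certificate with a private key"
        $ok = $false
    }
}

# Step three's outcome: Autodiscover must no longer sit on the Default Web Site,
# otherwise it is presented under the OWA certificate and clients get a name mismatch
foreach ($d in @(Get-AutodiscoverVirtualDirectory -Server $Server)) {
    if ($d.Identity -like "*(Default Web Site)") {
        Write-Warning "Autodiscover is still on the Default Web Site: $($d.Identity)"
        $ok = $false
    } else {
        "Autodiscover lives on: $($d.Identity)"
    }
}

if ($ok) { "Certificate coverage matches the three-site layout" }
```

Get-ExchangeCertificate only reports certificates in the local computer store, so a certificate bound in IIS but imported elsewhere will show as missing here.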
IIS should look similar to the following configuration: