Outlook 2007 discovers the Availability Service URL using the AutoDiscover service. The AutoDiscover service is to Outlook what DNS is to a Web browser, acting like a DNS Web Service for Outlook: it is used to find the various Web services Outlook 2007 depends on, such as the Availability service, the UM Web service and the OAB distribution point, and simply tells Outlook 2007 where to go to reach them. Keep in mind that Outlook uses whatever URLs AutoDiscover returns, so the AutoDiscover endpoint, and the directory record or DNS name that leads clients to it, are part of the trust boundary of your client access infrastructure.
You should be aware of many aspects when configuring the Availability service. I recommend you check out the Availability Service FAQ over at the Exchange 2007 Wiki, found at
www.exchangeninjas.com/AvailabilityServiceFAQ
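To see concretely what AutoDiscover hands a client, here is an added example (it is not from the book) that performs the same HTTPS POST an Outlook 2007 client sends to the two Autodiscover URLs it tries, in order, when no Active Directory service record is available, and prints the Availability, OAB and UM URLs in the reply. The mailbox alice@contoso.com and the contoso.com host names are assumed; the script needs Windows PowerShell 2.0 or later for try/catch but does not need the Exchange Management Shell.

```powershell
# Added example, not the book's code. alice@contoso.com and the contoso.com
# host names are placeholders; replace them with a real mailbox in your org.
param(
    [string]$EmailAddress = "alice@contoso.com",
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

function Get-AutodiscoverUrls {
    param(
        [string]$EmailAddress,
        [System.Management.Automation.PSCredential]$Credential
    )

    $smtpDomain = $EmailAddress.Split("@")[1]
    # Without an Active Directory service record Outlook tries these two URLs in this order.
    $candidates = @(
        "https://$smtpDomain/autodiscover/autodiscover.xml",
        "https://autodiscover.$smtpDomain/autodiscover/autodiscover.xml"
    )

    # The Outlook 2006 request schema: ask for the 2006a response that carries the URLs.
    $request = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

    foreach ($url in $candidates) {
        $wc = New-Object System.Net.WebClient
        $wc.Credentials = $Credential.GetNetworkCredential()
        $wc.Headers.Add("Content-Type", "text/xml; charset=utf-8")
        try {
            $raw = $wc.UploadString($url, $request)
        } catch [System.Net.WebException] {
            # An untrusted or mismatched SSL certificate fails here as well. Do not
            # "fix" that by disabling ServerCertificateValidationCallback; fix the cert.
            Write-Warning ("{0}: {1}" -f $url, $_.Exception.Message)
            continue
        }

        [xml]$doc = $raw
        # The EXCH protocol block is what internal Outlook clients use; it carries
        # the Availability (ASUrl), OAB (OABUrl) and UM (UMUrl) service locations.
        $exch = $doc.Autodiscover.Response.Account.Protocol |
            Where-Object { $_.Type -eq "EXCH" }
        if ($exch -eq $null) { continue }   # error or redirect response, try the next URL

        return New-Object PSObject -Property @{
            AutodiscoverUrl = $url
            Server          = $exch.Server
            AvailabilityUrl = $exch.ASUrl
            OabUrl          = $exch.OABUrl
            UmUrl           = $exch.UMUrl
        }
    }
    throw "No Autodiscover endpoint returned settings for $EmailAddress"
}

Get-AutodiscoverUrls -EmailAddress $EmailAddress -Credential $Credential | Format-List
```

If the second URL answers but the first does not, or every attempt ends in a certificate warning, the names on the CAS certificate are the first thing to check; that is exactly the dilemma the next section is about.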
Table 5.1 Free/Busy Retrieval Methods

Client | Source Mailbox | Target Mailbox | Free/Busy Retrieval
Outlook 2007 | Exchange 2007 | Exchange 2007 | The Availability service will read the free/busy info directly from the calendar in the target mailbox
Outlook 2007 | Exchange 2007 | Exchange 2003 | The Availability service will make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox
Outlook 2003 | Exchange 2007 | Exchange 2007 | Free/busy info will be (…)
Outlook 2003 | Exchange 2007 | Exchange 2003 | Free/busy info will be (…)
Outlook Web Access 2007 | Exchange 2007 | Exchange 2007 | OWA 2007 will call the Availability service, which reads the free/busy info from the target mailbox
Outlook Web Access 2007 | Exchange 2007 | Exchange 2003 | OWA 2007 will call the Availability service, which will then make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox
Any | Exchange 2003 | Exchange 2007 | Free/busy info is published in (…)
Client Access Servers and the SSL Certificate Dilemma
In previous versions of Exchange, you simply issued a request for an SSL certificate and, when it was received, assigned this certificate to the Default Web Site in the IIS Manager. That was basically it. Exchange 2007, however, is a different beast, especially when it comes to securing client connectivity to the CAS using SSL certificates.
You may have noticed that a default self-signed SSL certificate is assigned to the Default Web Site during the installation of the Exchange 2007 CAS role. If you take a closer look at this certificate, you'll notice it contains multiple subject alternative names (Figure 5.4).
Figure 5.4 SSL Certificate with Subject Alternative DNS Names
I hear some of you grumbling, “So, what is that all about?” Well, instead of having to require multiple certificates and maintain the configuration of multiple IP addresses, with an IIS Web site for each IP address, port and certificate combination, you can create a single certificate that enables clients to connect successfully to each host name using SSL, thanks to subject alternative names. You see, in order to support Outlook Anywhere, OWA, Exchange ActiveSync (EAS) and especially the new Web-based AutoDiscover service, which requires the name autodiscover.domain.com to be present on the certificate, you must use an SSL certificate containing subject alternative names.
Since the default SSL certificate is self-signed, and therefore untrusted by clients by default, and because Outlook Anywhere and Exchange ActiveSync require a trusted SSL certificate, we have to replace this certificate with one issued by a trusted third-party provider. Unfortunately, only a few SSL certificate providers can issue a certificate containing one or more subject alternative names. To make matters worse, these providers charge something like $600 per year for such a certificate.
NOTE
At the time of this writing, only Entrust.com, GeoTrust.com, and VeriSign offered these types of SSL certificates. Hopefully this will change as more and more organizations begin to deploy Exchange 2007.
If you don't assign an SSL certificate with additional subject alternative names, one of which matches the host name of the Exchange 2007 CAS, internal Outlook 2007 clients will generate certificate security warnings, since the SSL certificate won't match the name used to configure these clients. Notice, however, that Outlook 2007 won't generate a warning if the self-signed, untrusted default SSL certificate is the one assigned to the Default Web Site. This is by design. When the Exchange 2007 CAS role is installed, the setup wizard creates a service discovery record (a service connection point) in Active Directory, and if the Outlook 2007 client can see that record (meaning it is on the internal network), it ignores the trust warning. It uses the service discovery record as its trust anchor, on the assumption that anyone who can write that record to Active Directory can be trusted regarding the URL of the CAS, rather than checking that it trusts the issuer of the certificate. The idea behind this is that while you are on the intranet, Exchange is secure out of the box: SSL is used and the prompts are suppressed. The flip side is that the security of internal clients then rests on who can modify that Active Directory object, so treat write access to it with the same care as administrative access to the CAS itself.
So why not just leave the self-signed SSL certificate on the Default Web Site? Because then Outlook Anywhere and Exchange ActiveSync wouldn't work: these two features require the common name on the SSL certificate to match the external URL used to access the CAS, and they require the certificate to be trusted by the client. In addition, OWA 2007 would generate a security warning every time a user connects to his mailbox using OWA 2007.
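As an added example (these are not the book's own steps), the following Exchange Management Shell commands request, install and then verify a single certificate whose subject alternative names cover every host name the clients use. The server name cas01, the names contoso.local, mail.contoso.com and autodiscover.contoso.com, and the C:\certreq paths are assumed values; replace them with your own.

```powershell
# Added example, not from the book. Host names, server name and file paths are assumptions.
$internalHost = "cas01.contoso.local"        # name internal Outlook 2007 clients are given
$externalHost = "mail.contoso.com"           # external URL for OWA, EAS and Outlook Anywhere
$autodiscover = "autodiscover.contoso.com"   # required by the Web-based AutoDiscover service
$required     = @($externalHost, $autodiscover, $internalHost)

# 1. Generate a certificate request whose Subject Alternative Names list every host
#    name a client will connect to. The common name is the externally used name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=$externalHost" `
    -DomainName $required `
    -PrivateKeyExportable:$true `
    -Path "C:\certreq\cas01.req"

# 2. Submit C:\certreq\cas01.req to a CA that supports subject alternative names.
#    When the signed certificate (cas01.cer) is back, import it and bind it to IIS;
#    this replaces the self-signed certificate on the Default Web Site.
$cert = Import-ExchangeCertificate -Path "C:\certreq\cas01.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Verify before telling users: the certificate bound to IIS must not be the
#    self-signed one and must carry every name clients use, otherwise Outlook
#    Anywhere and EAS fail and OWA users get certificate warnings.
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" }
if ($iisCert.IsSelfSigned) {
    Write-Warning "IIS is still using the self-signed certificate $($iisCert.Thumbprint)"
}
foreach ($name in $required) {
    if ($iisCert.CertificateDomains -contains $name) {
        Write-Host "OK      $name"
    } else {
        Write-Warning "MISSING $name  (clients using this name will see a certificate warning)"
    }
}
```

Step 3 is the check worth keeping around: run it again after any certificate renewal, because a renewed certificate issued without the extra names silently reintroduces the warnings described above.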
“Okay,” you say, “fair enough, but what do I do if my organization can't afford to throw $600 towards an SSL certificate each year?” Well, in that case, the solution is to use multiple Web sites. Besides the Default Web Site (which you should leave in its default state, with the self-signed untrusted SSL certificate assigned), we need two additional Web sites:
■ One for Exchange ActiveSync (EAS), OWA, and Outlook Anywhere
■ One for the AutoDiscover service
In order to configure this type of setup, you must do the following.
First, add two additional virtual IP addresses to the NIC on your Exchange 2007 CAS, as shown in Figure 5.5.
Figure 5.5 Additional Virtual IP Addresses
Now assign a specific IP address to the Default Web Site, as shown in Figure 5.6.
Create two new Web sites using IIS Manager, and call them something like Clients and AutoDiscover. When creating the Web sites, use the default settings and specify the same path as the one configured for the Default Web Site (C:\InetPub\wwwroot). Make sure to select Read and Run Scripts (such as ASP) only; leave the Execute, Write and Browse permissions unchecked, since the Exchange virtual directories do not need them.
When the Web sites have been properly created, we can create the required virtual directories using the Exchange Management Shell. To create the OWA and Exchange ActiveSync directories, enter the following commands, bearing in mind that the -WebSiteName value is case sensitive and must match the site name in IIS Manager exactly:

New-OwaVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSiteName "Clients"

New-ActiveSyncVirtualDirectory -WebSiteName "Clients"

Then create the AutoDiscover virtual directory in the AutoDiscover Web site, with both Basic and Windows authentication enabled:

New-AutodiscoverVirtualDirectory -WebSiteName "AutoDiscover" -BasicAuthentication:$true -WindowsAuthentication:$true
Figure 5.6 Assigning a Specifi c IP Address to the Default Web Site
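Putting the whole procedure together, here is an added example (not the book's commands) that creates the virtual directories on the two new Web sites, sets the external URLs clients will be given, repoints the Active Directory service record that internal Outlook 2007 clients use to find AutoDiscover, and checks the result. The server name cas01, the names mail.contoso.com and autodiscover.contoso.com, and the mailbox alice@contoso.com are assumed; the IIS sites named Clients and AutoDiscover must already exist and be bound to their own IP addresses as described above.

```powershell
# Added example, not from the book. Server, host names, site names and the test
# mailbox are assumptions; run it in the Exchange Management Shell on the CAS.
$server       = "cas01"
$clientsSite  = "Clients"        # -WebSiteName is case sensitive: match IIS Manager exactly
$adSite       = "AutoDiscover"
$externalHost = "mail.contoso.com"
$autodiscover = "autodiscover.contoso.com"

# OWA and Exchange ActiveSync live in the Clients site, so the external URLs that
# AutoDiscover hands out must use the host name on that site's certificate.
New-OwaVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSiteName $clientsSite `
    -ExternalUrl "https://$externalHost/owa"
New-ActiveSyncVirtualDirectory -WebSiteName $clientsSite `
    -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync"

# AutoDiscover gets its own site (and its own certificate carrying autodiscover.<domain>).
# Basic authentication sends the password in the clear unless the site requires SSL,
# so make sure the AutoDiscover site has "Require secure channel (SSL)" set in IIS.
New-AutodiscoverVirtualDirectory -WebSiteName $adSite `
    -BasicAuthentication:$true -WindowsAuthentication:$true

# Internal Outlook 2007 clients locate AutoDiscover through the Active Directory
# service record rather than DNS, so repoint that record at the new site.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$autodiscover/autodiscover/autodiscover.xml"

# Verify: each directory sits in the intended site, and an end-to-end test as a
# real mailbox exercises AutoDiscover, Availability and OAB through the new URLs.
Get-OwaVirtualDirectory -Server $server |
    Format-Table Name, Website, ExternalUrl -AutoSize
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-Table Name, Website, ExternalUrl -AutoSize
Get-AutodiscoverVirtualDirectory -Server $server |
    Format-Table Name, Website, BasicAuthentication, WindowsAuthentication -AutoSize
Test-OutlookWebServices -Identity "alice@contoso.com" -TargetAddress "alice@contoso.com"
```

The dedicated IP address per site is still configured in IIS Manager as in Figures 5.5 and 5.6; the shell only creates and checks the Exchange virtual directories. If Test-OutlookWebServices reports a failure for the Availability service, the usual causes are a URL that does not match a name on the site's certificate or a -WebSiteName that did not match the IIS site, which leaves the directory in the Default Web Site with the self-signed certificate.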