Amazing Autodiscover(ies), Exchange 2007/2010 Autodiscover

Presented on 9 Feb 2009
by Michel de Rooij
http://www.eightwone.com

Published in: Technology
  • Location: internal, external
  • Local XML: see, among others, blogs.technet.com/ilvancri/archive/2010/02/03/some-autodiscover-fun.aspx
  • Note: Keywords can contain Site=<Sitename> or GUIDs, e.g. 77378F46-2C66-4aa9-A6A6-3E7A48B19596 or 67661D7F-8FC4-4fa7-BFAC-E1D7794C1F6. See [MS-OXDISCO]
  • SCPs are selected at “random”, unless Site is set
  • Of course, DNS must also be arranged in both cases. Multiple e-mail domains (multi-tenant). The exact implementation of the redirect in IIS depends on the IIS version (6 or 7).
  • For SRV, the CN in the certificate must match the SCP (AutodiscoverInternalURI) and the InternalURLs (default to NetBIOS names of servers) => Outlook certificate warning. Proxy = proxy + ISA fw client
  • External + Internal depends on split DNS. No Server Gated Cryptography (SGC) (SGC is to create 128-bit SSL support for pre-2000 browsers (~1% population)). Wildcard certs: compatibility issues with subdomains, cert *.contoso can issue warnings for mail1.emea.contoso.com. Probable with WinMobile. Wildcard certs for a single domain only. Single/multi-server licence in connection with import on ISA or NLB/array.
  • Don’t forget to include outer Edge/Hub (w/Antispam agents) transports etc. when you want to use the UCC certificate for SMTP TLS. You can use FQDNs instead of NetBIOS (default registered for URIs) but they influence the load balancing scheme (reverts to netmask ordering instead, which goes before RoundRobin). Note: Ex2007SP1: New-ExchangeCertificate, leave autodiscover out and use –IncludeAutoDiscover and –IncludeAcceptedDomains switches (but check). ISA 2006 SP1 can handle SAN certificates, hence pre-ISA 2006 SP1: first SAN = CN.
  • PKCS#12 = .p12, PKCS#7 = .p7b/.p7c
  • Certificate Request Wizard: request & import, no PowerShell / generators needed (still possible). External Client Access instead of defining ExternalURLs for each Web Service (ActiveSync, OWA, UM, ..) for each CAS
  • Outlook, CTRL-click SysTray Icon
  • MSDN: Autodiscover HTTP Service Protocol Specification http://msdn.microsoft.com/en-us/library/cc433481(EXCHG.80).aspx and Autodiscover Publishing and Lookup Protocol Specification http://msdn.microsoft.com/en-us/library/cc463896(EXCHG.80).aspx

    2. Amazing Autodiscover(ies)
        • Exchange 2007/2010 Autodiscover
        • Michel de Rooij
        • Inter Access
    3. Agenda
        • Introduction
        • Scenarios
        • Certificates
        • Exchange 2010
        • Exchange Client Configuration
    7. What is Autodiscover
        • Automatic client configuration
        • Good for end users
        • Good for the IT department
        • Independent of location
        • Exposes Exchange functionality
        • Exchange Web Services
    8. How it works
        • Information source (CAS) via AD or DNS (.. if necessary a local XML file, kb956955)
        • Returns:
            • Displayname
            • Mailbox Server
            • External + Internal Connection Settings
            • External + Internal URLs
            • Free/Busy, OAB, OOF & UM
            • Outlook Anywhere
    9. When
        • During account configuration
        • During client startup
        • Periodically
        • Connectivity issues
    10. Internal vs. External
        • Internal client (domain joined)
            • Discovery via Service Connection Point (SCP) in AD
            • CN=Autodiscover,CN=Protocols,CN=<CAS Server>,CN=Servers,CN=<AG>,CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services
            • Autoconfiguration via POX 1)
        • External client
            • Discovery via DNS
            • Autoconfiguration via POX 1)
            • Multiple scenarios
            • Single/Multi SMTP domain
        • 1) POX = Plain Old XML
    11. Service Connection Point
        • Published in Active Directory by CAS servers:
            • CN=Autodiscover,CN=Protocols,CN=<CAS Server>,CN=Servers,CN=<AG>,CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services
        • Attributes:
            • serviceBindingInformation = CAS FQDN
            • keywords = Site (Site Affinity)
        • Reconfigure via Set-ClientAccessServer, parameters:
            • AutodiscoverServiceInternalURI = URL
            • Site = Authoritative Site(s)
    12. Internal (diagram, client: Outlook)
        • 1. Register SCP (AutodiscoverInternalURI)
        • 2. Query SCP objects
        • 3. Autodiscover URL(s)
        • 4. Connect
        • 5. Available Services URLs
    13. External access
        • DNS
            • autodiscover.<maildomain> CNAME <hostname>
            • SRV record
                • Requires Outlook 2007 SP1+ or Outlook 2007 + kb940881
                • Service: _autodiscover
                • Protocol: _tcp
                • Port Number: 443
                • Host: <hostname>
        • Note:
            • DNS wildcard records (*.contoso.com, contoso.com)
    14. DNS, Single Domain (diagram, client: Outlook, michel.de.rooij@contoso.com)
        • 1. Contact AD
        • 2. Resolve contoso.com
        • 3. Resolve autodiscover.contoso.com
        • 4. Post autodiscover.contoso.com/autodiscover/autodiscover.xml
        • 5. Available Services URLs
    15. DNS, Redirect, Multi Domain (diagram, client: Outlook, michel.de.rooij@fabrikam.com)
        • 1. Contact AD
        • 2. Resolve fabrikam.com
        • 3. Resolve autodiscover.fabrikam.com
        • 4. https://autodiscover.fabrikam.com/autodiscover/autodiscover.xml
        • 5. Post http://autodiscover.fabrikam.com/autodiscover/autodiscover.xml
        • 6. Redirect (302) to autodiscover.contoso.com
        • 7. Contact autodiscover.contoso.com
        • 8. Available Services URLs
    16. Redirect, How-To
        • IIS
            • New virtual website (+ 2nd IP address)
            • Redirect /autodiscover/autodiscover.xml to https://autodiscover.<domain>/autodiscover/autodiscover.xml
        • ISA Web Publishing rule
            • Bind 2nd public IP to ISA
            • New website, deny non-SSL rule on autodiscover.<altdomain>/autodiscover/autodiscover.xml and redirect to https://autodiscover.<maildomain>/autodiscover
            • Plus: ISA array => the redirect is then load balanced as well
    17. Multidomain: Redirect or SRV
        • DNS / HTTP Redirect
            • Pro:
                • Works in all scenarios
                • Works for all Outlook 2007 versions
            • Con:
                • Implementation
                • Maintenance
                • 2 x public IP address (multidomain)
                • Popup
        • SRV Record
            • Pro:
                • Implementation
                • 1 public IP address
            • Con:
                • DNS provider SRV support
                • Client env. SRV support (proxy)
                • Does not work in all scenarios
                • Outlook 2007 SP1 / RTM + kb940881
                • Popup
        • Note: the redirect popup can be suppressed (kb956528)
    18. Certificates
        • Autodiscover & Certificates
        • Type of certificate
        • What information is needed
        • Where to obtain one
    19. Autodiscover & Certificates
        • When is a certificate valid (Outlook 2007)
            • Certificate chain up to and including a trusted root
            • Name on certificate matches URL
            • Certificate valid and not expired
        • Note: Outlook on domain-joined clients skips rule 1 (because of self-signed certificates)
    20. Points of attention
        • Requirements:
            • Subject Alternative Name (SAN) certificate (Unified Communications Certificate (UCC))
            • Multiple external & internal names
            • Single Root (Unchained) vs Intermediate (Chained)
        • Use the correct information for e.g. Organization
            • Possible check against WHOIS info
        • Licence
            • single/multi-server
        • Wildcard certificate
            • 1 domain
            • Compatibility issues (e.g. WM5)
            • Check against security policy
    21. Names to Register
        • Internal names
            • Server hostname(s)
            • Server internal FQDN(s)
            • ..or Array FQDN
        • External names
            • Domain names for OWA/POP/IMAP
            • Autodiscover domain names
        • Example
            • mbx1, mbx1.contoso.local, mail.contoso.com, autodiscover.contoso.com
        • Note:
            • ISA 2006 RTM -> first SAN = CN
            • Private key exportable because of export/import into ISA
    22. Certificate Authorities
        • “The Autodiscover Microsoft list”
            • Entrust ($449, 10 names, 1yr, single srv)
            • Comodo ($285, 3 names, 1yr, single srv)
            • DigiCert ($328, 4 names, 1yr, unlimited srv)
            • http://support.microsoft.com/kb/929395
        • Other providers
            • e.g. via sslshopper.com
        • Note: Federated Sharing desired?
            • Comodo, Digicert, Entrust, Go Daddy: http://technet.microsoft.com/en-us/library/ee332350.aspx
    23. sslshopper.com
        • As of Jan 2010
    24. Certificate Export/Import
        • For e.g. publishing Exchange in ISA
            • ISA 2006 SP1 supports SAN certs
            • Don't forget to export the private key
        • File format
            • Chain (PKCS#7/P7B, .p7b)
            • Chain + private key (PKCS#12/PFX, .pfx, .p12)
    25. Autodiscover in Exchange 2010
        • Autodiscover POX or SOAP 1)
        • More Web Services
            • ECP (for UM), Archive, MailTips
        • Note the changes in cmdlet syntax
            • e.g. New-ExchangeCertificate
        • ECM functions
            • e.g. Certificate Request Wizard
        • 1) SOAP = Simple Object Access Protocol = XML Web Services
    26. Ex2010 Certificate Req. Wizard
    27. Testing Autodiscover
        • Outlook
        • Test-OutlookWebServices
    28. Testing Autodiscover (2)
        • https://www.testexchangeconnectivity.com/
    29. Autodiscover Support
        • Microsoft
            • Outlook 2007 (SP1)+
            • Windows Mobile 6.1+
            • Entourage 2008 SP1+
        • Apple
            • iPhone, Snow Leopard
        • Nokia
            • N-series, E-series
        • Various Sony Ericsson & Palm models
        • When in doubt: consult the product information & test
        • Note: support for synchronisation with Exchange 2007/2010 does not mean that the client/device supports Autodiscover
    30. Links
        • Exchange 2007 Autodiscover Whitepaper
            • http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx
        • Autodiscover en Exchange 2007 (LANvision 8/2006)
            • http://www.ngn.nl/ngndirs/up/ZstwnvyHcD_LanVision32.pdf
        • Understanding the Autodiscover Service (Exchange 2010)
            • http://technet.microsoft.com/en-us/library/bb124251.aspx
    31. Thank you for your attention!
        • Contact
            • E-mail: michel.de.rooij@interaccess.nl
            • Blog: http://eightwone.wordpress.com
            • Twitter: @mderooij
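
The certificate rules from slides 19 to 21 and their notes (the name on the certificate must match the URL, every internal and external name has to be registered, a wildcard such as *.contoso.com does not cover mail1.emea.contoso.com, ISA 2006 RTM expects the first SAN to equal the CN) can be checked before a certificate is ordered or imported. The following is an added example, not code from the presentation; the function names and the rule that only the SAN list is matched when one is present are assumptions, and the certificate data is constructed from the names used on the slides.

```python
# Added example; all certificate data below is constructed sample input.

def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name covers host.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.contoso.com covers mail.contoso.com but not
    mail1.emea.contoso.com and not contoso.com itself.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h


def check_certificate(cn, sans, required, isa2006_rtm=False):
    """Return (missing, warnings) for the names clients will connect to.

    Assumption: when a SAN list is present, only the SAN list is matched;
    the CN is used only for a certificate without SANs.
    """
    names = list(sans) if sans else [cn]
    missing = [r for r in required
               if not any(name_matches(n, r) for n in names)]
    warnings = []
    if any(n.startswith("*.") for n in names):
        warnings.append("wildcard name: one domain level only, test devices")
    if isa2006_rtm and sans and sans[0].lower() != cn.lower():
        warnings.append("ISA 2006 RTM: first SAN must equal the CN")
    return missing, warnings


# Names taken from the example on slide 21.
REQUIRED = ["mbx1", "mbx1.contoso.local", "mail.contoso.com",
            "autodiscover.contoso.com"]

if __name__ == "__main__":
    ucc = ["mail.contoso.com", "autodiscover.contoso.com",
           "mbx1", "mbx1.contoso.local"]
    print(check_certificate("mail.contoso.com", ucc, REQUIRED))
    print(check_certificate("*.contoso.com", ["*.contoso.com"],
                            REQUIRED + ["mail1.emea.contoso.com"]))
    print(check_certificate("mail.contoso.com", ucc[::-1], REQUIRED,
                            isa2006_rtm=True))
```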
