
Exxhange SQL And IIS- P54 pdf


Chapter 5 • Managing the Client Access Server

Outlook 2007 discovers the Availability Service URL using the AutoDiscover service. Actually, the AutoDiscover service is to Outlook what DNS is to a Web browser, acting like a DNS Web Service for Outlook. It is used to find various services like the Availability service, and the UM and OAB services. It simply tells Outlook 2007 where to go to locate the various Web services required: UM, OAB, and Availability. You should be aware of many aspects when configuring the Availability service. I recommend you check out the Availability Service FAQ over at the Exchange 2007 Wiki, found at www.exchangeninjas.com/AvailabilityServiceFAQ.

Table 5.1 Free/Busy Retrieval Methods

Client | Source Mailbox | Target Mailbox | Free/Busy Retrieval
Outlook 2007 | Exchange 2007 | Exchange 2007 | The Availability service will read the free/busy info directly from the calendar in the target mailbox.
Outlook 2007 | Exchange 2007 | Exchange 2003 | The Availability service will make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox.
Outlook 2003 | Exchange 2007 | Exchange 2007 | Free/busy info will be published in source Public Folders.
Outlook 2003 | Exchange 2007 | Exchange 2003 | Free/busy info will be published in source Public Folders.
Outlook Web Access 2007 | Exchange 2007 | Exchange 2007 | OWA 2007 will call the Availability service API, which reads the free/busy info from the target mailbox.
Outlook Web Access 2007 | Exchange 2007 | Exchange 2003 | OWA 2007 will call the Availability service API, and then make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox.
Any | Exchange 2003 | Exchange 2007 | Free/busy info is published in source Public Folders.
Client Access Servers and the SSL Certificate Dilemma

In previous versions of Exchange, you simply issued a request for an SSL certificate, and when received, assigned this certificate to the Default Web Site in the IIS Manager. That was basically it. Exchange 2007, however, is a different beast, especially when it comes to securing client connectivity to the CAS using SSL certificates. You may have noticed that a default self-signed SSL certificate is assigned to the Default Web Site during the installation of the Exchange 2007 CAS role. If you take a closer look at this certificate, you'll notice it contains multiple subject alternative names (Figure 5.4).

Figure 5.4 SSL Certificate with Subject Alternative DNS Names

I hear some of you grumbling, "So, what is that all about?" Well, instead of having to obtain multiple certificates and maintain a combination of multiple IP addresses, one IIS Web site per IP address and port, and a certificate for each, you can create a single certificate with subject alternative names that lets clients connect to each host name over SSL. You see, in order to support Outlook Anywhere, OWA, Exchange ActiveSync (EAS) and especially the new Web-based AutoDiscover service, which requires a common name of autodiscover.domain.com, you must use an SSL certificate containing subject alternative names. Since the default SSL certificate is self-signed and, therefore by default, untrusted by clients, and because Outlook Anywhere and Exchange ActiveSync require a trusted SSL certificate, we have to replace this certificate with an SSL certificate issued by a trusted third-party provider. Unfortunately, only a few SSL certificate providers can issue an SSL certificate containing one or more subject alternative names. To make matters worse, these providers charge something like $600 per year for such a certificate.
NOTE

At the time of this writing, only Entrust.com, GeoTrust.com, and VeriSign offered these types of SSL certificates. Hopefully this will change as more and more organizations begin to deploy Exchange 2007.

If you don't assign an SSL certificate with additional subject alternative names, where one of these matches the hostname of the Exchange 2007 CAS, internal Outlook 2007 clients will generate certificate security warnings, since the SSL certificate won't match the name used to configure these clients. Notice, however, that Outlook 2007 won't generate a warning if the self-signed, untrusted default SSL certificate is left assigned to the Default Web Site. This is by design. When the Exchange 2007 CAS role is installed, the setup wizard creates an Active Directory service discovery record, and if the Outlook 2007 client can see that record (meaning it is on the internal network), it ignores the trust warning. It uses the service discovery record as the trust (assuming someone who can write that record to Active Directory can be trusted regarding the URL for the CAS), rather than checking that it trusts the issuer of the certificate. The idea behind this is that while you are on the intranet, Exchange is secure out of the box, using SSL and ignoring any prompts. So why not just leave the self-signed SSL certificate on the Default Web Site? Well, because then Outlook Anywhere and Exchange ActiveSync wouldn't work, since these two features require the common name on the SSL certificate to match the external URL used to access the CAS, so that the certificate will be trusted by the client. In addition, OWA 2007 would generate a security warning when a user connects to his mailbox using OWA 2007. "Okay," you say, "fair enough, but what do I do if my organization can't afford to throw $600 towards an SSL certificate each year?" Well, in that case, the solution would be to use multiple Web sites.
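The name-matching requirement above is easy to verify before a certificate is bought or assigned. The following is an added illustration, not code from the book: it checks whether a certificate's names cover every host name the CAS is reached by (internal FQDN, external OWA/EAS/Outlook Anywhere name, and autodiscover.domain.com), using the dict layout Python's ssl.getpeercert() returns, so the same function can be pointed at a live server. The host names and both sample certificates are constructed.

```python
"""Check that a certificate covers every host name an Exchange 2007 CAS is reached by.
Added illustration; cert dicts use the layout ssl.getpeercert() returns; names are constructed."""

REQUIRED_NAMES = (
    "cas01.corp.example.com",    # internal CAS FQDN Outlook 2007 connects to (constructed)
    "mail.example.com",          # external URL for OWA, EAS and Outlook Anywhere (constructed)
    "autodiscover.example.com",  # name the AutoDiscover service requires
)

def _host_matches(pattern, host):
    """Exact match, or a wildcard in the leftmost label that covers one label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False

def certificate_names(cert):
    """DNS names the certificate asserts: the SAN DNS entries, falling back to the
    CN only when the certificate carries no subjectAltName at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def uncovered_names(cert, required=REQUIRED_NAMES):
    """Required host names that no name in the certificate matches; clients
    connecting to these will see certificate warnings or fail to connect."""
    names = certificate_names(cert)
    return [h for h in required if not any(_host_matches(n, h) for n in names)]

# Constructed samples: a plain single-name certificate versus one with SANs.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "autodiscover.example.com"),
                       ("DNS", "cas01.corp.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT), ("SAN", SAN_CERT)):
        missing = uncovered_names(cert)
        print(label, "OK" if not missing else "missing: " + ", ".join(missing))
```

With the multiple-Web-site workaround each site carries its own certificate, so run the check once per site with only the names that site serves.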
Besides the Default Web Site (which you should leave in its default state with the self-signed untrusted SSL certificate assigned), we would need two additional Web sites:

■ One for Exchange ActiveSync (EAS), OWA, and Outlook Anywhere
■ One for the AutoDiscover service

In order to configure this type of setup, you must do the following:

First, add two additional virtual IP addresses to the NIC on your Exchange 2007 CAS, as shown in Figure 5.5.

Figure 5.5 Additional Virtual IP Addresses

Now assign a specific IP address to the Default Web Site, as shown in Figure 5.6.

Figure 5.6 Assigning a Specific IP Address to the Default Web Site

Create two new Web sites using IIS Manager, and call them something like Clients and AutoDiscover. When creating the Web sites, use the default settings and specify the same path as the one configured in the Default Web Site (C:\InetPub\wwwroot). Make sure to also select Read and Run Scripts (such as ASP) only.

When the Web sites have been properly created, we can create the required virtual directories using the Exchange Management Shell. To create the OWA, Exchange ActiveSync, and AutoDiscover virtual directories, enter the following commands, bearing in mind that the -WebSiteName value is case sensitive:

    New-OWAVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSiteName "Clients"
    New-ActiveSyncVirtualDirectory -WebSiteName "Clients"
    New-AutodiscoverVirtualDirectory -WebSiteName AutoDiscover -BasicAuthentication:$true -WindowsAuthentication:$true

Posted: 06/07/2014, 13:20
