Need a couple of things clarified about Autodiscover

  • Need a couple of things clarified about Autodiscover

    I've had a fun morning today, looking at an issue with a user whose laptop would not download the OAB during a send/receive.

    The client is Outlook 2007 and the Server is Exchange 2010.

    It basically took a lot of messing about, exporting and installing their root CA certificate (they use self-signed ONLY) and then having to add stuff to the hosts file on the laptop. It's not the best setup at all.

    They use https://remote.domain.co.uk/owa for OWA and their internal domain has a completely different name.

    Looking in the DNS settings, they have a forward lookup for the domain, and then there's a forward lookup for remote.domain.co.uk itself in there! They have had the OWA and other stuff set up with the same address for both internal and external access. Am I correct in thinking that this on its own is very bad practice and will cause issues?

    I was going to add them an entry to the DNS for autodiscover.domain.co.uk but now can't because I'd have to add a lookup for the external domain itself, without the remote part on it.

    A question I have as a result of looking into all this is:
    When configuring Autodiscover, if the AutoDiscoverServiceInternalUri shows https://remote.domain.co.uk/Autodisc...todiscover.xml, then will pointing things (internally) at autodiscover.domain.co.uk (i.e. in the hosts file, with the server IP associated to it) still perform autodiscover functions?

    And since their self-signed certificate doesn't have autodiscover.domain.co.uk as a SAN, can I create a standalone certificate for it?

  • #2
    Re: Need a couple of things clarified about Autodiscover

    Originally posted by Jay Cartay:
    Looking in the DNS settings, they have a forward lookup for the domain, and then there's a forward lookup for remote.domain.co.uk itself in there! They have had the OWA and other stuff set up with the same address for both internal and external access. Am I correct in thinking that this on its own is very bad practice and will cause issues?

    Depends on your point of view, I suppose. SBS 2008/11 adds the Forward Lookup Zone for the external hostname configured in the Internet Address Wizard automatically. Given that you are talking about self-signed certs and remote.domain.co.uk as the external hostname, I suspect that this is SBS.

    You can set up autodiscover using a single hostname (i.e. without a UCC/SAN certificate) so long as you have SRV records configured appropriately (external only). Here's a thread where sembee explains it all to me which contains some useful MS articles.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

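Added example (not part of the original posts and not Microsoft's code): a simplified model of the DNS-based Autodiscover lookups made by a client that is not domain-joined, checking each host against the names on the certificate. It assumes the SRV record targets remote.domain.co.uk, omits the HTTP redirect step, and does not model certificate trust; the function and step names are illustrative.

```python
# Constructed sample data: hostnames follow the thread's placeholders.
CERT_NAMES = ["remote.domain.co.uk"]          # single-name certificate
SRV_TARGET = "remote.domain.co.uk"            # _autodiscover._tcp.domain.co.uk

def name_matches(host, cert_name):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == cert_name[2:]
    return host == cert_name

def audit(smtp_domain, cert_names, resolving, srv_target=None):
    """Walk the lookup order and classify each HTTPS host.

    resolving: hostnames the client can resolve (DNS or hosts file).
    Verdicts: 'skipped' (no record, client moves on), 'ok', or
    'name-mismatch' (host answers but the certificate does not name it,
    which the user sees as a certificate warning).
    """
    steps = [("root-domain", smtp_domain),
             ("autodiscover-host", "autodiscover." + smtp_domain)]
    if srv_target:
        steps.append(("srv-record", srv_target))
    results = []
    for step, host in steps:
        if host not in resolving:
            verdict = "skipped"
        elif any(name_matches(host, n) for n in cert_names):
            verdict = "ok"
        else:
            verdict = "name-mismatch"
        results.append((step, host, verdict))
    return results

def verdicts(results):
    return [v for _, _, v in results]

if __name__ == "__main__":
    # SRV-only: nothing resolves except the name already on the certificate.
    srv_only = audit("domain.co.uk", CERT_NAMES,
                     {"remote.domain.co.uk"}, SRV_TARGET)
    # Same certificate after adding a hosts/DNS entry for autodiscover.*
    with_entry = audit("domain.co.uk", CERT_NAMES,
                       {"remote.domain.co.uk", "autodiscover.domain.co.uk"},
                       SRV_TARGET)
    for row in srv_only + with_entry:
        print(row)
```

The second run shows why adding an autodiscover.domain.co.uk record without a matching name on the certificate introduces a warning that the SRV-only setup avoids.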


    • #3
      Re: Need a couple of things clarified about Autodiscover

      When the client is on the domain, it doesn't do an Autodiscover via DNS, it queries the domain. That is the value you have posted.
      The only time that you have internal autodiscover records is when you have clients on the LAN which are not members of the domain.

      A trusted SSL certificate is a must really - the self-signed should be considered a placeholder. $60/year for the required certificate type.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: Need a couple of things clarified about Autodiscover

        Oh I agree they should buy one, but they won't. I am just contracting here, and have been horrified to find that barely any of the customers have proper SSL certs.

        I'm no expert, but have been learning about this stuff over the past 12 months and can see straightaway that there's a lot that isn't right.

        And yes, it is SBS 2011.



        • #5
          Re: Need a couple of things clarified about Autodiscover

          I have a standard argument on the "will not buy" response.

          It will cost me £100 for every new CLIENT you add to get it to work with a self-signed certificate.
          Or you buy a certificate for £30 and every client works straight away. (Change the £ for $ or whatever.)

          If the client refuses to allow a commercial certificate to be used then I walk away, because it simply isn't worth the headaches to get it to work correctly.

          Simon.