Friday, 28 May 2010

The Client Access Server Role Pt4

Outlook Anywhere and Autodiscover

Microsoft Outlook 2007/2010 Autodiscover is an Exchange Server 2007/2010 service, or more specifically an Exchange web service, which makes it easy to configure Outlook 2007 profiles in your organization. To automatically configure and connect previous versions of Outlook to Exchange 2000 and 2003 servers, you needed to use the Custom Installation Wizard from the Office Resource Kit or a similar tool. Now users can configure their Outlook profile themselves: they only need to click Next a few times and specify their e-mail address and password. This allows an Outlook 2007/10 profile to be built irrespective of whether the client machine is an AD member or in a workgroup.

The last point is an important consideration. A domain-member machine is able to query Active Directory to determine the location of the Exchange server and then communicate directly with that server. An employee on a home desktop would need to VPN into the office network and make this query and the Exchange connection over the authenticated tunnel.

The Outlook client uses MAPI (Messaging Application Programming Interface), which allows client programs to become 'messaging-aware'. Remember that it's an API: it needs a transport mechanism to connect to your Exchange server, and that is where RPC comes in. MAPI calls are transported using RPC, hence the expression MAPI over RPC. This all works great if your machine is physically on the office wire and AD authenticated, or, as mentioned, if you first VPN to the office. But you can also now connect Outlook without the use of a VPN!
RPC can be encapsulated in HTTPS, which can then traverse your office firewall, be decapsulated by an RPC/HTTP proxy and allow communication with your Exchange server. This is called Outlook Anywhere, and it relies on the Autodiscover service for seamless Outlook configuration. To get Outlook Anywhere and automatic configuration working, read on and follow these steps...

Configuration of Outlook Anywhere

  • Outlook Anywhere is not enabled by default. Before enabling it, ensure that you add the RPC/HTTP proxy feature on the CAS server.
  • Because HTTPS is used, ensure that you have a suitable SAN certificate installed. I will detail how to do this in a later post. It is worth remembering that the client machine must have the trusted root certificate installed.
You can enable Outlook Anywhere by using the following EMS command. As you can see, you will need to determine the method of authentication, the public DNS name that users use to connect from the Internet (the -ExternalHostname value; mail.example.com below is a placeholder, substitute your own public hostname) and whether SSL offloading is used.

[PS] Enable-OutlookAnywhere -ExternalHostname mail.example.com -DefaultAuthenticationMethod Basic -SSLOffLoading:$false

If you need to change the authentication method later on you can by using the following:

[PS] Set-OutlookAnywhere "EX1\RPC (Default Web Site)" -DefaultAuthenticationMethod NTLM

Configuration of Autodiscovery

Now the tricky bit! Autodiscover allows the automatic configuration of Outlook 2007/10 and mobile devices. In a nutshell, the service provides an XML file to the client with information on where and how to connect to your Exchange server. Internal clients query AD (as domain members) to find the XML file. External Internet clients use DNS. Let's be more specific.

The LDAP query made by domain members is an attempt to locate the Service Connection Point (SCP) for the autodiscover service (which provides the XML file). The SCP object lives in the configuration partition with the other Exchange configuration objects. Try the following:
  • Open LDP
  • Click Browse then Search and supply the following information:

The output you should see will provide the serviceBindingInformation (the location of the XML file), something like this:

   serviceBindingInformation: https://EX1.compulinx.local/Autodiscover/Autodiscover.xml

As you can see, this is the internal domain reference of the Autodiscover web service and the XML file. Outlook will then connect to the service using the location information provided and download the XML file.
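The same SCP lookup can be scripted instead of clicking through LDP. The following is an added example, not part of the original post: it uses the .NET DirectorySearcher from a domain-joined machine, and the keyword GUID 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the well-known value Outlook searches for to identify Autodiscover service connection points. The script lists every Autodiscover SCP in the configuration partition and flags any whose binding is not an HTTPS URL ending in /Autodiscover/Autodiscover.xml, because clients trust whatever URL the SCP hands them.

```powershell
# Added example (not from the original post): enumerate Autodiscover SCPs
# the way a domain-joined Outlook client does, and sanity-check each one.
# Requires a domain-joined machine; any authenticated user can read the
# configuration partition by default.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=compulinx,DC=local

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]("LDAP://" + $configNc)
$searcher.SearchScope = "Subtree"
# 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the keyword Outlook looks for
# when searching for Autodiscover service connection points.
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))"
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "serviceBindingInformation", "keywords", "whenCreated", "whenChanged"))

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    Write-Warning "No Autodiscover SCP found; domain-joined clients will fall back to DNS."
}

foreach ($scp in $results) {
    # Result property names are returned in lower case by DirectorySearcher
    $dn   = [string]$scp.Properties["distinguishedname"][0]
    $url  = [string]$scp.Properties["servicebindinginformation"][0]
    # Exchange also stamps the AD site the SCP serves as a "Site=..." keyword
    $site = ($scp.Properties["keywords"] | Where-Object { $_ -like "Site=*" }) -join ","

    # A healthy SCP points at the Autodiscover.xml endpoint over HTTPS on one of your CAS servers
    $looksValid = $url -match '^https://[^/]+/Autodiscover/Autodiscover\.xml$'

    [pscustomobject]@{
        SCP        = $dn
        Url        = $url
        SiteScope  = $site
        Created    = $scp.Properties["whencreated"][0]
        Changed    = $scp.Properties["whenchanged"][0]
        LooksValid = $looksValid
    }
}
```

Compare the list against the CAS servers you know about and against the AutoDiscoverServiceInternalUri that Get-ClientAccessServer reports for each of them; an SCP you did not create, or one whose binding has changed unexpectedly, is worth investigating, since every domain-joined Outlook client will follow it.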

The file will provide the URL location for a number of different services running on the CAS server:

You can trace what happens during the connection by typing the following:

[PS] Test-OutlookWebServices

The output is lengthy, but you can determine a lot from it:

The SCP is located
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id : 1019
Type: Information
Message: A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://EX1.compulinx.local/Autodiscover/Autodiscover.xml.

The Autodiscover Service is contacted

RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1006
Type: Information
Message: Contacted the Autodiscover service at https://

The Availability Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1024
Type: Success
Message: [EXCH] Successfully contacted the AS service at https://EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 93 milliseconds.

The Unified Messaging Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1026
Type: Success
Message: [EXCH] Successfully contacted the UM service at https://EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 15 milliseconds.

The RPC/HTTP proxy is contacted (therefore Outlook Anywhere)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1128
Type: Success
Message: [EXPR] Successfully contacted the RPC/HTTP service at https://EX1.compulinx.local/rpc. The elapsed time was 0 milliseconds.

Notice here that the URLs reference the internal namespace (i.e. the domain.local reference, as I am not using split DNS). This all indicates that internal users have no problem using Autodiscover to connect Outlook clients and have them configured automatically. But please understand that the URLs returned are internal references. Workgroup Internet users can't use these URLs (for one thing, .local is being used and this is not a valid TLD).

External users must be able to obtain the XML file as well, and the URLs returned must reference the public DNS namespace.
The CAS server running Autodiscover can be found by updating the client's hosts file or by updating the public DNS (i.e. with its public IP). During configuration of Outlook the user is prompted to define a name, an email address and a password. The domain name is taken from this email address and the client prepends autodiscover to the domain name. A public DNS lookup is made. Now the client will pass through the corporate firewall, where HTTPS has been redirected to your CAS server.
The URL used is https://autodiscover.smtpdomain/Autodiscover/Autodiscover.xml. Once contacted, the XML file will be returned. However, this time the URLs are public.
You should make sure that the services Autodiscover puts you in touch with have both the correct internal and external references. From the test output above you can see that this needs to be checked for the following:
  • Web services virtual directory
  • Offline Address Book
  • Unified Messaging
  • Outlook Anywhere
The web services virtual directory in fact covers a lot of the services, including Out of Office, the Availability Service for Free/Busy, and Unified Messaging. To determine the current configuration type:

[PS] Get-WebServicesVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-WebServicesVirtualDirectory -Identity "EX1\EWS (Default Web Site)" -InternalURL https://EX1.compulinx.local/EWS/Exchange.asmx -ExternalURL -BasicAuthentication:$true

To determine the current configuration of the offline address book type:

[PS] Get-OABVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-OABVirtualDirectory -Identity "EX1\OAB (Default Web Site)" -InternalURL https://EX1.compulinx.local/OAB -ExternalURL -RequireSSL:$true

To determine the URLs used by Outlook Anywhere type:

[PS] Get-OutlookAnywhere | fl

To configure the correct external hostname type the following (you did this above when you enabled Outlook Anywhere; mail.example.com is a placeholder for your public hostname):

[PS] Enable-OutlookAnywhere -ExternalHostname mail.example.com -DefaultAuthenticationMethod Basic -SSLOffLoading:$false

You will also need to check and set the external URL for ActiveSync:

[PS] Get-ActiveSyncVirtualDirectory | fl

[PS] Set-ActiveSyncVirtualDirectory -Identity "EX1\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL
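Rather than eyeballing each `| fl` listing, the internal and external references for the directories above can be audited in one pass. The following is an added example, not from the original post, written for the Exchange Management Shell on a 2007/2010 CAS. It assumes the cmdlets used in this post plus Get-ClientAccessServer, uses the EX1 server name and compulinx.local namespace from the post as values you should replace with your own, and treats a URL as suspect when it is empty, not HTTPS, or (on the external side) points at the internal .local namespace.

```powershell
# Added example (not from the original post): audit the internal/external URLs
# that Autodiscover hands out to clients. Run in the Exchange Management Shell.
$server         = "EX1"                 # CAS server name used in this post; change to yours
$internalSuffix = ".compulinx.local"    # internal namespace used in this post; change to yours

function Test-ClientUrl {
    param([string]$Label, [string]$Url, [switch]$External)
    $issues = @()
    if ([string]::IsNullOrEmpty($Url)) {
        $issues += "not set"
    } else {
        if ($Url -notlike "https://*") { $issues += "not HTTPS" }
        if ($External -and $Url -like "*$internalSuffix*") { $issues += "external URL uses internal namespace" }
    }
    $scope  = "Internal"
    if ($External) { $scope = "External" }
    $status = "OK"
    if ($issues) { $status = $issues -join "; " }
    [pscustomobject]@{ Service = $Label; Scope = $scope; Url = $Url; Status = $status }
}

$report = @()

# EWS (Availability, OOF, UM), OAB and ActiveSync each expose InternalUrl/ExternalUrl
$dirs = @(
    @{ Label = "EWS";        Object = Get-WebServicesVirtualDirectory -Server $server },
    @{ Label = "OAB";        Object = Get-OABVirtualDirectory        -Server $server },
    @{ Label = "ActiveSync"; Object = Get-ActiveSyncVirtualDirectory -Server $server }
)
foreach ($d in $dirs) {
    foreach ($vd in @($d.Object)) {
        $report += Test-ClientUrl -Label $d.Label -Url ([string]$vd.InternalUrl)
        $report += Test-ClientUrl -Label $d.Label -Url ([string]$vd.ExternalUrl) -External
    }
}

# Outlook Anywhere carries only an external hostname (no scheme), so check it separately.
# Get-OutlookAnywhere returns nothing if Outlook Anywhere has not been enabled.
$oa     = Get-OutlookAnywhere -Server $server
$oaHost = [string]$oa.ExternalHostname
$oaStatus = "OK"
if (-not $oaHost) { $oaStatus = "not set (Outlook Anywhere not enabled?)" }
elseif ($oaHost -like "*$internalSuffix") { $oaStatus = "external hostname uses internal namespace" }
$report += [pscustomobject]@{ Service = "OutlookAnywhere"; Scope = "External"; Url = $oaHost; Status = $oaStatus }

# The Autodiscover URL that domain-joined clients receive through the SCP
$cas = Get-ClientAccessServer -Identity $server
$report += Test-ClientUrl -Label "Autodiscover SCP" -Url ([string]$cas.AutoDiscoverServiceInternalUri)

$report | Format-Table -AutoSize
```

Anything reported as "not set" is a service that external clients will fail to reach once they have downloaded the public copy of Autodiscover.xml, and an external URL that still carries the .local suffix is the exact problem described above: the client receives a name it cannot resolve on the Internet. Run the audit again after every Set-*VirtualDirectory change and after each certificate renewal, since the hostnames must also match the SAN certificate.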
