Configuring Exchange Server 2010 Client Access Features for Remote Access

View products that this article applies to.

Microsoft Professional Advisory Services is a support option that provides short-term, proactive, consultative support beyond break-fix product maintenance needs. This includes working with the same technician for assistance with issues like product migration, code review, or new program development and is a remote, phone-based support option. This service is typically used for shorter engagements, and is designed for developers and IT professionals who do not require the traditional onsite consulting or sustained account management services that are available from other Microsoft support options.

For additional information on Microsoft Advisory Services, including on how to engage, refer to this Microsoft web page:

http://support.microsoft.com/gp/AdvisoryService

↑ Back to the top

Assumptions

All Exchange 2010 CAS setup Pro Advisory support offerings make the following assumptions:

The current Exchange Environment is healthy and configured per Microsoft�s Best Practices Recommendations as determined by a full Exchange Best Practice Analyzer (ExBPA) health check and is running the latest Exchange Server 2010 Service Pack (SP) and hotfix Rollup Update (RU).
Any pre-existing configuration or other issues that might prevent a successful CAS setup must be resolved prior to beginning work on the Pro Advisory offering as scoped. It is highly recommended that the customer perform the ExBPA health check and resolve any issues prior to beginning work on the Advisory Case Scope.
Should the customer request assistance with bringing the current environment to a healthy state, separate, break-fix support incidents will need to be opened to address each subordinate issue. Further, should any issues arise while performing agreed upon scoped tasks in Migration or New Installation scenarios, a maximum of thirty (30) minutes will be spent troubleshooting the other issues. This troubleshooting will be billed to the current advisory case. If the issue is not resolved in thirty (30) minutes the customer must open a new break-fix Support Incident, at additional cost, to address the problem. The Advisory Support Engineer may work that Break/Fix Support Incident at their discretion.
At the conclusion of this service the Support Engineer and the customer will verify configuration by using the Microsoft Exchange Remote Connectivity Analyzer tool
https://www.testexchangeconnectivity.com

↑ Back to the top

Microsoft advisory services engagement

Scenario Option Questioning

Scenario options are based on the deployment scenarios from the Exchange Server 2007 Autodiscover Service White Paper. The same principles apply to Exchange Server 2010.
Questions that choose the scenario options & additions

Are you transitioning from Exchange Server 2007 Client Access Servers or Exchange Server 2003 Front End servers to Exchange Server 2010 Client Access servers?

Yes = Please see the co-existence information linked in the following articles before proceeding:
No = Proceed
What Exchange Server 2010 remote access features do you need configured?
1. Are you configuring more than one Exchange Server 2010 CAS to behave in a CAS Array function?
  - No = Proceed
  - Yes = Please see the instructions below regarding setting up a CAS Array:
    - How to configure an Exchange 2010 CAS Array
    - Using the New-ClientAccessArray cmdlet
2. Do you want to configure the throttling features in Exchange Server 2010 on your Client Access server(s)?
  - Yes = Read Understanding Client Throttling Policies
  - No = Proceed
3. Do you want Outlook 2003, Outlook 2007, or Outlook 2010 clients to connect to Exchange Server 2010 over the Internet without using a VPN (also known as Outlook Anywhere)?
  - Yes = Follow Understanding Outlook Anywhere and be sure to configure the Autodiscover feature mentioned in step 4 and also referenced in this article.
  - No = Proceed
4. Do you want Outlook and mobile devices to automatically configure their settings based on the user�s e-mail address (this is also known as the Autodiscover Service)?
  - No = This is not an advisory/setup case, unless you need assistance configuring only Outlook Anywhere or Exchange ActiveSync � proceed with usual break/fix case
  - Yes = Did this ever work?
    - Yes = This is not an advisory/setup case, unless you need assistance configuring only Outlook Anywhere or Exchange ActiveSync � proceed with usual break/fix case.
    - No = Proceed
  - First time setup?
    - Yes = Proceed
    - No = Microsoft recommends consulting with an advisory engineer before proceeding.
5. Do you want mobile devices to be able to synchronize their e-mail wirelessly over the Internet via Exchange ActiveSync (EAS)?
  - No = Proceed
  - Yes = Follow Understanding Exchange ActiveSync
6. Do you want users to be able to access their e-mail over the Internet using the Outlook Web App (OWA)?
  - No = Proceed
  - Yes = Do you want users to be able to access Public Folder data through OWA?
    - No = Proceed as Outlook Web Access works out of the box.
    - Yes = Follow Enable Users to Access Public Folders from Outlook Web App
The following questions will determine the Autodiscover deployment method (if you are unable to answer these questions, or are unfamiliar with them, then please read the Exchange 2007 Autodiscover Service White Paper � Supported Scenario�s section prior to continuing):
- Do you have more than one domain or forest?
  - Yes = Are you hosting multiple e-mail domains (SMTP domains)
    - Yes = Are you a commercial hoster, utilizing an HMC environment, or attempting to use address list segregation?
      - Yes = Not supported � See Hoster footnote below
      - No = Note that you should use either Scenario Option 2 or Scenario Option 4 below and proceed
    - No = Proceed
- Do you already have a valid SSL certificate installed on your Client Access server?
  - Yes = Does this certificate include the Subject Alternative Names for your environment, i.e. DNS name for Autodiscover and the internal FQDN?
    - Yes = Scenario Option 1 � Using a Certificate That Supports Multiple DNS Names
    - No = What kind of certificate do you want to use: SAN, one single name certificate, or two single name certificates?
      - SAN = Scenario 1 � Using a Certificate That Supports Multiple DNS Names
      - One single name certificate = Proceed with either Scenario Option 2 and Scenario Option 4 questioning
      - Two single name certificates = Proceed with Scenario Option 3 questioning
    - No = Proceed
  - Scenario 2 questions: Do you want to use the Scenario Option 2 (Single-Name Certificate and Autodiscover SRV Record) method to deploy Autodiscover?
    - Yes = Does your DNS provider support SRV DNS records?
      - Yes = Scenario Option 2- Single-Name Certificate and Autodiscover SRV Record Note: You will have to work with your DNS provider to setup the SRV records. Microsoft will not contact the DNS provider, or work with the DNS provider to set these up.
      - No = You cannot do this method of Autodiscover � proceed with further questions
    - No = Proceed further with questions
- Scenario 3 questions: Do you want to use the Scenario Option 3 (Two Single-Name Certificate) Autodiscover deployment method in which you would use a pre-existing single-name certificate on the Default Website and then purchase another single-name certificate specifically for Autodiscover which would be configured on a second website?
  - Yes = Have you verified that you cannot get your current server certificate modified so that it has the appropriate Subject Alternative Name (SAN)?
    - Yes and cannot modify current certificate = This method requires an additional certificate. Follow Scenario Option 3 - Using Two Single-Name Certificates
      - Yes = Scenario Option 3 - Using Two Single-Name Certificates
      - No = Contact your certificate provider to check if they may be able to modify the certificate and then use Scenario Option 1 (Using a Certificate That Supports Multiple DNS Names) Autodiscover deployment method
- No = Proceed further with questions
Scenario 4 questions: Do you want to use the Scenario 4 (Using the Autodiscover Service with Redirection) Autodiscover deployment method which is typically used as an alternative solution to the previous scenarios or when you have users with different primary SMTP addresses?
- Yes = We need to verify once again that you are not a hoster. Are you a hoster of multiple e-mail domains?
  - Yes = Unsupported � See Hoster footnote below
  - No = Scenario Option 4 - Using the Autodiscover Service with Redirection
- No = Please read the white paper mentioned earlier and restart questioning.

Scenario Option 1: Using a Certificate That Supports Multiple DNS Names

Reasons to use this method:

We recommend that you provide all the necessary DNS names in the same certificate by using a Unified Communications certificate that supports the Subject Alternative Name field. Using a Unified Communications certificate reduces the complexity of configuring and managing the Autodiscover service and Exchange services URLs. However, using a Unified Communications certificate may increase the cost, as this kind of certificate can be more expensive than the single name certificates which you already may own. For more information please see this article:

Unified Communications Certificate Partners for Exchange Server and for Communications Server

Scenario Option 2: Single-Name Certificate and Autodiscover SRV Record

Reasons to use this method:

Although certificates that support Subject Alternative Names are highly recommended, they are not required. Another recommended solution is to use one single-name certificate installed on the Default Web Site. If your DNS provider supports SRV records, this solution is the simplest and least expensive way to deploy Outlook Anywhere in Exchange 2007 environments.

Scenario Option 3: Using Two Single-Name Certificates

Reasons to use this method:

Sometimes you cannot use a certificate that supports multiple DNS names. For example, this may occur if you want to replace the self-signed certificate with a preexisting certificate exported from an earlier version of Exchange, or if you have already purchased a new single-name certificate before fully understanding the certificate requirements for the Autodiscover service for Exchange 2007. If this describes your situation, there are alternative solutions you can implement to address these types of scenarios which will ultimately give you the same level of functionality. One option is to obtain a second certificate and install it on a second Web site which will be specifically used for Autodiscover.

In this scenario, one certificate is issued with the common name that is used as the entry point for clients that connect from the Internet, for example, mail.contoso.com. The second certificate has a common name that references the FQDN for the Autodiscover service, for example autodiscover.contoso.com. This option requires two separate Web sites and public IP addresses. The Default Web Site will host your primary Exchange features and services such as Outlook Web Access and Exchange ActiveSync while the second Web site will be used to host the Autodiscover service.

Scenario Option 4: Using the Autodiscover Service with Redirection

Reasons to use this method:

Until the release of the update rollup for Outlook 2007, described in Microsoft Knowledge Base article 939184 and referred to in:

Scenario 2: Using One Single-Name Certificate

earlier in this white paper, this kind of deployment scenario was, and may still be, the ideal solution to use in situations such as a hosted Exchange 2007 environment. Using the Autodiscover service with redirection may be the ideal solution because some DNS providers do not support SRV records. However, this kind of deployment can also be used for organizations that are not hosting multiple domains. With this option, you install a single-name certificate on the Default Web Site and create another Web site that contains no certificate. Domain-connected clients continue to locate the Autodiscover service by using the SCP object and will not receive any security warnings as long as the URL for connecting to the Autodiscover service which is stored in the SCP object has been changed to refer to the FQDN of the certificate installed on the Default Web Site.

Clients that connect from the Internet will at first be unable to find Autodiscover by using DNS, as described in:

How the Autodiscover Service Works

earlier in this white paper. However, before failing to connect to the Autodiscover service, Outlook will try an additional method to connect to the Autodiscover URL by using HTTP (instead of HTTPS) and connect to the Autodiscover Web site and then be redirected to the Autodiscover service hosted under the Default Web Site. When these Internet-based Outlook clients connect to this redirection site, they will see a dismissible warning messaging asking them to verify that they are being redirected to a trusted URL. In this case, you must advise your users to accept this warning message and allow Outlook to connect to this trusted URL.

Footnotes

Work may take less time if PowerShell commands are used to configure multiple servers.
If we review the steps with the customer, instead of doing the steps with the customer, then the time can be reduced to 40% of total. Example: Total time would take 232 minutes.
SRV Record Method: If the customer does not have an external URL, or decides they want external Outlook clients to connect to Autodiscover using an SRV record instead of the SAN certificate, then they have to work with their DNS provider which is not supported in this scenario. (Note: we do not contact their DNS provider, or work with their DNS provider)
SSL Certificates: Customer is responsible for procurement of certificate(s) from the third-party company.
OWA Customization: OWA customization is not supported. If customization is desired a separate case should be opened for the Messaging Dev Team.
iPhone: If EAS works for Windows Mobile devices, but not with an iPhone with the latest firmware, then customer needs to work with Apple support for further assistance or create a separate case with Exchange support.
Certificate Based Authentication: This offering does not include deployment of certificate-based authentication. A separate case will need to be opened with Exchange support to configure this type of authentication.
Firewalls: Assistance in configuring firewalls only includes giving the required ports to the customer. We do not support configuring firewalls. If ISA is used, and the customer needs assistance with this, then a separate case must be opened with the ISA support team.
Information Worker � Availability Service: If issues arise with client Free/Busy that cannot be resolved within 30 minutes then a separate case will need to be opened with Exchange for more extensive troubleshooting.
Networking issues: If issues arise that are caused by networking issues that cannot be resolved within 30 minutes, then a separate case will need to be opened with the Networking team for more extensive troubleshooting.
Hosters/Hosting/HMC: Supported by a separate team. Microsoft support will help you find the right resource.

↑ Back to the top

Self-help resources for this scenario

Below is a list of self-help resources for this scenario. Microsoft Support Engineers may also use these resources during an Advisory Services engagement.