Scenario Option Questioning
Scenario options are based on the deployment scenarios from the Exchange Server 2007 Autodiscover Service White Paper. The same principles apply to Exchange Server 2010.
Questions that choose the scenario options & additions
- Are you transitioning from Exchange Server 2007 Client Access Servers or Exchange Server 2003 Front End servers to Exchange Server 2010 Client Access servers?
- Yes = Please see the co-existence information linked in the following articles before proceeding:
- No = Proceed
- What Exchange Server 2010 remote access features do you need configured?
- Are you configuring more than one Exchange Server 2010 CAS to behave in a CAS Array function?
- No = Proceed
- Yes = Please see the instructions below regarding setting up a CAS Array:
- Do you want to configure the throttling features in Exchange Server 2010 on your Client Access server(s)?
- Do you want Outlook 2003, Outlook 2007, or Outlook 2010 clients to connect to Exchange Server 2010 over the Internet without using a VPN (also known as Outlook Anywhere)?
- Yes = Follow Understanding Outlook Anywhere and be sure to configure the Autodiscover feature mentioned in step 4 and also referenced in this article.
- No = Proceed
- Do you want Outlook and mobile devices to automatically configure their settings based on the user's e-mail address (this is also known as the Autodiscover Service)?
- No = This is not an advisory/setup case, unless you need assistance configuring only Outlook Anywhere or Exchange ActiveSync - proceed with usual break/fix case.
- Yes = Did this ever work?
- Yes = This is not an advisory/setup case, unless you need assistance configuring only Outlook Anywhere or Exchange ActiveSync - proceed with usual break/fix case.
- No = Proceed
- First time setup?
- Yes = Proceed
- No = Microsoft recommends consulting with an advisory engineer before proceeding.
- Do you want mobile devices to be able to synchronize their e-mail wirelessly over the Internet via Exchange ActiveSync (EAS)?
- Do you want users to be able to access their e-mail over the Internet using the Outlook Web App (OWA)?
- No = Proceed
- Yes = Do you want users to be able to access Public Folder data through OWA?
The following questions will determine the Autodiscover deployment method (if you are unable to answer these questions, or are unfamiliar with them, then please read the Exchange 2007 Autodiscover Service White Paper - Supported Scenarios section prior to continuing):
- Do you have more than one domain or forest?
- Yes = Are you hosting multiple e-mail domains (SMTP domains)?
- Yes = Are you a commercial hoster, utilizing an HMC environment, or attempting to use address list segregation?
- No = Proceed
- Do you already have a valid SSL certificate installed on your Client Access server?
- Yes = Does this certificate include the Subject Alternative Names for your environment, i.e. DNS name for Autodiscover and the internal FQDN?
- Scenario 2 questions: Do you want to use the Scenario Option 2 (Single-Name Certificate and Autodiscover SRV Record) method to deploy Autodiscover?
- Yes = Does your DNS provider support SRV DNS records?
- No = Proceed further with questions
- Scenario 3 questions: Do you want to use the Scenario Option 3 (Two Single-Name Certificate) Autodiscover deployment method in which you would use a pre-existing single-name certificate on the Default Website and then purchase another single-name certificate specifically for Autodiscover which would be configured on a second website?
- Yes = Have you verified that you cannot get your current server certificate modified so that it has the appropriate Subject Alternative Name (SAN)?
- No = Proceed further with questions
- Scenario 4 questions: Do you want to use the Scenario 4 (Using the Autodiscover Service with Redirection) Autodiscover deployment method which is typically used as an alternative solution to the previous scenarios or when you have users with different primary SMTP addresses?
- Yes = We need to verify once again that you are not a hoster. Are you a hoster of multiple e-mail domains?
- No = Please read the white paper mentioned earlier and restart questioning.
Scenario Option 1: Using a Certificate That Supports Multiple DNS Names
Reasons to use this method: We recommend that you provide all the necessary DNS names in the same certificate by using a Unified Communications certificate that supports the Subject Alternative Name field. Using a Unified Communications certificate reduces the complexity of configuring and managing the Autodiscover service and Exchange services URLs. However, using a Unified Communications certificate may increase the cost, as this kind of certificate can be more expensive than the single name certificates which you already may own. For more information please see this article:
Scenario Option 2: Single-Name Certificate and Autodiscover SRV Record
Reasons to use this method: Although certificates that support Subject Alternative Names are highly recommended, they are not required. Another recommended solution is to use one single-name certificate installed on the Default Web Site. If your DNS provider supports SRV records, this solution is the simplest and least expensive way to deploy Outlook Anywhere in Exchange 2007 environments.
Scenario Option 3: Using Two Single-Name Certificates
Reasons to use this method: Sometimes you cannot use a certificate that supports multiple DNS names. For example, this may occur if you want to replace the self-signed certificate with a preexisting certificate exported from an earlier version of Exchange, or if you have already purchased a new single-name certificate before fully understanding the certificate requirements for the Autodiscover service for Exchange 2007. If this describes your situation, there are alternative solutions you can implement to address these types of scenarios which will ultimately give you the same level of functionality. One option is to obtain a second certificate and install it on a second Web site which will be specifically used for Autodiscover.
In this scenario, one certificate is issued with the common name that is used as the entry point for clients that connect from the Internet, for example, mail.contoso.com. The second certificate has a common name that references the FQDN for the Autodiscover service, for example autodiscover.contoso.com. This option requires two separate Web sites and public IP addresses. The Default Web Site will host your primary Exchange features and services such as Outlook Web Access and Exchange ActiveSync while the second Web site will be used to host the Autodiscover service.
Scenario Option 4: Using the Autodiscover Service with Redirection
Reasons to use this method: Until the release of the update rollup for Outlook 2007, described in Microsoft Knowledge Base article 939184 and referred to in:
earlier in this white paper, this kind of deployment scenario was, and may still be, the ideal solution to use in situations such as a hosted Exchange 2007 environment. Using the Autodiscover service with redirection may be the ideal solution because some DNS providers do not support SRV records. However, this kind of deployment can also be used for organizations that are not hosting multiple domains. With this option, you install a single-name certificate on the Default Web Site and create another Web site that contains no certificate. Domain-connected clients continue to locate the Autodiscover service by using the SCP object and will not receive any security warnings as long as the URL for connecting to the Autodiscover service which is stored in the SCP object has been changed to refer to the FQDN of the certificate installed on the Default Web Site.
Clients that connect from the Internet will at first be unable to find Autodiscover by using DNS, as described in:
earlier in this white paper. However, before failing to connect to the Autodiscover service, Outlook will try an additional method to connect to the Autodiscover URL by using HTTP (instead of HTTPS) and connect to the Autodiscover Web site and then be redirected to the Autodiscover service hosted under the Default Web Site. When these Internet-based Outlook clients connect to this redirection site, they will see a dismissible warning message asking them to verify that they are being redirected to a trusted URL. In this case, you must advise your users to accept this warning message and allow Outlook to connect to this trusted URL.
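To see which of the four scenario options above an existing certificate can support, the following added example (not code from Microsoft or the white paper) checks the certificate's names against the entry point, the Autodiscover name and the internal FQDN. The function names, the sample certificates and the internal FQDN `cas01.corp.contoso.local` are assumptions made for illustration, and the mapping from missing names to options is a simplification of the questionnaire.

```python
# Added example; the certificates and the internal FQDN below are constructed.
SINGLE_NAME = {"subject": ((("commonName", "mail.contoso.com"),),)}
UC_CERT = {
    "subject": ((("commonName", "mail.contoso.com"),),),
    "subjectAltName": (("DNS", "mail.contoso.com"),
                       ("DNS", "autodiscover.contoso.com"),
                       ("DNS", "cas01.corp.contoso.local")),
}


def cert_dns_names(cert):
    """DNS names a client matches against, from an ssl.getpeercert()-style dict.

    DNS subjectAltName entries win when present; otherwise fall back to the
    subject commonName, which is all a single-name certificate carries.
    """
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_names(cert, required):
    """Required host names that would trigger a certificate name warning."""
    names = cert_dns_names(cert)
    return [r for r in required if not any(name_matches(n, r) for n in names)]


def candidate_options(cert, entry_point, autodiscover, internal_fqdn, srv_ok):
    """Scenario options (numbered as on this page) this certificate allows."""
    missing = uncovered_names(cert, [entry_point, autodiscover, internal_fqdn])
    if not missing:
        return [1]            # one certificate covers every name
    if entry_point in missing:
        return []             # does not even fit the Default Web Site
    # Option 2 needs SRV support at the DNS provider; 3 and 4 do not.
    return ([2] if srv_ok else []) + [3, 4]
```

The input dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`, so the same functions can be pointed at the certificate a Client Access server actually presents.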
Footnotes
- Work may take less time if PowerShell commands are used to configure multiple servers.
- If we review the steps with the customer, instead of doing the steps with the customer, then the time can be reduced to 40% of total. Example: Total time would take 232 minutes.
- SRV Record Method: If the customer does not have an external URL, or decides they want external Outlook clients to connect to Autodiscover using an SRV record instead of the SAN certificate, then they have to work with their DNS provider which is not supported in this scenario. (Note: we do not contact their DNS provider, or work with their DNS provider)
- SSL Certificates: Customer is responsible for procurement of certificate(s) from the third-party company.
- OWA Customization: OWA customization is not supported. If customization is desired a separate case should be opened for the Messaging Dev Team.
- iPhone: If EAS works for Windows Mobile devices, but not with an iPhone with the latest firmware, then customer needs to work with Apple support for further assistance or create a separate case with Exchange support.
- Certificate Based Authentication: This offering does not include deployment of certificate-based authentication. A separate case will need to be opened with Exchange support to configure this type of authentication.
- Firewalls: Assistance in configuring firewalls only includes giving the required ports to the customer. We do not support configuring firewalls. If ISA is used, and the customer needs assistance with this, then a separate case must be opened with the ISA support team.
- Information Worker - Availability Service: If issues arise with client Free/Busy that cannot be resolved within 30 minutes then a separate case will need to be opened with Exchange for more extensive troubleshooting.
- Networking issues: If issues arise that are caused by networking issues that cannot be resolved within 30 minutes, then a separate case will need to be opened with the Networking team for more extensive troubleshooting.
- Hosters/Hosting/HMC: Supported by a separate team. Microsoft support will help you find the right resource.