You must now configure the Microsoft Exchange 2007 SP1 Client Access Server that hosts Microsoft Office Outlook Web Access (OWA), Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), and the RPC over HTTP protocols.

Tasks

  1. Configure POP and IMAP Services to Start Automatically
  2. Configure Forms-based Authentication, External URL, and UPN Logon for OWA
  3. Enable Outlook Anywhere (RPC over HTTPS)
  4. Create an External DNS Zone
  5. Configure SSL Security for the Default Web Site
  6. Configure AutoDiscover Functionality

Configure POP and IMAP Services to Start Automatically

Use the Exchange Management Shell to configure the POP3 and IMAP4 service startup behavior.

Procedure W03-DWHE.42: To configure POP and IMAP services to start automatically

  1. Open the Exchange Management Shell on EXCAS01.

  2. Type the following commands:

      Copy Code 
    Set-service msExchangePOP3 -startuptype automatic
Set-service msExchangeIMAP4 -startuptype automatic
Start-service msExchangePOP3
Start-service msExchangeIMAP4

Configure Forms-based Authentication, External URL, and UPN Logon for OWA

Use the following procedure to configure forms-based authentication, external URL, and UPN logon for Outlook Web Access (OWA).

Procedure W03-DWHE.43: To configure forms-based authentication, external URL, and UPN logon for OWA

  1. To make a record of your current OWA virtual directory settings, run the following command from the Exchange Management Shell on EXCAS01:

      Copy Code 
    Get-OwaVirtualDirectory -identity 'EXCAS01\owa (Default Web Site)' | fl | Out-File -filePath 'C:\owa_DefWS_Settings.txt'

  2. To configure forms-based authentication, external URL, and UPN, type the following command:

      Copy Code 
    Set-owavirtualdirectory -identity "owa (Default Web Site)" -FormsAuthentication:1 -LogonFormat:PrincipalName -ExternalURL 'https://webmail.consolidatedmessenger.com'

  3. To reset IIS, run the following command:

      Copy Code 
    IISRESET /noforce

Enable Outlook Anywhere (RPC over HTTPS)

Use the following procedure to enable Outlook Anywhere (RPC over HTTPS).

Procedure W03-DWHE.44: To enable Outlook Anywhere (RPC over HTTPS)

  1. Open the Exchange Management Console on EXCAS01, expand Server Configuration, and then click Client Access.

  2. In the Actions pane, click Enable Outlook Anywhere to open the wizard.

  3. In External Host Name, enter the publicly resolvable FQDN you will use for Outlook Anywhere. In this reference architecture, the host name is: webmail.consolidatedmessenger.com.

  4. Select Basic authentication, and then follow instructions to complete the wizard.

Create an External DNS Zone

In this procedure you create the ConsolidatedMessenger DNS zone. This zone will hold the publicly resolvable DNS records for Outlook Anywhere, Outlook Web Access, and other customer-facing Exchange Web Services sites.

Procedure W03-DWHE.45: To create the ConsolidatedMessenger.com zone

  1. Log on to DNS01 as the local Administrator.

  2. Run the DNS MMC and create a forward lookup zone called ConsolidatedMessenger.com.

Note:
The webmail DNS record will be used by clients on the Internet who connect to Outlook Web Access.

Procedure W03-DWHE.46: To create the webmail DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named webmail for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the default Web site on EXCAS01 which contains the /owa virtual directory.

    Note:
    Depending on the unique characteristics of your deployment, the external IP address you typed could potentially be the IP address of an Internet-facing firewall or load balancer, which will be used to publish this Web site to the Internet. It is beyond the scope of this deployment walkthrough to prescribe firewall and load balancing configuration.
Note:
The mail DNS record will be used by clients on the Internet who connect to POP3 and IMAP4.

Procedure W03-DWHE.47: To create the mail DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named mail for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for EXCAS01 which is bound to the POP3 and IMAP4 services.

    Note:
    Depending on the unique characteristics of your deployment, the external IP address you typed could potentially be the IP address of an Internet-facing firewall or load balancer, which will be used to publish these services to the Internet. It is beyond the scope of this deployment walkthrough to prescribe firewall and load balancing configuration.

Configure SSL Security for the Default Web Site

Although the default Web site on the Exchange 2007 Client Access Server is automatically configured with a default, self-signed certificate, this certificate is not supported for Outlook Anywhere, and is not trusted by your external Microsoft Office Outlook 2007 client computers. In the following procedure, you will remove the default self-signed certificate, and replace it with an SSL certificate from a trusted third-party Certificate Authority (CA).

Procedure W03-DWHE.48: To remove the default self-signed certificate from the Default Web Site

  1. Open the Internet Information Services (IIS) Manager on EXCAS01.

  2. Expand Web Sites, right-click Default Web Site, and then select Properties.

  3. On the Directory Security tab, click Server Certificate, and then select Remove the current certificate.

  4. Follow on-screen instructions to complete the task.

Procedure W03-DWHE.49: To request and import an SSL certificate for the Default Web Site

Procedure W03-DWHE.50: To change the bindings for the Default Web Site

  1. Open the Internet Information Services (IIS) Manager on EXCAS01.

  2. Expand Web Sites, right-click Default Web Site, and then select Properties.

  3. On the Web Site tab, click Advanced to open the Advanced Web Site Identification page.

  4. Perform the following settings:

    • In the Multiple identities for this Web site section, bind the IP address of EXCAS01 to port 80.
    • In the Multiple SSL identities for this Web site section, bind the IP address of EXCAS01 to port 443.

Configure AutoDiscover Functionality

We recommend that you host the AutoDiscover service on a separate site than the one that hosts your e-mail traffic. In addition, an AutoDiscover Redirection Web site will need to be set up and configured. To allow external access to the Autodiscover service for Outlook 2007 clients from the Internet, we recommend that you follow these steps in order.

Add New Unique IP addresses for the Autodiscover and the Autodiscover Redirection Web Sites and Configure DNS Entries for Both

Because there will be two new unique Web sites, one for Autodiscover and one for the Autodiscover Redirection, the EXCAS01 server will need an additional two unique IP addresses. Make sure to take note of which IP address will be used for the Autodiscover Web site and which one will be used for the Autodiscover Redirection Web site.

Procedure W03-DWHE.51: To assign two new unique IP addresses to the EXCAS01 server

  1. Log on to EXCAS01 as a member of the Domain Administrators group.

  2. Use the Network Connections console to add two unused and unique IP addresses to the EXCAS01 server.

Procedure W03-DWHE.52: To create the autodiscover DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named autodiscover for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the Autodiscover Web site that you added to the EXCAS01 server in the previous procedure.

Procedure W03-DWHE.53: To create the autodiscoverredirect DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named autodiscoverredirect for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the Autodiscover Redirection Web site that you added to the EXCAS01 server in the previous procedure.

Setup and Configure a New Web Site for AutoDiscover Redirection

In order to use AutoDiscover features with hosted e-mail domains, you must set up and configure a site that will function as a redirector to the main Exchange AutoDiscover Web site. For each hosted e-mail domain that you offer, an alias (CNAME) will be setup in DNS to refer AutoDiscover capabilities to this AutoDiscover Redirection Web site. This AutoDiscover Redirection Web site will re-direct the users to the main Exchange AutoDiscover Web site which will then provide the correct information to Outlook 2007 clients.

Procedure W03-DWHE.54: To create a new Web site for AutoDiscover Redirection

  1. Log on to EXCAS01 as a member of the Domain Administrators group, and then run the Internet Information Services (IIS) Manager.

  2. Right-click the Web Sites node, and then select New, Web Site.

  3. Follow the on-screen instructions to create a new Web site for AutoDiscover Redirection. Ensure the following information:

    • Enter AutoDiscoverRedirect for Web Site Description.
    • In the IP Address and Port Settings dialog box, choose the IP address for the Autodiscover Redirection Web site that you added to the EXCAS01 server. Ensure that the default is TCP port 80 and leave the Host header field empty.
    • Create a new folder AutoDiscoverRedirect for the Web Site Home Directory.

Procedure W03-DWHE.55: To create the AutoDiscover virtual directory for the new Web site for AutoDiscover Redirection

  1. While still in Internet Information Services (IIS) Manager, right-click the AutoDiscoverRedirect Web site, and then select New, Virtual Directory.

  2. Follow the on-screen instructions to create the AutoDiscover virtual directory. Ensure the following information:

    • On the Virtual Directory Alias page, enter AutoDiscover for the alias.
    • When selecting Web Site Content Directory, browse to the AutoDiscoverRedirect folder that you created in the previous procedure, and then create a new folder AutoDiscover.

Procedure W03-DWHE.56: To create the AutoDiscover.xml file for the new Web site for AutoDiscover Redirection

  1. Open Notepad to create a new file.

  2. Save the file to the AutoDiscoverRedirect/Autodiscover folder. Set the file type to All Files. Set the file name to AutoDiscover.xml.

Procedure W03-DWHE.57: To configure the AutoDiscover.xml file for redirection

  1. In Internet Information Services (IIS) Manager, select the AutoDiscover virtual directory from the AutoDiscoverRedirect Web site.

  2. In the right pane, right-click the AutoDiscover.xml file, and then select Properties.

  3. On the File tab, choose the A redirection to a URL option.

  4. In the Redirect to field, type https://autodiscover.consolidatedmessenger.com/autodiscover/autodiscover.xml.

  5. Do NOT select the The exact URL entered above and A permanent redirection for this resource check boxes. They should both be unselected and not enabled.

Setup and Configure a New Web Site for the AutoDiscover Service

In the following procedures, we will setup and configure a new Web site specifically for the AutoDiscover service. We recommend hosting the AutoDiscover service on a separate site than the one that hosts your e-mail traffic. To host the AutoDiscover service on a separate site on the same computer as other hosted Exchange client access features, follow these steps:

Procedure W03-DWHE.58: To create a new Web site for the AutoDiscover service

  1. Log on to EXCAS01 as a member of the Domain Administrators group. Open the Internet Information Services (IIS) Manager.

  2. Expand and right-click the Web Sites node of EXCAS01, and then choose New, Web Site to open the Web Site Creation Wizard.

  3. Follow the on-screen instructions to create a new Web site for the AutoDiscover service. Ensure the following information:

    • In the IP Address and Port Settings dialog box, choose the IP address for the AutoDiscover Web site that you added to the EXCAS01 server. Ensure that the default is TCP port 80 and leave the Host header field empty.
    • Create a new folder AutoDiscover in the local disk for the Web Site Home Directory.

Procedure W03-DWHE.59: To request and import an SSL certificate for the AutoDiscover Web Site

  1. Follow the steps in Microsoft Knowledge Base article KB 298805 How to enable SSL for all customers who interact with your Web site in Internet Information Services in order to request and assign an SSL certificate for the AutoDiscover Web site.

    For the purposes of this reference architecture, the common name for this certificate should be autodiscover.consolidatedmessenger.com.

Procedure W03-DWHE.60: Verify the SSL binding for the AutoDiscover Web Site

  1. In Internet Information Services (IIS) Manager, expand the Web Sites node.

  2. Right-click the AutoDiscover virtual directory and then select Properties.

  3. On the Web Site tab, click Advanced.

  4. On the Advanced Web Site Identification page, in the Multiple SSL identities for this Web site section, verify that the correct IP address for the Autodiscover Web site is currently bound to port 443. If necessary, edit the IP address assignment in order to assign the correct IP address.

Procedure W03-DWHE.61: To use the Exchange Management Shell to configure a new Web site for the AutoDiscover service

  1. Log on to EXCAS01 as Fabrikam\Administrator. Open the Exchange Management Shell.

  2. To make a record of your current AutoDiscover virtual directory settings, run the following command:

      Copy Code 
    Get-AutodiscoverVirtualDirectory | fl | Out-File -filePath 'C:\Autodiscover_DefWS_Settings.txt'

  3. Remove the old AutoDiscover virtual directory by executing the following command in the Exchange Management Shell:

      Copy Code 
    Remove-AutodiscoverVirtualDirectory -identity 'EXCAS01\Autodiscover (Default Web Site)'

  4. Add the new AutoDiscover virtual directory by executing the following command in the Exchange Management Shell:

      Copy Code 
    New-AutodiscoverVirtualDirectory -Websitename AutoDiscover -BasicAuthentication:$True -WindowsAuthentication:$True -ExternalURL 'https://autodiscover.consolidatedmessenger.com'

Procedure W03-DWHE.62: To configure the Exchange Services for the Autodiscover Service

  1. On EXCAS01, open the Exchange Management Shell.

  2. Configure the external URL for Unified Messaging for the Autodiscover service by executing the following command in the Exchange Management Shell:

      Copy Code 
    Set-UMVirtualDirectory -identity 'EXCAS01\UnifiedMessaging (Default Web Site)' -externalurl https://webmail.consolidatedmessenger.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True

  3. Configure the external URL for Exchange Web Services for the Autodiscover service.

      Copy Code 
    Set-WebServicesVirtualDirectory -identity 'EXCAS01\EWS (Default Web Site)' -externalurl https://webmail.consolidatedmessenger.com/EWS/Exchange.asmx -BasicAuthentication:$True

(Optional) Configure SRV records to enable Outlook 2007 to locate the Exchange Autodiscover service

A new feature released in a rollup package for Office Outlook 2007 enables it to query DNS for a Service Location (SRV) record in order to locate the Exchange AutoDiscover service. This feature is described in KB Article 940881.. The rollup package is described in KB article 939184, Description of the update rollup for Outlook 2007: June 27, 2007.

This allows you to use SRV records instead of autodiscover redirection. However, the limitation is that some customers may have their domains registered with DNS hosters who do not support SRV records. Also, only users who have the KB939184 rollup package will be able to take advantage of this feature.