You must now configure the Microsoft Exchange 2007 SP1 Client Access Server that hosts Microsoft Office Outlook Web Access (OWA), Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), and the RPC over HTTP protocols.

Tasks

  1. Configure POP and IMAP Services to Start Automatically
  2. Configure Forms-based Authentication, External URL, and UPN Logon for OWA
  3. Enable Outlook Anywhere (RPC over HTTPS)
  4. Create an External DNS Zone
  5. Configure SSL Security for the Default Web Site
  6. Configure AutoDiscover Functionality

Configure POP and IMAP Services to Start Automatically

Use the Exchange Management Shell to configure the POP3 and IMAP4 service startup behavior.

Procedure W08-DWHE.57: To configure POP and IMAP services to start automatically

  1. Open the Exchange Management Shell on EXCAS01.

  2. Type the following commands:

    Set-service msExchangePOP3 -startuptype automatic
    Set-service msExchangeIMAP4 -startuptype automatic
    Start-service msExchangePOP3
    Start-service msExchangeIMAP4
    
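Added verification example, not part of the original walkthrough: after running the commands above, this script confirms in the Exchange Management Shell on EXCAS01 that both services are set to Automatic and are running, and reports the logon type each protocol accepts. Get-PopSettings and Get-ImapSettings are Exchange 2007 cmdlets; the comparison against SecureLogin is the added check, and PowerShell 2.0 is assumed.

```powershell
# Added example (not from the original walkthrough). Run in the Exchange Management Shell
# on EXCAS01 after Procedure W08-DWHE.57. Assumes PowerShell 2.0.

function Test-ClientAccessService {
    param([string]$Name)
    $svc = Get-Service -Name $Name
    # Get-Service does not expose the startup type; Win32_Service does (Auto/Manual/Disabled).
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    $ok  = ($svc.Status -eq 'Running') -and ($wmi.StartMode -eq 'Auto')
    Write-Host ("{0,-16} Status={1,-8} StartMode={2,-8} OK={3}" -f $Name, $svc.Status, $wmi.StartMode, $ok)
    return $ok
}

$allOk = $true
foreach ($name in 'MSExchangePOP3', 'MSExchangeIMAP4') {
    if (-not (Test-ClientAccessService $name)) { $allOk = $false }
}
Write-Host "POP3/IMAP4 startup configured correctly: $allOk"

# Enabling POP3/IMAP4 exposes protocols that can carry passwords in clear text, so also
# report how each service accepts logons. The Exchange 2007 default is SecureLogin (the
# client must negotiate TLS before credentials are accepted); PlainTextLogin would allow
# passwords to cross the network unencrypted.
foreach ($settings in (Get-PopSettings), (Get-ImapSettings)) {
    $settings | Select-Object LoginType, X509CertificateName, UnencryptedOrTLSBindings, SSLBindings
    if ("$($settings.LoginType)" -ne 'SecureLogin') {
        Write-Host "WARNING: LoginType is $($settings.LoginType); credentials may be sent without TLS"
    }
}
```

X509CertificateName must match the name in the certificate that POP3/IMAP4 present for TLS; if it still shows the server's self-signed certificate, external clients will see trust warnings just as they do for the default Web site.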

Configure Forms-based Authentication, External URL, and UPN Logon for OWA

Use the following procedure to configure forms-based authentication, external URL, and UPN logon for Outlook Web Access (OWA).

Procedure W08-DWHE.58: To configure forms-based authentication, external URL, and UPN logon for OWA

  1. To make a record of your current OWA virtual directory settings, run the following command from the Exchange Management Shell on EXCAS01:

    Get-OwaVirtualDirectory -identity 'EXCAS01\owa (Default Web Site)' | fl | Out-File -filePath 'C:\owa_DefWS_Settings.txt'
    
  2. To configure forms-based authentication, external URL, and UPN, type the following command:

    Set-OwaVirtualDirectory -identity "owa (Default Web Site)" -FormsAuthentication:$True -LogonFormat:PrincipalName -ExternalURL 'https://webmail.consolidatedmessenger.com'
    
  3. To reset IIS, run the following command:

    IISRESET /noforce
    
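Added verification example, not part of the original walkthrough: after the IIS reset, this function reads the OWA virtual directory back and checks the three settings the procedure changed, plus the point that matters for credentials, that the external URL is HTTPS and carries the name the certificate will be issued to. It then diffs the live settings against the snapshot file from step 1. PowerShell 2.0 is assumed; the identity and host name are the ones used in this walkthrough.

```powershell
# Added example (not from the original walkthrough). Run in the Exchange Management Shell
# on EXCAS01 after Procedure W08-DWHE.58. Assumes PowerShell 2.0.

function Test-OwaVirtualDirectory {
    param([string]$Identity = 'EXCAS01\owa (Default Web Site)',
          [string]$ExpectedHost = 'webmail.consolidatedmessenger.com')

    $owa = Get-OwaVirtualDirectory -Identity $Identity
    $problems = @()

    if (-not $owa.FormsAuthentication) { $problems += 'forms-based authentication is disabled' }
    if ("$($owa.LogonFormat)" -ne 'PrincipalName') {
        $problems += "LogonFormat is $($owa.LogonFormat), expected PrincipalName (UPN logon)"
    }

    if ($owa.ExternalUrl -eq $null) {
        $problems += 'ExternalUrl is not set'
    } else {
        $url = [System.Uri]$owa.ExternalUrl
        # The logon form posts the user's password to this URL, so it must be HTTPS and must
        # match the common name of the certificate that will be bound to the Default Web Site.
        if ($url.Scheme -ne 'https')     { $problems += "ExternalUrl uses $($url.Scheme), expected https" }
        if ($url.Host -ne $ExpectedHost) { $problems += "ExternalUrl host is $($url.Host), expected $ExpectedHost" }
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: $Identity uses forms-based UPN logon at $($owa.ExternalUrl)"
    } else {
        $problems | ForEach-Object { Write-Host "PROBLEM: $_" }
    }
    return ($problems.Count -eq 0)
}

Test-OwaVirtualDirectory

# Show exactly which properties changed relative to the snapshot taken in step 1.
$before = Get-Content 'C:\owa_DefWS_Settings.txt'
$after  = Get-OwaVirtualDirectory -Identity 'EXCAS01\owa (Default Web Site)' | Format-List | Out-String -Stream
Compare-Object $before $after | Where-Object { $_.InputObject.Trim() -ne '' }
```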

Enable Outlook Anywhere (RPC over HTTPS)

Use the following procedure to enable Outlook Anywhere (RPC over HTTPS).

Procedure W08-DWHE.59: To enable Outlook Anywhere (RPC over HTTPS)

  1. Open the Exchange Management Console on EXCAS01, expand Server Configuration, and then click Client Access.

  2. In the Actions pane, click Enable Outlook Anywhere to open the wizard.

  3. In External Host Name, enter the publicly resolvable FQDN you will use for Outlook Anywhere. In this reference architecture, the host name is: webmail.consolidatedmessenger.com.

  4. Select Basic authentication, and then follow instructions to complete the wizard.

Create an External DNS Zone

In this procedure you create the ConsolidatedMessenger.com DNS zone. This zone will hold the publicly resolvable DNS records for Outlook Anywhere, Outlook Web Access, and other customer-facing Exchange Web Services sites.

Procedure W08-DWHE.60: To create the ConsolidatedMessenger.com zone

  1. Log on to DNS01 as the local Administrator.

  2. Run the DNS MMC and create a forward lookup zone called ConsolidatedMessenger.com.

Procedure W08-DWHE.61: To create the webmail DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named webmail for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the default Web site on EXCAS01 that contains the /owa virtual directory.

    Note:
    Depending on the unique characteristics of your deployment, the external IP address you typed could potentially be the IP address of an Internet-facing firewall or load balancer, which will be used to publish this Web site to the Internet. It is beyond the scope of this deployment walkthrough to prescribe firewall and load balancing configuration.

Configure SSL Security for the Default Web Site

Although the default Web site on the Exchange 2007 Client Access Server is automatically configured with a default, self-signed certificate, this certificate is not supported for Outlook Anywhere, and is not trusted by your external (Internet-based) Microsoft Office Outlook 2007 client computers. In the following procedure, you will unbind the default self-signed certificate, and replace it with an SSL certificate from a trusted third-party Certificate Authority (CA). For the purposes of this reference architecture, the common name for this certificate should be webmail.consolidatedmessenger.com.

Procedure W08-DWHE.62: To unbind the default self-signed certificate from the default Web site

  1. Open the Internet Information Services (IIS) Manager on EXCAS01.

  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

  3. Remove the https binding.

Procedure W08-DWHE.63: To request and import an SSL certificate for the Default Web Site

  • You must request, install, and bind an SSL certificate from a public Certificate Authority (CA) for the Default Web Site on the CAS server in order for external (Internet-based) customers to securely connect to Outlook Web Access and/or Outlook Anywhere. For more information about how to install an SSL certificate, see the article How to Setup SSL on IIS7 on the Microsoft Internet Information Services (IIS) Web site.

    For the purposes of this reference architecture, the common name for this certificate should be webmail.consolidatedmessenger.com.

Procedure W08-DWHE.64: Change the bindings for the Default Web Site

  1. Open the Internet Information Services (IIS) Manager on EXCAS01.

  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

  3. Set the bindings to ensure you have two bindings with the following information:

     Type     Port     IP Address
     http     80       (IP address of EXCAS01)
     https    443      (IP address of EXCAS01)

    Note:
    For the https binding, you need to select an SSL certificate. For this deployment, use the SSL certificate issued to webmail.consolidatedmessenger.com.
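
Added verification example, not part of the original walkthrough: once the https binding is in place, this script connects to port 443 the way an external Outlook client would, inspects the certificate the site actually presents, and reports whether it is still the self-signed default, whether its common name is webmail.consolidatedmessenger.com, and whether it chains to a root trusted on the machine running the check. The final Get-ExchangeCertificate line is the Exchange-side cross-check of which certificate has the IIS service assigned. PowerShell 2.0 is assumed; run it from a host that resolves the external name, which is where the trust question matters.

```powershell
# Added example (not from the original walkthrough). Assumes PowerShell 2.0. Run from a host
# that resolves webmail.consolidatedmessenger.com to the published address of EXCAS01.

function Test-SslEndpoint {
    param([string]$HostName, [int]$Port = 443, [string]$ExpectedCn)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents during the handshake so the certificate can be
    # inspected; the trust decision is made explicitly below with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    $findings = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedCn) { $findings += "subject CN is '$cn', expected '$ExpectedCn'" }
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'certificate is self-signed (the default CAS certificate is still bound)' }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "certificate expired on $($cert.NotAfter)" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build to a trusted root on this machine: $status"
    }

    if ($findings.Count -eq 0) {
        Write-Host "OK: ${HostName}:$Port presents '$cn', trusted, valid until $($cert.NotAfter)"
    } else {
        $findings | ForEach-Object { Write-Host "PROBLEM: $_" }
    }
    return ($findings.Count -eq 0)
}

Test-SslEndpoint -HostName 'webmail.consolidatedmessenger.com' -ExpectedCn 'webmail.consolidatedmessenger.com'

# Exchange-side cross-check (Exchange Management Shell on EXCAS01): which certificate
# currently has the IIS service enabled, and whether it is self-signed.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter
```

A self-signed or wrong-name result here is exactly what an Outlook Anywhere client would reject, so fix the binding before testing from Outlook.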

Configure AutoDiscover Functionality

We recommend that you host the AutoDiscover service on a separate site from the one that hosts your e-mail traffic. In addition, an AutoDiscover Redirection Web site will need to be set up and configured. To allow external access to the Autodiscover service for Outlook 2007 clients from the Internet, we recommend that you follow these steps in order.

Add New Unique IP addresses for the Autodiscover and the Autodiscover Redirection Web Sites and Configure DNS Entries for Both

Because there will be two new unique Web sites, one for Autodiscover and one for the Autodiscover Redirection, the EXCAS01 server will need an additional two unique IP addresses. Make sure to take note of which IP address will be used for the Autodiscover Web site and which one will be used for the Autodiscover Redirection Web site.

Procedure W08-DWHE.65: To assign two new unique IP addresses to the EXCAS01 server

  1. Log on to EXCAS01 as a member of the Domain Administrators group.

  2. Use the Network Connections console to add two unused and unique IP addresses to the EXCAS01 server.

Procedure W08-DWHE.66: To create the autodiscover DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named autodiscover for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the Autodiscover Web site that you added to the EXCAS01 server in the previous procedure.

Procedure W08-DWHE.67: To create the autodiscoverredirect DNS record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named autodiscoverredirect for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the Autodiscover Redirection Web site that you added to the EXCAS01 server in the previous procedure.

Set Up and Configure a New Web Site for AutoDiscover Redirection

In order to use AutoDiscover features with hosted e-mail domains, you must set up and configure a site that will function as a redirector to the main Exchange AutoDiscover Web site. For each hosted e-mail domain that you offer, an alias (CNAME) will be set up in DNS to refer AutoDiscover lookups to this AutoDiscover Redirection Web site. This AutoDiscover Redirection Web site will redirect users to the main Exchange AutoDiscover Web site, which will then provide the correct information to Outlook 2007 clients.

Procedure W08-DWHE.68: To create a new Web site for AutoDiscover Redirection

  1. Log on to EXCAS01 as a member of the Domain Administrators group, and then run the Internet Information Services (IIS) Manager.

  2. Right-click the Sites node, and then select Add Web Site.

  3. Follow the on-screen instructions to create a new Web site for AutoDiscover Redirection. Use the following settings:

    • Set the site name to AutoDiscoverRedirect.
    • Create a new folder AutoDiscoverRedirect for the Web Site Home Directory.
    • Select a new IP address for the Autodiscover Redirection Web site. Accept the default Port of 80.

Procedure W08-DWHE.69: To create an AutoDiscover virtual directory inside the AutoDiscover Redirection Site

  1. In Internet Information Services (IIS) Manager, right-click the AutoDiscoverRedirect Web site, and then select Add Virtual Directory.

  2. Follow the on-screen instructions to create the AutoDiscover virtual directory. Use the following settings:

    • Enter AutoDiscover for the alias.
    • When setting the directory, browse to the AutoDiscoverRedirect folder that you created in the previous procedure, and then create a new folder AutoDiscover.

Procedure W08-DWHE.70: To configure the AutoDiscover Virtual Directory for redirection

  1. In Internet Information Services (IIS) Manager, expand the AutoDiscoverRedirect Web site, and then select the AutoDiscover virtual directory.

  2. In the center pane, below IIS, double-click HTTP Redirect. Select Redirect requests to this destination.

  3. In the Redirect to field, type https://autodiscover.consolidatedmessenger.com/autodiscover/autodiscover.xml.

  4. Do NOT select either of the check boxes in the Redirect Behavior section; both must remain cleared.

  5. Apply the settings.

Set Up and Configure a New Web Site for the AutoDiscover Service

In the following procedures, we will set up and configure a new Web site specifically for the AutoDiscover service. We recommend hosting the AutoDiscover service on a separate site from the one that hosts your e-mail traffic. To host the AutoDiscover service on a separate site, follow these steps:

Procedure W08-DWHE.71: To create a new Web site for the AutoDiscover service

  1. Log on to EXCAS01 as a member of the Domain Administrators group, and then run the Internet Information Services (IIS) Manager.

  2. Right-click the Sites node, and then select Add Web Site.

  3. Follow the on-screen instructions to create a new Web site for the AutoDiscover service. Use the following settings:

    • Set the site name to AutoDiscover.
    • Create a new folder AutoDiscover for the Web Site Home Directory.
    • Select a new IP address for the Autodiscover Web site. Accept the default Port of 80.
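
Added example, not part of the original walkthrough: the same result as Procedures W08-DWHE.68 through 71 produced with appcmd.exe, the IIS 7 command-line tool, so the configuration is repeatable and reviewable instead of clicked through IIS Manager. The folder locations under C:\inetpub and the two IP addresses are assumptions; substitute the addresses assigned in Procedure W08-DWHE.65. The exactDestination and childOnly attributes correspond to the two check boxes in the Redirect Behavior section and are left false, as the procedure requires.

```powershell
# Added example (not from the original walkthrough). Run as an administrator on EXCAS01.
# Paths and IP addresses below are placeholders for this walkthrough.
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"
$root       = 'C:\inetpub'        # assumed parent folder for the two new sites
$redirectIp = '203.0.113.12'      # placeholder: IP reserved for the AutoDiscover Redirection site
$autodIp    = '203.0.113.11'      # placeholder: IP reserved for the AutoDiscover site
$target     = 'https://autodiscover.consolidatedmessenger.com/autodiscover/autodiscover.xml'

# Home directories; the redirect site also gets the AutoDiscover sub-folder for its virtual directory.
foreach ($dir in "$root\AutoDiscoverRedirect", "$root\AutoDiscoverRedirect\AutoDiscover", "$root\AutoDiscover") {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Procedure 68: redirection site bound to its own IP on port 80, no host header, so every
# hosted domain's autodiscover CNAME lands here.
& $appcmd add site /name:AutoDiscoverRedirect /physicalPath:"$root\AutoDiscoverRedirect" /bindings:"http/${redirectIp}:80:"

# Procedure 69: the /AutoDiscover virtual directory inside that site's root application.
& $appcmd add vdir /app.name:"AutoDiscoverRedirect/" /path:/AutoDiscover /physicalPath:"$root\AutoDiscoverRedirect\AutoDiscover"

# Procedure 70: HTTP Redirect on the virtual directory. Both Redirect Behavior options stay
# false, so any request under /AutoDiscover is answered with a 302 to the HTTPS endpoint
# and no credentials are ever requested on this clear-text site.
& $appcmd set config "AutoDiscoverRedirect/AutoDiscover" /section:httpRedirect /enabled:true /destination:$target /exactDestination:false /childOnly:false

# Procedure 71: the site that will host the Exchange Autodiscover virtual directory, which
# the following procedure creates with New-AutodiscoverVirtualDirectory -Websitename AutoDiscover.
& $appcmd add site /name:AutoDiscover /physicalPath:"$root\AutoDiscover" /bindings:"http/${autodIp}:80:"

# Review what was created.
& $appcmd list site
& $appcmd list config "AutoDiscoverRedirect/AutoDiscover" /section:httpRedirect
```

The AutoDiscover site still needs its https binding and certificate (Procedure W08-DWHE.74) before external clients can use it.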

Procedure W08-DWHE.72: To use the Exchange Management Shell to configure a new Web site for the AutoDiscover service

  1. Log on to EXCAS01 as Fabrikam\Administrator. Open the Exchange Management Shell.

  2. To make a record of your current AutoDiscover virtual directory settings, run the following command:

    Get-AutodiscoverVirtualDirectory | fl | Out-File -filePath 'C:\Autodiscover_DefWS_Settings.txt'
    
  3. Remove the old AutoDiscover virtual directory by executing the following command in the Exchange Management Shell:

    Remove-AutodiscoverVirtualDirectory -identity 'EXCAS01\Autodiscover (Default Web Site)'
    
  4. Add the new AutoDiscover virtual directory by executing the following command in the Exchange Management Shell:

    New-AutodiscoverVirtualDirectory -Websitename AutoDiscover -BasicAuthentication:$True -WindowsAuthentication:$True -ExternalURL 'https://autodiscover.consolidatedmessenger.com'
    

Procedure W08-DWHE.73: To configure the Exchange Services for the Autodiscover Service

  1. On EXCAS01, open the Exchange Management Shell.

  2. Configure the external URL for Unified Messaging for the Autodiscover service by executing the following command in the Exchange Management Shell:

    Set-UMVirtualDirectory -identity 'EXCAS01\UnifiedMessaging (Default Web Site)' -externalurl https://webmail.consolidatedmessenger.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True
    
  3. Configure the external URL for Exchange Web Services for the Autodiscover service by executing the following command in the Exchange Management Shell:

    Set-WebServicesVirtualDirectory -identity 'EXCAS01\EWS (Default Web Site)' -externalurl https://webmail.consolidatedmessenger.com/EWS/Exchange.asmx -BasicAuthentication:$True
    

Procedure W08-DWHE.74: To request and import an SSL certificate for the AutoDiscover Web Site

  • You must request, install, and bind an SSL certificate for the AutoDiscover Web site to enable external (Internet-based) users to automatically configure their Microsoft Office Outlook 2007 settings. For more information about how to install an SSL certificate, see the article How to Setup SSL on IIS7 on the Microsoft Internet Information Services (IIS) Web site.

    For the purposes of this reference architecture, the common name for this certificate should be autodiscover.consolidatedmessenger.com.
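
Added verification example, not part of the original walkthrough: with the redirection site, the AutoDiscover site and its certificate in place, this script walks the redirect chain exactly as an Outlook 2007 client would start it, from http://autodiscover.<hosted domain>/autodiscover/autodiscover.xml, one hop at a time. It checks that the first answer is a 302 to the HTTPS AutoDiscover site, that no hop over plain HTTP asks for credentials, and that the HTTPS endpoint challenges for authentication. PowerShell 2.0 is assumed, the hosted domain is a placeholder, and the machine running it must resolve the hosted domain's autodiscover CNAME.

```powershell
# Added example (not from the original walkthrough). Assumes PowerShell 2.0 and name
# resolution for the hosted domain's autodiscover record (CNAME to
# autodiscoverredirect.consolidatedmessenger.com).

function Get-RedirectChain {
    param([string]$StartUrl, [int]$MaxHops = 5)
    $hops = @()
    $url = $StartUrl
    for ($i = 0; ($i -lt $MaxHops) -and $url; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.AllowAutoRedirect = $false      # inspect every hop instead of following silently
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 401/403/404 arrive as exceptions with the response attached. An untrusted
            # certificate on the HTTPS hop arrives as an exception with no response at all.
            $resp = $_.Exception.Response
            if ($resp -eq $null) { throw }
        }
        $hop = New-Object PSObject -Property @{
            Url          = $url
            Status       = [int]$resp.StatusCode
            Location     = $resp.Headers['Location']
            Authenticate = $resp.Headers['WWW-Authenticate']
        }
        $resp.Close()
        $hops += $hop
        $url = $null
        if ($hop.Status -ge 300 -and $hop.Status -lt 400) { $url = $hop.Location }
    }
    return ,$hops
}

function Test-AutodiscoverRedirect {
    param([string]$HostedDomain,
          [string]$ExpectedTargetHost = 'autodiscover.consolidatedmessenger.com')

    $chain = Get-RedirectChain "http://autodiscover.$HostedDomain/autodiscover/autodiscover.xml"
    $chain | Format-Table Status, Url, Location -AutoSize
    $ok = $true

    # A 401 on a clear-text hop would invite the client to send a password over HTTP;
    # only the HTTPS AutoDiscover site may demand authentication.
    foreach ($hop in $chain) {
        if ((([System.Uri]$hop.Url).Scheme -eq 'http') -and ($hop.Status -eq 401)) {
            Write-Host "PROBLEM: $($hop.Url) challenges for credentials over HTTP"; $ok = $false
        }
    }

    $first = $chain[0]
    if (($first.Status -ne 302) -or -not $first.Location) {
        Write-Host "PROBLEM: redirector returned $($first.Status) instead of a 302 redirect"; $ok = $false
    } else {
        $dest = [System.Uri]$first.Location
        if (($dest.Scheme -ne 'https') -or ($dest.Host -ne $ExpectedTargetHost)) {
            Write-Host "PROBLEM: redirect target is $($first.Location), expected https://$ExpectedTargetHost/..."; $ok = $false
        }
    }

    $last = $chain[$chain.Count - 1]
    if ((([System.Uri]$last.Url).Scheme -eq 'https') -and ($last.Status -eq 401) -and $last.Authenticate) {
        Write-Host "OK: $($last.Url) challenged over HTTPS ($($last.Authenticate))"
    }
    return $ok
}

Test-AutodiscoverRedirect -HostedDomain 'hosted-tenant.example'
```

Run it from outside the corporate network as well as inside; the HTTPS hop only succeeds when the certificate issued to autodiscover.consolidatedmessenger.com chains to a root the client trusts, which is the same condition Outlook applies.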

(Optional) Configure SRV records to enable Outlook 2007 to locate the Exchange Autodiscover service

A new feature released in a rollup package for Office Outlook 2007 enables it to query DNS for a Service Location (SRV) record in order to locate the Exchange AutoDiscover service. This feature is described in KB Article 940881. The rollup package is described in KB article 939184, Description of the update rollup for Outlook 2007: June 27, 2007.

This allows you to use SRV records instead of AutoDiscover redirection. However, the limitation is that some customers may have their domains registered with DNS hosting providers that do not support SRV records. Also, only users who have the KB939184 rollup package will be able to take advantage of this feature.
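
Added example, not part of the original walkthrough: all of the DNS work described on this page, the consolidatedmessenger.com zone with its webmail, autodiscover and autodiscoverredirect host records (Procedures W08-DWHE.60, 61, 66 and 67), the per-hosted-domain CNAME that points autodiscover.<hosted domain> at the redirection site, and the optional SRV record from KB 940881, done with dnscmd.exe on DNS01 rather than the DNS MMC. The IP addresses and the hosted domain are placeholders, and it assumes the hosted domain's zone is also served by DNS01; a customer whose zone is elsewhere creates the equivalent CNAME or SRV record with their own provider.

```powershell
# Added example (not from the original walkthrough). Run on DNS01 as an administrator.
# dnscmd.exe ships with the Windows Server 2008 DNS Server role.
$dnsServer  = 'DNS01'
$zone       = 'consolidatedmessenger.com'
$webmailIp  = '203.0.113.10'   # placeholder: published IP of the Default Web Site on EXCAS01
$autodIp    = '203.0.113.11'   # placeholder: IP added for the AutoDiscover site
$redirectIp = '203.0.113.12'   # placeholder: IP added for the AutoDiscover Redirection site

# Procedure 60: the public forward lookup zone.
dnscmd $dnsServer /ZoneAdd $zone /Primary /file "$zone.dns"

# Procedures 61, 66 and 67: one host (A) record per published site.
dnscmd $dnsServer /RecordAdd $zone webmail              A $webmailIp
dnscmd $dnsServer /RecordAdd $zone autodiscover         A $autodIp
dnscmd $dnsServer /RecordAdd $zone autodiscoverredirect A $redirectIp

# Per hosted e-mail domain: an alias that sends Outlook's autodiscover.<domain> lookup
# to the redirection site, which answers with a 302 to the HTTPS AutoDiscover site.
$hostedZone = 'hosted-tenant.example'   # placeholder hosted domain, assumed to be served here
dnscmd $dnsServer /RecordAdd $hostedZone autodiscover CNAME "autodiscoverredirect.$zone."

# Optional alternative for clients with the KB939184 rollup (KB 940881): an SRV record that
# names the HTTPS AutoDiscover endpoint directly. Priority 0, weight 0, port 443.
dnscmd $dnsServer /RecordAdd $hostedZone _autodiscover._tcp SRV 0 0 443 "autodiscover.$zone."

# Verify the answers the server now gives.
nslookup "webmail.$zone" $dnsServer
nslookup "autodiscover.$hostedZone" $dnsServer
nslookup -type=SRV "_autodiscover._tcp.$hostedZone" $dnsServer
```

The SRV target must be a host name whose certificate the client will trust, which is why it points at autodiscover.consolidatedmessenger.com and not at the clear-text redirection site.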