The Autodiscover service is a mechanism that can do several things.

  • Automatic Mailbox Creation
  • Redirects Outlook 2007 clients to point to the correct server in which their mailbox is located
  • Provides URLs to Web Services for Outlook 2007

When you first launch your Outlook 2007 client (Outlook 2007 required for Autodiscover access), it will search Active Directory for a Service Connection Point (SCP) record.  Every time a CAS Server is installed, it will register this SCP record within Active Directory in the following location:

CN=Autodiscover,CN=Protocols,CN=<CASServer>,CN=Servers,CN=Exchange Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services

When an Outlook 2007 client has the ability to find this record because they are domain joined and on the internal network, they will locate all SCP records and choose one at random.  If you have slow links or want to remove this randomness, Autodiscover Site Affinity can be used.  This SCP will return the AutodiscoverInternalURI FQDN in which this client should contact the Autodiscover service.  You can modify this FQDN by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://LocationOfCAS/Autodiscover/Autodiscover.xml

By default, the SCP is configured with the following URL (Uses NetBIOS instead of FQDN):

https://CASServer/Autodiscover/Autodiscover.xml

Now in the above Set-ClientAccessServer cmdlet, I specified the location as LocationOfCAS because the FQDN is largely dependent on a couple things.  You can set it to the NetBIOS as long as the certificate you request contains the NetBIOS name of the CAS.  You can set it to the FQDN of the server as long as the certificate you request contains the fQDN of the server.  You can set it to any FQDN really including your OWA URL (owa.shudnow.net perhaps) as long as that name is on the certificate.

You can use the NetBIOS name in the certificate, but you will be exposing your NetBIOS name to internet users.  Some may think this is a big deal while others don’t care too much.  Personally, and this is just a personal opinion, is who cares.  It’s not like an attacker is going to access your server by the NetBIOS name over the internet.  And if a hacker did get into your network, it’s not because you exposed the NetBIOS name.

Now if you were using ISA and internal PKI, you have the option of utilizing an internal certificate on Exchange 2007 and using a public certificate on ISA and have clients on the internet utilize the ISA certificate in which ISA will proxy the data using the internal certificate.  In this scenario, you can use NetBIOS names on your internal certificate and only the publicly accessible names on the ISA certificate.  Or if you don’t care about exposing the name of the server, you can use the same certificate on Exchange and ISA.  You would need to check with your certificate vendor if this is allowed as it may not be or you may have to pay an additional fee to utilize the same certificate on more than one server.

So an example of how this works for domain joined clients who have access to Active Directory is included on the Autodiscover Whitepaper:

 

 

 

 

 

Advertisements