Monday, December 27, 2010

Configure the Client Access Servers




You must now configure the Microsoft Exchange Server 2007 Client Access Server that hosts the following services:
Microsoft Outlook Web Access (OWA), Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), and the RPC over HTTP protocols.
You must enable specific services, such as POP3 and IMAP4 service. You must also configure the following features to support OWA:
  • Forms-based Authentication
  • User Principal Name logon
  • Secure Sockets Layer (SSL) for the default Web site
Tasks
  1. Configure POP and IMAP Services to Start Automatically
  2. Configure Forms-based Authentication and UPN Logon for Outlook Web Access (OWA)
  3. Enable Outlook Anywhere (RPC over HTTP)
  4. Configure Exchange AutoDiscover Functionality
  5. Add New Unique IP Addresses for the Autodiscover and the Autodiscover Redirection Web Sites and Configure DNS Entries for Both
  6. Set Up and Configure a New Web Site for AutoDiscover Redirection
  7. Set Up and Configure a New Web Site for the AutoDiscover Service
Prerequisites
  • Domain Administrator credentials
Configure POP and IMAP Services to Start Automatically
Use the Exchange Management Shell to configure the POP3 and IMAP4 service startup behavior.
Procedure : To configure POP and IMAP services to start automatically
  1. Log on to CAS as a member of the Domain Administrators group.
  2. Open the Exchange Management Shell.
  3. Type the following commands:
     Set-Service msExchangePOP3 -StartupType Automatic
     Set-Service msExchangeIMAP4 -StartupType Automatic
     Start-Service msExchangePOP3
     Start-Service msExchangeIMAP4
Note
If you do not plan to offer POP3 or IMAP, you must turn these off.
Configure Forms-based Authentication and UPN Logon for Outlook Web Access (OWA)
Use the following procedure to configure forms-based authentication and UPN logon.
Procedure: To configure forms-based authentication and UPN logon for OWA
  • In the Exchange Management Shell, type the following command:
Set-owavirtualdirectory -identity "owa (default Web site)" -FormsAuthentication:1 -LogonFormat PrincipalName
Note
If you are notified to issue an IISReset, please do so.
Enable Outlook Anywhere (RPC over HTTP)
Client Access servers can provide Outlook Anywhere access to clients that are running Microsoft Office Outlook 2007, or RPC over HTTP access to clients that are running Outlook 2003. Before you can enable Outlook Anywhere, you must verify that the Microsoft Windows RPC over HTTP Proxy network component has been installed on the Client Access Server.
Procedure: To verify that the Windows RPC over HTTP Proxy network component is installed
  1. On CAS, on the Windows Control Panel, run Add/Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Highlight Networking Services, and then click Details.
  4. Ensure that RPC over HTTP Proxy is selected.
  5. Click OK twice.
Procedure: To enable Outlook Anywhere and RPC over HTTP
  1. On CAS, open the Exchange Management Console.
  2. In the console tree, expand Server Configuration, and then click Client Access.
  3. In the Actions pane (on the right-hand side), click Enable Outlook Anywhere.
  4. The Enable Outlook Anywhere wizard will open.
  5. In the External Host Name, enter webmail.domain.com.
  6. Select Basic authentication.
  7. When the wizard completes, review the results, and then click Finish.
Configure Exchange AutoDiscover Functionality
We recommend that you host the AutoDiscover service on a different site from the one that hosts your e-mail traffic. In addition, an AutoDiscover Redirection Web site must be set up and configured. To allow external access to the Autodiscover service for Outlook 2007 clients from the Internet, we recommend that you follow these steps in order.
Add New Unique IP Addresses for the Autodiscover and the Autodiscover Redirection Web Sites and Configure DNS Entries for Both
Since there will be two new unique Web sites, one for Autodiscover and one for the Autodiscover Redirection, the CAS machine will need an additional two unique IP addresses. Make sure to take note of which IP address will be used for the Autodiscover Web site and which one will be used for the Autodiscover Redirection Web site.
Procedure : To assign two new unique IP addresses to the CAS machine
  1. On CAS, click Start, click Control Panel, and then click Network Connections. Right-click the proper network adapter for the public-facing interface, and then click Properties.
  2. Click the Internet Protocol (TCP/IP) item, and then click Properties.
  3. Click Advanced.
  4. In the IP addresses section, click Add.
  5. In the TCP/IP Address dialog box, enter an unused and unique IP address and the proper subnet mask for your network, and then click Add.
  6. Repeat step 5, adding a new unused and unique IP address.
  7. Click OK twice, and then click Close.
Procedure: To create the autodiscover DNS record
  1. Log on to the external DNS01 as the Local Administrator.
  2. Click Start, click All Programs, click Administrative Tools, and then click DNS.
  3. Expand DNS01.
  4. Expand Forward Lookup Zones, right-click the Domain.com zone, and then select New Host (A).
  5. In the Name box, type autodiscover.
  6. Under IP address, type the external interface (static) IP address for the Autodiscover Web site that you added to the CAS machine in the previous procedure.
  7. Click Add Host, and then verify that the new host record is successfully created.
  8. Close the dnsmgmt management console.
Procedure: To create the autodiscoverredirect DNS record
  1. Log on to the external DNS01 as the Local Administrator.
  2. Click Start, click All Programs, click Administrative Tools, and then click DNS.
  3. Expand DNS01.
  4. Expand Forward Lookup Zones, right-click the Domain.com zone, and then select New Host (A).
  5. In the Name box, type autodiscoverredirect.
  6. Under IP address, type the external interface (static) IP address for the Autodiscover Redirection Web site that you added to the CAS machine in the previous procedure.
  7. Click Add Host, and then verify that the new host record is successfully created.
  8. Close the dnsmgmt management console.
Set Up and Configure a New Web Site for AutoDiscover Redirection
In order to utilize AutoDiscover features with hosted e-mail domains, you must set up and configure a site that will function as a redirector to the main Exchange AutoDiscover Web site. For each hosted e-mail domain that you offer, an alias (CNAME) will be setup in DNS to refer AutoDiscover capabilities to this AutoDiscover Redirection Web site. This AutoDiscover Redirection Web site will redirect the users to the main Exchange AutoDiscover Web site which will then provide the correct information to Outlook 2007 clients.
Procedure: To create a new Web site for AutoDiscover Redirection
  1. On CAS, click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the CAS node.
  3. Expand the Web Sites node.
  4. Right-click the Web Sites node, and then choose New, Web Site.
  5. In the Web Site Creation Wizard dialog box, click Next.
  6. In the Web Site Description dialog box, in the Description field, type AutoDiscoverRedirect, and then click Next.
  7. In the IP Address and Port Settings dialog box, choose the IP address for the Autodiscover Redirection Web site that you added to the CAS machine. Ensure that the default is TCP port 80 and leave the Host header field empty. When finished, click Next.
  8. In the Web Site Home Directory dialog box, click Browse.
  9. In the Browse for Folder dialog box, browse to a Local Disk, and then click Make New Folder.
  10. Name the folder AutoDiscoverRedirect, and then click OK.
  11. The Web Site Home Directory dialog box will now show a populated path. Click Next.
  12. In the Web Site Access Permissions dialog box, click Next.
  13. Click Finish to close the Web Site Creation Wizard.
Procedure: To create the AutoDiscover virtual directory for the new Web site for AutoDiscover Redirection
  1. While still in Internet Information Services (IIS) Manager, right-click the AutoDiscoverRedirect Web site, and then select New, Virtual Directory.
  2. On the Virtual Directory Creation Wizard, click Next.
  3. On the Virtual Directory Alias page, enter AutoDiscover for the alias, and then click Next.
  4. On Web Site Content Directory, click Browse.
  5. In the Browse for Folder dialog box, browse to the AutoDiscoverRedirect folder that you created in the previous procedure and select it. Click Make New Folder. Name the new folder AutoDiscover, and then click OK.
  6. The Web Site Content Directory dialog box will now show a populated path. Click Next.
  7. On the Virtual Directory Site Access Permissions dialog box, click Next.
  8. Click Finish to close the Virtual Directory Creation Wizard.
  9. Close Internet Information Services (IIS) Manager.
Procedure: To create the AutoDiscover.xml file for the new Web site for AutoDiscover Redirection
  1. Click Start, click All Programs, click Accessories, and then click Notepad.
  2. Click the File menu, and then choose Save As.
  3. In the Save in drop-down box, navigate to the AutoDiscoverRedirect directory that you created earlier. Double-click the Autodiscover subdirectory to select it.
  4. In the File name field, type AutoDiscover.xml.
  5. Change the Save as type selection to All Files.
  6. Click Save.
  7. Close Notepad.
Procedure: To configure the AutoDiscover.xml file for redirection
  1. Click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the CAS node.
  3. Expand the Web Sites node.
  4. Expand the AutoDiscoverRedirect Web site.
  5. Expand the AutoDiscover virtual directory.
  6. Click the AutoDiscover virtual directory.
  7. Right-click the AutoDiscover.xml file, and then choose Properties.
  8. On the File tab, choose the A redirection to a URL option.
  9. In the Redirect to field, type https://autodiscover.Domain.com/autodiscover/autodiscover.xml.
  10. Do NOT select the "The exact URL entered above" and "A permanent redirection for this resource" check boxes. They should both be unselected and not enabled.
  11. Click OK.
  12. Close Internet Information Services (IIS) Manager.
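A check for the redirection configured above, as an added example that is not part of the original procedure: it requests the XML file over plain HTTP without following the redirect and confirms that IIS answers with a temporary redirect to the HTTPS AutoDiscover URL. The function name is hypothetical, the host names are the page's Domain.com placeholders, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original procedure. Requires PowerShell 2.0 or later.
# Host names are the page's Domain.com placeholders; the function name is hypothetical.
function Test-AutodiscoverRedirect {
    param(
        [string]$RedirectHost = 'autodiscoverredirect.Domain.com',
        [string]$ExpectedUrl  = 'https://autodiscover.Domain.com/autodiscover/autodiscover.xml'
    )

    $probeUrl = "http://$RedirectHost/autodiscover/autodiscover.xml"
    $request  = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($probeUrl)
    $request.Method            = 'GET'
    $request.AllowAutoRedirect = $false   # examine the redirect instead of following it
    $request.Timeout           = 10000    # milliseconds

    $response = $request.GetResponse()    # 4xx/5xx answers raise a WebException
    try {
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
    } finally {
        $response.Close()
    }

    $problems = @()
    if ($status -ne 302) {
        # The procedure leaves "A permanent redirection" unselected, so 302 is expected.
        $problems += "Expected a temporary redirect (302), got $status."
    }
    if (-not $location) {
        $problems += 'No Location header was returned.'
    } else {
        $target   = New-Object System.Uri($location, [System.UriKind]::RelativeOrAbsolute)
        $expected = New-Object System.Uri($ExpectedUrl)
        if (-not $target.IsAbsoluteUri) {
            $problems += "Redirect target is not an absolute URL: $location"
        } else {
            # The first hop is unauthenticated HTTP, so the target must be HTTPS
            # on the expected AutoDiscover host and path.
            if ($target.Scheme -ne 'https') {
                $problems += "Redirect target is not HTTPS: $location"
            }
            if ($target.Host -ne $expected.Host) {
                $problems += "Redirect host '$($target.Host)' is not '$($expected.Host)'."
            }
            if ($target.AbsolutePath -ne $expected.AbsolutePath) {
                $problems += "Redirect path '$($target.AbsolutePath)' is not '$($expected.AbsolutePath)'."
            }
        }
    }

    New-Object PSObject -Property @{
        ProbeUrl = $probeUrl
        Status   = $status
        Location = $location
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-AutodiscoverRedirect | Format-List
```

Run it from a machine outside the hosting network, and pass -RedirectHost with the autodiscover alias of a hosted e-mail domain to test the CNAME path that Outlook 2007 clients use.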
Set Up and Configure a New Web Site for the AutoDiscover Service
In the following procedures, you will set up and configure a new Web site specifically for the AutoDiscover service. We recommend hosting the AutoDiscover service on a different site from the one that hosts your e-mail traffic. To host the AutoDiscover service on a separate site on the same computer as other hosted Exchange features, follow these steps.
Procedure : To create a new Web site for the AutoDiscover service
  1. On CAS, click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the CAS node.
  3. Expand the Web Sites node.
  4. Right-click the Web Sites node, and then choose New, Web Site.
  5. In the Web Site Creation Wizard dialog box, click Next.
  6. In the Web Site Description dialog box, in the Description field, type AutoDiscover, and then click Next.
  7. In the IP Address and Port Settings dialog box, choose the IP address for the AutoDiscover Web site that you added to the CAS machine. Ensure that the default is TCP port 80 and leave the Host header field empty. When finished, click Next.
  8. In the Web Site Home Directory dialog box, click Browse.
  9. In the Browse for Folder dialog box, browse to a Local Disk, and then click Make New Folder.
  10. Name the folder AutoDiscover, and then click OK.
  11. The Web Site Home Directory dialog box will now show a populated path. Click Next.
  12. In the Web Site Access Permissions dialog box, click Next.
  13. Click Finish to close the Web Site Creation Wizard.
  14. Close Internet Information Services (IIS) Manager.
Procedure : To use the Exchange Management Shell to configure a new Web site for the AutoDiscover service
  1. Log on to CAS as a member of the Domain Administrators group.
  2. On CAS, click Start, click All Programs, click Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  3. Add the new AutoDiscover Web site by executing the following command in the Exchange Management Shell:
New-AutodiscoverVirtualDirectory -Websitename AutoDiscover -BasicAuthentication:$True -WindowsAuthentication:$True
  4. Remove the old AutoDiscover virtual directory by executing the following command in the Exchange Management Shell:
Remove-AutodiscoverVirtualDirectory -identity "CAS\Autodiscover (Default Web Site)"
Note
You will be prompted for confirmation to remove this Autodiscover Virtual Directory. Choose "Y" when prompted.
  5. To view your current AutoDiscover virtual directory settings for confirmation, you may execute Get-AutodiscoverVirtualDirectory in the Exchange Management Shell at any time.
  6. Close the Exchange Management Shell.
Procedure : To configure the Exchange Services for the Autodiscover Service
  1. On CAS, click Start, click All Programs, click Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  2. Configure the external URL for the offline address book for the Autodiscover service by executing the following command in the Exchange Management Shell:
Set-OABVirtualDirectory -identity "CAS\OAB (Default Web Site)" -externalurl https://webmail.Domain.com/OAB -RequireSSL:$true
  3. Configure the external URL for Unified Messaging for the Autodiscover service by executing the following command in the Exchange Management Shell:
Set-UMVirtualDirectory -identity "CAS\UnifiedMessaging (Default Web Site)" -externalurl https://webmail.Domain.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True
  4. Configure the external URL for Exchange Web Services for the Autodiscover service:
Set-WebServicesVirtualDirectory -identity "CAS\EWS (Default Web Site)" -externalurl https://webmail.Domain.com/EWS/Exchange.asmx -BasicAuthentication:$True
  5. Close the Exchange Management Shell.
Procedure : To request and import an SSL certificate for the Default Web Site
  1. On CAS, click Start, click All Programs, click Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  2. Create a certificate request file by executing the following command in the Exchange Management Shell:
New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=Fabrikam,o=Fabrikam Corporation,cn=webmail.domain.com" -domainname CAS,CAS.fabrikam.com,fabrikam.com,Domain.com, webmail.Domain.com,mail.Domain.com,smtp.Domain.com -path c:\CAS_certreq.txt
  3. Use the resulting CAS_certreq.txt file to request a certificate either from an online Certificate Authority or the Certificate Authority that you have deployed in your environment.
  4. If you are using the Microsoft Certificate Authority that you have deployed in your environment, you should do the following:
    1. Connect to the Certificate Server Web site using Internet Explorer at http://PKIRoot/certsrv/.
    2. Click the Request a certificate link.
    3. Click the advanced certificate request link.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. In the Saved Request text box, copy and paste the entire contents of the CAS_certreq.txt file.
    6. Choose Web Server for the Certificate Template.
    7. Click the Submit button.
    8. Click the Download certificate link and save your certificate on the C: drive.
  5. Once you have your certificate, import the certificate by executing the following command in the Exchange Management Shell (substituting your actual path and file name for <certificate path>):
Import-ExchangeCertificate -path <certificate path>.cer -friendlyname "Fabrikam CAS"
Note
In the output from the Import-ExchangeCertificate cmdlet, you will notice a Thumbprint for your new certificate. You will need this value in the next step.
  6. Assign the certificate to IIS, POP3, and IMAP4 by executing the following command in the Exchange Management Shell (substituting your actual certificate thumbprint for <thumbprint>):
Enable-ExchangeCertificate -thumbprint <thumbprint> -services "IIS,POP,IMAP"
  7. Close the Exchange Management Shell.
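To confirm the result of the import and assignment steps above, the following added example (not part of the original procedure) reads the certificate back and reports anything that would cause client certificate warnings or leave a service without it. The <thumbprint> value is a placeholder, and the list of required names is an assumption drawn from the external names in the -domainname list of the request.

```powershell
# Added example; run in the Exchange Management Shell on CAS.
# <thumbprint> stands for the value reported by Import-ExchangeCertificate.
$thumbprint = '<thumbprint>'

# Assumption: the external names clients connect to, taken from the
# -domainname list in the certificate request above.
$requiredNames = 'webmail.Domain.com', 'mail.Domain.com', 'smtp.Domain.com'
$requiredSvcs  = 'IIS', 'POP', 'IMAP'

$cert     = Get-ExchangeCertificate -Thumbprint $thumbprint
$names    = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$services = $cert.Services.ToString()    # for example "IMAP, POP, IIS"

$problems = @()

# Every name a client uses must be on the certificate.
foreach ($name in $requiredNames) {
    if ($names -notcontains $name) {
        $problems += "Name not on certificate: $name"
    }
}

# Enable-ExchangeCertificate should have assigned all three services.
foreach ($svc in $requiredSvcs) {
    if ($services -notmatch "\b$svc\b") {
        $problems += "Certificate not enabled for service: $svc"
    }
}

# Without the private key the services cannot use the certificate.
if (-not $cert.HasPrivateKey) {
    $problems += 'Certificate has no private key on this server.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($cert.NotAfter)."
}
# A self-signed certificate is not trusted by external clients.
if ($cert.IsSelfSigned) {
    $problems += 'Certificate is self-signed, not issued by a Certificate Authority.'
}

if ($problems.Count -eq 0) {
    "Certificate $thumbprint passed all checks."
} else {
    $problems
}
```

The autodiscover.Domain.com name is not checked here because the page issues a separate certificate for the AutoDiscover Web site.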
For the following procedure, you will need to have obtained an SSL certificate for autodiscover.Domain.com from a Trusted Root Authority prior to accomplishing this procedure. If you utilize a private Trusted Root Authority to generate this certificate, then the certificate chain must be downloaded and trusted by any Outlook clients.
Procedure: To request and import an SSL certificate for the AutoDiscover Web Site
  1. On EXCASUM01, click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the CAS node.
  3. Expand the Web Sites node.
  4. Right-click Autodiscover, and then choose Properties.
  5. Click the Directory Security tab.
  6. Click Server Certificate.
  7. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
  8. If you are using the Microsoft Certificate Authority that you have deployed in your environment, you should do the following:
    • On the Server Certificate page, click the Create a new certificate option, and then click Next.
    • On the Delayed or Immediate Request page, click the Send the request immediately to an online certification authority option and then click Next.
    • On the Name and Security Settings page, ensure the Name field says AutoDiscover, then click Next.
    • On the Organization Information page, enter Consolidated Messenger for the Organization and Hosting for the Organizational Unit and then click Next.
    • On the Your Site's Common Name page, enter autodiscover.Domain.com for the Common name and then click Next.
    • On the Geographical Information page, enter your appropriate Country/Region, State/province, and City/locality information and then click Next.
    • On the SSL Port page, accept the default of 443 and then click Next.
    • On the Choose a Certification Authority page, click Next.
    • On the Certificate Request Submission page, click Next.
    • Click Finish.
  9. If you have received a certificate from an online certification authority instead of the Microsoft Certificate Authority, use the IIS Certificate Wizard to import that certificate file and bind it to the Autodiscover Web site. The IIS Certificate Wizard is invoked by clicking the Server Certificate button on the Web site properties page.
  10. On the AutoDiscover Properties dialog box, click OK.
  11. Close the Internet Information Services (IIS) Manager.
Procedure : Verify the SSL binding for the AutoDiscover Web Site
  1. In Internet Information Services (IIS) Manager, expand the Web Sites node.
  2. Right-click the AutoDiscover virtual directory and then select Properties.
  3. On the Web Site tab, click Advanced.
  4. On the Advanced Web Site Identification page, in the Multiple SSL identities for this Web site section, verify that the correct IP address for the Autodiscover Web site is currently bound to port 443. If necessary, edit the IP address assignment in order to assign the correct IP address.
