White Paper: Exchange 2007 Autodiscover Service

 

Topic Last Modified: 2011-11-28

Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures and maintains server settings for client computers that are running Microsoft Office Outlook 2007. The Autodiscover service can also configure supported mobile devices. An important function of the Autodiscover service is to provide access to Microsoft Exchange features for Outlook 2007 clients that are connected to your Microsoft Exchange messaging environment. These features include the offline address book (OAB), the Availability service, and Unified Messaging (UM). The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Microsoft Exchange features. Additionally, these Exchange features must be configured correctly to provide external access for Outlook 2007 clients. For more information about how to configure Exchange features, see "How to Configure Exchange Services for the Autodiscover Service" later in this white paper.


How the Autodiscover Service Works

When you install the Client Access server role on a computer that is running Exchange 2007, a new virtual directory named Autodiscover is created under the default Web site in Internet Information Services (IIS). This virtual directory handles Autodiscover service requests from Outlook 2007 clients and supported mobile devices in the following circumstances:

  • When a new user account is configured or updated.

  • When a user periodically checks for changes to the Exchange Web Services URLs.

  • When underlying network connection changes occur in your Exchange messaging environment.

Additionally, a new Active Directory object named the service connection point (SCP) is created when you install the Client Access server role.

The SCP object contains the authoritative list of Autodiscover service URLs for the forest. You can update the SCP object by using the Set-ClientAccessServer cmdlet. For more information about the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.

Important:
Before you save the new Active Directory object, make sure that the Authenticated Users account has Read permissions for the SCP object. If users do not have the correct permissions, they will be unable to search for and read items.

For more information about SCP objects, see Publishing with Service Connection Points.

The following figure illustrates how a client connects to a Client Access server the first time from inside the Exchange messaging organization.

The Autodiscover service process for internal access

Autodiscover functional process

For external access, the client locates the Autodiscover service on the Internet by using the primary Simple Mail Transfer Protocol (SMTP) domain address from the user's e-mail address. Depending on whether you have configured the Autodiscover service on a separate site, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. The following figure illustrates a simple topology with a client connecting from the Internet.

The Autodiscover service process for external access

Autodiscover service connection from the Internet

When the client connects to the Active Directory directory service, the client looks for the SCP object that was created during Setup. In deployments that include multiple Client Access servers, an Autodiscover SCP object is created for each Client Access server. The SCP object contains the ServiceBindingInfo attribute that has the fully qualified domain name (FQDN) of the Client Access server in the form of https://CAS01/autodiscover/autodiscover.xml, where CAS01 is the FQDN for the Client Access server. By using the user credentials, the Outlook 2007 client authenticates to Active Directory and searches for the Autodiscover SCP objects. After the client obtains and enumerates the instances of the Autodiscover service, the client connects to the first Client Access server in the enumerated list and obtains the profile information in the form of XML data that is needed to connect to the user's mailbox and available Microsoft Exchange features.

Outlook 2007 and Autodiscover

The Autodiscover service makes it easier to configure Outlook 2007. Earlier versions of Exchange and Outlook required you to configure all user profiles manually to access Microsoft Exchange. Extra work was required to manage these profiles if changes occurred to the messaging environment. Otherwise, the Outlook clients would stop functioning correctly.

The Autodiscover service uses a user's e-mail address or domain account to automatically configure a user's profile. By using the e-mail address or domain account, the Autodiscover service provides the following information to the client:

  • The user’s display name

  • Separate connection settings for internal and external connectivity

  • The location of the user’s Mailbox server

  • The URLs for various Outlook features that govern such functionality as free/busy information, Unified Messaging, and the offline address book

  • Outlook Anywhere server settings

When a user's Microsoft Exchange information is changed, Outlook automatically reconfigures the user's profile by using the Autodiscover service. For example, if a user's mailbox is moved or the client is unable to connect to the user's mailbox or to available Exchange features, Outlook will contact the Autodiscover service and automatically update the user's profile with the information that is required to connect to the mailbox and Exchange features.

Deployment Considerations for the Autodiscover Service

For the Autodiscover service to function correctly for Outlook 2007, you must make sure that your Exchange organization meets the following requirements:

  • You must have at least one Exchange 2007 Client Access server installed in your Exchange deployment. For Exchange features such as the Availability service and Unified Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server roles installed on the Client Access server or another server.

  • The Exchange 2007 Active Directory schema must be applied to the forest where the Autodiscover service will be running.

The Autodiscover service can be deployed in different ways depending on the specific deployment needs of your Exchange 2007 organization. For example, if you are using multiple sites or multiple forests, you must configure the Autodiscover service to handle these types of Exchange deployments. Additionally, if you are not providing external access to your Exchange messaging infrastructure, there are several steps in the Autodiscover deployment process that you will not have to perform.

The following sections provide information that you must have to successfully deploy the Autodiscover service for your organization.

  • Connecting to the Autodiscover Service from the Internet

  • Using Multiple Sites for Internet Access to the Autodiscover Service

  • Configuring the Autodiscover Service to Use Site Affinity for Internal Communication

  • Configuring the Autodiscover Service for Multiple Forests

    • Configuring the Autodiscover Service in a Resource Forest Topology

    • Configuring the Autodiscover Service in a Multiple Trusted Forest Topology

  • Hosted Environments and the Autodiscover Service

For more information about the management tasks for the Autodiscover service, see "Managing the Autodiscover Service" later in this white paper.

Connecting to the Autodiscover Service from the Internet

If you are providing external access to Microsoft Exchange by using Outlook Anywhere (formerly known as RPC over HTTP), and you want the Autodiscover service to automatically configure your Outlook 2007 clients, you must install a valid Secure Sockets Layer (SSL) certificate on the Client Access server that includes both the common name (for example, mail.contoso.com) and a Subject Alternative Name for autodiscover.contoso.com. For information about how to configure your SSL certificate to use a Subject Alternative Name, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names. Additionally, you must correctly configure your Exchange services, such as the Availability service, before the Autodiscover service can provide the correct external URLs to clients.

When the client tries to connect to your Microsoft Exchange deployment, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's e-mail address. Based on whether you have configured the Autodiscover service to have a separate name from your organization's existing DNS host name, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. For example, if the user's e-mail address is monica@contoso.com, the Autodiscover service should be located at either https://contoso.com/autodiscover/autodiscover.xml or https://autodiscover.contoso.com/autodiscover/autodiscover.xml. This means that you must add a host record for the Autodiscover service to your external DNS zone.

For more information, see "How to Configure the Autodiscover Service for Internet Access" later in this white paper.

Using Multiple Sites for Internet Access to the Autodiscover Service

We recommend that you host the Autodiscover service on a separate site if you manage a Web site that is visited frequently that also hosts your e-mail traffic. The following figure illustrates an environment in which the Autodiscover service is deployed in a different Active Directory site than the Active Directory site where your Exchange servers reside.

Using multiple sites with the Autodiscover service

Multiple sites for the Autodiscover service

In the preceding figure, the Internet Security and Acceleration (ISA) Server 2006 firewall publishes two sites by using two Web listeners. The first site, autodiscover.contoso.com, provides access to the Autodiscover virtual directory on the Client Access server and is assigned to one IP address. For internal traffic on the Client Access server, configure one Web listener and publish all virtual directories on this site. The second site, mail.contoso.com, provides access to the other Exchange features and has a unique second IP address. Do not publish the Autodiscover virtual directory on this site.

For more information, see "How to Configure the Autodiscover Service for Multiple Sites" later in this white paper.

Configuring the Autodiscover Service to Use Site Affinity for Internal Communication

If you manage a large, distributed organization that has Active Directory sites that are separated by low-bandwidth network connectivity, we recommend that you use site affinity for the Autodiscover service for intranet-based traffic. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. Specifying which Active Directory sites are preferred is also known as configuring site scope.

You configure site affinity by using the Set-ClientAccessServer cmdlet. This cmdlet lets you specify the preferred Active Directory sites for connecting to the Autodiscover service on a specific Client Access server. After you configure site affinity for the Autodiscover service, the client will connect to the Autodiscover service as you specified.

The following example uses a topology that includes one forest with three sites:

  • US-contoso   A contoso site that is located in North America

  • Europe-contoso   A contoso site that is located in Europe

  • APAC-contoso   A contoso site that is located in Asia

In this example, the Autodiscover service is enabled on each site and each site includes user mailboxes. The US-contoso site is connected to the Europe-contoso site by using a high-speed connection. The US-contoso site is connected to the APAC-contoso site by using a low-speed connection. The APAC-contoso site is connected to the Europe-contoso site by using a high-speed connection.

Based on these connectivity factors, you might want to allow users in the US-contoso site to use either the US-contoso or the Europe-contoso site, users in the Europe-contoso site to use any site to access the Autodiscover service, and users in the APAC-contoso site to use the APAC-contoso or the Europe-contoso site. Finally, the Client Access servers can be reached by using a common internal namespace across all sites.

You can configure site scope for Client Access servers in the US-contoso site by setting them to prefer to use the US-contoso and Europe-contoso Active Directory sites to access the Autodiscover service. To do this, use the following command.

Set-ClientAccessServer -Identity "us-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "us-contoso","europe-contoso"

You do not have to specify the Active Directory sites to which your users should connect to access the Autodiscover service on Client Access servers in the Europe-contoso site because it connects well to other sites. The following command enables all users in the Europe-Contoso site to access any Client Access server to use the Autodiscover service.

Set-ClientAccessServer -Identity "europe-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml"

Finally, you can configure site scope for the Autodiscover service on Client Access servers in the APAC-contoso site by setting them to prefer to use the APAC-contoso and Europe-contoso sites because they connect well to these sites. To do this, use the following command.

Set-ClientAccessServer -Identity "apac-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "apac-contoso","europe-contoso"

Therefore, if a client in the US-contoso site has a mailbox located in the Europe-contoso site and tries to locate the Autodiscover service, the client can select the service instance that has site=US-contoso or site=Europe-contoso.

If you do not specify site scope for the Autodiscover service, the client might return the autodiscoverInternalUri parameter for the APAC-contoso site because of the slow connection to the US-contoso site.

Notes

If you do not configure a specific set of Active Directory sites for clients to use, Outlook 2007 will randomly select Client Access servers to use to access the Autodiscover service.

For more information about site affinity, see "How to Configure the Autodiscover Service to Use Site Affinity" later in this white paper.

Configuring the Autodiscover Service for Multiple Forests

You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest deployment scenarios are the resource forest topology and the multiple trusted forest topology. The following sections describe how the Autodiscover service is used in these two deployment scenarios.

Configuring the Autodiscover Service in a Resource Forest Topology

If you are using a resource forest topology, user accounts reside in one forest (referred to as a user account forest) and Microsoft Exchange is deployed in a separate forest (referred to as a resource forest). In this scenario, the client contacts Active Directory in the user account forest to locate the URL for the Autodiscover service. Because the service is hosted in the resource forest, you must update Active Directory in the user account forest to include the information that Active Directory requires to enable the client to access the resource forest. To do this, you must create an Autodiscover SCP pointer record in Active Directory in the user account forest. The Autodiscover SCP pointer record includes the Lightweight Directory Access Protocol (LDAP) URL of the resource forest that the client will use to locate the Autodiscover service.

To create the Autodiscover SCP pointer record in the user account forest, run the Export-AutoDiscoverConfig cmdlet from the resource forest that has the Autodiscover service against the user account forest. For more information, see "How to Configure the Autodiscover Service with Multiple Forests" later in this white paper.

Configuring the Autodiscover Service in a Multiple Trusted Forest Topology

In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access user accounts across forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests. This scenario resembles the resource forest scenario, except that the Autodiscover SCP object must be configured in all forests. To configure the Autodiscover SCP object in the multiple forest topology, run the Export-AutoDiscoverConfig cmdlet from each forest that has the Autodiscover service against each target forest where Microsoft Exchange is deployed. For more information, see "How to Configure the Autodiscover Service with Multiple Forests" later in this white paper.

Hosted Environments and the Autodiscover Service

For hosted environments, the Autodiscover service must be redirected for each hosted domain by using Internet Information Services (IIS). The following figure illustrates the Autodiscover service in a hosted environment.

The Autodiscover service in a hosted Exchange environment

Autodiscover service in a hosted environment

For each hosted e-mail domain, you should set up a site together with its corresponding DNS entries. For example, the domain named contoso.no should be called autodiscover.contoso.no, and the domain named example.contoso.se should be called autodiscover.contoso.se. In the site in the preceding figure, there is no need for any virtual directories and you do not have to set up SSL certificates.

In IIS Manager, configure redirection for each of your sites to https://mail.contoso.com/autodiscover/autodiscover.xml.

Notes

These sites should be configured only for HTTP (port 80) traffic.

When you configure redirection on these sites, you must use anonymous access and disable authenticated access. Also, make sure that you do not configure other options such as The exact URL entered above, A directory below URL entered, and A permanent redirection for this resource. Configuring redirection in this manner causes the Outlook 2007 client to receive an HTTP 302 response.

After you configure redirection, Outlook 2007 clients will try to connect to https://contoso.no/autodiscover/ and https://autodiscover.contoso.no/autodiscover/ by using an HTTP POST request. Because these sites are unavailable, Outlook will try an HTTP GET request to http://autodiscover.contoso.no/autodiscover.

Notes

No information, such as the user's e-mail address and password, is sent in this request.

Because redirection is configured on this site, IIS will return a 302 redirection response for https://mail.contoso.com/. The client will receive the response and prompt the user to accept or reject the request. The user must accept this request. After this occurs, the client will then be redirected by using an HTTPS POST request. In this example, there will be no security alert. Finally, the client will receive the necessary Autodiscover service response.

Notes

When you configure a redirector to redirect clients to a new site, as in the previous example, additional SSL certificates are not required. However, you must configure additional IIS sites.
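The lookup order and the redirect handling described in this section can be modeled as follows. This is an added example, not code from the white paper or from Outlook: the function names and the approved-host list are assumptions, and the plain-HTTP probe is written with the full /autodiscover/autodiscover.xml path. Because the answer to the HTTP GET is not protected by SSL, the target is checked before any credentials are sent in the HTTPS POST.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def candidate_endpoints(email_address):
    """Return (method, url) pairs in the order this section describes."""
    local, sep, domain = email_address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an SMTP address: %r" % email_address)
    domain = domain.lower()
    return [
        # Authenticated HTTPS POSTs come first.
        ("POST", "https://" + domain + AUTODISCOVER_PATH),
        ("POST", "https://autodiscover." + domain + AUTODISCOVER_PATH),
        # Last resort: a GET over plain HTTP that carries no e-mail
        # address and no password.
        ("GET", "http://autodiscover." + domain + AUTODISCOVER_PATH),
    ]


def check_redirect(status, location, approved_hosts=()):
    """Decide what to do with the answer to the plain-HTTP GET.

    Returns ("follow", url) when the host was approved in advance,
    ("prompt", url) when the user has to accept the target first, and
    ("reject", reason) when credentials must not be sent at all.
    approved_hosts is a hypothetical allow list (this example's policy).
    """
    if status != 302:
        return ("reject", "expected HTTP 302, got %d" % status)
    parts = urlsplit(location or "")
    try:
        port = parts.port
    except ValueError:
        return ("reject", "invalid port in redirect target")
    if parts.scheme != "https":
        return ("reject", "redirect target is not HTTPS")
    if parts.username is not None or parts.password is not None:
        return ("reject", "redirect target embeds credentials")
    host = (parts.hostname or "").lower()
    if not host or port not in (None, 443):
        return ("reject", "redirect target host or port is not acceptable")
    if parts.path.lower() != AUTODISCOVER_PATH:
        return ("reject", "redirect target is not an Autodiscover URL")
    target = "https://" + host + AUTODISCOVER_PATH
    approved = {h.lower() for h in approved_hosts}
    return ("follow" if host in approved else "prompt", target)


if __name__ == "__main__":
    # Constructed sample: a mailbox in the hosted domain contoso.no.
    for method, url in candidate_endpoints("user@contoso.no"):
        print(method, url)
    print(check_redirect(
        302, "https://mail.contoso.com/autodiscover/autodiscover.xml"))
```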

Managing the Autodiscover Service

Managing the Autodiscover service for your users includes performing tasks such as ensuring that your users will be able to use the Autodiscover service after their mailboxes are moved from one forest to another forest.

The following sections describe the common management tasks for the Autodiscover service. Depending on your deployment, some of these procedures may not have to be performed.

How to Configure the Autodiscover Service for Internet Access

If you have deployed Exchange 2007 in your messaging environment, you can let the Autodiscover service automatically configure Microsoft Office Outlook 2007 clients for Exchange features such as the Availability service, Unified Messaging, and Outlook Anywhere. If you plan to allow external access to the Autodiscover service for Outlook 2007 clients that connect from the Internet, you must configure a valid Secure Sockets Layer (SSL) certificate from a certification authority (CA) that is trusted by the client computer's operating system.

We recommend that you host the Autodiscover service on a separate site if you manage a Web site that is frequently visited and that hosts your e-mail traffic. To allow external access to the Autodiscover service for Outlook 2007 clients that are connected from the Internet, we recommend that you follow these steps in order.

Notes

You must use one IP address per site.

  1. (Optional) Configure a separate site on a Client Access server to host the Autodiscover service   You can create a separate site to host Autodiscover service traffic by using the New-AutodiscoverVirtualDirectory cmdlet. This optional step is recommended if the SMTP address domain is the same as the Web site address for your organization and your organization's Web site is frequently visited. For example, if the Web site is www.contoso.com, the e-mail SMTP domain is contoso.com, and the Web site (www.contoso.com) is frequently visited, we recommend that you create a separate site and host the Autodiscover service on autodiscover.contoso.com. For more information, see How to Create an Autodiscover Service Virtual Directory.

  2. (Required) Configure a valid SSL certificate   Configure a valid SSL certificate from a CA that the client computer trusts. If you have decided to host the Autodiscover service on a separate site, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.

  3. (Optional) Update the SCP object   If you have created an additional IIS site for the Autodiscover service, you must update the service connection point (SCP) object in Active Directory to specify to which Client Access server and Autodiscover virtual directory you want clients to connect.

  4. (Required) Configure Exchange services   The Exchange services such as the Availability service and the Offline Address Book (OAB) must be configured for settings such as the external host name and authentication settings. For more information, see "How to Configure Exchange Services for the Autodiscover Service" later in this white paper.

After you have completed these steps, you should configure the firewall for the address space and configure the SSL certificate for the Autodiscover service.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. 

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to configure a new Web site for the Autodiscover service

  1. If you have not already done this, create a new Web site for the Autodiscover service by using IIS Manager.

  2. Create a new Autodiscover virtual directory in IIS for the Autodiscover service by running the following command:

    New-AutodiscoverVirtualDirectory -Websitename <websitename> -BasicAuthentication:$true -WindowsAuthentication:$true
    

    Notes

    A Web site that uses SSL requires that you use a unique IP address.

  3. Configure a trusted third-party SSL certificate on the Autodiscover service Web site.

For more information about syntax and parameters, see New-AutodiscoverVirtualDirectory.

How to Configure the Autodiscover Service for Multiple Sites

If your Exchange deployment has two or more trusted forests, you must update Active Directory so that users who are running Microsoft Office Outlook 2007 in one forest can access the Client Access servers in the remote (or target) forest to use the Autodiscover service. To do this, run the Export-AutodiscoverConfig cmdlet in each forest that contains the Client Access servers that provide the Autodiscover service against the target forests. This will configure the Autodiscover pointer service connection point (SCP) information in Active Directory.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to configure the Autodiscover service for multiple forests

  1. On an Exchange 2007 Client Access server in the source forest, obtain the user name and password for the account that has the required permissions for the target forest by running the following command:

    $a = Get-Credential
    
  2. On an Exchange 2007 Client Access server in the source forest, run the following command:

    Export-AutoDiscoverConfig -DomainController DomainControllerName -TargetForestDomainController TargetForestDomainControllerName -TargetForestCredentials $a -MultipleExchangeDeployments $true
    

For more information about syntax and parameters, see Export-AutoDiscoverConfig.

How to Configure the Autodiscover Service to Use Site Affinity

You can use the Set-ClientAccessServer cmdlet in the Exchange Management Shell to configure the Autodiscover service to use site affinity on a computer that is running Exchange 2007 that has the Client Access Server role installed.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to configure site affinity for the Autodiscover service

  • Run the following command:

    Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://internalsitename/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "SiteName"
    

For more information about syntax and parameters, see Set-ClientAccessServer.

How to Configure the Autodiscover Service When You Use Multiple Forests

If your Exchange deployment has two or more trusted forests, you must update Active Directory so that users who are running Microsoft Office Outlook 2007 in one forest can access the Client Access servers in the remote (or target) forest to use the Autodiscover service. To do this, run the Export-AutodiscoverConfig cmdlet in each forest that contains the Client Access servers that provide the Autodiscover service against the target forests. This will configure the Autodiscover pointer service connection point (SCP) information in Active Directory.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to configure the Autodiscover service for multiple forests

  1. On an Exchange 2007 Client Access server in the source forest, obtain the username and password for the account that has the required permissions for the target forest by running the following command:

    $a = Get-Credential
    
  2. On an Exchange 2007 Client Access server in the source forest, run the following command:

    Export-AutoDiscoverConfig -DomainController DomainControllerName -TargetForestDomainController TargetForestDomainControllerName -TargetForestCredentials $a -MultipleExchangeDeployments $true
    

For more information about syntax and parameters, see Export-AutoDiscoverConfig.

How to Configure the Autodiscover Service for Cross Forest Moves

You can use the Exchange Management Shell to configure your Microsoft Exchange deployment to handle mailboxes that are moved from one forest to another for the Autodiscover service.

For a cross-forest mailbox move, the two forests must be trusted. For the Autodiscover service to handle this move, you must configure a mail contact in the original forest where the user's mailbox resided.

When you configure a mail contact, the user will authenticate to the original forest where the mailbox resided, and the user will receive a redirect that uses the new e-mail address. The client will then try to contact the Autodiscover service by using the new e-mail address against the new forest.

For example, mail1.contoso.com and mail2.contoso.com are separate, trusted forests and the mailbox for a user is kwekua@mail1.contoso.com. This user originally resided in the forest named mail1.contoso.com and was moved to the forest named mail2.contoso.com.

For this example, you have to set a contact in mail1.contoso.com by using the following command in the Exchange Management Shell.

New-MailContact -ExternalEmailAddress 'SMTP:kwekua@mail2.contoso.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'mail1.contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei'

After you configure the contact, when the user connects to mail1.contoso.com and uses the mail1.contoso.com credentials, the Outlook 2007 client sends the following request.

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.contoso.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>kwekua@mail1.contoso.com</EMailAddress>
    <AcceptableResponseSchema>http://schemas.contoso.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

The Outlook 2007 client will receive the following redirect response from mail1.contoso.com.

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.contoso.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.contoso.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Action>redirectAddr</Action>
      <RedirectAddr>kwekua@mail2.contoso.com</RedirectAddr>
    </Account>
  </Response>
</Autodiscover>

The user will then be able to connect to the Autodiscover service by using this new e-mail address in the mail2.contoso.com forest.
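The request and redirect exchange above can be exercised offline with the following sketch. It is an added example, not code from the white paper or from Outlook: the function names, the `fetch` callable that stands in for the authenticated HTTPS POST, the hop limit, and the constructed "settings" answer for mail2.contoso.com are assumptions. The namespace URIs are copied as printed on this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace URIs exactly as they are printed in this white paper.
REQUEST_NS = ("http://schemas.contoso.com/exchange/autodiscover/"
              "outlook/requestschema/2006")
RESPONSE_SCHEMA = ("http://schemas.contoso.com/exchange/autodiscover/"
                   "outlook/responseschema/2006a")
RESPONSE_NS = "http://schemas.contoso.com/exchange/autodiscover/responseschema/2006"


def build_request(email_address):
    """Build the Autodiscover request body for one SMTP address."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Autodiscover xmlns="%s"><Request>'
        "<EMailAddress>%s</EMailAddress>"
        "<AcceptableResponseSchema>%s</AcceptableResponseSchema>"
        "</Request></Autodiscover>"
    ) % (REQUEST_NS, escape(email_address), RESPONSE_SCHEMA)


def parse_response(xml_text):
    """Return (action, redirect_address or None) from a response body."""
    # A server answer never needs a DTD; refusing one avoids entity
    # expansion in the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in response")
    root = ET.fromstring(xml_text.encode("utf-8"))
    # Index elements by local name, ignoring the '{namespace}' prefix.
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in root.iter()}
    action = fields.get("Action", "")
    if action != "redirectAddr":
        return action, None
    target = fields.get("RedirectAddr", "")
    if target.count("@") != 1 or target.startswith("@") or target.endswith("@"):
        raise ValueError("redirectAddr without a usable RedirectAddr")
    return action, target


def follow_redirects(email_address, fetch, max_hops=3):
    """Follow redirectAddr answers until a forest returns something else.

    fetch(email, request_body) is a hypothetical stand-in for the HTTPS
    POST and returns the response XML as text. Returns the addresses
    tried, in order; the last one is the address that was answered.
    """
    tried = []
    current = email_address
    while True:
        if current.lower() in tried:
            raise RuntimeError("redirect loop at %s" % current)
        tried.append(current.lower())
        action, target = parse_response(fetch(current, build_request(current)))
        if action != "redirectAddr":
            return tried
        if len(tried) > max_hops:
            raise RuntimeError("more than %d redirects" % max_hops)
        current = target


def _answer(inner):
    return ('<?xml version="1.0" encoding="utf-8"?><Autodiscover xmlns="%s">'
            '<Response xmlns="%s"><Account>%s</Account></Response>'
            "</Autodiscover>") % (RESPONSE_NS, RESPONSE_SCHEMA, inner)


# The mail1 answer mirrors the redirect shown above; the mail2 answer is
# a constructed minimal body for this example.
REDIRECT_RESPONSE = _answer("<Action>redirectAddr</Action>"
                            "<RedirectAddr>kwekua@mail2.contoso.com</RedirectAddr>")
SAMPLE_RESPONSES = {
    "kwekua@mail1.contoso.com": REDIRECT_RESPONSE,
    "kwekua@mail2.contoso.com": _answer("<Action>settings</Action>"),
}


def sample_fetch(email_address, request_body):
    """Offline replacement for the POST: look the answer up by address."""
    return SAMPLE_RESPONSES[email_address.lower()]


if __name__ == "__main__":
    print(follow_redirects("kwekua@mail1.contoso.com", sample_fetch))
```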

Before You Begin

To perform the following procedure on an Exchange 2007 Client Access server, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to create a new mail contact for the Autodiscover service to handle cross-forest mailbox moves

  • Run the following command:

    New-MailContact -ExternalEmailAddress 'SMTP:kwekua@mail2.contoso.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'mail1.contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei'
    

For more information about syntax and parameters, see New-MailContact.

How to Configure Exchange Services for the Autodiscover Service

This section explains how to configure Microsoft Exchange services, such as the Availability service, for the Autodiscover service on a Microsoft Exchange 2007 computer that has the Client Access server role installed.

When you enable Outlook Anywhere, you must also configure external access to Microsoft Exchange services for the Autodiscover service. This includes the URLs for the Availability service, Exchange Web Services, Unified Messaging (UM), and the offline address book.

If you do not configure the external URL values, the Autodiscover service information provided to the Microsoft Office Outlook 2007 client may be incorrect for clients that are connecting from outside your network. They may be able to connect to their Microsoft Exchange mailbox. However, they will be unable to use Exchange features such as Out of Office functionality, the Availability service, Unified Messaging, or offline address book downloads.

Generally, the internal URL is configured by Microsoft Exchange Setup. However, the external URLs must be configured by using the virtual directory cmdlet for each component.

In this section, you will configure external host name, authentication, and encryption settings for the following Web services:

  • Outlook Anywhere

  • Offline address book

  • Unified Messaging

  • Exchange Web Services

If you performed a custom installation of Exchange 2007 and you will not be using an Exchange service such as Unified Messaging, you will not have to complete the procedure to configure the external URL for Unified Messaging for the Autodiscover service later in this section. Additionally, if you are not providing external access to your Exchange services, you can safely ignore these procedures.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. 

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Shell to configure the external host name for Outlook Anywhere for the Autodiscover service

  • Run the following command:

    Enable-OutlookAnywhere -Server CAS01 -ExternalHostname "mail.contoso.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
    

For more information about syntax and parameters, see Enable-OutlookAnywhere.

To use the Exchange Management Shell to configure the external URL for the offline address book for the Autodiscover service

  • Run the following command:

    Set-OABVirtualDirectory -identity "CAS01\OAB (Default Web Site)" -externalurl https://mail.contoso.com/OAB -RequireSSL:$true
    

For more information about syntax and parameters, see Set-OabVirtualDirectory.

To use the Exchange Management Shell to configure the external URL for Unified Messaging for the Autodiscover service

  • Run the following command:

    Set-UMVirtualDirectory -identity "CAS01\UnifiedMessaging (Default Web Site)" -externalurl https://mail.contoso.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True
    

For more information about syntax and parameters, see Set-UMVirtualDirectory.

To use the Exchange Management Shell to configure the external URL for Exchange Web Services for the Autodiscover service

  • Run the following command:

    Set-WebServicesVirtualDirectory -identity "CAS01\EWS (Default Web Site)" -externalurl https://mail.contoso.com/EWS/Exchange.asmx -BasicAuthentication:$True
    

For more information about syntax and parameters, see Set-WebServicesVirtualDirectory.
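
After you run the procedures above, you can check that every external URL is set, uses HTTPS (the commands above enable Basic authentication, which should only travel over SSL), and points at the external host name you published. The following is an added example, not part of the original white paper: Test-AutodiscoverExternalUrl is a hypothetical helper, the sample objects are constructed so that it runs without Exchange, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Hypothetical helper: grade the ExternalUrl of each virtual directory piped in.
function Test-AutodiscoverExternalUrl {
    param(
        [Parameter(ValueFromPipeline = $true)] $VirtualDirectory,
        [string]$ExpectedHost
    )
    process {
        $raw = [string]$VirtualDirectory.ExternalUrl   # cast covers a Uri, a string, or $null
        $uri = $null
        if ([string]::IsNullOrEmpty($raw)) {
            $finding = 'ExternalUrl not set'
        } elseif (-not [System.Uri]::TryCreate($raw, [System.UriKind]::Absolute, [ref]$uri)) {
            $finding = 'ExternalUrl is not an absolute URL'
        } elseif ($uri.Scheme -ne 'https') {
            $finding = 'ExternalUrl is not HTTPS'
        } elseif ($uri.Host -ne $ExpectedHost) {
            $finding = "Host is not $ExpectedHost"
        } else {
            $finding = 'OK'
        }
        New-Object PSObject -Property @{
            Name = $VirtualDirectory.Name; ExternalUrl = $raw; Finding = $finding
        } | Select-Object Name, ExternalUrl, Finding
    }
}

# Constructed sample objects standing in for cmdlet output.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'OAB (Default Web Site)'; ExternalUrl = 'https://mail.contoso.com/OAB' }),
    (New-Object PSObject -Property @{ Name = 'EWS (Default Web Site)'; ExternalUrl = 'http://mail.contoso.com/EWS/Exchange.asmx' }),
    (New-Object PSObject -Property @{ Name = 'UnifiedMessaging (Default Web Site)'; ExternalUrl = $null })
)
$sample | Test-AutodiscoverExternalUrl -ExpectedHost 'mail.contoso.com' | Format-Table -AutoSize

# On a Client Access server, pipe the real objects instead:
# Get-OabVirtualDirectory -Server CAS01 | Test-AutodiscoverExternalUrl -ExpectedHost 'mail.contoso.com'
# Get-WebServicesVirtualDirectory -Server CAS01 | Test-AutodiscoverExternalUrl -ExpectedHost 'mail.contoso.com'
# Get-UMVirtualDirectory -Server CAS01 | Test-AutodiscoverExternalUrl -ExpectedHost 'mail.contoso.com'
```

With the constructed sample, the OAB entry reports OK, the EWS entry is flagged as not HTTPS, and the Unified Messaging entry is flagged as not set.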

Autodiscover Security

If you use a separate site for the Autodiscover service together with an advanced firewall server such as ISA Server 2006, you must configure ISA Server 2006 to have two Web listeners. ISA Server Web listeners are used to indicate the IP address and port for the client to use. The first Web listener is used for the Autodiscover service and the second Web listener is used for the other Microsoft Exchange features, such as Microsoft Exchange ActiveSync and Outlook Anywhere. You can configure the SSL certificate for a single site that uses both Web listeners by using the subject alternate name property of the certificate. For more information, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.

By default, Exchange 2007 Setup offers the option to install a self-signed SSL certificate. It is best not to use self-signed certificates for external sites. We recommend that you use a certificate from a trusted certification authority. For more information about how to create and use valid SSL certificates, see the following topics:

For More Information

For more information about Exchange 2007 features, see the following resources: