7. Outlook Anywhere
As in Exchange Server 2007, Outlook Anywhere
provides users with access to their email in Outlook over the Internet.
Users who are not accessing their email from inside the domain
typically cannot use remote procedure calls (RPC) to reach their
mailbox, because RPC uses a wide range of dynamically assigned ports that
most firewalls don't allow. RPC also performs poorly in high-latency scenarios.
Therefore, the Outlook Anywhere service takes the
RPCs used by Outlook and wraps them in HTTPS. HTTPS is a commonly used
protocol across the Internet, so using HTTPS instead of bare RPC allows
users to connect to their mailbox through firewalls that only pass web
traffic. The HTTPS session is terminated at the RPC proxy server
(typically a Client Access server), and the CAS then uses standard RPCs
to access the mailbox on behalf of the user.
7.1. Enabling Outlook Anywhere
Outlook Anywhere is not enabled by default when you
install the Client Access server role. You will need to manually enable
Outlook Anywhere to take advantage of its functionality. Before you do,
ensure that the RPC over HTTP Proxy feature is installed first. If you
used the Exchange-CAS.xml or Exchange-Typical.xml
Server Manager installation package to prepare your server, this
feature was installed during that process. If not, you can use the
following command to install the RPC over HTTP Proxy feature:
ServerManagerCMD -i RPC-over-HTTP-Proxy
After the RPC over HTTP Proxy feature is installed, you can enable Outlook Anywhere in the EMC under the Server Configuration => Client Access node. You will need to select the CAS and then choose Enable Outlook Anywhere from the Actions menu.
You can also enable Outlook Anywhere with the Enable-OutlookAnywhere command in the EMS. The following example enables Outlook Anywhere on the server CAS-1 with NTLM client authentication, the external name mail.contoso.com, and SSL terminated on the CAS itself (no offloading):
Enable-OutlookAnywhere -Server CAS-1 -ClientAuthenticationMethod NTLM `
    -ExternalHostname mail.contoso.com -SSLOffloading $False
7.2. SSL Offloading
By default, Outlook Anywhere requires SSL
connections. Terminating many SSL connections from many clients can
become a performance bottleneck on the CAS. With Outlook Anywhere, you
have the option of offloading the SSL processing to another device,
such as a load balancer or reverse proxy. When you do this, the client
establishes an SSL connection with the device that you offloaded SSL to,
and the connection from that device to the CAS is unencrypted. Enabling
Outlook Anywhere with -SSLOffloading $True configures the CAS to accept
these unencrypted connections. Because the Basic or NTLM authentication
exchange and all mailbox data cross that last hop in the clear, use
offloading only when the segment between the offloading device and the
CAS is trusted as much as the CAS itself.
The default self-signed certificate created when the
Client Access server is installed will not work when Outlook clients
attempt to use Outlook Anywhere, because Outlook rejects certificates
that do not chain to a certification authority the client trusts.
Instead, you will need to issue your CAS a certificate that is trusted
by the client computers and whose name matches the external hostname
you configured.
8. The Autodiscover Service
The Autodiscover service was introduced in Exchange
Server 2007. This valuable service, which runs on Client Access
servers, provides automatic configuration of Outlook profiles for
Outlook 2007 and newer versions. This provides a way to get users up
and running in an easy manner on a new machine without using scripts,
running Custom Installation wizard installations, or relying on users
to set up their own account (which is always dangerous!). When setting
up an Outlook profile while connected to the domain, users only have to
click the Next button a few times because Outlook picks up all the
relevant information from the account the user logged in with. If not
connected to the domain, users are simply asked to enter their email
address and password. (Note that users must specify their primary
address; otherwise, Autodiscover may not work.)
Aside from the profile configuration, Autodiscover
also provides Outlook with the information needed for downloading the
offline address book, connecting to Outlook Anywhere, and even for
connecting to Exchange Web Services which, among other things, provides
calendar availability information.
Originally, Windows Mobile 6 was planned to support
Autodiscover for configuring devices for Exchange ActiveSync.
Unfortunately, this feature didn't make it into Windows Mobile 6, but
it arrived in Windows Mobile 6.1 and continues to exist in Windows
Mobile 6.5. It's interesting to note that Windows Mobile devices use
Autodiscover differently than Outlook does. While Outlook clients
continuously use Autodiscover to ensure that the client is up to date,
Windows Mobile only uses it on the initial configuration of the profile.
Autodiscover works in two ways, depending on whether
the client is on the internal LAN and a member of the forest where the
mailbox is held, or external to the LAN.
8.1. Internal Autodiscover
When a computer is joined to the Active Directory
domain and can reach a domain controller, the Autodiscover process is
different than when the computer is not connected to the domain. The
method used when Autodiscover is used on a client within the LAN is
described here and shown in Figure 4:
1. When Outlook is launched, it checks whether an Outlook profile exists. If
there is none, it fills in the user's name and email address from the
Active Directory account the user logged on with; the user is not asked for
a password, because the existing domain logon is used to authenticate.
2. Outlook then searches Active Directory for a Service Connection Point (SCP)
object for Autodiscover. An SCP is a special object that gives a computer a
mechanism for advertising an application or service that it hosts. The
location of the SCP for Autodiscover is shown in Figure 5.
SCP objects in Active Directory aren't only used for Exchange. Other
applications can use SCPs as well to publish information about the services
they provide. For Exchange, the information published in the Autodiscover
SCP gives Outlook the URL of the Autodiscover service on each Client Access
server (for example, https://<CAS FQDN>/Autodiscover/Autodiscover.xml). When
several SCPs exist, a client prefers the one whose site scope matches the
Active Directory site the client is in.
3. Outlook queries the CAS using the URL that it got from the SCP.
4. The server prepares an XML file specifically for the user.
5. Outlook downloads the Autodiscover XML file, applies the settings, and
connects the user to his or her mailbox.
8.2. External Autodiscover
If the user is outside the Active Directory forest
(for example, on a machine that is not domain joined) or on a machine
that is outside the LAN, the internal Autodiscover process is not used.
If the client cannot contact an Active Directory domain controller, it
can't read the SCP, so the Outlook client needs another way to find out
where the Autodiscover service is running. This is accomplished using
the following process, which is also shown in Figure 6.
To find a Client Access server that can provide
Autodiscover functions externally, the Outlook client will try to
connect to one of these two URLs (where the domain is somorita.com):
https://somorita.com/autodiscover/autodiscover.xml
https://autodiscover.somorita.com/autodiscover/autodiscover.xml
For more information on this process, see the following URL:
http://technet.microsoft.com/en-us/library/bb332063.aspx#OutlookAndAD
The following steps are used when Outlook uses Autodiscover to configure the Outlook profile outside the LAN:
1. Outlook prompts the user to enter his or her name, password, and email address.
2. Outlook extracts the domain name (the part after the @ sign) from the email address.
3. Outlook performs a DNS query for that namespace.
4. Outlook attempts to connect to https://domain.com/autodiscover/autodiscover.xml. If this fails, an attempt is made to connect to https://autodiscover.domain.com/autodiscover/autodiscover.xml. Both are authenticated POST requests over SSL, so the certificate presented must be trusted by the client and match the name in the URL.
5. If the previous two attempts fail, Outlook attempts to connect using an HTTP redirect: it sends an unauthenticated request over plain HTTP to http://autodiscover.domain.com/autodiscover/autodiscover.xml and, if the answer is a redirect to an https:// URL, asks the user to confirm before following it. Therefore, for the Autodiscover process to work correctly in Outlook 2007 with no service pack, one of these names must be resolvable in DNS.
6. If using Outlook 2007 SP1 or later, an additional DNS query will be performed, looking for a service locator (SRV) record (_autodiscover._tcp.domain.com) that advertises Autodiscover. If this record is found, the client uses the hostname in the record to make another connection attempt to the Autodiscover service.
7. Once the connection has been made, the process continues in the same way as for internal connections. Exchange creates a specific XML file containing the relevant details for the user, based on the credentials entered in Step 1.
8. Outlook downloads the Autodiscover XML file and uses it to build the profile.
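The lookup order above, as an added Python example that is not part of the chapter: it derives the candidate endpoints from an email address in the order Outlook tries them, applies the rule for the HTTP redirect step, and builds the request body Outlook POSTs to each https:// candidate. The address, hostnames and SRV answer are made up, and the DNS result is supplied by the caller so the code runs offline; the request schema and the SRV record name are Microsoft's published Autodiscover conventions, which the chapter does not spell out.

```python
"""Added example (not from the chapter): the endpoints an Outlook client
tries, in order, when it cannot read the Autodiscover SCP from Active
Directory, plus the request body it POSTs to them.  The email address
and hostnames are made up; DNS answers are passed in so it runs offline.
"""
from urllib.parse import urlparse
from xml.sax.saxutils import escape

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"
REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def smtp_domain(email):
    """Step 2: the namespace is everything after the '@'."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError("not a usable SMTP address: %r" % email)
    return domain.lower()


def autodiscover_candidates(email, srv_target=None, sp1_or_later=True):
    """Return (step, how, target) tuples in the order Outlook tries them.

    srv_target is the hostname returned by a lookup of
    _autodiscover._tcp.<domain> (None when no record exists); the caller
    does the DNS query, so no network access is needed here.
    """
    domain = smtp_domain(email)
    steps = [
        # Step 4: two authenticated POSTs over SSL.
        ("4", "POST", "https://%s%s" % (domain, AUTODISCOVER_PATH)),
        ("4", "POST", "https://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH)),
        # Step 5: unauthenticated GET over plain HTTP.  Only a redirect to an
        # https:// URL is accepted, and Outlook asks the user to confirm it,
        # because anyone on the path can answer a cleartext request.
        ("5", "GET", "http://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH)),
    ]
    if sp1_or_later:
        # Step 6 (Outlook 2007 SP1 and later): SRV lookup, then one more POST.
        steps.append(("6", "SRV", "_autodiscover._tcp.%s" % domain))
        if srv_target:
            steps.append(("6", "POST", "https://%s%s" % (srv_target, AUTODISCOVER_PATH)))
    return steps


def redirect_is_acceptable(location):
    """Apply the step-5 rule: follow only redirects to an https:// URL."""
    parsed = urlparse(location)
    return parsed.scheme == "https" and bool(parsed.netloc)


def autodiscover_request(email):
    """The XML body Outlook POSTs to each https:// candidate."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Autodiscover xmlns="%s">'
        "<Request>"
        "<EMailAddress>%s</EMailAddress>"
        "<AcceptableResponseSchema>%s</AcceptableResponseSchema>"
        "</Request>"
        "</Autodiscover>"
    ) % (REQUEST_NS, escape(email), RESPONSE_NS)


if __name__ == "__main__":
    # Constructed case: the SRV record exists and points at mail.somorita.com.
    for step, how, target in autodiscover_candidates("nwinters@somorita.com",
                                                     srv_target="mail.somorita.com"):
        print(step, how, target)
    print(autodiscover_request("nwinters@somorita.com"))
```

Every candidate that hands back settings is reached over SSL except the step-5 probe, which is why the client applies the https-only rule to the redirect it receives there; the names in step 4 are why the certificate on the CAS (or on the SSL offloading device) must cover both the bare domain and the autodiscover hostname if both are to work.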
8.3. The Autodiscover XML
Now that we've discussed how Autodiscover works,
let's take a look at how we can tune it. First, here's an example of
the XML that is passed to the client. The EXCH protocol section carries
the settings for a direct RPC connection, EXPR carries the Outlook
Anywhere settings, and WEB carries the Outlook Web App URLs:
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Nathan Winters</DisplayName>
      <LegacyDN>/o=OEXCH015/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=nathan_nwinters</LegacyDN>
      <DeploymentId>996755d4-d79d-4cf9-94ba-fb91ec8877f8</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXVMBX015-3.exch015.msoutlookonline.net</Server>
        <ServerDN>/o=OEXCH015/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXVMBX015-3</ServerDN>
        <ServerVersion>720082AD</ServerVersion>
        <MdbDN>/o=OEXCH015/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXVMBX015-3/cn=Microsoft Private MDB</MdbDN>
        <ASUrl>https://owa015.msoutlookonline.net/EWS/Exchange.asmx</ASUrl>
        <OOFUrl>https://owa015.msoutlookonline.net/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://owa015.msoutlookonline.net/UnifiedMessaging/Service.asmx</UMUrl>
        <OABUrl>Public Folder</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>owa015.msoutlookonline.net</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <OABUrl>Public Folder</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://owa015.msoutlookonline.net/owa</OWAUrl>
        </External>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://owa015.msoutlookonline.net/owa</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://owa015.msoutlookonline.net/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
As you can see, a fair amount of information is
included, in particular the URLs for the main services. So where does
this information come from, and how is it set?
When the CAS is installed, a virtual
directory called Autodiscover is created in the IIS default website. It
is from here that the configuration file is downloaded by the Outlook
client. To determine which URLs to include in the XML file,
Autodiscover uses the InternalURL and ExternalURL parameters of the
various virtual directories (Exchange Web Services, offline address
book, Unified Messaging, and Outlook Web App). The EXPR section comes
from the Outlook Anywhere configuration described earlier: its Server
element is the ExternalHostname you set when enabling Outlook Anywhere,
and its AuthPackage is the client authentication method you chose.
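Parsing a response like the one above, as an added Python example that is not part of the chapter. It reads the EXCH, EXPR and WEB protocol sections the way a client would, handles the error form of the response that Autodiscover returns instead of settings (which the chapter does not show), and runs the checks an administrator would want before trusting what the service hands out: every URL is https, and EXPR is served over SSL. The embedded settings XML is a constructed, shortened copy of the sample above; the error response is constructed as well.

```python
"""Added example (not from the chapter): parse an Autodiscover response of
the kind shown above and check the settings it hands the client.  The
embedded settings XML is a constructed, shortened copy of the sample; the
error response is constructed too.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "a": "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006",
    "o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a",
}

SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><DisplayName>Nathan Winters</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXVMBX015-3.exch015.msoutlookonline.net</Server>
        <ASUrl>https://owa015.msoutlookonline.net/EWS/Exchange.asmx</ASUrl>
        <OOFUrl>https://owa015.msoutlookonline.net/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>Public Folder</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>owa015.msoutlookonline.net</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External><OWAUrl AuthenticationMethod="Fba">https://owa015.msoutlookonline.net/owa</OWAUrl></External>
        <Internal><OWAUrl AuthenticationMethod="Basic, Fba">https://owa015.msoutlookonline.net/owa</OWAUrl></Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

# Constructed error response: note that <Response> stays in the outer namespace.
ERROR_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="16:12:34.0012345" Id="1234567890">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""


class AutodiscoverError(Exception):
    """Raised when the server answers with <Error> instead of settings."""


def local_name(element):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return element.tag.rsplit("}", 1)[-1]


def parse_autodiscover(xml_text):
    """Return {protocol type: {setting: value}} from a settings response."""
    root = ET.fromstring(xml_text)
    error = root.find("a:Response/a:Error", NS)
    if error is not None:
        code = error.findtext("a:ErrorCode", default="", namespaces=NS)
        message = error.findtext("a:Message", default="", namespaces=NS)
        raise AutodiscoverError("%s: %s" % (code, message))
    account = root.find("o:Response/o:Account", NS)
    if account is None:
        raise ValueError("response carries neither <Account> nor <Error>")
    protocols = {}
    for proto in account.findall("o:Protocol", NS):
        ptype = proto.findtext("o:Type", default="", namespaces=NS).strip()
        settings = {}
        for child in proto:
            name = local_name(child)
            if name in ("External", "Internal"):
                owa = child.find("o:OWAUrl", NS)
                if owa is not None:
                    settings[name + "OWAUrl"] = (owa.text or "").strip()
                    settings[name + "OWAAuth"] = owa.get("AuthenticationMethod", "")
            elif name != "Type":
                settings[name] = (child.text or "").strip()
        protocols[ptype] = settings
    return protocols


def audit(protocols):
    """Findings a practitioner would want to see before trusting the profile."""
    findings = []
    for ptype, settings in protocols.items():
        for key, value in settings.items():
            if key.endswith("Url") and value.lower().startswith(("http://", "https://")):
                if urlparse(value).scheme != "https":
                    findings.append("%s %s is not https: %s" % (ptype, key, value))
    expr = protocols.get("EXPR")
    if expr is not None:
        if expr.get("SSL", "").lower() != "on":
            findings.append("EXPR (Outlook Anywhere) is offered without SSL")
        if expr.get("AuthPackage", "").lower() == "basic":
            findings.append("EXPR uses Basic authentication: the password is protected only by the SSL tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_autodiscover(SAMPLE)):
        print(finding)
```

The OABUrl value "Public Folder" is not a URL and is deliberately left alone by the https check; the Basic finding is informational, since Basic over SSL is what the sample actually publishes, but it is the reason the certificate requirements in the Outlook Anywhere section matter.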