Tuesday, January 13, 2009

Updated: Exchange 2007 Splitting OWA and Autodiscover onto two different websites.

This post explains how I split Exchange Web services and Autodiscover into two separate websites so that I could use two separate SSL certificates ($30) instead of a $300 UCC certificate.

We have a wildcard certificate (*.foo.com) for our primary domain. Since we have a metric crapton of servers it saves us loads of money.

The exact minutiae of getting Outlook Anywhere working will be another post. Suffice it to say that A.) It has a showstopper IPv4/IPv6 bug out-of-the-box and B.) Wildcard certificates do not work with Outlook Anywhere.

Happy to have that particular learning experience behind me and $15 later we had a GoDaddy certificate for newmail.foo.com. Yeah!

Now that that was working, it was time to set up the Autodiscover service. I set a SRV record for autodiscover to point to newmail.foo.com, but the users were getting a pop-up asking for permission to connect to it. I am an anti-popup person. So I set up autodiscover.foo.com in DNS to point to the OWA webserver. Did it work?

No.

Why?

Another SSL problem with the certificate names. "autodiscover.foo.com" != "newmail.foo.com"

ARGH!

The Microsoft solution is to use a certificate with multiple "Subject Alternative Names", also known as a Unified Communications Certificate. They cost about $300. Personally I don't like spending that for a certificate. That's why we got a WILDCARD certificate you asshats!

After a healthy dose of expletives, I set out to move the autodiscover "application" to a separate website using our existing wildcard certificate.
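The name mismatch above, and why a separate Autodiscover site carrying the wildcard certificate removes it, shown as an added example (not part of the original post): a sketch of the host-name matching a TLS client applies, using constructed certificate name lists for the post's placeholder domain foo.com. It checks names only and says nothing about how Outlook Anywhere itself treats wildcard certificates.

```python
# Added example: host-name matching as TLS clients apply it (RFC 6125 style).
# All host names and certificate name lists are constructed from the post's
# placeholder domain foo.com; "single-name" and "wildcard" are labels made up here.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate DNS name (possibly a wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two fixed labels (so "*.com" never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    """True if any name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


# Constructed: names carried by each certificate.
CERTS = {
    "single-name": ["newmail.foo.com"],
    "wildcard": ["*.foo.com"],
}
# Constructed: which certificate answers for each host name.
# BEFORE: both names reach the one site holding the single-name certificate.
# AFTER: autodiscover has its own site (own IP) bound to the wildcard.
BEFORE = {"newmail.foo.com": "single-name", "autodiscover.foo.com": "single-name"}
AFTER = {"newmail.foo.com": "single-name", "autodiscover.foo.com": "wildcard"}


def mismatches(bindings):
    """Host names whose bound certificate does not cover them."""
    return sorted(h for h, c in bindings.items() if not cert_covers(CERTS[c], h))


if __name__ == "__main__":
    print("one site, one certificate:", mismatches(BEFORE))
    print("split sites:", mismatches(AFTER))
    for host in ("foo.com", "a.b.foo.com"):
        print(host, "covered by wildcard:", cert_covers(CERTS["wildcard"], host))
```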

Here is the part where that "doing it the hard way" feeling comes in. I couldn't find any commands or options to set up the /Autodiscover application under the new website.

After about 10 minutes of trying to figure out how to copy the settings over, I ...


  1. Set another IP for the new site.
  2. Popped a hole in Mr. Firewall for http and https.
  3. Opened IIS.
  4. Created the new site.
  5. Edited the bindings to use the right ssl certificate.
  6. Stopped IIS.
  7. Opened c:\windows\system32\inetsrv\config\applicationhost.cfg in notepad.
  8. Copied <sites><Application Path> information from the default site to the autodiscover site. See update note below.
  9. Copied the <locations> information from the default site to the autodiscover site.
  10. Whispered a prayer of penance to the IT gods.
  11. Started IIS.


Update 2009-03-17: I WAS doing it the hard way! There is a PowerShell command to create a new autodiscover virtual directory. It is New-AutodiscoverVirtualDirectory.

And wow, it worked! Was I ever surprised?!

Ttfn,
-ellie
