Deployment Considerations for the Autodiscover Service
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-06-12
The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile configuration for Microsoft Office Outlook 2007 clients that are connected to your Exchange messaging environment.
For the Autodiscover service to function correctly for Outlook 2007, you must make sure that your Exchange organization meets the following requirements:
You must have at least one Exchange 2007 Client Access server installed in your Exchange deployment. For Exchange features such as the Availability service and Unified Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server roles installed on the Client Access server or another server.
The Exchange 2007 Active Directory schema must be applied to the forest where the Autodiscover service will be running.
If you are providing external access to Microsoft Exchange by using Outlook Anywhere (formerly known as RPC over HTTP), and you want your Outlook 2007 clients to be automatically configured by using the Autodiscover service, you must install a valid Secure Sockets Layer (SSL) certificate on the Client Access server that includes both the common name (for example, mail.contoso.com) and a Subject Alternative Name for autodiscover.contoso.com. For information about how to configure your SSL certificate to use a Subject Alternative Name, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names. Additionally, you must correctly configure your Exchange services, such as the Availability service, before the Autodiscover service can provide the correct external URLs to clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.
When the client tries to connect to your Microsoft Exchange deployment, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's e-mail address. Based on whether you have configured the Autodiscover service to have a separate name from your organization's existing DNS host name, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. For example, if the user's e-mail address is email@example.com, the Autodiscover service should be located at either https://contoso.com/autodiscover.xml or https://autodiscover.contoso.com/autodiscover/autodiscover.xml. This means that you must have a host record for the Autodiscover service added to your external DNS zone.
For more information, see How to Configure the Autodiscover Service for Internet Access.
We recommend hosting the Autodiscover service on a separate site if you manage a frequently visited Web site that also hosts your e-mail traffic. To host the Autodiscover service on a separate site on the same computer as other Exchange features, follow these steps:
|You must use one IP address per site.|
- (Optional) Configure a separate site on a Client Access computer to host the Autodiscover service You can create a separate site to host Autodiscover service traffic by using the New-AutodiscoverVirtualDirectory cmdlet. This optional step is recommended if the SMTP address domain is the same as the corporate Web site address and your corporate Web site is frequently visited. For example, if the company Web site is www.contoso.com, the e-mail SMTP domain is contoso.com, and the company Web site (www.contoso.com) is frequently visited, we recommend that you create a separate site and host the Autodiscover service on autodiscover.contoso.com.
- (Required) Configure a valid SSL certificate Configure a valid SSL certificate from a certification authority (CA) that the client computer trusts. If you have decided to host the Autodiscover service on a separate site, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
- (Optional) Update the SCP Object You must update the service connection point (SCP) object in the Active Directory directory service to specify to which Client Access server and Autodiscover virtual directory you want clients to connect.
For more information, see How to Configure the Autodiscover Service for Internet Access.
Figure 1 illustrates an environment in which the Autodiscover service is deployed in a different Active Directory site than the Active Directory site where your Exchange servers reside.
Figure 1 Using multiple sites with the Autodiscover service
In Figure 1, the Internet Security and Acceleration (ISA) Server 2006 firewall is publishing two sites by using two Web listeners. The first site, autodiscover.contoso.com, provides access to the Autodiscover virtual directory on the Client Access server and is assigned to one IP address. For internal traffic on the Client Access server, configure one Web listener and publish all virtual directories on this site. The second site, mail.contoso.com, provides access to the other Exchange features and has a unique second IP address. Do not publish the Autodiscover virtual directory on this site.
If you manage a large, distributed organization that has Active Directory sites that are separated by low-bandwidth network connectivity, we recommend that you use site affinity for the Autodiscover service for intranet-based traffic. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. Specifying which Active Directory sites are preferred is also known as configuring site scope.
You configure site affinity by using the Set-ClientAccessServer cmdlet. This cmdlet lets you specify the preferred Active Directory sites for connecting to the Autodiscover service on a specific Client Access server. After you configure site affinity for the Autodiscover service, the client will connect to the Autodiscover service as you specified. For information on the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.
Consider a topology that includes one forest with three sites that have the following names:
- US-contoso A contoso site that is located in North America
- Europe-contoso A contoso site that is located in Europe
- APAC-contoso A contoso site that is located in Asia
In this example, the Autodiscover service is enabled on each site and each site includes user mailboxes. The US-contoso site is connected to the Europe-contoso site by using a high-speed connection. The US-contoso site is connected to the APAC-contoso site by using a low-speed connection. The APAC-contoso site is connected to the Europe-contoso site by using a high-speed connection.
Based on these connectivity factors, you might want to allow users in the US-contoso and Europe-contoso sites to use either the US-contoso or the Europe-contoso site, users in Europe-contoso site to use any site to access the Autodiscover service, and users in the APAC-contoso site to use the APAC-contoso or the Europe-contoso site. Finally, the Client Access servers can be reached by using a common internal namespace across all sites.
You can configure site scope for Client Access servers in the US-contoso site, setting them to prefer to use the US-contoso and Europe-contoso Active Directory sites to access the Autodiscover service by using the following command.
Set-ClientAccessServer -Identity "us-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "us-contoso","europe-contoso"
You do not have to specify the Active Directory sites to which your users should connect to access the Autodiscover service on Client Access servers in the Europe-contoso site because it connects well to other sites. The following command enables all users in the Europe-Contoso site to access any Client Access server to use the Autodiscover service:
Set-ClientAccessServer -Identity "europe-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml"
Finally, you can configure site scope for the Autodiscover service on Client Access servers in the APAC-contoso site, setting them to prefer to use the APAC-contoso and Europe-contoso sites because they connect well to these sites. To do this, use the following command:
Set-ClientAccessServer -Identity "apac-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "apac-contoso","europe-contoso"
Therefore, if a client in the US-contoso site has a mailbox located in the Europe-contoso site and tries to locate the Autodiscover service, the client can select the service instance that has site=US-contoso or site=Europe-contoso.
If you do not specify site scope for the Autodiscover service, the client might return the autodiscoverInternalUri parameter for the APAC-contoso site because of the slow connection to the US-contoso site.
|If you do not configure a specific set of Active Directory sites for clients to use, Outlook 2007 will randomly select Client Access servers to use to access the Autodiscover service.|
For more information about site affinity, see How to Configure the Autodiscover Service to Use Site Affinity.
You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest deployment scenarios are the resource forest topology and the multiple trusted forest topology. The following sections describe how the Autodiscover service is used in these two deployment scenarios.
If you are using a resource forest topology, user accounts reside in one forest (referred to as a user account forest) and Microsoft Exchange is deployed in a separate forest (referred to as a resource forest). In this scenario, the client contacts Active Directory in the user account forest to locate the URL for the Autodiscover service. Because the service is hosted in the resource forest, you must update Active Directory in the user account forest to include the information that Active Directory requires to enable the client to access the resource forest. To do this, you must create an Autodiscover SCP pointer record in Active Directory in the user account forest. The Autodiscover SCP pointer record includes the Lightweight Directory Access Protocol (LDAP) URL of the resource forest that the client will use to locate the Autodiscover service.
To create the Autodiscover SCP pointer record in the user account forest, run the Export-AutoDiscoveryConfig cmdlet from the resource forest that has the Autodiscover service against the user account forest. For more information, see How to Configure the Autodiscover Service for Multiple Forests.
In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access them across forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests. This scenario resembles the resource forest scenario, except that the Autodiscover SCP object must be configured in all forests. To configure the Autodiscover SCP object in the multiple forest topology, run the Export-AutoDiscoveryConfig cmdlet from each forest that has the Autodiscover service against each target forest where Microsoft Exchange is deployed. For more information, see How to Configure the Autodiscover Service for Multiple Forests.
For hosted environments, the Autodiscover service must be redirected for each hosted domain by using Internet Information Services (IIS). Figure 2 illustrates the Autodiscover service in a hosted environment.
Figure 2 The Autodiscover service in a hosted Exchange environment
For each hosted e-mail domain, you should set up a site together with its corresponding DNS entries. For example, the domain named for example contoso.no should be called autodiscover.contoso.no, and the domain named example.contoso.se should be called autodiscover.contoso.se. In the site in Figure 2, there is no need for any virtual directories and you do not have to set up SSL certificates.
In IIS Manager, configure redirection for each of your sites to https://mail.contoso.com/autodiscover/autodiscover.xml.
|These sites should be configured only for HTTP (port 80) traffic.|
When you configure redirection on these sites, you must use anonymous access and disable authenticated access. Also, make sure that you do not configure other options such as The exact URL entered above, A directory below URL entered, and A permanent redirection for this resource. Configuring redirection in this manner ensures that the Outlook 2007 client receives an HTTP 302 response.
After you configure redirection, Outlook 2007 clients will try to connect to https://contoso.no/autodiscover/ and https://autodiscover.contoso.no/autodiscover/ by using an HTTP POST request. Because these sites are unavailable, Outlook will try an HTTP GET request to http://autodiscover.contoso.no/autodiscover.
|No information, such as the user's e-mail address and password, is sent in this request.|
Because redirection is configured on this site, IIS will return a 302 redirection response for https://mail.contoso.com/. The client will receive the response and prompt the user to accept or reject the request. The user must accept this request. After this occurs, the client will then be redirected by using an HTTPS POST request. In this example, there will be no security alert. Finally, the client will receive the necessary Autodiscover service response.
|When you configure a redirector to redirect clients to a new site, as in the previous example, additional SSL certificates are not required. However, you must configure additional IIS sites.|
If you use a separate site for the Autodiscover service together with an advanced firewall server such as ISA Server 2006, you must configure ISA Server 2006 to have two Web listeners. ISA Server Web listeners are used to indicate the IP address and port for the client to use. The first Web listener is used for the Autodiscover service and the second Web listener is used for the other Microsoft Exchange features, such as Microsoft Exchange ActiveSync and Outlook Anywhere. You can configure the SSL certificate for a single site that uses both Web listeners by using the subject alternate name property of the certificate. For more information, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
By default, Exchange 2007 Setup offers the option to install a self-signed SSL certificate. It is best not to use self-signed certificates for external sites. We recommend that you use a certificate from a trusted certification authority. For more information about how to create and use valid SSL certificates, see the following topics: