Configure Outlook Anywhere to Use an SSL Certificate with Redirection
Applies to: Exchange Server 2010
Topic Last Modified: 2011-03-19
If you can't use multiple Secure Sockets Layer (SSL) certificates for your Outlook Anywhere deployment, you can set up your Outlook Anywhere deployment to use a single SSL certificate with redirection. Microsoft Office Outlook 2007 and Outlook 2010 clients that aren't joined to your domain or don't have direct access to Active Directory in your Microsoft Exchange Server 2010 forest will be redirected to another Domain Name System (DNS) address to obtain their user profile information by using the Autodiscover service.
For more information about how a single SSL certificate works with redirection in an Outlook Anywhere deployment, see Understanding Redirection for Outlook Anywhere with a Single SSL Certificate.
Looking for other tasks for managing Outlook Anywhere? Check out Managing Outlook Anywhere.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "SSL for Outlook Anywhere" and "IIS Manager" entries in the Client Access Permissions topic.
Configure a valid SSL certificate. You must obtain a valid SSL certificate from a certification authority (CA) that's trusted by the client computer's operating system. For more information, see Obtain a Server Certificate from a Certification Authority. After you obtain a valid SSL certificate, apply the certificate to the default Web site of your Client Access server. For more information, see Install an SSL Certificate on a Client Access Server.
Configure the URLs for Exchange services. You must configure the external and internal URLs for your available Exchange services to point to the default Web site, for example, mail.contoso.com. For more information about how to set the URLs for the Exchange services, see Configure Exchange Services for the Autodiscover Service.
Configure the service connection point object to use a site dedicated to handling e-mail, for example, mail.contoso.com. You can do this by running the following command:
Set-ClientAccessServer -id <CAS01> -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
Configure the IP address for the default Web site. You must set the default Web site to listen on only one IP address. After you have done this, bind any additional IP addresses to the network adapter, also known as a NIC, for the Client Access server. For more information about how to do this, see your Windows server documentation.
Create a new Web site in Internet Information Services (IIS) Manager for the Autodiscover service redirection by doing the following:
- In IIS Manager, expand your Client Access server name to select and right-click Sites, then select Add Web Site. Enter your domain name under Site name.
- Under Physical path, navigate to %SystemDrive%\inetpub\. Under inetpub, create a new folder called Autodiscover_redirect.
  Note: You must allow the Users group Read & execute access to the Web site that you create.
Create the Autodiscover redirect. Use Windows Explorer to locate the folder that you created named Autodiscover_redirect. Create a new folder named Autodiscover in the Autodiscover_redirect folder, and then use a text editor, such as Notepad, to create a new blank text file named Autodiscover.xml in the Autodiscover folder.
Configure the new Web site to redirect to the site that's dedicated to handling e-mail, for example, mail.contoso.com. In IIS Manager, right-click the Autodiscover.xml file that you created, and then click Properties. On the Properties page, select A redirection to a URL, and then enter the same URL that you used to configure the service connection point object, for example, https://mail.contoso.com/autodiscover/autodiscover.xml.
Test your results to make sure that the site that you're using to handle e-mail, for example, mail.contoso.com, can be resolved internally and externally by using your Outlook 2010 or Outlook 2007 client.
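Before testing with an Outlook client, you can inspect the redirect itself. The following PowerShell function is an added example, not part of the original topic. It assumes the redirect site answers at http://autodiscover.contoso.com (a hypothetical host name) and checks that the response is a redirect to the HTTPS URL set on the service connection point.

```powershell
# Added example (not from the original topic): inspect the Autodiscover redirect.
# Assumptions: the redirect site answers on http://autodiscover.contoso.com
# (hypothetical host name); the expected target is the URL used in the procedure.
# In the Exchange Management Shell the expected target can be read from the SCP:
#   (Get-ClientAccessServer -Identity <CAS01>).AutoDiscoverServiceInternalUri.AbsoluteUri
function Test-AutodiscoverRedirect {
    param(
        [string]$RedirectUrl    = 'http://autodiscover.contoso.com/autodiscover/autodiscover.xml',
        [string]$ExpectedTarget = 'https://mail.contoso.com/autodiscover/autodiscover.xml'
    )

    $request = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($RedirectUrl)
    $request.AllowAutoRedirect = $false   # look at the redirect, do not follow it
    $request.Method  = 'GET'
    $request.Timeout = 10000              # milliseconds

    $status = $null
    $location = $null
    try {
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    }
    catch {
        # 4xx/5xx responses surface as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $status = [int]$ex.Response.StatusCode }
    }

    # A correct setup returns a 301/302 whose Location is the HTTPS e-mail site URL.
    New-Object PSObject -Property @{
        RedirectUrl   = $RedirectUrl
        StatusCode    = $status
        Location      = $location
        IsRedirect    = (($status -eq 301) -or ($status -eq 302))
        TargetIsHttps = ($location -like 'https://*')
        TargetMatches = ($location -eq $ExpectedTarget)   # -eq ignores case for strings
    }
}

Test-AutodiscoverRedirect | Format-List
```

If TargetIsHttps or TargetMatches is False, review the redirection URL configured on the Autodiscover.xml file before testing with Outlook.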