Exchange

From Edgar BV Wiki
Jump to navigation Jump to search

Remote access to Outlook Web Access via Apache

You need to have mod_headers and all the mod_proxy things enabled. Also SSL needs to be enabled and a certificate needs to be generated. If you've changed your hostname this can be done using:

make-ssl-cert generate-default-snakeoil --force-overwrite

Then in apache you need to create a new virtualhost:

<VirtualHost remote.mydomain.com:443>
        ServerAdmin webmaster@localhost
        ServerName remote.mydomain.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

RewriteEngine On
RewriteRule ^/$ /owa [R,L]
RequestHeader set Front-End-Https "On"
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://mydomain-ad.local/
ProxyPassReverse / https://mydomain-ad.local/
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>

Autodiscover

Autodiscover is important.

You need to make sure you have an SRV record set in your DNS.

From Setting up autodiscover for SBS 2011


If you are using Exchange 2007 or Exchange 2010 (SBS or non-SBS) and are using a single-name certificate, this article is for you.
When you migrate to SBS 2008 or SBS 2011 and you already have a domain name, you don’t need to use the built-in domain registration wizard that is included in the SBS setup process.
This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but something that Microsoft does when they set up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover will work properly for external client auto-configuration. This is because you are using a single-name cert, which isn’t what Exchange 2007/2010 was designed to use. If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it would be a good idea to create an Autodiscover SRV record to make it easier for Outlook 2007/2010 clients to autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS) and ActiveSync.
The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:
1. Get rid of any CNAME or A records for “autodiscover”, and any wildcard “*” records in the public DNS zone. This is a critical step, so don’t just drift past it.
2. Build the SRV record to look like this:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.smallbizco.net
Weight and priority should normally both be set to zero.
Why do you need to do this for Autodiscover to work? Well when you feed an Outlook client an email address, it tries to autoconfigure itself, and it does this by trying to contact a series of hosts as follows:
- https://domainname.com/autodiscover/autodiscover.xml
- https://autodiscover.domainname.com/autodiscover/autodiscover.xml
- http://autodiscover.domainname.com/autodiscover/autodiscover.xml
After failing these steps, it will look for an SRV record, and if you haven’t created one, there won’t be one. We’ll come back to this point shortly.
Because your certificate is tied to a single name: remote.domainname.com, any https connection to the autodiscover URL will fail. If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server.
An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature that was added in Outlook 2007 SP1 that allows it to look for an SRV record and use the SRV record to find the “real” autodiscover host. In this case, the SRV record is pointing to remote.smallbizco.net, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed.
Got it? Great!
BTW, if you have a single-name cert on a non-SBS Exchange 2007 or Exchange 2010 server, you still want to use an SRV record as described above, but there will be other changes you will need to make to your environment as well, primarily resetting the URLs on most of your Exchange virtual directories so that they all point to the name that is on your certificate. This is something that the SBS wizards take care of automagically.

Testing autodiscover

To check autodiscover services you can hold down ctrl whilst right clicking on the Outlook icon in the system tray and choosing "Test E-mail configuration"


You can also check by surfing to https://mydomain-ad.local/autodiscover/autodiscover.xml and seeing if you get a response.

There is an external Microsoft test at https://www.testexchangeconnectivity.com/ where you want to turn on Ignore trust for SSL

http://olivierbony.wordpress.com/tag/activesync/