
242 Chapter 5 • Managing the Client Access Server
Outlook 2007 discovers the Availability Service URL using the AutoDiscover service. Actually,
the AutoDiscover service is to Outlook what DNS is to a Web browser, acting like a DNS Web
Service for Outlook. It is used to find various services like the Availability service, and the UM and
OAB services. It simply tells Outlook 2007 where to go to locate the various Web services required:
UM, OAB, and Availability.
You should be aware of many aspects when configuring the Availability service. I recommend
you check out the Availability Service FAQ over at the Exchange 2007 Wiki, found at
www.exchangeninjas.com/AvailabilityServiceFAQ.
Table 5.1 Free/Busy Retrieval Methods

Client | Source Mailbox | Target Mailbox | Free/Busy Retrieval
Outlook 2007 | Exchange 2007 | Exchange 2007 | The Availability service will read the free/busy info directly from the calendar in the target mailbox.
Outlook 2007 | Exchange 2007 | Exchange 2003 | The Availability service will make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox.
Outlook 2003 | Exchange 2007 | Exchange 2007 | Free/busy info will be published in source Public Folders.
Outlook 2003 | Exchange 2007 | Exchange 2003 | Free/busy info will be published in source Public Folders.
Outlook Web Access 2007 | Exchange 2007 | Exchange 2007 | OWA 2007 will call the Availability service API, which reads the free/busy info from the target mailbox.
Outlook Web Access 2007 | Exchange 2007 | Exchange 2003 | OWA 2007 will call the Availability service API, and then make an HTTP connection to the /Public virtual directory of the Exchange 2003 mailbox.
Any | Exchange 2003 | Exchange 2007 | Free/busy info is published in source Public Folders.
Client Access Servers and the SSL Certificate Dilemma
In previous versions of Exchange, you simply issued a request for an SSL certificate, and when
received, assigned this certificate to the Default Web Site in the IIS Manager. That was basically it.
Exchange 2007, however, is a different beast, especially when it comes to securing client connectivity
to the CAS using SSL certificates.
You may have noticed that a default self-signed SSL certificate is assigned to the Default
Web Site during the installation of the Exchange 2007 CAS role. If you take a closer look at this
certificate, you'll notice it contains multiple subject alternative names (Figure 5.4).
Figure 5.4 SSL Certificate with Subject Alternative DNS Names
I hear some of you grumbling, "So, what is that all about?" Well, instead of having to obtain
multiple certificates and maintain the matching configuration of multiple IP addresses, an IIS Web
site for each IP/port combination, and a certificate for each of them, you can create a single certificate
with subject alternative names that lets clients connect successfully to each host name using SSL.
You see, in order to support Outlook Anywhere, OWA, Exchange ActiveSync (EAS), and especially
the new Web-based AutoDiscover service, which requires a common name of autodiscover.domain.com,
you must use an SSL certificate containing subject alternative names.
Since the default SSL certificate is self-signed and therefore untrusted by clients by default, and
because Outlook Anywhere and Exchange ActiveSync require a trusted SSL certificate, we have to
replace it with an SSL certificate issued by a trusted third-party provider. Unfortunately, only a few
SSL certificate providers can issue an SSL certificate containing one or more subject alternative
names. To make matters worse, these providers charge something like $600 per year for such a
certificate.
NOTE
At the time of this writing, only Entrust.com, GeoTrust.com, and VeriSign offered
these types of SSL certifi cates. Hopefully this will change as more and more
organizations begin to deploy Exchange 2007.
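Before spending the money on a certificate, it helps to see exactly which names a certificate in the server's store carries and which of the host names the CAS needs are not covered. The following is an added PowerShell example, not code from the book: the thumbprint and the host names at the bottom (the CAS host name, the external URL host, and the fixed autodiscover.domain.com name) are placeholders to replace with your own.

```powershell
# Added example: report the DNS names a certificate carries (Subject CN plus
# Subject Alternative Names) and which required host names it does not cover.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # a wildcard entry such as *.domain.com covers exactly one extra label
        if ($n.StartsWith('*.') -and
            $HostName -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) {
            return $true
        }
    }
    return $false
}

function Test-CasCertificateNames([string]$Thumbprint, [string[]]$RequiredHostNames) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # OID 2.5.29.17 is the Subject Alternative Name extension; Format($true)
    # renders it one entry per line, e.g. "DNS Name=autodiscover.domain.com"
    foreach ($ext in @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }

    $missing = @($RequiredHostNames | Where-Object { -not (Test-NameCovered $_ $names) })
    $result = "" | Select-Object Thumbprint, SelfSigned, NotAfter, Names, Missing
    $result.Thumbprint = $cert.Thumbprint
    # a self-signed certificate has identical Subject and Issuer; clients that do
    # not see the AD service discovery record will not trust it
    $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)
    $result.NotAfter   = $cert.NotAfter
    $result.Names      = $names
    $result.Missing    = $missing
    $result
}

# placeholders: replace the thumbprint and host names with your own values
Test-CasCertificateNames -Thumbprint '<thumbprint>' `
    -RequiredHostNames 'cas01.domain.com', 'mail.domain.com', 'autodiscover.domain.com' |
    Format-List
```

An empty Missing list together with SelfSigned = False is what Outlook Anywhere and ActiveSync clients need to connect without warnings.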
If you don't assign an SSL certificate with additional subject alternative names, one of which
matches the host name of the Exchange 2007 CAS, internal Outlook 2007 clients will generate
certificate security warnings, since the SSL certificate won't match the name used to configure
these clients. Notice, however, that Outlook 2007 won't generate a warning if the self-signed,
untrusted default SSL certificate is left assigned to the Default Web Site. This is by design.
When the Exchange 2007 CAS role is installed, the setup wizard creates an Active Directory service
discovery record, and if the Outlook 2007 client can see that record (meaning it is on the
internal network), it ignores the trust warning. It uses the service discovery record as its basis for
trust (on the assumption that anyone who can write that record to Active Directory can be trusted
regarding the URL for the CAS), rather than checking that it trusts the issuer of the certificate. The
idea behind this is that while you are on the intranet, Exchange is secure out of the box, using SSL
and suppressing any prompts.
So why not just leave the self-signed SSL certificate on the Default Web Site? Well, because then
Outlook Anywhere and Exchange ActiveSync wouldn't work, since these two features require the
common name on the SSL certificate to match the external URL used to access the CAS, so the
certificate will be trusted by the client. In addition, OWA 2007 would generate a security warning
when a user connects to his mailbox using OWA 2007.
"Okay," you say, "fair enough, but what do I do if my organization can't afford to throw $600
towards an SSL certificate each year?" Well, in that case, the solution would be to use multiple
Web sites. Besides the Default Web Site (which you should leave in its default state with the
self-signed untrusted SSL certificate assigned), we would need two additional Web sites:
- One for Exchange ActiveSync (EAS), OWA, and Outlook Anywhere
- One for the AutoDiscover service
In order to configure this type of setup, you must do the following:
First, add two additional virtual IP addresses to the NIC on your Exchange 2007 CAS, as shown
in Figure 5.5.
Figure 5.5 Additional Virtual IP Addresses
Now assign a specific IP address to the Default Web Site, as shown in Figure 5.6.
Create two new Web sites using IIS Manager, and call them something like Clients and
AutoDiscover. When creating the Web sites, use the default settings and specify the same path as the
one confi gured in the Default Web Site (C:\InetPub\wwwroot). Make sure to also select Read and
Run Scripts (such as ASP) only.
When the Web sites have been properly created, we can create the required virtual directories
using the Exchange Management Shell. To create the OWA, Exchange ActiveSync, and AutoDiscover
virtual directories, enter the following commands, bearing in mind that the -WebSiteName value is
case sensitive:
New-OWAVirtualDirectory -OwaVersion:Exchange2007 -Name "owa" -WebSiteName "Clients"
New-ActiveSyncVirtualDirectory -WebSiteName "Clients"
New-AutodiscoverVirtualDirectory -WebSiteName AutoDiscover -BasicAuthentication:$true -WindowsAuthentication:$true
Figure 5.6 Assigning a Specific IP Address to the Default Web Site
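Because -WebSiteName is case sensitive, a mistyped site name quietly leaves a virtual directory on the wrong Web site. The following added example (not from the book) verifies in the Exchange Management Shell that each virtual directory created above exists on the intended site; the server name is a placeholder, and the Microsoft-Server-ActiveSync and Autodiscover names are the defaults the New-* cmdlets use when no -Name is given.

```powershell
# Added example: check that the OWA, ActiveSync and AutoDiscover virtual
# directories exist on the Web sites named in the procedure (case-sensitive).
function Test-CasVirtualDirectoryPlacement([string]$Server) {
    # expected virtual directory name -> Web site it should live on
    $expected = @{
        'owa'                         = 'Clients'
        'Microsoft-Server-ActiveSync' = 'Clients'
        'Autodiscover'                = 'AutoDiscover'
    }
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server) +
             @(Get-AutodiscoverVirtualDirectory -Server $Server)

    # Identity renders as "SERVER\name (Web Site Name)"; collect "name|site" pairs
    $found = @()
    foreach ($v in $vdirs) {
        if ("$($v.Identity)" -match '\\([^\\]+) \((.+)\)$') {
            $found += "$($Matches[1])|$($Matches[2])"
        }
    }

    foreach ($name in $expected.Keys) {
        $site = $expected[$name]
        $row = "" | Select-Object VirtualDirectory, WebSite, Exists
        $row.VirtualDirectory = $name
        $row.WebSite = $site
        # -ccontains compares case-sensitively, as IIS does for the site name
        $row.Exists = ($found -ccontains "$name|$site")
        $row
    }
}

# placeholder server name; every row should show Exists = True
Test-CasVirtualDirectoryPlacement -Server 'CAS01' | Format-Table -AutoSize
```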