Tuesday, September 16, 2008

Exchange 2007 Certificate Install with Autodiscover

Generate the CSR

New-ExchangeCertificate -GenerateRequest -Path c:\SANCERT.txt -SubjectName "c=US, l=City, s=Washington, o=company, cn=mail.company.com" -DomainName www.mail.company.com, autodiscover.company.com, mailarchive.company.com -PrivateKeyExportable:$true

This creates a CSR text file that you send to the third-party certificate issuer.

EXAMPLE (yes it is fake):

-----BEGIN CERTIFICATE-----
[foipeEFOPifPEFOIEIOFpOPEFb+Rkgso
z38mcr83UL88DtthcLPYY+BXkfmNv+sb4j1jfDiCO5wsHlL/s2pHhKIl485D31V/
e1VIQELus5tRACV1njH5JoLt6QnDXmZvwRBYJSUr+4vIx1ETDF80QsSvUm5CgruA
xofSeWcz4kxNiin9qWNWSZbC5L8D45+RebXOlr5dzp4Eye5lzAdx1eVAnLKTOm7n
Gli866BFG98yKjgNgX6kQWPgsZN0Oz7UmmkPMuhwuTBRBrya8/D55lC+vMHHkTnZ
1dTlipPYgkgxUXaPF3veQulaA88z1JKO/D7FykCc5tUBAIN7HfI=
-----END CERTIFICATE-----

Once they send it back to you, proceed to the next step.
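As an added example (not from the original post), the same request built from variables so that the CN is listed explicitly among the SAN entries, followed by a decode of the request file with certutil before it goes to the issuer. The names and path are the post's sample values; it assumes certutil is available on the Exchange server.

```powershell
# Added example, not from the original post.  Names and path are the post's sample values.
$cn      = 'mail.company.com'
$sans    = @($cn, 'www.mail.company.com', 'autodiscover.company.com', 'mailarchive.company.com')
$subject = "c=US, l=City, s=Washington, o=company, cn=$cn"
$csrPath = 'C:\SANCERT.txt'

# The CN is repeated in -DomainName on purpose (assumption: the safest way to be sure it
# lands in the SAN extension, which is what clients match the hostname against).
New-ExchangeCertificate -GenerateRequest -Path $csrPath -SubjectName $subject `
    -DomainName $sans -PrivateKeyExportable:$true

# certutil -dump decodes the base64 PKCS#10 request and lists its subject and SAN entries.
$dump = certutil -dump $csrPath | Out-String
foreach ($name in $sans) {
    if ($dump -match [regex]::Escape($name)) {
        Write-Host "SAN present : $name"
    } else {
        Write-Warning "SAN missing : $name  (fix the request before sending it to the issuer)"
    }
}
```

Checking the decoded request before submission is cheaper than discovering a missing name after the certificate has been paid for and issued.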


Checking Certificate Properties

There are two things we need. First, verify that the certificate has a valid private key. Double-click the certificate; the General tab states whether you have a private key that corresponds to the certificate:

The next piece of information that you’ll need is the thumbprint:

Importing the Certificate into Exchange

Import-ExchangeCertificate -Path C:\PATH_TO_ISSUED_CERTIFICATE.cer

This imports the certificate file returned by the issuer into Exchange (replace the placeholder with the path to the .cer file you received) and makes it available for use.
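The two properties checked in the GUI above (private key and thumbprint), plus expiry and chain, can be read from the local machine store after the import. This is an added example, not from the original post; the thumbprint is the post's sample value and must be replaced with the one shown by Get-ExchangeCertificate.

```powershell
# Added example, not from the original post.  Thumbprint is the post's sample value.
$thumbprint = 'C45DD764DE2F36CD907FJSND7682970F1358'   # replace with the real thumbprint

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# 1. Private key: without it Enable-ExchangeCertificate has nothing to bind to the services.
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has NO matching private key' }

# 2. Validity window and remaining lifetime.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
Write-Host ("Subject   : {0}" -f $cert.Subject)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Host ("Expires   : {0} ({1} days left)" -f $cert.NotAfter, $daysLeft)
if ($daysLeft -lt 30) { Write-Warning 'Certificate expires within 30 days' }

# 3. Subject Alternative Names actually issued (compare with what was requested).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($sanExt) { Write-Host 'SANs:'; Write-Host $sanExt.Format($true) }
else { Write-Warning 'No SAN extension present; only the CN will match a hostname' }

# 4. Chain build: if an intermediate CA certificate is missing on this server,
#    clients will see a trust warning even though the certificate itself is fine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: {0}" -f $_.StatusInformation.Trim()) }
}
```

Run it in the Exchange Management Shell on the server that holds the certificate; the Cert: drive is the same store the certificate MMC snap-in shows.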

 

Enable the Certificate

Enable-ExchangeCertificate -Thumbprint C45DD764DE2F36CD907FJSND7682970F1358 -Services "POP, IMAP, IIS, SMTP"

Confirm.
Overwrite existing default SMTP certificate,
'E38LKJS5766237D887DN7SJBF66192CF018801' (expires 9/7/2009 5:59:59 PM), with
certificate 'C45DD764DE2F36CD907FJSND7682970F1358' (expires 1/23/2009
4:59:59 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a

 

Confirm the Configuration

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
C45DD764DE2F36CD907FJSND7682970F1358  IP.WS      CN=mail.company.com,...

 

I, P, W, S stand for the four services you enabled above: IMAP, POP, Web (IIS), SMTP. The dot is the slot for Unified Messaging (U), which was not enabled here.

The certificate is now available for the messaging protocols and IIS.


Configure For Use With Autodiscover

**NOTE**

Wherever you see “Get-ClientAccessServer | Set-ClientAccessServer” you are getting all CAS servers and setting this on all of them. If this is not what you want, run Get-ClientAccessServer on its own and set it only on the servers you want with “Set-ClientAccessServer -Identity SERVER”.

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl https://mail.company.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl https://mail.company.com/oab
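The per-server form from the NOTE above, applied to every Client Access server in a loop, and then a check that each hostname in the resulting internal URLs is actually on the certificate enabled for IIS. This is an added example, not from the original post; the hostname and thumbprint are the post's sample values.

```powershell
# Added example, not from the original post.  Hostname and thumbprint are the post's sample values.
$hostName   = 'mail.company.com'
$thumbprint = 'C45DD764DE2F36CD907FJSND7682970F1358'   # replace with the real thumbprint

# Set the internal URLs server by server (equivalent to the piped form, but explicit).
foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name
    Set-ClientAccessServer -Identity $server `
        -AutodiscoverServiceInternalUri "https://$hostName/autodiscover/autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
        -InternalUrl "https://$hostName/ews/exchange.asmx"
    Set-OABVirtualDirectory -Identity "$server\oab (Default Web Site)" `
        -InternalUrl "https://$hostName/oab"
}

# Every hostname Outlook will be told to connect to, from the directory objects themselves.
$urls = @()
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })
$urls += (Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl })
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# Names the certificate covers: the CN plus every DNS entry in the SAN extension.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
$certNames = @()
if ($cert.Subject -match 'CN=([^,]+)') { $certNames += $matches[1].Trim().ToLower() }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($sanExt) {
    $certNames += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

# A hostname that is not on the certificate means a certificate warning in Outlook.
foreach ($h in $hosts) {
    if ($certNames -contains $h) { Write-Host "OK       $h is on the certificate" }
    else { Write-Warning "MISMATCH $h is not on the certificate" }
}
```

The comparison is the reason the SAN list in the CSR matters: every name that ends up in an Autodiscover, EWS or OAB URL has to be one the certificate was issued for.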

 

Get the Certificate in Use

Right click MSExchangeAutodiscoverAppPool in IIS, and then click 'Recycle'

 

Verify

Load up a web browser and browse to OWA. Use the browser to check the certificate (usually a lock icon in the lower corner of the window). Verify that OWA works and that Autodiscover works in Outlook. To test Outlook, hold Ctrl and right-click the Outlook icon in the system tray (lower right-hand corner) and choose Test E-mail AutoConfiguration.
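A scripted version of "look at the lock in the browser", added here as an example that is not part of the original post: it connects to each published URL over HTTPS, captures the certificate the server presents, and reports subject, thumbprint, expiry and whether the hostname is covered. The URLs are the post's sample names; an authentication challenge (401) from Autodiscover is expected and does not stop the check.

```powershell
# Added example, not from the original post.  URLs are the post's sample names.
$urls = @(
    'https://mail.company.com/owa/',
    'https://mail.company.com/autodiscover/autodiscover.xml',
    'https://autodiscover.company.com/autodiscover/autodiscover.xml'
)

foreach ($url in $urls) {
    $hostName = ([Uri]$url).Host.ToLower()
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    try { $req.GetResponse().Close() }
    catch [System.Net.WebException] {
        # A 401 still completes the TLS handshake, so the certificate is captured.
        # No Response at all means the connection failed, typically an untrusted chain.
        if (-not $_.Exception.Response) { Write-Warning "$url : $($_.Exception.Message)"; continue }
    }
    $raw = $req.ServicePoint.Certificate
    if (-not $raw) { Write-Warning "$url : no certificate captured"; continue }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($raw)

    # Names the presented certificate covers: CN plus SAN DNS entries.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim().ToLower() }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($sanExt) {
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
    }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    $nameOk   = $names -contains $hostName
    Write-Host ("{0}`n  presented : {1}`n  thumbprint: {2}`n  expires   : {3} ({4} days)`n  name match: {5}" -f `
        $url, $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft, $nameOk)
    if (-not $nameOk) { Write-Warning "$hostName is not on the presented certificate" }
}
```

If the thumbprint reported here differs from the one you enabled, the Autodiscover application pool has not picked up the new certificate yet; recycle it as described above and run the check again.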

To configure the external URLs (for Outlook Anywhere and clients outside the network), use the following command templates:

Enable-OutlookAnywhere -Server CASSERVER -ExternalHostname "mail.domain.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Set-OABVirtualDirectory -Identity "CASSERVER\OAB (Default Web Site)" -ExternalUrl https://mail.domain.com/OAB -RequireSSL:$true

Set-UMVirtualDirectory -Identity "CASSERVER\UnifiedMessaging (Default Web Site)" -ExternalUrl https://mail.domain.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True

Set-WebServicesVirtualDirectory -Identity "CASSERVER\EWS (Default Web Site)" -ExternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$True
