Thursday, February 11, 2010

Publishing Autodiscover through ISA

This post is based more on personal experience than researched fact... just a heads up. It may or may not work in other environments, but the discovery process was troublesome enough that I thought it was worth sharing. The problem was that I had an ISA 2006 box publishing my Exchange 2007 access methods (OWA, RPC/HTTPS, Autodiscover, etc.), and everything was working fine except Autodiscover. The Autodiscover process would hang while trying to get its settings through the ISA server, then give up. In the ISA logs I could see that the requests to autodiscover.domain.com were being rejected because they required authorization.

Here's some additional background on my environment setup:
- ISA 2006 is configured with Authentication to my internal LDAP (Active Directory) servers
- The rule publishing my Outlook Anywhere services was configured for Authenticated Users only, and it included the /Autodiscover path among the paths it allowed traffic for.
- I was using a SAN SSL certificate (from godaddy) with webmail.domain.com as its principal name, and autodiscover.domain.com as one of the SAN names.

I'll cut to the chase and explain what I did and why. I had to remove /Autodiscover from the list of accepted paths on my default Outlook Anywhere rule, then create a new rule just for Autodiscover. The new rule differed from the original rule as follows:
- On the "To:" tab I still had the principal name of the certificate, webmail.pih.net; however, on the "Public Name" tab I specified "autodiscover.domain.com" as the only website/IP.
- On the Paths tab I left the default path of "/*"... you could also specify /Autodiscover, but I didn't care to.
- On the Users tab I had to remove "Authenticated Users" and add "All Users". This was the real trick that got Autodiscover working, I think.
- I put the rule lower in the list than the rest of the rules, for good measure.
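A way to check the published rule from outside is to do what Outlook does: POST an Autodiscover request to the public URL anonymously, look at who answers the first attempt and with what challenge, then repeat it answering the challenge with a mailbox user's credentials. The script below is an added example written for this post, not code from the original or from Microsoft; the host name autodiscover.domain.com, the mailbox address and the credentials are placeholders you substitute, and it only uses System.Net.HttpWebRequest so it runs on the PowerShell 2.0 shipped in this time frame. It reports the status code, any WWW-Authenticate or Location header, and whether the body carries an Autodiscover <Account> element or an <ErrorCode>, which is enough to tell whether the request is being stopped at ISA or is reaching the Exchange Client Access server.

```powershell
# Added example, not from the original post: probe the published Autodiscover
# URL from outside the ISA server the way Outlook does (anonymous POST first,
# then a POST that answers the 401 with credentials) and show which hop
# answered and how. Host name and mailbox are placeholders (assumptions);
# run with -Credential (Get-Credential) to attempt the authenticated pass.
param(
    [string]$AutodiscoverHost = "autodiscover.domain.com",   # assumption
    [string]$Mailbox          = "user@domain.com",           # assumption
    [System.Management.Automation.PSCredential]$Credential = $null
)

function New-AutodiscoverRequestXml([string]$EmailAddress) {
    # Outlook 2007 request body: request schema plus the response schema
    # the client is prepared to accept.
@"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
}

function Invoke-AutodiscoverProbe {
    param([string]$Url, [string]$Body, $Cred)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = "POST"
    $req.ContentType       = "text/xml; charset=utf-8"
    $req.AllowAutoRedirect = $false   # a redirect to a logon form is itself a finding
    $req.Timeout           = 30000
    if ($Cred -ne $null) { $req.Credentials = $Cred }   # offered only in reply to a 401

    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Body)
    $req.ContentLength = $bytes.Length
    $out = $req.GetRequestStream()
    $out.Write($bytes, 0, $bytes.Length)
    $out.Close()

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403/5xx surface as an exception; the HTTP response is attached to it
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }
    }

    $reader  = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $content = $reader.ReadToEnd()
    $reader.Close()

    # Summarise what matters for the ISA rule: who challenged, with which
    # scheme, and whether a real Autodiscover payload came back.
    $result = New-Object PSObject -Property @{
        Url             = $Url
        Authenticated   = ($Cred -ne $null)
        StatusCode      = [int]$resp.StatusCode
        WwwAuthenticate = ($resp.Headers.GetValues("WWW-Authenticate") -join "; ")
        Location        = $resp.Headers["Location"]
        Server          = $resp.Headers["Server"]
        Outcome         = "Other"
    }
    if ($content -match "<Account>")            { $result.Outcome = "Settings returned" }
    elseif ($content -match "<ErrorCode>(\d+)") { $result.Outcome = "Autodiscover error " + $matches[1] }
    elseif ($result.StatusCode -eq 401)         { $result.Outcome = "Challenged" }
    $resp.Close()
    $result
}

$url = "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml"
$xml = New-AutodiscoverRequestXml $Mailbox

# Pass 1: anonymous, as Outlook's first attempt. With the "All Users" rule in
# place the 401 challenge should be the Basic/NTLM one from the Exchange
# Autodiscover virtual directory rather than a block or redirect from ISA.
Invoke-AutodiscoverProbe -Url $url -Body $xml -Cred $null | Format-List

# Pass 2: the same POST, answering the challenge with a mailbox user's
# credentials; a "Settings returned" outcome means the full exchange works.
if ($Credential -ne $null) {
    Invoke-AutodiscoverProbe -Url $url -Body $xml -Cred $Credential.GetNetworkCredential() | Format-List
}
```

Run it from a machine on the outside of the ISA server, since the point is to see the published rule, not the internal path. Comparing the anonymous pass before and after moving /Autodiscover to the "All Users" rule makes the difference concrete: the challenge that Outlook was not answering came from ISA, and afterwards the same request is challenged by the Exchange server instead.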

Once this change was applied, Autodiscover worked like a charm. No more ISA logs barking about denied connections (still got a few failed connections, the usual error 64 and 10054 stuff... that's normal for an RPC/HTTPS connection, mind you...), and Autodiscover goodness all around. I noticed that Autodiscover now pops up a box asking for login credentials during its discovery process (even though I specified the same credentials already during configuration of the Outlook profile), but this is a small price to pay for working Autodiscover.

I later verified this configuration with Microsoft, by the way... an ISA engineer, to be specific. He did not explain why this was, but indicated it may be an Outlook client problem: it's not responding to the request from ISA to authenticate, so the rule allowed the Outlook client to bypass authentication on the ISA server and authenticate directly against the Exchange server instead. A slight security breach, but nothing to be terribly concerned about considering it's just for Autodiscover.

1 comment:

  1. Thanks for sharing. Although I haven't experienced a similar problem with Autodiscover, I have found your thoughts useful. All my SAN SSL Certs are through SSL247.co.uk and have been perfectly fine.
