Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
If you can't use multiple Secure Sockets Layer (SSL) certificates for your Outlook Anywhere deployment, you can set up your Outlook Anywhere deployment to use a single SSL certificate with redirection. Microsoft Office Outlook 2007 and Outlook 2010 clients that aren't joined to your domain or don't have direct access to Active Directory in your Microsoft Exchange Server 2010 forest will be redirected to another Domain Name System (DNS) address to obtain their user profile information by using the Autodiscover service.
For more information about how a single SSL certificate works with redirection in an Outlook Anywhere deployment, see Understanding Redirection for Outlook Anywhere with a Single SSL Certificate.
Looking for other tasks for managing Outlook Anywhere? Check out Managing Outlook Anywhere.
Configure your Outlook Anywhere deployment to use an SSL certificate with redirection
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "SSL for Outlook Anywhere" and "IIS Manager" entries in the Client Access Permissions topic.
- Configure a valid SSL certificate. You must obtain a valid SSL certificate from a certification authority (CA) that's trusted by the client computer's operating system. For more information, see Obtain a Server Certificate from a Certification Authority. After you obtain a valid SSL certificate, apply the certificate to the default Web site of your Client Access server. For more information, see Install an SSL Certificate on a Client Access Server.
- Configure the URLs for Exchange services. You must configure the external and internal URLs for your available Exchange services to point to the default Web site, for example, mail.contoso.com. For more information about how to set the URLs for the Exchange services, see Configure Exchange Services for the Autodiscover Service.
- Configure the service connection point object to use a site dedicated to handling e-mail, for example, mail.contoso.com. You can do this by running the following command:
Set-ClientAccessServer -id <CAS01> -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
- Configure the IP address for the default Web site. You must set the default Web site to listen on only one IP address. After you have done this, bind any additional IP addresses to the network adapter, also known as a NIC, for the Client Access server. For more information about how to do this, see your Windows server
- Create a new Web site in Internet Information Services (IIS) Manager for the Autodiscover service redirection by doing the
- In IIS Manager, expand your Client Access server name to select and right-click Sites, then select Add Web Site. Enter your domain name under Site name.
- Under Physical path, navigate to %SystemDrive%\inetpub\. Under inetpub, create a new folder called
Note: You must allow the Users group Read & execute access to the Web site that you create.
- Create the Autodiscover redirect. Use Windows Explorer to locate the folder that you created named Autodiscover_redirect. Create a new folder named Autodiscover in the Autodiscover_redirect folder, and then use a text editor, such as Notepad, to create a new blank text file named Autodiscover.xml in the Autodiscover
- Configure the new Web site to redirect to the site that's dedicated to handling e-mail, for example, mail.contoso.com. In IIS Manager, right-click the Autodiscover.xml file that you created, and then click Properties. On the Properties page, select A redirection to a URL, and then enter the same URL that you used to configure the service connection point object. For example,
- Test your results to make sure that the site that you're using to handle e-mail, for example, mail.contoso.com, can be resolved internally and externally by using your Outlook 2010 or Outlook 2007 client.
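A check to go with the final test step, added here as an example (it is not Microsoft's code): it confirms that the redirect site answers with a redirect to the HTTPS URL set on the service connection point, because the client goes on to authenticate against whatever target the redirect names. The function names and the redirect-site address autodiscover.contoso.com are assumptions, and the sample responses are constructed.

```powershell
# Added example, not Microsoft's code. mail.contoso.com is the page's example host;
# function names and the redirect-site URL in the usage notes are assumptions.
$ExpectedTarget = 'https://mail.contoso.com/autodiscover/autodiscover.xml'

function Test-AutodiscoverRedirect {
    # Evaluate one redirect response against the URL configured on the SCP.
    param([int]$StatusCode, [string]$Location, [string]$Expected = $ExpectedTarget)
    $problems = @()
    if (@(301, 302) -notcontains $StatusCode) { $problems += "status $StatusCode is not a redirect" }
    $target = $null
    if (-not [Uri]::TryCreate($Location, [UriKind]::Absolute, [ref]$target)) {
        $problems += 'Location header is missing or not an absolute URL'
    } else {
        $want = [Uri]$Expected
        if ($target.Scheme -ne 'https') { $problems += "target scheme is '$($target.Scheme)', not https" }
        if ($target.Host -ne $want.Host) { $problems += "target host '$($target.Host)' is not '$($want.Host)'" }
        if ($target.AbsolutePath -ne $want.AbsolutePath) { $problems += "target path '$($target.AbsolutePath)' differs" }
    }
    New-Object PSObject -Property @{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

function Get-RedirectResponse {
    # Live probe: fetch the redirect site without following the redirect.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try {
        New-Object PSObject -Property @{ StatusCode = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    } finally { $resp.Close() }
}

# Constructed sample responses (not captured from a real server).
$samples = @(
    @{ StatusCode = 302; Location = 'https://mail.contoso.com/autodiscover/autodiscover.xml' },  # correct
    @{ StatusCode = 302; Location = 'http://mail.contoso.com/autodiscover/autodiscover.xml' },   # plain HTTP target
    @{ StatusCode = 302; Location = 'https://mail.contoso.net/autodiscover/autodiscover.xml' },  # wrong host
    @{ StatusCode = 200; Location = '' }                                                         # blank file served, no redirect
)
foreach ($s in $samples) {
    $r = Test-AutodiscoverRedirect -StatusCode $s.StatusCode -Location $s.Location
    '{0} {1} -> Ok={2} {3}' -f $s.StatusCode, $s.Location, $r.Ok, ($r.Problems -join '; ')
}

# Live use, from an external client and from inside the network:
#   $live = Get-RedirectResponse 'http://autodiscover.contoso.com/autodiscover/autodiscover.xml'
#   Test-AutodiscoverRedirect -StatusCode $live.StatusCode -Location $live.Location
# In the Exchange Management Shell, confirm the SCP carries the same URL:
#   Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri
```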
After you configure Outlook Anywhere to use an SSL certificate with redirection, you may also want to: