General guidance on OWA and Autodiscover in hosted environment...


  • April 7, 2012 22:25
     
     

    Our organization has agreed to host Exchange for another sister organization (we are non-profit orgs). We have a one-way trust relationship between our forests (we TRUST them) and we have created linked mailboxes (mailboxes will be in our forest, their AD accounts will remain in their forest). The linked mailboxes work well, and they can receive mail from their SMTP namespace.

    Currently they are going to our OWA page (owa.orgA.com). My question is regarding OWA and ActiveSync. They prefer to access their webmail from owa.orgB.com instead of using our existing owa.orgA.com. They have provided us a UC cert (with OWA and ActiveSync listed) for use. Should I build CAS servers just for their use, so they can get to their owa.orgB.com (as well as AS), or can these two services be provided on my existing CAS servers (which are configured for owa.orgA.com)?

    I know that I can do an IIS HTTP redirect to get ActiveSync to work with our existing ActiveSync setup, but how would OWA work using their OWA address?

All replies

  • April 8, 2012 12:18
     
     

    After doing further research, it appears that MS does support multiple OWA/ECP websites on the same CAS server, each with their own certificate. Is this correct?

    That leaves me with one question then, regarding ActiveSync. Will the newly created website, once Exchange configures it, also have an ActiveSync vDir?

  • April 8, 2012 14:02
     
     

    Hi Rich, tell me one thing: do you have CAS as the front end, or some proxy like TMG or ISA as the front end? Because for multiple OWA or ActiveSync, these proxies perform better than making multiple web sites on the CAS itself...

    though both possibilities are there


    MARK AS USEFUL/ANSWER IF IT DID


    Thanks
    Happiness Always
    Jatin

  • April 10, 2012 16:41
     
     

    You can have multiple OWA Vdirs, sure, but you could also have just one OWA Vdir with a cert with multiple names on it. So the same VDir is accessed using different names. Simpler. You can do the same with ActiveSync, one VDir, one cert with multiple names.

    However... You have things like AutoDiscover for mobile to take into account - that would give back whatever the ExternalURL has set for the ActiveSync Vdir, it can't give back a service specific name based on the person making the request.

    Basically the way I suggest you solve this is to configure non-specific names for your URLs, so if a URL such as eas.hoster.com is handed back no one gets upset, and then use multiple names on the certs to allow users to type their own, easily remembered, URL if they want to.

  • April 11, 2012 20:04
     
     

    Hi Rich, tell me one thing: do you have CAS as the front end, or some proxy like TMG or ISA as the front end? Because for multiple OWA or ActiveSync, these proxies perform better than making multiple web sites on the CAS itself...

    though both possibilities are there


    MARK AS USEFUL/ANSWER IF IT DID


    Thanks
    Happiness Always
    Jatin

    I have a network load balancer (Kemp) in front of my CAS Servers (my CAS Array is pointing to the NLB).
  • April 11, 2012 20:08
     
     

    You can have multiple OWA Vdirs, sure, but you could also have just one OWA Vdir with a cert with multiple names on it. So the same VDir is accessed using different names. Simpler. You can do the same with ActiveSync, one VDir, one cert with multiple names.

    However... You have things like AutoDiscover for mobile to take into account - that would give back whatever the ExternalURL has set for the ActiveSync Vdir, it can't give back a service specific name based on the person making the request.

    Basically the way I suggest you solve this is to configure non-specific names for your URLs, so if a URL such as eas.hoster.com is handed back no one gets upset, and then use multiple names on the certs to allow users to type their own, easily remembered, URL if they want to.

    Thanks Greg,

    It certainly seems much simpler and less complicated to just have a single SSL cert with all of my SMTP domains listed on it.

    Is ActiveSync the *only* caveat to this approach? If it is, then I think this should be workable. Can you give me more information about your recommended approach for Autodiscover? Not sure that I followed that completely.

    Finally, I have read that if the external DNS provider supports SRV records, then this might be another approach to take with Autodiscover. Would anyone recommend this approach? My external DNS provider supports SRV, so I'm wondering if this might be a good approach as well for Autodiscover.

  • April 12, 2012 4:11
     

    Basically I recommend using names for URLs that are not company specific if you are hosting, then you never have issues with people seeing names they should not, even if the hosting company gets renamed, sold, etc. For AutoDiscover for example, if you set the externalURL to be something like eas.somenameorother.com, then if a device uses AutoDiscover to configure itself, it will use that name, and work just fine. The user does not see the configuration unless they go in and look at it. If you also add mail.theircompanyname.com to the cert, then they can use eas.theircompanyname.com to configure a device manually too, but then you run the risk of other people seeing their name on your cert.

    If you don't care about names being seen, as you said the organizations are sister orgs, then don't get too deep into it, but know that autodiscover hands back to the device the externalURL value, which is set once. So it just goes back to the point of choosing names that you don't mind everyone seeing.

    Not sure if that helps explain it, but it's more complicated to explain than it is to set up, honest.
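
The approach described in the last reply, as an added example that is not part of the original thread: set one neutral ExternalUrl for ActiveSync, then compare the host names the CAS hands out with the names on the certificate bound to IIS, since every connecting client can read the full name list on that certificate. The server name `CAS01` and the helper `Test-Covered` are hypothetical; `eas.hoster.com` is the sample name from the thread.

```powershell
# Run in the Exchange Management Shell. 'CAS01' is a hypothetical server name;
# eas.hoster.com is the neutral sample name used in the thread.
$server     = 'CAS01'
$neutralUrl = 'https://eas.hoster.com/Microsoft-Server-ActiveSync'

# The single ExternalUrl that Autodiscover returns to every mobile device.
Get-ActiveSyncVirtualDirectory -Server $server |
    Set-ActiveSyncVirtualDirectory -ExternalUrl $neutralUrl

# Every external host name this CAS publishes to clients.
$vdirs = @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server)
$published = @($vdirs | Where-Object { $_.ExternalUrl } |
    ForEach-Object { $_.ExternalUrl.Host.ToLower() } | Sort-Object -Unique)

# Names on the certificate(s) enabled for IIS; all tenants can see these.
$certNames = @(Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } | Sort-Object -Unique)

# True if the host matches a certificate name exactly or via a
# single-label wildcard such as *.hoster.com (hypothetical helper).
function Test-Covered([string]$hostName) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Published hosts the certificate does not cover: clients get name-mismatch errors.
$published | Where-Object { -not (Test-Covered $_) } |
    ForEach-Object { Write-Warning "Published host not on certificate: $_" }

# Certificate names and whether Exchange hands them out or users only type them.
$certNames | ForEach-Object {
    New-Object PSObject -Property @{
        Name                = $_
        HandedOutByExchange = ($published -contains $_)
    }
}
```

If TLS is terminated on the load balancer rather than on the CAS, the certificate to review is the one installed there.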