A while ago, we posted the default authentication and SSL settings for Exchange-related virtual directories in Exchange Server 2007. The settings below hold true for Exchange Server 2010 RTM and SP1. You will notice that Unified Messaging is no longer on the list; that is because this virtual directory and the Set-UMVirtualDirectory cmdlet no longer exist in Exchange Server 2010. The Unified Messaging mailbox can be created and configured using Enable- or Set-UMMailbox.
Exchange Server 2010 with the Client Access Server (standalone):
| Location | Authentication | SSL Setting | Management |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | Required | IIS Management Console |
| aspnet_client | Anonymous | Required | IIS Management Console |
| Autodiscover | Anonymous / Basic / Windows Authentication | Required | Exchange Management Shell |
| ECP | Anonymous / Basic | Required | Exchange Management Console or Shell |
| EWS | Anonymous / Windows Authentication | Required | Exchange Management Shell |
| Microsoft-Server-ActiveSync | Basic | Required | Exchange Management Console or Shell |
| OWA | Basic | Required | Exchange Management Console or Shell |
| PowerShell | Anonymous | Not Required | Exchange Management Shell |
| RPC | Basic / Windows Authentication | Required | Exchange Management Shell |
| RpcWithCert | all options Disabled | Required (128 bit not checked) | N/A |
| OAB | Windows Authentication | Not Required | Exchange Management Console or Shell |

Exchange Server 2010 Mailbox role (standalone):
| Location | Authentication | SSL Setting | Management |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | Required | IIS Management Console |
| PowerShell | Anonymous | Not Required | Exchange Management Shell |

Cmdlets for the virtual directories that can only be modified in the Exchange Management Shell:
Set-AutoDiscoverVirtualDirectory
Set-WebServicesVirtualDirectory
Set-PowershellVirtualDirectory
Set-OutlookAnywhere (for the RPC virtual directory)
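
A read-only way to compare a Client Access Server against the defaults in the table above; this is an added example, not a script from the original post or from the Exchange team. It assumes the IIS WebAdministration module is available and that the site is named 'Default Web Site', and it checks only the locations listed in the table, not their subdirectories.

```powershell
# Added example (read-only): report where IIS differs from the defaults listed above.
# Assumptions: WebAdministration module is installed; site name is 'Default Web Site'.
Import-Module WebAdministration
# Expected defaults, copied from the Client Access Server table above.
$baseline = @(
    @{ Path = '';                             Auth = @('Anonymous');                   Ssl = $true  }
    @{ Path = '/aspnet_client';               Auth = @('Anonymous');                   Ssl = $true  }
    @{ Path = '/Autodiscover';                Auth = @('Anonymous','Basic','Windows'); Ssl = $true  }
    @{ Path = '/ecp';                         Auth = @('Anonymous','Basic');           Ssl = $true  }
    @{ Path = '/EWS';                         Auth = @('Anonymous','Windows');         Ssl = $true  }
    @{ Path = '/Microsoft-Server-ActiveSync'; Auth = @('Basic');                       Ssl = $true  }
    @{ Path = '/owa';                         Auth = @('Basic');                       Ssl = $true  }
    @{ Path = '/PowerShell';                  Auth = @('Anonymous');                   Ssl = $false }
    @{ Path = '/Rpc';                         Auth = @('Basic','Windows');             Ssl = $true  }
    @{ Path = '/RpcWithCert';                 Auth = @();                              Ssl = $true  }
    @{ Path = '/OAB';                         Auth = @('Windows');                     Ssl = $false }
)
# IIS configuration section for each authentication method named in the table.
$sections = @{ Anonymous = 'anonymousAuthentication'; Basic = 'basicAuthentication'; Windows = 'windowsAuthentication' }

function Get-VDirState([string]$Site, [string]$Path) {
    $loc = "$Site$Path"
    $auth = foreach ($name in $sections.Keys) {
        $filter = "system.webServer/security/authentication/$($sections[$name])"
        $on = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $filter -Name enabled
        if ($on.Value) { $name }
    }
    $flags = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags
    # When set, sslFlags comes back as a string such as "Ssl,Ssl128"; the 'Ssl' token means SSL is required.
    @{ Auth = @($auth); Ssl = (($flags -is [string]) -and (($flags -split '\s*,\s*') -contains 'Ssl')) }
}

function Compare-VDirBaseline([string]$Site = 'Default Web Site') {
    foreach ($row in $baseline) {
        $node = 'IIS:\Sites\' + $Site + ($row.Path -replace '/', '\')
        if (-not (Test-Path $node)) { continue }   # location not present on this server role
        $actual = Get-VDirState $Site $row.Path
        $want = ($row.Auth | Sort-Object) -join ' / '
        $have = ($actual.Auth | Sort-Object) -join ' / '
        if ($want -ne $have -or $row.Ssl -ne $actual.Ssl) {
            New-Object PSObject -Property @{
                Location = "$Site$($row.Path)"; ExpectedAuth = $want; ActualAuth = $have
                ExpectedSsl = $row.Ssl; ActualSsl = $actual.Ssl
            }
        }
    }
}
Compare-VDirBaseline | Format-Table Location, ExpectedAuth, ActualAuth, ExpectedSsl, ActualSsl -AutoSize
```

No output means every location that exists matches the table; a reported row is a difference from the defaults, which may be intentional.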
First, it would be nice if the default redirect was also included in the list.
Second, it would be nice if someone scripted setting these to their default. If you want to allow IIS to redirect the root directory to OWA and to redirect HTTP to HTTPS, the IIS in Windows 2008 replicates the root changes to the subdirectories and we always have to change the subdirectories back to their default.
Of course the thing that isn’t written down is that the settings for these virtual directories are not independent. I believe that the redirect for /Public is linked to /OWA and also maybe /Exchange; change it in one place and it changes in the other.
Are you sure Anonymous Access is really required for Autodiscover? Actually I’m getting some strange errors when it is allowed (Outlook cannot find the Exchange server), which seem to be resolved when I disallow Anonymous Access. This is with a CAS-Array, not a standalone CAS. Could you maybe have a list with the settings for servers in a CAS-Array, too?
Another thing: Could you please make a WARNING that the Authentication methods are for the specific directory ONLY. So they are not necessarily to be inherited by subdirectories. For example, OWA might be fine with just basic authentication; the subfolder OWAauth however requires anonymous access (at least when OWA-Forms-Based-Authentication is used).
No I have not reset the permission for all subfolders, however if I would have issues which I guess are related to the settings listed above I might try to configure my server EXACTLY that way, which would cause even more trouble, when the settings for subdirectories need to be different.
I think Anonymous Access is required for Autodiscover.
We are currently planning our upgrade to Exchange 2010. We are using Exchange 2007 SP2. Our confusion is around the need to create a legacy.domain.com entry to be used with the external url configurations. Currently, we do not expose our Exchange environment to the internet – any access to it is through an SSL VPN solution. So, our Exchange 2007 servers do not have an external OWA or EAS entry on them. Will we need to create a legacy.domain.com, or does the Exchange 2010 point users back to the Exchange 2007 environment? Or do we just have to configure the internal urls?
Thanks.
It would be more helpful and easy to read if the above details were put in a table, as was done for 2007 (http://msexchangeteam.com/archive/2008/02/01/447989.aspx).
Thanks in advance.
Adding to the commenter above me – the table is broken and nearly useless. One can’t tell which folder each auth mode list belongs to.
Please fix the table with cell borders.