David,
Sounds like the problem we encountered. Basically the exact problem described in the post with autodiscover also exists with the CAS server's name (e.g. cas.domain.local). We have remote clients wanting to connect solely via Outlook Anywhere. If the certificate does not contain cas.domain.local then the client will refuse to connect unless it has first connected to the server via a local, non-HTTPS connection (for some reason Outlook won't set up the profile).
The problem is that I don't believe any CA will give you a certificate for cas.domain.local, since you don't "own" this domain. So none of the solutions posed above will work. I suppose you have to self-sign and clients have to import this certificate - but unless you have a secure channel already established to transport the self-signed certificate, then there is no security in this option. Not to mention the hassle.
I would be interested in Microsoft's response to this problem because AFAIK they consider it a good idea to use a domain like domain.local.