External Autodiscover process ends with direct connection to mailbox server, not Outlook Anywhere
Autodiscover only configures external to our firewall correctly if I have a VPN connection to my internal network. From the SP1 Autodiscover White Paper (http://technet.microsoft.com/en-us/library/bb332063.aspx), this would be step 6, step 4 in the illustration:

1. Outlook 2007 sends a Lightweight Directory Access Protocol (LDAP) query to Active Directory looking for all available SCP objects.
2. Outlook 2007 sorts and enumerates the returned results based on the client's Active Directory site by using the keyword attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list. The in-site list provides the SCP records that have AutodiscoverSiteScope information. AutodiscoverSiteScope is a parameter that is set on the Client Access server by using the Set-ClientAccessServer cmdlet. The parameter specifies the site for which the Autodiscover service is authoritative. The AutodiscoverSiteScope information contained in the SCP records for the in-site list matches the Active Directory site for the Outlook client. If there are no in-site records, an out-of-site SCP record list will be generated. The list is not sorted in any particular order. Therefore, the list is approximately in the order of oldest SCP records (based on creation date) first.
3. Outlook first tries to connect to each Autodiscover URL that it had previously generated from either an in-site list or an out-of-site list. If that doesn't work, Outlook will try to connect to the predefined URLs (for example, https://autodiscover.contoso.com/autodiscover/autodiscover.xml) by using DNS. If that fails also, Outlook will try the HTTP redirect method and, failing that, Outlook will try to use the SRV record lookup method. If all lookup methods fail, Outlook will be unable to obtain Outlook Anywhere configuration and URL settings.
4. The Autodiscover service queries Active Directory to obtain the connection settings and URLs for the Exchange services that have been configured.
5. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange services.
6. Outlook uses the appropriate configuration information and connection settings to connect to your Exchange messaging environment.

However, in step 6, it apparently connects to the Exchange mailbox server using MAPI rather than using Outlook Anywhere (RPC over HTTP), since that connection fails unless VPN is running and it says explicitly that it is connecting to the mailbox server. I have had MS tech support look over my setup, and supposedly they were able to connect to my test account externally, but my results have been 100% requiring a direct connection using VPN to the mailbox server before the autodiscover completes and then the Outlook 2007 client PC is able to connect using Outlook Anywhere. What am I missing here?
November 20th, 2008 5:16pm

Hi,

Please understand the external client is not able to contact the DC to look for the SCP object. Therefore, it tries to locate the Autodiscover service by using Domain Name System (DNS). The client will determine the right side of the user's e-mail address, domain.com, and check DNS by using two predefined URLs. For example, if your SMTP domain is contoso.com, Outlook will try the following two URLs to try to connect to the Autodiscover service:

https://contoso.com/autodiscover/autodiscover.xml
https://autodiscover.contoso.com/autodiscover/autodiscover.xml

Please ensure that the external client is able to resolve autodiscover.domain.com or domain.com into the correct IP address. You can add a record in the host file to test the issue. I suggest you read the Autodiscover whitepaper, "The Autodiscover service process for external access" section.

Mike
November 25th, 2008 8:52am

I have read the whitepaper beginning to end, my CAS server does have an external autodiscover A record, it can resolve autodiscover just fine - passes the Test Autodiscover just fine. I have even set up a test account and an MS support person was able to use autodiscover to connect. What puzzles me is that was the only external autodiscover that did not require a VPN connection to this day. I still have an open case and we will be trying again to figure it out. I will post if something interesting is discovered.
November 25th, 2008 11:05pm

Answer to the problem is a riddle:

Q: "When is IPV6 turned off, but not turned off?"
A: When you turn it off in Network configuration!

To really turn it off and fix the problem I was seeing, you have to hack the registry. What was happening was that although IPV6 was turned off in Network configuration, it was still trying to communicate via IPV6. To fix it, I had to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters and add a DWORD called "DisabledComponents" and set the value to ffffffff, which turns off IPV6 except for loopback. This is a documented fix for Windows Vista, but does not appear in the Windows 2008 KB as far as I can tell. I hope after the 7 hour call to MS support that it will be added to the KB as a fix for Exchange 2007 autodiscover problems.
December 1st, 2008 10:42pm
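
The registry state described in the post above can be checked before and after the change. The following is an added example, not part of the original thread or of any Microsoft tool: the function names are hypothetical, and the bit meanings are those Microsoft documents for the Tcpip6 `DisabledComponents` value.

```powershell
# Added example: report what DisabledComponents is set to on this machine.
$Tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-DisabledComponentsMeaning {
    param([long]$RawValue)

    # Only the low byte carries flags. Masking also copes with ffffffff
    # being surfaced as -1 (signed) or 4294967295 (unsigned).
    $low = $RawValue -band 0xFF
    $bits = @(
        @{ Mask = 0x01; Text = 'IPv6 disabled on all tunnel interfaces' },
        @{ Mask = 0x02; Text = '6to4 disabled' },
        @{ Mask = 0x04; Text = 'ISATAP disabled' },
        @{ Mask = 0x08; Text = 'Teredo disabled' },
        @{ Mask = 0x10; Text = 'IPv6 disabled on non-tunnel interfaces (LAN, PPP)' },
        @{ Mask = 0x20; Text = 'IPv4 preferred over IPv6 in the prefix policy' }
    )
    foreach ($b in $bits) {
        if ($low -band $b.Mask) { $b.Text }
    }
    if ($low -eq 0xFF) { 'Summary: all IPv6 components disabled except loopback' }
}

function Test-Ipv6RegistryState {
    $props = Get-ItemProperty -Path $Tcpip6Key -Name DisabledComponents `
                              -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # Unchecking IPv6 on an adapter does not create this value.
        'DisabledComponents is not set: IPv6 is not disabled at the registry level.'
        return
    }
    $raw = [long]$props.DisabledComponents
    'DisabledComponents = 0x{0:x}' -f ($raw -band 4294967295)
    $meaning = @(Get-DisabledComponentsMeaning -RawValue $raw)
    if ($meaning.Count -eq 0) { 'No components are disabled by this value.' }
    else { $meaning }
}

Test-Ipv6RegistryState
```

Run it in a PowerShell session on the affected server. A change to this value takes effect only after a restart.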

This topic is archived. No further replies will be accepted.
