Exchange 2010 Deployment and Transitions MMCUG 9232011
8/2/2019 Exchange 2010 Deployment and Transitions MMCUG 9232011
1/43
Lead with Strategy. Leverage Technology. Deliver Results.
Exchange 2010 Client Access
Sep 23, 2011
Alan Wang
Technical Specialist
Project Leadership Associates
-
How Outlook Connects to Exchange 2010
In legacy Exchange (2003/2007), Outlook clients connect directly to the mailbox server
- 2003 FE is responsible for OWA\ActiveSync\OutlookAnywhere
- 2007 CAS is responsible for OWA\ActiveSync\OutlookAnywhere\EWS\OAB
Exchange 2010 CAS now becomes the RPC endpoint for Outlook clients
- The mailbox database is no longer attached to any specific mailbox server.
- A database in a DAG can be mounted\activated on any DAG node.
How does the Outlook client know the database has been activated on another server? It doesn't know where the database is located.
It knows the name of the database and which CAS server it needs to connect to. The CAS server then proxies the RPC call to the mailbox server where the database is mounted.
Each database has an attribute called RPCClientAccessServer, which tells the client: to connect to this database, connect to this CAS server\array.
2010 CAS becomes more important than it ever used to be. If CAS is down, Outlook clients lose their connection even though the database stays mounted.
-
Store Access Paths
(Diagram, left: the legacy store access paths. Outlook and other MAPI clients, Entourage and 3rd-party apps (DAV*), and the Exchange Components (EWS, ActiveSync, UM, OWA, Mailbox Agents, Transport Agents) each reach the Store on the Mailbox server over their own path through Mailbox MAPI RPC and the Exchange Business Logic.)
(Diagram, right: the Exchange 2010 store access paths. Outlook and other MAPI clients and Entourage/3rd-party apps connect to the Middle Tier over MAPI, RFR & NSPI RPC; the Middle Tier's Exchange Core Business Logic then reaches the Store through Mailbox MAPI RPC, alongside the Exchange Components.)
-
Exchange 2010 Middle Tier: What is it?
New services in Exchange 2010 that reside on CAS
Restrict all Outlook data access to a single common path by migrating the Mailbox and Directory endpoints to CAS
What it handles:
- Outlook data connections go to the RPC Client Access Service on CAS instead of connecting to Mailbox servers
- The Address Book Service on CAS replaces the DSProxy interface and handles all Outlook Directory connections
- Public folder connections connect directly to the Mailbox server, but through the RPC Client Access Service running on the Mailbox server
(Diagram: Outlook Clients -> Exchange CAS Array -> MBX and GC)
-
The Middle Tier: What it Provides
Provides a better client experience during switchovers/failovers
- When a MBX server fails over, the Outlook client will only see a ~30 sec disconnect, as compared to 1 min - TTL before
Uses the same business logic for Outlook and CAS clients
- Data validation, especially Calendar logging + repair
- Compliance
- Archive mailbox infrastructure
- Content/body conversion
Scaling mailbox connections
- More concurrent connections/mailboxes per Mailbox server
Reduces code and client logic in the Exchange Store process for increased reliability
-
Mailbox Database Configuration
The RPCClientAccessServer value on the user's mailbox database determines the CAS server or array the client will use
- The endpoint value is determined by the existence of CAS servers or an array in the site in which the database is created
- Autodiscover will provide the value to Outlook 2007+
- Manual profile creation will change the Exchange Server name in the profile to this value if another NSPI endpoint is entered, having retrieved the correct endpoint from Active Directory
-
Outlook Connectivity Behavior
All Outlook versions behave consistently in a single datacenter HA scenario
- Profile points to the Client Access Server array
- Profile is unchanged by failovers or loss of CAS
All Outlook versions should behave consistently in a datacenter activation scenario
- The primary datacenter Client Access Server array DNS name is bound to the virtual IP address of the standby datacenter's CAS array load balancer
- Autodiscover continues to hand out the primary datacenter CAS name as the Outlook RPC endpoint
- Profile remains unchanged
-
Outlook Cross-Site DB *over Experience
The default behavior is to perform a direct connect from the CAS array in the first datacenter to the mailbox hosting the active copy in the second datacenter
You can only get a redirect to occur by changing the RPCClientAccessServer property on the database
- However, the Outlook client may not automatically apply the change to the Home Server property*
- You can force a profile update by performing a profile repair
-
Namespaces
(Diagram, rebuilt from the slide's labels: each version's services and virtual directory paths, and the hostnames they are published under. legacy.contoso.com is the name used for the E2003/E2007 services during coexistence.)
E2003 (mail.contoso.com):
- Outlook Web Access: /exchange, /exchweb, /public
- Exchange ActiveSync: /microsoft-server-activesync
- Outlook Anywhere: /rpc
- POP/IMAP/SMTP
- Outlook Mobile Access: /oma
E2007 (mail.contoso.com, autodiscover.contoso.com), in addition to the E2003 services:
- Outlook Web Access: /owa
- Exchange Web Services: /ews
- Offline Address Book: /oab
- Unified Messaging: /unifiedmessaging
- Autodiscover: /autodiscover
E2010 (mail.contoso.com, autodiscover.contoso.com), in addition to the E2003/E2007 services:
- Outlook Web App: /owa
- Exchange Control Panel: /ecp
-
Exchange 2010 Virtual Directories
OWA Virtual Directory
- InternalURL https://mail.contoso.com/owa
- ExternalURL https://mail.contoso.com/owa
ECP Virtual Directory
- InternalURL https://mail.contoso.com/ecp - returned by EXCH
- ExternalURL https://mail.contoso.com/ecp - returned by EXPR
ActiveSync Virtual Directory
- InternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
- ExternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
Web Services Virtual Directory
- InternalURL https://mail.contoso.com/ews/Exchange.asmx - returned by EXCH
- ExternalURL https://mail.contoso.com/ews/Exchange.asmx - returned by EXPR
OAB Virtual Directory
- InternalURL https://mail.contoso.com/OAB - returned by EXCH
- ExternalURL https://mail.contoso.com/OAB - returned by EXPR
-
If the request is made by an Outlook Exchange RPC client, the EXCH provider will return the InternalUrl configured on the best CAS server for the following services: Availability Service, OAB virtual directory and Unified Messaging virtual directory
-
If the request is made by an Outlook Anywhere Exchange HTTP client, the EXPR provider will return the ExternalUrl configured on the best CAS server for the same services: Availability Service, OAB virtual directory and Unified Messaging virtual directory, and the ExternalHostName for Outlook Anywhere.
-
Deploying E2010 - SSL Certificates
Best practice: minimize the number of certificates
- 1 certificate for all CAS servers + reverse proxy + Edge/HUB
- Use a Subject Alternative Name (SAN) certificate, which can cover multiple hostnames
- Don't list machine hostnames in the certificate hostname list
- Don't list the ClientAccessArray name in the certificate hostname list
-
Deploying E2010 - SSL Certificates
Basic Names:
- mail.contoso.com (Common Name of the SAN cert)
- Autodiscover.contoso.com
- Legacy.contoso.com (for co-exist between 2003\2007 & 2010)
- MailDR.contoso.com (for datacenter failover) - optional
- Failback.contoso.com (for datacenter failback) - optional
- Smtp.contoso.com (if secure SMTP is required) - optional
-
Deploying E2010 - SSL Certificates
Make sure the Common Name matches the PrincipalCertName of the Outlook EXPR Provider
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.contoso.com
(Diagram: the EXPR CertPrincipalName *.contoso.com is matched against the certificate presented for mail.contoso.com)
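The request, import and binding of the single SAN certificate described on the three SSL certificate slides, as an added Exchange 2010 Management Shell example that is not part of the deck. The subject's O/C values, the file paths, the PFX export step and the use of the optional MailDR and SMTP names are assumptions; the name list, the omission of machine and array names, and the EXPR CertPrincipalName check are the deck's guidance.

```powershell
# Added example (not from the deck): one SAN certificate for all CAS servers, following the
# deck's "basic names" list. Run in the Exchange 2010 Management Shell on a CAS server.
# Subject O/C values and file paths are assumptions.
$commonName = 'mail.contoso.com'
$sanNames = @(
    'mail.contoso.com',          # Common Name, also listed as a SAN entry
    'autodiscover.contoso.com',
    'legacy.contoso.com',        # coexistence with 2003/2007
    'maildr.contoso.com',        # optional: datacenter failover
    'smtp.contoso.com'           # optional: secure SMTP
)
# Deliberately absent, per the deck: machine hostnames and the ClientAccessArray FQDN.

# 1. Generate the CSR. Exchange 2010 returns the PKCS#10 text; write it to a file for the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=$commonName" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path 'C:\certs\mail.contoso.com.req' -Value $csr

# 2. Once the CA has issued the certificate, import it on the same server (the private key
#    already lives in its store) and keep the returned object for its thumbprint.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\mail.contoso.com.cer' -Encoding Byte -ReadCount 0))

# 3. Sanity checks before binding: every required name is in the SAN list, and the CN matches
#    the EXPR CertPrincipalName pattern the deck sets (msstd:*.contoso.com).
$missing = $sanNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
$principal = (Get-OutlookProvider EXPR).CertPrincipalName
if ($principal -and $commonName -notlike ($principal -replace '^msstd:', '')) {
    throw "Certificate CN '$commonName' does not match EXPR CertPrincipalName '$principal'"
}

# 4. Bind it. IIS covers OWA, ECP, EAS, EWS, OAB, Autodiscover and Outlook Anywhere.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 5. Export with the private key so the other CAS servers and the reverse proxy can import
#    the very same certificate (deck: one certificate everywhere).
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\mail.contoso.com.pfx' -Value $pfx.FileData -Encoding Byte

# Verify what clients will be shown.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

Step 3 is the piece worth keeping even if the rest is done by hand: a certificate whose CN does not satisfy the EXPR CertPrincipalName is exactly the mismatch the Outlook Anywhere slides warn about, and catching it before Enable-ExchangeCertificate avoids a round of client certificate warnings.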
-
Deploying E2010 - Split DNS
Best Practice: Use Split DNS for the Exchange hostnames used by clients
Goal: minimize the number of hostnames
- mail.contoso.com for Exchange connectivity on intranet and Internet
- mail.contoso.com has different IP addresses in intranet/Internet DNS
Important: before moving down this path, be sure to map out all the host names (outside of Exchange) that you will want to create in the internal zone
-
Load Balancing Recommendations
Recommended
- Hardware Load Balancers
- Integrated is-alive monitoring recommended
- Fixing of MAPI and directory endpoint ports
- Create a CAS Array and load-balance selected or all CAS in a site
- Client IP affinity or cookie-based authentication where appropriate
Not Recommended
- DNS Round Robin
- Windows Network Load Balancing
- Do not load-balance cross-site; create two arrays instead and load-balance separately
-
Load Balancing Protocol Persistence Recommendations
Persistence: Required
- Outlook Web App
- Exchange Control Panel
- Exchange Web Services
- Address Book Service
- RPC Client Access Service
- Remote PowerShell
Persistence: Recommended
- Outlook Anywhere
- ActiveSync
Persistence: Not Required
- Offline Address Book
- AutoDiscover
- POP3
- IMAP4
Recommended: reduced performance without persistence
Not required: does not suffer a performance hit without persistence
-
Deploying E2010 - CAS Load Balancing
OWA and EWS load balancing require client-server affinity
- OWA supports cookie-based affinity, but other clients do not and require IP-based affinity
Tell Autodiscover where to send clients: configure load-balanced InternalURL and ExternalURL parameters on the virtual directories
- Example: Set-WebServicesVirtualDirectory "cas2010\ews*" -ExternalUrl https://mail.contoso.com/ews/exchange.asmx
Tell Outlook clients where to go for intranet MAPI access: use New-ClientAccessArray and Set-MailboxDatabase
-
Deploying E2010 - CAS Load Balancing
The CAS AutoDiscoverServiceInternalUri property should be set to the NLB FQDN
Ensure the Web Services property InternalNLBBypassURL is set to the Server FQDN
Configure virtual directory URLs according to this table:
Virtual Directory | InternalURL | ExternalURL (Internet-Facing AD Site) | ExternalURL (Non-Internet-Facing AD Site)
/OWA | Server FQDN | NLB FQDN | $null
/ECP | NLB FQDN | NLB FQDN | $null
/Microsoft-Server-ActiveSync | NLB FQDN | NLB FQDN | $null
/OAB | NLB FQDN | NLB FQDN | $null
/EWS | NLB FQDN | NLB FQDN | $null
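The two CAS Load Balancing slides put together, as an added Exchange 2010 Management Shell script that is not part of the deck: it creates the site's CAS array, points every database in the site at it, sets the Autodiscover SCP to the load-balanced name, and applies the URL table above to one server. Assumptions: the site name Chicago, the array FQDN outlook.contoso.com (kept out of the certificate, as the deck advises), the NLB FQDN mail.contoso.com, the server name CAS2010, and a -InternetFacing switch that selects the table's Internet-facing or non-Internet-facing ExternalURL column.

```powershell
# Added example (not from the deck): CAS array + virtual directory URLs per the table.
# Assumed names: site "Chicago", array FQDN outlook.contoso.com, NLB FQDN mail.contoso.com, server CAS2010.
param(
    [string]$Site = 'Chicago',
    [string]$ArrayFqdn = 'outlook.contoso.com',   # MAPI endpoint only; not a certificate name
    [string]$NlbFqdn = 'mail.contoso.com',        # HTTPS name on the SAN certificate
    [string]$Server = 'CAS2010',
    [switch]$InternetFacing
)
$serverFqdn = (Get-ExchangeServer -Identity $Server).Fqdn

# 1. Intranet MAPI: one array per site; every database whose server is in this site points at it.
if (-not (Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue)) {
    New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site | Out-Null
}
Get-MailboxDatabase | Where-Object { "$($_.RpcClientAccessServer)" -ne $ArrayFqdn } | ForEach-Object {
    $dbSite = (Get-ExchangeServer -Identity $_.Server).Site.Name
    if ($dbSite -eq $Site) { Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $ArrayFqdn }
}

# 2. Autodiscover: domain-joined Outlook finds the SCP in AD, so it must carry the load-balanced
#    name rather than the machine name (the deck's "real world gotcha" certificate warning).
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'

# 3. Virtual directory URLs per the table. ExternalURL is $null in a non-Internet-facing site,
#    so the CAS there proxies instead of redirecting clients to a name they cannot reach.
$ext = if ($InternetFacing) { "https://$NlbFqdn" } else { $null }
function Url([string]$base, [string]$path) { if ($base) { "$base/$path" } else { $null } }

Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$serverFqdn/owa" -ExternalUrl (Url $ext 'owa')   # table: OWA InternalURL = server FQDN
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$NlbFqdn/ecp" -ExternalUrl (Url $ext 'ecp')
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$NlbFqdn/Microsoft-Server-ActiveSync" -ExternalUrl (Url $ext 'Microsoft-Server-ActiveSync')
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$NlbFqdn/OAB" -ExternalUrl (Url $ext 'OAB')
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$NlbFqdn/ews/exchange.asmx" -ExternalUrl (Url $ext 'ews/exchange.asmx') `
    -InternalNLBBypassUrl "https://$serverFqdn/ews/exchange.asmx"   # per-server path for server-to-server EWS calls

# 4. Verify what Autodiscover and the RPC endpoint will now hand out.
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl, InternalNLBBypassUrl
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

The deck shows the OWA InternalURL two ways: the Virtual Directories slide uses the mail.contoso.com name, while the table on this slide uses the server FQDN; the script follows the table. Run it once per CAS server in the site; the array and database steps are idempotent, so repeating them is harmless.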
-
Deploying E2010 - CAS Load Balancing
Real World Gotcha:
Outlook 2007\2010 clients get a cert warning after the 1st Exchange 2010 CAS server is brought online
Cause
- Outlook 2007\2010 happens to use https://cas2010.contoso.com/autodiscover/autodiscover.xml for the Autodiscover lookup
Solution
- Set AutodiscoverServiceInternalURI for CAS2010 to https://autodiscover.contoso.com/autodiscover/autodiscover.xml
-
Dynamic or Static Ports
The dynamic port range for outgoing connections on Windows 2008/R2 is 49152 to 65535, but this range is changed when you install the CAS role to 6005 to 59530
- If you want to utilize the dynamic port range, ensure that this entire port range is open on any firewalls between clients and CAS role servers
You can define static ports for both the MAPI and directory endpoints
- If deploying static ports, the guidance is to choose two numbers above the dynamic range (6005 to 59530) but less than the max user port (60554)
- So choose two numbers between 59531 and 60554
Why deploy static ports?
- Reduces the range of destination ports in load balancer config and memory
- Easier firewall configuration (if applicable)
-
Setting Static Ports in Exchange 2010 SP1
On CAS role servers
- MAPI: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem\TCP/IP Port [DWORD] is the value for the port to use
- Directory: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters\RpcTcpPort [REG_SZ] is the value for the port to use
On public folder servers
- MAPI: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem\TCP/IP Port [DWORD] is the value for the IP port to use
Note that Outlook Anywhere ports should not be changed as they are hardcoded in Outlook
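The two static-port slides as an added PowerShell script that is not part of the deck: it validates the chosen ports against the 59531-60554 window from the previous slide, writes the two registry values with the types the slide lists, restarts the two services that read them, and checks that the listeners came up. The port values 59532 and 59533 and the service restart are assumptions; the registry paths and value types are the deck's.

```powershell
# Added example (not from the deck): pin the MAPI and Address Book RPC endpoints on a
# CAS role server to static ports in the window the deck gives (59531-60554).
# Assumed port values: 59532 (MAPI) and 59533 (directory). Run elevated on each CAS.
param(
    [int]$MapiPort = 59532,
    [int]$AddressBookPort = 59533
)
$min = 59531; $max = 60554   # above the CAS dynamic range (6005-59530), below the max user port
foreach ($p in $MapiPort, $AddressBookPort) {
    if ($p -lt $min -or $p -gt $max) { throw "Port $p is outside $min-$max" }
}
if ($MapiPort -eq $AddressBookPort) { throw 'MAPI and directory endpoints need distinct ports' }

$mapiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$abKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

# Either key may be absent; -Force on New-Item creates it without touching existing values.
# Value types follow the slide: DWORD for the MAPI port, REG_SZ for the Address Book port.
New-Item -Path $mapiKey -Force | Out-Null
New-ItemProperty -Path $mapiKey -Name 'TCP/IP Port' -PropertyType DWord -Value $MapiPort -Force | Out-Null
New-Item -Path $abKey -Force | Out-Null
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String -Value "$AddressBookPort" -Force | Out-Null

# The RPC Client Access and Address Book services read the values at start-up.
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeAB -Force

# Verify: the registry holds what we wrote, and the ports are actually bound.
$mapiSet = (Get-ItemProperty -Path $mapiKey).'TCP/IP Port'
$abSet   = (Get-ItemProperty -Path $abKey).RpcTcpPort
"MAPI port in registry: $mapiSet ; Address Book port in registry: $abSet"
$listening = netstat -ano -p tcp | Select-String -Pattern ":$MapiPort\s|:$AddressBookPort\s"
if (@($listening).Count -lt 2) {
    Write-Warning 'One or both static ports are not listening yet; check the RPC Client Access and Address Book service state'
} else {
    $listening | ForEach-Object { $_.Line.Trim() }
}
# Outlook Anywhere (RPC/HTTP) ports are left alone: they are hardcoded in Outlook.
```

The netstat check is what tells you the load balancer and firewall rules can be narrowed to the two fixed ports; until both show LISTENING, keep the dynamic range open.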
-
Transitioning Client Access to Exchange 2010
-
(Diagram: an Internet-facing AD Site holding FE, BE, CAS, HUB, UM, MBX 2003 or 2007 servers alongside the new CAS, HUB, UM, MBX 2010 servers, and an Internal AD Site holding CAS, HUB, UM, MBX. Upgrade Internet-facing sites first, internal sites second.)
1. Upgrade existing servers to SP2
2. Deploy E2010 servers: CAS first, MBX last. Start with a few; gradually add more servers as you move mailboxes
3. Legacy hostname for the old FE/CAS: SSL cert purchase. End users don't see this hostname. Used when Autodiscover and redirection from CAS2010 tell clients to talk to FE2003/CAS2007 for MBX2003/MBX2007 access
4. Move Internet hostnames to CAS2010, the UM phone number to UM2010 and the SMTP endpoint to HUB2010
5. Move mailboxes (CAS-CAS proxy)
6. Decommission old servers
-
Remote Connectivity Analyzer
https://www.testexchangeconnectivity.com/
Tests Exchange ActiveSync (EAS), Outlook Anywhere (RPC/HTTP), Autodiscover, EWS, SMTP and more
Remember: RCA lies
If you see any failure result, don't consider it a true failure. Try using a different account to duplicate the failure, and also try a real client\device for the same test.
I've wasted a lot of time trying to figure out a failure reported by RCA where the real client didn't have any problem at all.
-
Transitioning Exchange 2003 to 2010
-
Transitioning Exchange 2007 to 2010
-
Switching to CAS2010 - Prep Steps - 1
1. Obtain and deploy a new certificate that includes the required host name values
a. mail.contoso.com
b. autodiscover.contoso.com
c. legacy.contoso.com
2. Upgrade all Exchange servers to Service Pack 2
a. Enable Integrated Windows Authentication on the Exchange 2003 MSAS virtual directory (KB 937031)
3. Install and configure CAS2010 servers
a. Configure InternalURLs and ExternalURLs
b. Configure the Exchange2003URL parameter to be https://legacy.contoso.com/exchange
-
Switching to CAS2010 - Prep Steps - 2
4. Join CAS2010 to a load balanced array
a. Create the CAS2010 RPC Client Access Service array
b. Ensure MAPI RPC and HTTPS ports are load balanced
5. Install HUB2010 and MBX2010 servers
a. Configure routing coexistence
b. Configure OAB web-based distribution to generate on 2010
6. Create the Legacy record in DNS (internal/external)
7. Create Legacy publishing rules in your reverse proxy/firewall solution pointed to the FE2003 / CAS2007 array
8. Use ExRCA to verify connectivity for the Legacy namespace
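The Exchange-side parts of prep steps 3b and 5b, together with the ActiveSync ExternalURL advice from the Caveats and Gotchas slides, as an added Exchange 2010 Management Shell example that is not part of the deck. Assumed names: the servers CAS2010, CAS2007 and MBX2010 and the default OAB name; the legacy.contoso.com namespace is the deck's.

```powershell
# Added example (not from the deck): coexistence settings on the 2010 side before the
# switchover. Assumed server names CAS2010, CAS2007, MBX2010; namespace legacy.contoso.com.
$legacyUrl = 'https://legacy.contoso.com/exchange'

# Step 3b: OWA on CAS2010 sends Exchange 2003 mailbox users to the legacy FE namespace.
# LegacyRedirectType stays Silent (SSO) here; the deck shows switching it to Manual when FBA cannot be enabled.
Set-OwaVirtualDirectory -Identity 'CAS2010\owa (Default Web Site)' -Exchange2003Url $legacyUrl

# Step 5b: generate the OAB on a 2010 mailbox server and publish it from the CAS2010 OAB
# virtual directory, so 2010 mailboxes download it from the new servers.
Move-OfflineAddressBook -Identity 'Default Offline Address Book' -Server 'MBX2010'
Set-OfflineAddressBook -Identity 'Default Offline Address Book' `
    -VirtualDirectories 'CAS2010\OAB (Default Web Site)'

# Caveats slide: with no ExternalURL on the CAS2007 EAS virtual directory, CAS2010 proxies every
# 2007 mailbox's ActiveSync traffic instead of answering 451 "go to legacy.contoso.com", which
# sidesteps devices that ignore the 451. Run this one from the Exchange 2007 Management Shell.
Set-ActiveSyncVirtualDirectory -Identity 'CAS2007\Microsoft-Server-ActiveSync (Default Web Site)' -ExternalUrl $null

# Verify: where a 2003 user is redirected, where the OAB is generated and published,
# and that the 2007 EAS directory really has no ExternalURL.
Get-OwaVirtualDirectory -Server 'CAS2010' | Format-List Identity, Exchange2003Url, LegacyRedirectType
Get-OfflineAddressBook -Identity 'Default Offline Address Book' | Format-List Server, VirtualDirectories
Get-ActiveSyncVirtualDirectory -Server 'CAS2007' | Format-List Identity, InternalUrl, ExternalUrl
```

Steps 6 through 8 (the DNS record, the publishing rules and the ExRCA run) happen outside the Exchange shell, so they are not in the script; the final Get-* calls are what you compare against before and after those steps.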
-
Switching to CAS2010
The switchover involves a minor service interruption
1. Update internal DNS and have mail.contoso.com point to the CAS2010 array
2. Update/Create the Autodiscover publishing rule and point it to the CAS2010 array
3. Update the Mail publishing rules and point them to the CAS2010 array
a. Remember to update paths with the new Exchange 2010 specific virtual directories
4. Disable Outlook Anywhere on legacy Exchange
5. Test that CAS2010 is redirecting/proxying to CAS2007 (externally and internally)
(Diagram: ISA in front of E200x SP2 and E2010 CAS+HUB+MBX, with the autodiscover, mail and legacy names. 1: Clients access E2010 through Autodiscover and mail. 2: Redirection (legacy), proxying and direct access to E2003/E2007.)
-
Clients access CAS2010 first
Four different things happen for E2003/E2007 mailboxes:
1. Autodiscover tells clients to talk to CAS2007
2. HTTP redirect to FE2003 or CAS2007
3. Proxying of requests from CAS2010 to CAS2007
4. Direct CAS2010 support for the service against BE2003 and MBX2007
CAS2010 Service | E2003/E2007 mailbox treatment
OWA | E2003: Single Sign-On FBA Redirect. E2007 Same AD Site: SSO FBA Redirect. E2007 Externally Facing AD Site: Manual Redirect. E2007 Internally Facing AD Site: Proxy
EAS | E2007: Autodiscover & redirect (WM6.1 and newer), Proxying (WM6 and older, all non-Microsoft). E2003: Direct CAS2010 support. Clients which use new EAS2010 features need to re-sync
Outlook Anywhere & OAB | Direct CAS2010 support
EWS | Should use AutoDiscover
POP/IMAP | E2007: CAS to CAS Proxy. E2003: Direct CAS2010 support
-
ActiveSync Transition: 2003 to 2010
Regardless of the location of the Exchange 2003 mailbox, CAS2010 will always proxy the request to the Exchange 2003 mailbox
Since Exchange 2003 does not support Autodiscover, the device version does not matter
-
ActiveSync Transition: 2007 to 2010
-
For the legacy device scenario (i.e., the device does not support Autodiscover or protocol version 12.1 or later):
User1's device is already configured to use the namespace mail.contoso.com. User1's device attempts to synchronize. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
- User's mailbox version
- User's mailbox location (AD Site)
- The ExternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
- The InternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
While the user's mailbox does reside in the "Internet Facing AD Site" and the ExternalURL is populated on CAS2007 in that site, because the device does not support redirection via Autodiscover, CAS2010 will proxy the connection to the Exchange 2007 CAS infrastructure in the "Internet Facing AD Site". Specifically, the request is proxied to the CAS2007 (InternalURL value) \Microsoft-Server-ActiveSync\Proxy virtual directory. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the CAS2010 server.
CAS2010 will expose the data to the end user.
-
For the Autodiscover-supported device scenario (e.g., Windows Mobile 6.1 or later):
User3's device is already configured to use the namespace mail.contoso.com. User3's device attempts to synchronize. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
- User's mailbox version
- User's mailbox location (AD Site)
- The ExternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
- The InternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
Since the user's mailbox does reside in the "Internet Facing AD Site", the ExternalURL is populated on CAS2007 in that site, and the device does support redirection via Autodiscover (this is determined by the protocol version of ActiveSync when establishing a synchronization; it must be version 12.1 or later), CAS2010 will return a response (HTTP error code 451) indicating that the device should use the legacy.contoso.com namespace for all synchronization events.
You can see the response in the IIS logs:
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17
-
The device updates its profile to use legacy.contoso.com and attempts to synchronize with legacy.contoso.com.
CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the device.
Important: Some third-party ActiveSync devices advertise support for protocol version 12.1 or later; however, they do not correctly process the 451 error response by updating the device profile. For these devices you will have to manually update the namespace in the device ActiveSync profile once CAS2010 has been deployed with the legacy.contoso.com namespace.
Always use proxy instead of redirection to avoid problems caused by different versions of the devices.
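One way to find the devices the Important note describes from the CAS2010 IIS logs, as an added PowerShell example that is not part of the deck: it parses W3C log lines by their #Fields header, keeps the 451 responses, decodes the RdirTo target out of the Log query parameter and counts redirects per DeviceId. A device that keeps receiving 451 from CAS2010 never applied the new namespace and needs its profile changed by hand. The sample log is constructed for the example (the first request mirrors the deck's log line; the rest are made up), the function name is mine, and the three-hit threshold is an assumption.

```powershell
# Added example (not from the deck): find ActiveSync devices that ignore the 451 redirect.
# Constructed sample W3C log; the first request mirrors the deck's IIS log line.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-09-23 10:00:01 10.20.1.5 POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17
2011-09-23 10:15:02 10.20.1.5 POST /Microsoft-Server-ActiveSync/default.eas User=user4&DeviceId=bar&DeviceType=ThirdPartyPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user4 10.20.100.118 ThirdPartyEAS/1.0 451 0 0 12
2011-09-23 10:45:03 10.20.1.5 POST /Microsoft-Server-ActiveSync/default.eas User=user4&DeviceId=bar&DeviceType=ThirdPartyPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user4 10.20.100.118 ThirdPartyEAS/1.0 451 0 0 11
2011-09-23 11:15:04 10.20.1.5 POST /Microsoft-Server-ActiveSync/default.eas User=user4&DeviceId=bar&DeviceType=ThirdPartyPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user4 10.20.100.118 ThirdPartyEAS/1.0 451 0 0 13
2011-09-23 11:16:00 10.20.1.5 POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=baz&DeviceType=PocketPC&Cmd=Sync 443 contoso\user5 10.20.100.119 MSFT-PPC/5.2.5082 200 0 0 40
'@

function Get-EasRedirectReport {
    param([string[]]$Lines, [int]$Threshold = 3)   # Threshold: 451s per device before we call it stuck (assumption)
    $fields = $null
    $hits = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {              # IIS re-emits the header on rollover; honour the latest one
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields) { continue }
        $cols = $line -split ' '                     # IIS writes spaces inside fields as '+', so a plain split is safe
        if ($cols.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -ne '451') { continue }
        $query = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $k, $v = ($pair -split '=', 2); $query[$k] = $v
        }
        $target = ''
        if ($query['Log'] -match 'RdirTo:([^_]+)') { $target = [uri]::UnescapeDataString($Matches[1]) }
        $hits += New-Object PSObject -Property @{
            Time       = "$($row['date']) $($row['time'])"
            User       = $row['cs-username']
            DeviceId   = $query['DeviceId']
            DeviceType = $query['DeviceType']
            UserAgent  = $row['cs(User-Agent)']
            ClientIP   = $row['c-ip']
            RedirectTo = $target
        }
    }
    $hits | Group-Object -Property DeviceId | ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            DeviceId       = $_.Name
            User           = $first.User
            DeviceType     = $first.DeviceType
            UserAgent      = $first.UserAgent
            RedirectTo     = $first.RedirectTo
            Redirects      = $_.Count
            FirstSeen      = $first.Time
            LastSeen       = $_.Group[-1].Time
            NeedsManualFix = ($_.Count -ge $Threshold)   # still hitting CAS2010: the profile was never updated
        }
    }
}

# Constructed sample: device "foo" was redirected once and honoured it; "bar" was redirected three
# times and keeps coming back to CAS2010, so it needs a manual profile change.
Get-EasRedirectReport -Lines ($sampleLog -split "`r?`n") |
    Sort-Object Redirects -Descending |
    Format-Table DeviceId, User, DeviceType, Redirects, NeedsManualFix, RedirectTo -AutoSize
# On a real CAS2010: Get-EasRedirectReport -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex110923.log')
```

Parsing by the #Fields header rather than by fixed column position matters because the field list differs between IIS sites and changes when logging options are edited; a fixed-index parser silently misreads sc-status after such a change.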
-
Caveats and Gotchas - Summary
- SSO redirect is only between 2010 and 2007 in the same AD site, or from 2010 to 2003
- Redirect between 2010 and 2007 in another externally facing 2007 site is manual, just as it was in 2007
- OWA never proxies inside the same AD site
- If there is no ExternalURL set on CAS 2007 then CAS 2010 will redirect to the InternalURL for OWA
- SSO only works with FBA, so if you are using Basic against a server, or directly accessing a 2003 BE, then you need FBA
- If you are doing FBA on ISA then you need to either point internal clients at ISA if you want FBA, or enable WI on CAS
- For SSO with ISA\TMG to work, you need to use the same listener to publish 2010 and 2007 OWA
-
Caveats and Gotchas - Summary
- CAS 2010 will always proxy EAS requests for 2003 users, and the proxy goes directly to the BE 2003 server. So you don't need WI authentication for EAS on the FE 2003 server.
- Leave ExternalURL for the ActiveSync virtual directory at $null, so CAS 2010 will always proxy EAS requests for 2007 users instead of redirecting.
- FBA is required for OWA silent redirect (SSO). So if you cannot enable FBA for whatever reason, you can change the silent redirect to manual using the following command:
Get-OwaVirtualDirectory -Server CAS2010 | Set-OwaVirtualDirectory -LegacyRedirectType Manual
-
Caveats and Gotchas - Summary
A real world example
- Exchange 2003 environment without FE and reverse proxy. FBA not enabled on the Exchange 2003 server.
- ActiveSync is being deployed.
- Goal is to do SSO during co-existence with 2010
- ActiveSync gets broken as soon as FBA is enabled on the Exchange 2003 server.
- http://support.microsoft.com/kb/817379
- Follow Method 2 in the above article, then deploy Exchange 2010
-
Caveats and Gotchas - Summary
Most popular ActiveSync error: 500 after moving a mailbox to 2010
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
Check "Include inheritable permissions from this object's parent" after the mailbox is moved and initiate synchronization within 15 minutes.
-
Alan Wang
Technical Specialist, Communication and Collaboration
Project Leadership Associates (PLA) | 120 South LaSalle, Suite 1200, Chicago, IL 60603
Mobile: 630.888.0164 | Lync: 312.258.5323
Email:
LinkedIn Profile: http://www.linkedin.com/pub/alanwang/16/128/778
Personal Technical Blog: http://UCOutLoud.blogspot.com
Twitter: @UCOutLoud