Home
%3CLINGO-SUB%20id%3D%22lingo-sub-585109%22%20slang%3D%22en-US%22%3EExchange%20Server%202007%20Server%20Installation%20Templates%20and%20Build%20Automation%20Guidance%20Released%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-585109%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22font-size%3A%20small%22%3EWe%20have%20always%20recommended%20that%20customers%20prepare%20formal%20server%20build%20documentation%20for%20their%20Exchange%20environments.%20Until%20now%2C%20we've%20not%20provided%20any%20formal%20guidance%20around%20what%20that%20documentation%20should%20look%20like.%20We%20now%20have%20build%20documentation%20templates%20and%20instructions%20for%20preparing%20a%20build%20automation%20DVD.%20You%20can%20use%20these%20templates%20as%20a%20starting%20point%20for%20formally%20documenting%20your%20Exchange%20server%20builds.%20Preparing%20a%20build%20automation%20DVD%20can%20help%20streamline%20the%20installation%20of%20Exchange%202007%20on%20both%20Windows%20Server%202003%20and%20Windows%20Server%202008.%20The%20templates%20and%20build%20automation%20guidance%20can%20be%20found%20here%3A%20%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc533547(EXCHG.80).aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3E%3CSPAN%20style%3D%22font-size%3A%20small%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc533547(EXCHG.80).aspx%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20style%3D%22font-size%3A%20small%22%3E.%20Thanks%20to%20Ross%20Smith%20IV%2C%20with%20Exchange%20Center%20of%20Excellence%2C%20for%20his%20extensive%20help%20with%20this%20release.%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22font-size%3A%20small%22%3EThanks%2C%20Tom%20Di%20Nardo%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-611396%22%20slang%3D%22en-US%22%3EISA%202006%20SP1%20Configuration%20with%20Exchange%202010%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-611396%22%20slang%3D%22en-US%22%3E%3CP%3E%3C%2FP%3E%3CP%3EWhile%20ISA%202006%20SP1%20includes%20a%20Client%20Access%20Web%20Publishing%20Wizard%20for%20both%20Exchange%202003%20and%20Exchange%202007%2C%20the%20wizard%20does%20not%20have%20any%20knowledge%20of%20Exchange%202010.%20Exchange%202010%20includes%20the%20following%20changes%20with%20respect%20to%20its%20URLs%20and%20virtual%20directories%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExchange%202010%20Client%20Access%20Servers%20(CAS)%20no%20longer%20utilize%20the%20%2Fexchweb%20virtual%20directory.%3C%2FLI%3E%0A%3CLI%3EExchange%202010%20CAS%20no%20longer%20utilizes%20the%20%2Funifiedmessaging%20virtual%20directory.%3C%2FLI%3E%0A%3CLI%3EExchange%202010%20CAS%20provides%20a%20new%20solution%20for%20managing%20end%20user%20configuration%20(e.g.%20Unified%20Messaging%20settings)%2C%20end%20user%20self-service%20(e.g.%20message%20tracking)%2C%20and%20organization-specific%20activities%20(e.g.%20records%20discovery)%2C%20known%20as%20the%20Exchange%20Control%20Panel.%20This%20service%20is%20provided%20via%20the%20%2Fecp%20virtual%20directory%20and%20is%20accessible%20directly%20or%20through%20Outlook%20Web%20App.%3C%2FLI%3E%0A%3CLI%3EExchange%202010%20CAS%20does%20not%20render%20data%20from%20legacy%20mailboxes.%20Instead%2C%20depending%20on%20the%20protocol%20and%2For%20client%2C%20Exchange%202010%20CAS%20will%20either%20proxy%2C%20redirect%2C%20or%20provide%20direct%20access%20to%20the%20appropriate%20version%20of%20Exchange%20(Exchange%202003%20Front-End%2C%20Exchange%202007%20CAS%2C%20or%20Exchange%202003%2F2007%20Mailbox).%20Redirected%20clients%20access%20their%20information%20via%20a%20new%20namespace%2C%20legacy.contoso.com.%20For%20more%20information%2C%20please%20see%20the%20post%20entitled%2C%20%3CA%20target%3D%22_blank%22%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2009%2F11%2F20%2F453272.aspx%22%20rel%3D%22noopener%20noreferrer%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETransitioning%20Client%20Access%20to%20Exchange%202010%3C%2FA%3E%3CI%3E%3C%2FI%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAs%20a%20result%20of%20these%20changes%2C%20certain%20modifications%20must%20be%20made%20to%20the%20rules%20created%20by%20the%20Client%20Access%20Web%20Publishing%20Wizard%20to%20support%20Exchange%202010.%20This%20article%2C%20the%20final%20one%20in%20my%20upgrade%20series%2C%20will%20discuss%20how%20to%20configure%20ISA%202006%20SP1%20as%20part%20of%20your%20deployment%20of%20Exchange%202010%20in%20your%20existing%20Exchange%202003%20or%20Exchange%202007%20environments%20so%20that%20you%20may%20successfully%20allow%20your%20clients%20to%20connect%20to%20both%20Exchange%20versions.%3C%2FP%3E%0A%3CP%3E%3CB%3E%3CI%3ENote%3C%2FI%3E%3C%2FB%3E%3A%20For%20more%20information%20on%20the%20detailed%20steps%20required%20to%20support%20coexistence%20process%20see%20my%20%3CA%20href%3D%22http%3A%2F%2Fblogs.technet.com%2Fb%2Fexchange%2Farchive%2F2009%2F11%2F20%2F3408856.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Efirst%20blog%20article%3C%2FA%3E%20in%20the%20series%2C%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Faa998604(EXCHG.140).aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ETechNet%3C%2FA%3E%2C%20or%20within%20the%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fexdeploy2010%2Fdefault.aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EDeployment%20Assistant%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EWhile%20this%20article%20will%20not%20cover%20every%20scenario%20possible%20(e.g.%20specifics%20on%20each%20authentication%20solution)%2C%20it%20will%20provide%20basic%20steps%20that%20you%20can%20follow%20to%20ensure%20you%20have%20a%20successful%20deployment.%3C%2FP%3E%0A%3CP%3E%3CB%3E%3C%2FB%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1563539735%22%20id%3D%22toc-hId-1563540727%22%3EEnabling%20External%20Access%20when%20Upgrading%20an%20Exchange%202003%20Environment%20to%20Exchange%202010%20via%20ISA%3C%2FH3%3E%0A%3CP%3EPrior%20to%20implementing%20Exchange%202010%2C%20it%20is%20assumed%20that%20you%20have%20two%20ISA2006%20web%20publishing%20rules%20for%20your%20Exchange%202003%20environment%20that%20allow%20OWA%2C%20Outlook%20Anywhere%2C%20and%20ActiveSync.%20ISA%20is%20configured%20as%20follows%3A%3C%2FP%3E%0A%3CP%3E1.%20A%20web%20listener%20configured%20as%20follows%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Authentication%20tab%3A%3CUL%3E%0A%3CLI%3EFor%20ISA%20Pre-Authentication%2C%20the%20Client%20Authentication%20Method%20is%20configured%20as%20%22HTML%20Form%20Authentication%22%20and%20the%20authentication%20validation%20method%20is%20configured%20either%20with%20Windows%20(if%20ISA%20is%20domain-joined)%2C%20LDAP%2C%20or%20RADIUS.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%2C%20the%20Client%20Authentication%20Method%20is%20set%20to%20%22No%20Authentication%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOn%20the%20certificates%20tab%2C%20a%20certificate%20is%20selected%20that%20has%20a%20principal%20name%20of%20mail.contoso.com%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E2.%20A%20web%20farm%20configured%20for%20the%20Exchange%202003%20Front-End%20server%20exists.%3C%2FP%3E%0A%3CP%3E3.%20The%20Exchange%202003%20OWA%20web%20publishing%20rule%20(henceforth%20known%20as%20E2003%20OWA)%20is%20configured%20through%20the%20ISA%20Server%20Exchange%20Web%20Client%20Access%20Publishing%20wizard%20with%20the%20following%20settings%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Web%20Farm%20tab%2C%20requests%20are%20forwarded%20to%20the%20%22Exchange%202003%20Front-End%20Web%20Farm%22%20and%20the%20internal%20site%20name%20is%20%22mail.contoso.com%22%2C%20utilizing%20cookie-based%20load%20balancing%20affinity.%3C%2FLI%3E%0A%3CLI%3EThe%20Public%20name%20is%20defined%20as%20%22mail.contoso.com%22%2C%20which%20must%20resolve%20to%20a%20valid%20internal%20IP%20address.%3C%2FLI%3E%0A%3CLI%3EThe%20Authentication%20Delegation%20is%20set%20to%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%2C%20one%20of%20the%20following%20is%20set%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%3A%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EThe%20Paths%20are%20defined%20as%3A%3CUL%3E%0A%3CLI%3E%2Fpublic%2F*%3C%2FLI%3E%0A%3CLI%3E%2Fexchange%2F*%3C%2FLI%3E%0A%3CLI%3E%2Fexchweb%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E4.%20The%20Exchange%202003%20Outlook%20Anywhere%20(OA)%20%2F%20ActiveSync%20web%20publishing%20rule(henceforth%20known%20as%20E2003%20OA-EAS)%20is%20configured%20through%20the%20ISA%20Server%20Exchange%20Web%20Client%20Access%20Publishing%20wizard%20with%20the%20following%20settings%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Web%20Farm%20tab%2C%20requests%20are%20forwarded%20to%20the%20%22Exchange%202003%20Front-End%20Web%20Farm%22%20and%20the%20internal%20site%20name%20is%20%22mail.contoso.com%22%2C%20utilizing%20IP-based%20load%20balancing%20affinity.%3C%2FLI%3E%0A%3CLI%3EThe%20Public%20name%20is%20defined%20as%20%22mail.contoso.com%22%2C%20which%20must%20resolve%20to%20a%20valid%20internal%20IP%20address.%3C%2FLI%3E%0A%3CLI%3EThe%20Authentication%20Delegation%20is%20set%20to%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%2C%20one%20of%20the%20following%20is%20set%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%3A%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EThe%20Paths%20are%20defined%20as%3A%3CUL%3E%0A%3CLI%3E%2Frpc%2F*%3C%2FLI%3E%0A%3CLI%3E%2FMicrosoft-Server-ActiveSync%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIn%20addition%20if%20utilizing%20ISA%20Pre-Authentication%2C%20the%20Exchange%202003%20Front-End%20Servers%20are%20configured%20as%20follows%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EThe%20%2Fexchange%20OWA%20virtual%20directory%20has%20been%20configured%20with%20Basic%20Authentication%20and%2For%20Windows%20Integrated%20Authentication%20and%20not%20Forms%20Based%20Authentication.%3C%2FLI%3E%0A%3CLI%3ESSL%20is%20required.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EFor%20the%20purposes%20of%20this%20discussion%2C%20assume%20that%20you%20deploy%20Exchange%202010%20into%20an%20Exchange%202003%20environment%20that%20resembles%20the%20following%3A%3C%2FP%3E%0A%3CP%3E%3CA%20target%3D%22_blank%22%20href%3D%22https%3A%2F%2Fhelpcenter.xactlycorp.com%2Flegacyfs%2Fonline%2Fmedia%2Fthemes%2Fexchange%2Fimages%2F453623_E2010UpgradeISA1.jpg%22%20original-url%3D%22http%3A%2F%2Fblogs.technet.com%2Fthemes%2Fexchange%2Fimages%2F453623_E2010UpgradeISA1.jpg%22%20rel%3D%22noopener%20noreferrer%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20height%3D%22663%22%20width%3D%22674%22%20src%3D%22http%3A%2F%2Fmigration9.stage.lithium.com%2Flegacyfs%2Fonline%2Fmedia%2Fthemes%2Fexchange%2Fimages%2F453623_E2010UpgradeISA1.jpg%22%20original-url%3D%22http%3A%2F%2Fblogs.technet.com%2Fthemes%2Fexchange%2Fimages%2F453623_E2010UpgradeISA1.jpg%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CB%3E%3CI%3ENote%3A%3C%2FI%3E%3C%2FB%3E%20The%20environment%20depicted%20above%20assumes%20that%20a%20split-brain%20DNS%20infrastructure%20has%20been%20implemented.%20This%20is%20also%20known%20as%20split-horizon%20DNS%2C%20split-view%20DNS%20or%20split%20DNS.%20In%20short%2C%20split-brain%20DNS%20is%20about%20setting%20up%20separate%20%22DNS%20Zones%22%20so%20that%20DNS%20requests%20which%20come%20from%20intranet%20clients%20will%20get%20different%20DNS%20hostname-%26gt%3BIP%20lookup%20answers%20than%20requests%20coming%20from%20Internet%20clients.%20In%20other%20words%2C%20if%20a%20client%20within%20the%20internal%20network%20attempts%20to%20resolve%20mail.contoso.com%2C%20the%20client%20will%20get%20the%20IP%20address%20associated%20with%20the%20CAS2010%20array%20or%20the%20internal%20interface%20of%20ISA%3B%20whereas%2C%20if%20an%20external%20client%20attempts%20to%20resolve%20mail.contoso.com%2C%20the%20client%20will%20get%20the%20IP%20address%20associated%20with%20external%20interface%20of%20the%20ISA2006%20server.%3C%2FP%3E%0A%3CP%3EThe%20following%20steps%20need%20to%20be%20performed%20in%20order%20to%20allow%20clients%20to%20connect%20either%20to%20legacy.contoso.com%20or%20mail.contoso.com%3A%3C%2FP%3E%0A%3CP%3E%3CB%3E%3CI%3ENote%3C%2FI%3E%3C%2FB%3E%3A%20The%20below%20steps%20correspond%20with%20the%20Exchange%202003%20Upgrade%20Steps%208-12%20in%20the%20article%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2009%2F11%2F20%2F453272.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2009%2F11%2F20%2F453272.aspx%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E1.%20Either%20export%20the%20certificate%20that%20is%20installed%20on%20CAS2010%20or%20obtain%20a%20new%20certificate%20from%20a%20commercial%20certificate%20authority%20for%20ISA2006.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ETo%20export%20the%20certificate%20from%20CAS2010%2C%20execute%20the%20following%20cmdlet%20(note%3A%20In%20order%20to%20export%20the%20certificate%2C%20during%20the%20certificate%20creation%2C%20the%20must%20have%20been%20set%20to%20%24true)%3A%20Export-ExchangeCertificate%20%3CTHUMBPRINT%3E%20-path%20c%3A%5Ccascert.pfx%20-password%20(Get-Credential).password%3C%2FTHUMBPRINT%3E%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20obtaining%20a%20new%20commercial%20certificate%20for%20ISA2006%2C%20as%20a%20best%20practice%2C%20Microsoft%20recommends%20utilizing%20a%20certificate%20that%20supports%20Subject%20Alternative%20Names%3B%20however%2C%20you%20can%20utilize%20a%20wildcard%20certificate%20as%20well.%20If%20you%20choose%20to%20use%20a%20wildcard%20certificate%20there%20are%20some%20additional%20complexities%20to%20consider%3A%20For%20example%2C%20Windows%20Mobile%205.0%20devices%20do%20not%20support%20wildcard%20certificates%2C%20and%20Outlook%20Anywhere%20requires%20special%20additional%20configuration%20as%20detailed%20in%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc535023.aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc535023.aspx%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3EThis%20commercial%20certificate%20that%20will%20be%20leveraged%20by%20external%20clients%20will%20contain%20at%20a%20minimum%20three%20SAN%20values%20(note%20that%20other%20scenarios%20may%20require%20you%20to%20add%20additional%20values)%3A%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CUL%3E%0A%3CLI%3E%26nbsp%3B%3CUL%3E%0A%3CLI%3Email.contoso.com%20(your%20primary%20OWA%2FEAS%2FOA%20access%20URL)%3C%2FLI%3E%0A%3CLI%3Eautodiscover.contoso.com%3C%2FLI%3E%0A%3CLI%3Elegacy.contoso.com%20(your%20OWA%2FEAS%20namespace%20for%20legacy%20mailbox%20access)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3EPrior%20to%20Windows%20Vista%20SP1%2C%20the%20Windows%20RPC%2FHTTP%20client-side%20component%20required%20that%20the%20Subject%20Name%20(aka%20Common%20Name)%20on%20the%20certificate%20match%20the%20%22Certificate%20Principal%20Name%22%20configured%20for%20the%20Outlook%20Anywhere%20connection%20in%20the%20Outlook%20profile.%20Therefore%2C%20as%20a%20best%20practice%2C%20you%20should%20ensure%20that%20mail.contoso.com%20is%20listed%20as%20the%20Subject%20Name%20in%20your%20certificate%20unless%20you%20plan%20on%20changing%20the%20configuration%20which%20can%20be%20achieved%20by%20using%20the%20Set-OutlookProvider%20cmdlet%20with%20the%20EXPR%20parameter%20as%20described%20in%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2008%2F09%2F29%2F449921.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2008%2F09%2F29%2F449921.aspx%3C%2FA%3E.%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E2.%20Import%20the%20certificate%20into%20the%20ISA2006%20by%20following%20the%20steps%20at%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb794751.aspx%23import%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb794751.aspx%23import%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E3.%20Update%20the%20web%20listener%20(henceforth%20known%20as%20the%20CAS%20web%20listener)%20that%20is%20used%20to%20publish%20your%20Exchange%202003%20Front-End%20infrastructure%20to%20utilize%20the%20new%20certificate%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Toolbox%20pane%2C%20expand%20Web%20Listeners%20and%20double-click%20on%20the%20listener%20responsible%20for%20your%20Exchange%202003%20Front-End%20infrastructure.%3CUL%3E%0A%3CLI%3EClick%20on%20the%20Certificates%20tab%20and%20click%20Select%20Certificates.%3CUL%3E%0A%3CLI%3EVerify%20the%20certificate%20you%20recently%20imported%20is%20listed%20and%20its%20validity%20is%20%22Valid%22.%20Select%20it%20and%20click%20Select.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EIf%20leveraging%20ISA%20Pre-Authentication%2C%20click%20on%20the%20SSO%20tab.%3CUL%3E%0A%3CLI%3EClick%20on%20the%20check%20box%20to%20%22Enable%20Single%20Sign%20On%22.%3C%2FLI%3E%0A%3CLI%3EClick%20Add%20and%20enter%20%22.contoso.com%22%20(please%20note%20the%20leading%20period).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA2006.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E4.%20Create%20the%20legacy%20host%20record%20(legacy.contoso.com)%20in%20your%20external%20DNS%20infrastructure%20and%20assign%20it%20an%20IP%20address%20that%20is%20bound%20to%20the%20ISA2006%20external%20NIC.%3C%2FP%3E%0A%3CP%3E5.%20Create%20the%20Autodiscover%20host%20record%20(autodiscover.contoso.com)%20in%20your%20external%20DNS%20infrastructure%20and%20assign%20it%20an%20IP%20address%20that%20is%20bound%20to%20the%20ISA2006%20external%20NIC.%3C%2FP%3E%0A%3CP%3E6.%20On%20ISA2006%2C%20you%20will%20create%20the%20CAS2010%20web%20farm.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Toolbox%20pane%2C%20click%20New%20and%20select%20Server%20Farm.%3CUL%3E%0A%3CLI%3ELabel%20the%20server%20farm%20accordingly%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EAdd%20the%20CAS2010%20servers%20either%20by%20server%20FQDN%20(if%20name%20resolution%20is%20available)%20or%20by%20IP%20address%20(cannot%20be%20used%20with%20Kerberos%20Constrained%20Delegation)%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20server%20farm%20connectivity%20monitoring%2C%20utilize%20the%20preferred%20default%20method%2C%20or%20choose%20a%20method%20that%20is%20appropriate%20for%20your%20environment%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E7.%20If%20leveraging%20ISA%20Pre-Authentication%2C%20on%20Exchange%202010%20CAS%20within%20the%20%22Internet%20Facing%20AD%20Site%22%2C%20you%20will%20disable%20forms-based%20authentication%20by%20executing%20the%20following%20cmdlets%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESet-OWAVirtualDirectory%20cas2010%5COWA*%20-BasicAuthentication%20%24true%20-WindowsAuthentication%20%24true%3C%2FLI%3E%0A%3CLI%3ESet-ECPVirtualDirectory%20cas2010%5CECP*%20-BasicAuthentication%20%24true%20-WindowsAuthentication%20%24true%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E8.%20On%20ISA2006%2C%20you%20will%20create%20the%20OWA%20and%20Autodiscover%20web%20publishing%20rules%20that%20will%20be%20leveraged%20by%20Outlook%20Anywhere%2C%20ActiveSync%20and%20Web%20Services%20clients%20utilizing%20the%20mail.contoso.com%20namespace.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22E2010%20OWA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Web%20Access%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22E2010%20EAS%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Exchange%20ActiveSync%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Autodiscover-OA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Anywhere%20(RPC%2FHTTP(s))%22%20and%20select%20%22Publish%20additional%20folders%20on%20the%20Exchange%20Server%20for%20Outlook%202007%20clients%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22Autodiscover.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20Autodiscover-OA%20web%20publishing%20rule%20you%20just%20created.%3CUL%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Public%20Name%20tab%20and%20add%20%22mail.contoso.com%22%20as%20another%20web%20site%20entry.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Paths%20tab%20and%20add%20the%20following%3A%3CUL%3E%0A%3CLI%3E%2Fecp%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20E2010%20EAS%20web%20publishing%20rule%20you%20just%20created.%3C%2FLI%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20E2010%20OWA%20web%20publishing%20rule%20you%20just%20created.%3C%2FLI%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3CUL%3E%0A%3CLI%3EClick%20on%20the%20Paths%20tab%3A%3CUL%3E%0A%3CLI%3EAdd%3A%20%2Fecp%2F*%3C%2FLI%3E%0A%3CLI%3ERemove%3A%20%2Fexchweb%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E9.%20On%20ISA2006%2C%20you%20will%20create%20the%20legacy%20web%20publishing%20rules%20that%20will%20be%20leveraged%20by%20Outlook%20Web%20Access%2C%20Outlook%20Anywhere%2C%20and%20ActiveSync%20clients%20utilizing%20the%20legacy.contoso.com%20namespace.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Legacy%20OWA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202003%22%20and%20select%20%22Outlook%20Web%20Access%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202003%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Legacy%20OA-EAS%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202003%22%20and%20select%20%22Outlook%20RPC%2FHTTP(s)%22%20and%20%22Exchange%20ActiveSync%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202003%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20web%20publishing%20rules%20you%20just%20created%20and%20uncheck%20the%20%22Enable%22%20setting%20on%20the%20General%20tab.%20That%20way%20these%20rules%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E10.%20Schedule%20downtime%20for%20your%20Internet%20clients%20(this%20will%20be%20a%20small%20outage%20window).%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20following%20web%20publishing%20rules%2C%20enable%20them%20by%20checking%20the%20%22Enable%22%20setting%20on%20the%20General%20tab%3A%3CUL%3E%0A%3CLI%3ELegacy%20OA-EAS%3C%2FLI%3E%0A%3CLI%3ELegacy%20OWA%3C%2FLI%3E%0A%3CLI%3EE2010%20Autodiscover-OA%3C%2FLI%3E%0A%3CLI%3EE2010%20OWA%3C%2FLI%3E%0A%3CLI%3EE2010%20EAS%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFor%20the%20following%20web%20publishing%20rules%2C%20disable%20them%20by%20un-checking%20the%20%22Enable%22%20setting%20on%20the%20General%20tab%3A%3CUL%3E%0A%3CLI%3EE2003%20OWA%3C%2FLI%3E%0A%3CLI%3EE2003%20OA-EAS%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA%20(note%3A%20might%20want%20to%20restart%20the%20Microsoft%20Firewall%20service%20so%20that%20the%20changes%20are%20immediate%20and%20potentially%20flush%20the%20DNS%20cache).%3C%2FLI%3E%0A%3CLI%3ETest%20with%20Internet%20clients%20and%20ensure%20they%20can%20still%20access%20their%20mailboxes.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId--988617226%22%20id%3D%22toc-hId--988616234%22%3EEnabling%20External%20Access%20when%20Upgrading%20an%20Exchange%202007%20Environment%20to%20Exchange%202010%20via%20ISA%3C%2FH3%3E%0A%3CP%3EPrior%20to%20implementing%20Exchange%202010%2C%20it%20is%20assumed%20that%20you%20have%20two%20ISA2006%20web%20publishing%20rules%20for%20your%20Exchange%202007%20environment%20that%20allow%20OWA%2C%20Outlook%20Anywhere%2C%20and%20ActiveSync.%20ISA%20is%20configured%20as%20follows%3A%3C%2FP%3E%0A%3CP%3E1.%20A%20web%20listener%20configured%20as%20follows%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Authentication%20tab%3A%3CUL%3E%0A%3CLI%3EFor%20ISA%20Pre-Authentication%2C%20the%20Client%20Authentication%20Method%20is%20configured%20as%20%22HTML%20Form%20Authentication%22%20and%20the%20authentication%20validation%20method%20is%20configured%20either%20with%20Windows%20(if%20ISA%20is%20domain-joined)%2C%20LDAP%2C%20or%20RADIUS.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%2C%20the%20Client%20Authentication%20Method%20is%20set%20to%20%22No%20Authentication%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOn%20the%20certificates%20tab%2C%20a%20certificate%20is%20selected%20that%20has%20a%20principal%20name%20of%20mail.contoso.com.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E2.%20A%20web%20farm%20configured%20for%20the%20Exchange%202007%20CAS%20exists.%3C%2FP%3E%0A%3CP%3E3.%20The%20Exchange%202007%20OWA%20web%20publishing%20rule%20(henceforth%20known%20as%20E2007%20OWA)%20is%20configured%20through%20the%20ISA%20Server%20Exchange%20Web%20Client%20Access%20Publishing%20wizard%20with%20the%20following%20settings%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Web%20Farm%20tab%2C%20requests%20are%20forwarded%20to%20the%20%22Exchange%202007%20CAS%20Web%20Farm%22%20and%20the%20internal%20site%20name%20is%20%22mail.contoso.com%22%2C%20utilizing%20cookie-based%20load%20balancing%20affinity.%3C%2FLI%3E%0A%3CLI%3EThe%20Public%20name%20is%20defined%20as%20%22mail.contoso.com%22%2C%20which%20must%20resolve%20to%20a%20valid%20internal%20IP%20address.%3C%2FLI%3E%0A%3CLI%3EThe%20Authentication%20Delegation%20is%20set%20to%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%2C%20one%20of%20the%20following%20is%20set%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%3A%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EThe%20Paths%20are%20defined%20as%3A%3CUL%3E%0A%3CLI%3E%2Fpublic%2F*%3C%2FLI%3E%0A%3CLI%3E%2Fexchange%2F*%3C%2FLI%3E%0A%3CLI%3E%2Fexchweb%2F*%3C%2FLI%3E%0A%3CLI%3E%2Fowa%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E4.%20The%20Exchange%202007%20EAS%20web%20publishing%20rule%20(henceforth%20known%20as%20E2007%20EAS)%20is%20configured%20through%20the%20ISA%20Server%20Exchange%20Web%20Client%20Access%20Publishing%20wizard%20with%20the%20following%20settings%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Web%20Farm%20tab%2C%20requests%20are%20forwarded%20to%20the%20%22Exchange%202007%20CAS%20Web%20Farm%22%20and%20the%20internal%20site%20name%20is%20%22mail.contoso.com%22%2C%20utilizing%20IP-bsaed%20load%20balancing%20affinity.%3C%2FLI%3E%0A%3CLI%3EThe%20Public%20name%20is%20defined%20as%20%22mail.contoso.com%22%2C%20which%20must%20resolve%20to%20a%20valid%20internal%20IP%20address.%3C%2FLI%3E%0A%3CLI%3EThe%20Authentication%20Delegation%20is%20set%20to%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%2C%20one%20of%20the%20following%20is%20set%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%3A%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EThe%20Paths%20are%20defined%20as%3A%3CUL%3E%0A%3CLI%3E%2FMicrosoft-Server-Activesync%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E5.%20The%20Exchange%202007%20Outlook%20Anywhere%20(OA%20web%20publishing%20rule%20(henceforth%20known%20as%20E2007%20OA)%20is%20configured%20through%20the%20ISA%20Server%20Exchange%20Web%20Client%20Access%20Publishing%20wizard%20with%20the%20following%20settings%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOn%20the%20Web%20Farm%20tab%2C%20requests%20are%20forwarded%20to%20the%20%22Exchange%202007%20CAS%20Web%20Farm%22%20and%20the%20internal%20site%20name%20is%20%22mail.contoso.com%22%2C%20utilizing%20IP-based%20load%20balancing%20affinity.%3C%2FLI%3E%0A%3CLI%3EThe%20Public%20name%20is%20defined%20with%20%22Autodiscover.contoso.com%22%20and%20%22mail.contoso.com%3C%2FLI%3E%0A%3CLI%3EThe%20Authentication%20Delegation%20is%20set%20to%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%2C%20one%20of%20the%20following%20is%20set%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%3A%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EThe%20Paths%20are%20defined%20as%3A%3CUL%3E%0A%3CLI%3E%2Frpc%2F*%3C%2FLI%3E%0A%3CLI%3E%2FOAB%2F*%3C%2FLI%3E%0A%3CLI%3E%2FUnifiedMessaging%2F*%3C%2FLI%3E%0A%3CLI%3E%2FAutodiscover%2F*%3C%2FLI%3E%0A%3CLI%3E%2FEWS%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIn%20addition%20if%20utilizing%20ISA%20Pre-Authentication%2C%20Exchange%202007%20CAS%20array%20members%20are%20configured%20as%20follows%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EThe%20%2Fowa%20virtual%20directory%20has%20been%20configured%20with%20Basic%20Authentication%20and%20not%20Forms%20Based%20Authentication.%3C%2FLI%3E%0A%3CLI%3ESSL%20is%20required.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EFor%20the%20purposes%20of%20this%20discussion%2C%20assume%20that%20you%20deploy%20Exchange%202010%20into%20an%20Exchange%202007%20environment%20that%20resembles%20the%20following%3A%3C%2FP%3E%0A%3CP%3E%3CA%20target%3D%22_blank%22%20href%3D%22https%3A%2F%2Fhelpcenter.xactlycorp.com%2Flegacyfs%2Fonline%2Fmedia%2Fthemes%2Fexchange%2Fimages%2F453624_E2010UpgradeISA2.jpg%22%20original-url%3D%22http%3A%2F%2Fblogs.technet.com%2Fthemes%2Fexchange%2Fimages%2F453624_E2010UpgradeISA2.jpg%22%20rel%3D%22noopener%20noreferrer%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20height%3D%22693%22%20width%3D%22704%22%20src%3D%22http%3A%2F%2Fmigration9.stage.lithium.com%2Flegacyfs%2Fonline%2Fmedia%2Fthemes%2Fexchange%2Fimages%2F453624_E2010UpgradeISA2.jpg%22%20original-url%3D%22http%3A%2F%2Fblogs.technet.com%2Fthemes%2Fexchange%2Fimages%2F453624_E2010UpgradeISA2.jpg%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CB%3E%3CI%3ENote%3A%3C%2FI%3E%3C%2FB%3E%20The%20environment%20depicted%20above%20assumes%20that%20a%20split-brain%20DNS%20infrastructure%20has%20been%20implemented.%20This%20is%20also%20known%20as%20split-horizon%20DNS%2C%20split-view%20DNS%20or%20split%20DNS.%20In%20short%2C%20split-brain%20DNS%20is%20about%20setting%20up%20separate%20%22DNS%20Zones%22%20so%20that%20DNS%20requests%20which%20come%20from%20intranet%20clients%20will%20get%20different%20DNS%20hostname-%26gt%3BIP%20lookup%20answers%20than%20requests%20coming%20from%20Internet%20clients.%20In%20other%20words%2C%20if%20a%20client%20within%20the%20internal%20network%20attempts%20to%20resolve%20mail.contoso.com%2C%20the%20client%20will%20get%20the%20IP%20address%20associated%20with%20the%20CAS2010%20array%20or%20the%20internal%20interface%20of%20ISA%3B%20whereas%2C%20if%20an%20external%20client%20attempts%20to%20resolve%20mail.contoso.com%2C%20the%20client%20will%20get%20the%20IP%20address%20associated%20with%20external%20interface%20of%20the%20ISA2006%20server.%3C%2FP%3E%0A%3CP%3EThe%20following%20steps%20need%20to%20be%20performed%20in%20order%20to%20allow%20clients%20to%20connect%20either%20to%20legacy.contoso.com%20or%20mail.contoso.com%3A%3C%2FP%3E%0A%3CP%3E%3CB%3E%3CI%3ENote%3C%2FI%3E%3C%2FB%3E%3A%20The%20below%20steps%20correspond%20with%20the%20Exchange%202007%20Upgrade%20Steps%209-12%20in%20the%20article%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2009%2F11%2F20%2F453272.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2009%2F11%2F20%2F453272.aspx%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E1.%20Either%20export%20the%20certificate%20that%20is%20installed%20on%20CAS2010%20or%20obtain%20a%20new%20certificate%20from%20a%20commercial%20certificate%20authority%20for%20ISA2006.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ETo%20export%20the%20certificate%20from%20CAS2010%2C%20execute%20the%20following%20cmdlet%20(note%3A%20In%20order%20to%20export%20the%20certificate%2C%20during%20the%20certificate%20creation%2C%20the%20must%20have%20been%20set%20to%20%24true)%3A%20Export-ExchangeCertificate%20%3CTHUMBPRINT%3E%20-path%20c%3A%5Ccascert.pfx%20-password%20(Get-Credential).password%3C%2FTHUMBPRINT%3E%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20obtaining%20a%20new%20commercial%20certificate%20for%20ISA2006%2C%20as%20a%20best%20practice%2C%20Microsoft%20recommends%20utilizing%20a%20certificate%20that%20supports%20Subject%20Alternative%20Names%3B%20however%2C%20you%20can%20utilize%20a%20wildcard%20certificate%20as%20well.%20If%20you%20choose%20to%20use%20a%20wildcard%20certificate%20there%20are%20some%20additional%20complexities%20to%20consider%3A%20For%20example%2C%20Windows%20Mobile%205.0%20devices%20do%20not%20support%20wildcard%20certificates%2C%20and%20Outlook%20Anywhere%20requires%20special%20additional%20configuration%20as%20detailed%20in%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc535023.aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc535023.aspx%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3EThis%20commercial%20certificate%20that%20will%20be%20leveraged%20by%20external%20clients%20will%20contain%20at%20a%20minimum%20three%20SAN%20values%20(note%20that%20other%20scenarios%20may%20require%20you%20to%20add%20additional%20values)%3A%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CUL%3E%0A%3CLI%3E%26nbsp%3B%3CUL%3E%0A%3CLI%3Email.contoso.com%20(your%20primary%20OWA%2FEAS%2FOA%20access%20URL)%3C%2FLI%3E%0A%3CLI%3Eautodiscover.contoso.com%3C%2FLI%3E%0A%3CLI%3Elegacy.contoso.com%20(your%20OWA%2FEAS%20namespace%20for%20legacy%20mailbox%20access)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3EPrior%20to%20Windows%20Vista%20SP1%2C%20the%20Windows%20RPC%2FHTTP%20client-side%20component%20required%20that%20the%20Subject%20Name%20(aka%20Common%20Name)%20on%20the%20certificate%20match%20the%20%22Certificate%20Principal%20Name%22%20configured%20for%20the%20Outlook%20Anywhere%20connection%20in%20the%20Outlook%20profile.%20Therefore%2C%20as%20a%20best%20practice%2C%20you%20should%20ensure%20that%20mail.contoso.com%20is%20listed%20as%20the%20Subject%20Name%20in%20your%20certificate%20unless%20you%20plan%20on%20changing%20the%20configuration%20which%20can%20be%20achieved%20by%20using%20the%20Set-OutlookProvider%20cmdlet%20with%20the%20EXPR%20parameter%20as%20described%20in%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2008%2F09%2F29%2F449921.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2008%2F09%2F29%2F449921.aspx%3C%2FA%3E.%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E2.%20Import%20the%20certificate%20into%20the%20ISA2006%20by%20following%20the%20steps%20at%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb794751.aspx%23import%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb794751.aspx%23import%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E3.%20Update%20the%20web%20listener%20(henceforth%20known%20as%20the%20CAS%20web%20listener)%20that%20is%20used%20to%20publish%20your%20Exchange%202007%20CAS%20infrastructure%20to%20utilize%20the%20new%20certificate%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Toolbox%20pane%2C%20expand%20Web%20Listeners%20and%20double-click%20on%20the%20listener%20responsible%20for%20your%20Exchange%202007%20CAS%20infrastructure.%3CUL%3E%0A%3CLI%3EClick%20on%20the%20Certificates%20tab%20and%20click%20Select%20Certificates.%3CUL%3E%0A%3CLI%3EVerify%20the%20certificate%20you%20recently%20imported%20is%20listed%20and%20its%20validity%20is%20%22Valid%22.%20Select%20it%20and%20click%20Select.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EIf%20leveraging%20ISA%20Pre-Authentication%2C%20click%20on%20the%20SSO%20tab.%3CUL%3E%0A%3CLI%3EClick%20on%20the%20check%20box%20to%20%22Enable%20Single%20Sign%20On%22.%3C%2FLI%3E%0A%3CLI%3EClick%20Add%20and%20enter%20%22.contoso.com%22%20(please%20note%20the%20leading%20period).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3Ed.%20Apply%20the%20changes%20to%20ISA2006.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E4.%20Create%20the%20legacy%20host%20record%20(legacy.contoso.com)%20in%20your%20external%20DNS%20infrastructure%20and%20assign%20it%20an%20IP%20address%20that%20is%20bound%20to%20the%20ISA2006%20external%20NIC.%3C%2FP%3E%0A%3CP%3E5.%20On%20ISA2006%2C%20you%20will%20create%20the%20CAS2010%20web%20farm.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Toolbox%20pane%2C%20click%20New%20and%20select%20Server%20Farm.%3CUL%3E%0A%3CLI%3ELabel%20the%20server%20farm%20accordingly%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EAdd%20the%20CAS2010%20servers%20either%20by%20server%20FQDN%20(if%20name%20resolution%20is%20available)%20or%20by%20IP%20address%20(cannot%20be%20used%20with%20Kerberos%20Constrained%20Delegation)%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20server%20farm%20connectivity%20monitoring%2C%20utilize%20the%20preferred%20default%20method%2C%20or%20choose%20a%20method%20that%20is%20appropriate%20for%20your%20environment%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E6.%20If%20leveraging%20ISA%20Pre-Authentication%2C%20on%20Exchange%202010%20CAS%20within%20the%20%22Internet%20Facing%20AD%20Site%22%2C%20you%20will%20disable%20forms-based%20authentication%20by%20executing%20the%20following%20cmdlets%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESet-OWAVirtualDirectory%20cas2010%5COWA*%20-BasicAuthentication%20%24true%20-WindowsAuthentication%20%24true%3C%2FLI%3E%0A%3CLI%3ESet-ECPVirtualDirectory%20cas2010%5CECP*%20-BasicAuthentication%20%24true%20-WindowsAuthentication%20%24true%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E7.%20On%20ISA2006%2C%20you%20will%20create%20the%20Exchange%202010%20OWA%20and%20Autodiscover%20web%20publishing%20rules%20that%20will%20be%20leveraged%20by%20Outlook%20Anywhere%2C%20ActiveSync%20and%20Web%20Services%20clients%20utilizing%20the%20mail.contoso.com%20namespace.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22E2010%20OWA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Web%20Access%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22E2010%20EAS%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Exchange%20ActiveSync%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22E2010%20Autodiscover-OA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Anywhere%20(RPC%2FHTTP(s))%22%20and%20select%20%22Publish%20additional%20folders%20on%20the%20Exchange%20Server%20for%20Outlook%202007%20clients%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22mail.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202010%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22Autodiscover.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22E2010%20Autodiscover-OA%22%20web%20publishing%20rule%20you%20just%20created.%3CUL%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Public%20Name%20tab%20and%20add%20%22mail.contoso.com%22%20as%20another%20web%20site%20entry.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Paths%20tab%20and%20add%20the%20following%3A%3CUL%3E%0A%3CLI%3E%2Fecp%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22E2010%20EAS%22%20web%20publishing%20rule%20you%20just%20created.%3CUL%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22E2010%20OWA%22%20web%20publishing%20rule%20you%20just%20created.%3CUL%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Paths%20tab%3A%3CUL%3E%0A%3CLI%3EAdd%3A%20%2Fecp%2F*%3C%2FLI%3E%0A%3CLI%3ERemove%3A%20%2Fexchweb%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E8.%20On%20ISA2006%2C%20you%20will%20create%20the%20legacy%20web%20publishing%20rules%20that%20will%20be%20leveraged%20by%20Outlook%20Web%20Access%2C%20Outlook%20Anywhere%2C%20and%20ActiveSync%20clients%20utilizing%20the%20legacy.contoso.com%20namespace.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Legacy%20OWA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Web%20Access%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202007%20CAS%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Legacy%20EAS%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Exchange%20ActiveSync%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202007%20CAS%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFrom%20within%20the%20Tasks%20pane%2C%20click%20Publish%20Exchange%20Web%20Client%20Access.%3CUL%3E%0A%3CLI%3EEnter%20a%20name%20like%20%22Legacy%20OA%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20Exchange%20version%2C%20select%20%22Exchange%20Server%202007%22%20and%20select%20%22Outlook%20Anywhere%20(RPC%2FHTTP(s))%22%20and%20select%20%22Publish%20additional%20folders%20on%20the%20Exchange%20Server%20for%20Outlook%202007%20clients%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Publish%20a%20server%20farm%20of%20load%20balanced%20Web%20servers%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20%22Use%20SSL%20to%20connect%20to%20the%20published%20Web%20server%20or%20server%20farm%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20internal%20site%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Exchange%202007%20CAS%20server%20farm%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20public%20name%2C%20enter%20%22legacy.contoso.com%22%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20CAS%20web%20listener%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EFor%20authentication%20delegation%3A%3CUL%3E%0A%3CLI%3EFor%20scenarios%20leveraging%20ISA%20Pre-Authentication%20select%20one%20of%20the%20following%3A%20%22Basic%20Authentication%22%2C%20%22Negotiate%20(Kerberos%2FNTLM)%22%2C%20or%20%22Kerberos%20Constrained%20Delegation%22.%20Please%20note%20that%20the%20authentication%20method%20you%20select%20may%20require%20additional%20configuration%3B%20please%20see%20your%20ISA%20documentation%20for%20more%20information.%3C%2FLI%3E%0A%3CLI%3EFor%20scenarios%20without%20ISA%20Pre-Authentication%20select%2C%20%22No%20delegation%2C%20but%20client%20may%20authenticate%20directly%22%20and%20click%20Next.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20appropriate%20users%20and%20click%20Next.%3C%2FLI%3E%0A%3CLI%3EClick%20Finish.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22Legacy%20OA%22%20web%20publishing%20rule%20you%20just%20created.%3CUL%3E%0A%3CLI%3EOn%20the%20General%20tab%2C%20uncheck%20the%20%22Enable%22%20setting.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EClick%20on%20the%20Paths%20tab%3A%3CUL%3E%0A%3CLI%3ERemove%3A%20%2FAutodiscover%2F*%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EClick%20OK.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22Legacy%20OWA%22%20web%20publishing%20rule%20you%20just%20created%20and%20uncheck%20the%20%22Enable%22%20setting%20on%20the%20General%20tab.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20%22Legacy%20EAS%22%20web%20publishing%20rule%20you%20just%20created%20and%20uncheck%20the%20%22Enable%22%20setting%20on%20the%20General%20tab.%20That%20way%20this%20rule%20will%20not%20go%20into%20effect%20until%20you%20change%20the%20external%20DNS%20mappings.%3CUL%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E9.%20Schedule%20downtime%20for%20your%20Internet%20clients%20(this%20will%20be%20a%20small%20outage%20window).%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EOpen%20the%20ISA%202006%20Management%20Console.%3C%2FLI%3E%0A%3CLI%3ENavigate%20to%20your%20Firewall%20Policy%20settings.%3C%2FLI%3E%0A%3CLI%3EFor%20the%20following%20web%20publishing%20rules%2C%20enable%20them%20by%20checking%20the%20%22Enable%22%20setting%20on%20the%20General%20tab%3A%3CUL%3E%0A%3CLI%3ELegacy%20OA%3C%2FLI%3E%0A%3CLI%3ELegacy%20OWA%3C%2FLI%3E%0A%3CLI%3ELegacy%20EAS%3C%2FLI%3E%0A%3CLI%3EE2010%20Autodiscover-OA%3C%2FLI%3E%0A%3CLI%3EE2010%20OWA%3C%2FLI%3E%0A%3CLI%3EE2010%20EAS%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EFor%20the%20following%20web%20publishing%20rules%2C%20disable%20them%20by%20un-checking%20the%20%22Enable%22%20setting%20on%20the%20General%20tab%3A%3CUL%3E%0A%3CLI%3EE2007%20OWA%3C%2FLI%3E%0A%3CLI%3EE2007%20EAS%3C%2FLI%3E%0A%3CLI%3EE2007%20OA%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20the%20changes%20to%20ISA%20(note%3A%20might%20want%20to%20restart%20the%20Microsoft%20Firewall%20service%20so%20that%20the%20changes%20are%20immediate%20and%20potentially%20flush%20the%20DNS%20cache).%3C%2FLI%3E%0A%3CLI%3ETest%20with%20Internet%20clients%20and%20ensure%20they%20can%20still%20access%20their%20mailboxes.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId-754193109%22%20id%3D%22toc-hId-754194101%22%3EQ%26amp%3BA%3C%2FH3%3E%0A%3CP%3E%3CB%3EDoes%20the%20configuration%20you%20described%20above%20leverage%20the%20OWA%20Single-Sign-On%20(SSO)%20redirection%20experience%3F%3C%2FB%3E%3C%2FP%3E%0A%3CP%3EFor%20the%20scenario%20where%20you%20are%20not%20leveraging%20ISA%20Pre-Authentication%2C%20yes%2C%20this%20configuration%20supports%20the%20OWA%20single-sign%20on%20experience%20by%20using%20a%20single%20web%20listener%20for%20all%20of%20the%20web%20publishing%20rules.%3C%2FP%3E%0A%3CP%3EFor%20the%20scenario%20where%20you%20are%20leveraging%20ISA%20Pre-Authentication%2C%20no%2C%20as%20this%20configuration%20utilizes%20the%20ISA%20single-sign%20on%20experience%20for%20Outlook%20Web%20Access.%20The%20Outlook%20Web%20Access%20SSO%20redirection%20only%20occurs%20when%20you%20utilize%20Forms%20Based%20Authentication%20at%20the%20Exchange%20layer%20on%20both%20E2010%20and%20legacy%20Exchange.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1797963852%22%20id%3D%22toc-hId--1797962860%22%3EConclusion%3C%2FH3%3E%0A%3CP%3EHopefully%20this%20information%20improves%20your%20understanding%20of%20external%20client%20access%20coexistence%20with%20legacy%20versions%20of%20Exchange%20while%20upgrading%20to%20Exchange%20Server%202010%20in%20conjunction%20with%20ISA%202006.%26nbsp%3B%20Please%20let%20us%20know%20if%20you%20have%20any%20questions.%3C%2FP%3E%0A%3CP%3E-%20Ross%20Smith%20IV%3C%2FP%3E%3C%2FLINGO-BODY%3E

We have always recommended that customers prepare formal server build documentation for their Exchange environments. Until now, we've not provided any formal guidance around what that documentation should look like. We now have build documentation templates and instructions for preparing a build automation DVD. You can use these templates as a starting point for formally documenting your Exchange server builds. Preparing a build automation DVD can help streamline the installation of Exchange 2007 on both Windows Server 2003 and Windows Server 2008. The templates and build automation guidance can be found here: http://technet.microsoft.com/en-us/library/cc533547(EXCHG.80).aspx. Thanks to Ross Smith IV, with Exchange Center of Excellence, for his extensive help with this release. Thanks, Tom Di Nardo

5 Comments
Not applicable
Thanks!
Especially the hotfix list is very interesting. I always try to keep up with hotfixes but I cannot find the ones officially listed to apply at forehand.
So now I assume the listed hotfixes are 'neccessary and tested' and can always be applied on a Exchange 2007 Server?

I think Microsoft should publish a list with must have hotfixes for all their server and workstation installations. Like the hotfix list for clustering for example. Some fixes do not get published on WU but are needed in corp environments.

Not applicable
Why no CCR on 2008????  That would be the most critical for us at this point!
Not applicable
I second the CCR on 2008 question... that would have been the most useful one for me.  
Not applicable
Will there be a "template" for CCR on 2008.  If so, what's the timeline?
Not applicable
What is the Exchange 2007 requirement for IE7 (if any)?  On-going IE6 support aside, we haven't seen any impact as yet.