Many of you have been asking how you can upgrade your existing Exchange environment to Exchange 2010 from a client access perspective. For most of you, this will also mean coexisting with legacy Exchange and Exchange 2010 for a period of time. My first blog article in this series discussed the overall steps in how to upgrade your environment from a client access perspective. This article, the third in the series, discusses how Exchange ActiveSync will function in an Exchange 2003 or 2007 environment that has Exchange 2010 deployed.
Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites. As part of our upgrade process, you will be following a model where:
In other words, it would look something like this for an Exchange 2003 upgrade/co-existence:
With this configuration there are typically a few questions that are asked:
What are the configuration changes I must make on the Exchange 2003 Front-End servers to support ActiveSync?
In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2003 mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2003 Front-End servers and associate it with the Exchange 2010 CAS array. For more information on the detailed steps required to support the coexistence process, see my first blog article in the series, TechNet, or the Deployment Assistant.
What are the configuration changes I must make on the Exchange 2003 mailbox servers?
Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.
To enable this authentication change on Exchange 2003 you need to either:
Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?
Hopefully the Exchange 2003 coexistence diagram is self-explanatory, but if it is not, the key thing here is that regardless of the location of the Exchange 2003 mailbox (remember Exchange 2003 is not site aware), CAS2010 will always proxy the request to the Exchange 2003 mailbox server. Also, since Exchange 2003 does not support Autodiscover, the device version does not matter.
POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189
Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites. As part of our upgrade process, you will be following a model where:
In other words, it would look something like this for an Exchange 2007 upgrade/co-existence:
With this configuration there are typically a few questions that are asked:
Are there any configuration changes I must make on my Exchange 2007 Client Access servers?
In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2007 (and possibly 2003) mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2007 CAS array and associate it with the Exchange 2010 CAS array. In addition, you will create a new namespace for legacy access, legacy.contoso.com (note that the name can be anything you want) and associate it with your Exchange 2007 CAS array.
For CAS2007 within the "Internet Facing AD Site" you will want to configure the EAS ExternalURL to utilize the legacy.contoso.com namespace to allow for redirection of devices that support Autodiscover by using the following cmdlet:
Set-ActiveSyncVirtualDirectory \Microsoft-Server-ActiveSync* -ExternalURL https://legacy.contoso.com/Microsoft-Server-ActiveSync
On the CAS2010, you will set the ExternalURL to be https://mail.contoso.com using the following cmdlet:
Set-ActiveSyncVirtualDirectory \Microsoft-Server-ActiveSync* -ExternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
Unlike Exchange 2003, Exchange 2007 does not require any authentication changes, but let's understand why.
In Exchange 2007, for EAS proxy communication to work between CAS2007 in the "Internet Facing AD Site" and CAS2007 in the "Non-Internet Facing Site", you had to enable Windows Integrated Authentication on the CAS2007 ActiveSync virtual directories in the "Non-Internet Facing Site". If you didn't, you could not proxy EAS traffic.
With Exchange 2007 SP2 (and Exchange 2010), setup creates a new sub-virtual directory under \Microsoft-Server-ActiveSync, called proxy. This proxy virtual directory has Windows Integrated Authentication enabled. When CAS2010 has to proxy EAS traffic to CAS2007 (or to another CAS2010), the \Microsoft-Server-ActiveSync\proxy virtual directory will be used for the proxy traffic.
Note: This behavior is only for CAS2010 to CAS2007/CAS2010 EAS proxy. CAS2007 to CAS2007 EAS proxy still requires Windows Integrated Authentication to be set on the ActiveSync virtual directory.
For more information on the detailed steps required to support the coexistence process, see my first blog article in the series, TechNet, or the Deployment Assistant.
What are the configuration changes I must make on the Exchange 2003 mailbox servers, if they exist in the environment?
If your Exchange 2007 environment contains Exchange 2003 mailbox servers, then users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.
To enable this authentication change on Exchange 2003 you need to either:
Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2007)?
Note: It is assumed that Autodiscover is associated with CAS2010 in the "Internet Facing AD site".
Hopefully the Exchange 2007 coexistence diagram is self-explanatory, but if it is not:
For the first scenario, let's consider the behavior for User1. Since User1 is located in the same AD site as the Internet-facing CAS2010, and CAS2007 is also Internet-facing (its ExternalURL is populated), User1's experience will depend on whether the device supports Autodiscover.
For the legacy device scenario (i.e., the device does not support Autodiscover or protocol version 12.1 or later):
For the Autodiscover-supported device scenario (e.g., Windows Mobile 6.1 or later):
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17
Important: Some third-party ActiveSync devices advertise support for protocol version 12.1 or later; however, they do not correctly process the 451 error response by updating the device profile. For these devices you will have to manually update the namespace in the device ActiveSync profile once CAS2010 has been deployed with the legacy.contoso.com namespace. Please contact your device manufacturer to determine when they will provide support for redirection.
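As an added example (not code from the original post), the following Python script parses CAS2010 IIS log lines of the shape quoted in the Exchange 2003 and Exchange 2007 sections above, classifies each request as proxied (PrxTo), redirected (RdirTo) or served locally, verifies that redirect targets point at the legacy namespace, and flags any DeviceId that keeps receiving 451, which is the symptom of the third-party device behavior just described. The W3C field order and the third and fourth sample lines are constructed assumptions; the first two are the post's own entries.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample in the IIS W3C shape the post quotes (cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken).
# Lines 1 and 2 are the post's own entries; lines 3 and 4 are made up for this example.
SAMPLE_LOG = r"""
POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 12
POST /Microsoft-Server-ActiveSync/default.eas User=user1&DeviceId=bar&DeviceType=PocketPC&Cmd=Sync&Log=LdapC1_ 443 contoso\user1 10.20.100.118 MSFT-PPC/5.2.5082 200 0 0 44
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+) (\d+)$")

def parse_eas_line(line):
    """Parse one CAS IIS log line into a dict, or return None if it is not in that shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _method, _stem, query, _port, account, ip, agent, status, _sub, _win32, _ms = m.groups()
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    # Log= is a run of "Key:Value_" tokens; parse_qs has already URL-decoded it,
    # so the RdirTo value reads "https://legacy.contoso.com/...".
    tokens = dict(t.split(":", 1) for t in q.get("Log", "").split("_") if ":" in t)
    if "RdirTo" in tokens:
        action, target = "redirect", tokens["RdirTo"]
    elif "PrxTo" in tokens:
        action, target = "proxy", tokens["PrxTo"]
    else:
        action, target = "local", None
    return {"user": q.get("User"), "account": account, "device_id": q.get("DeviceId"),
            "cmd": q.get("Cmd"), "client_ip": ip, "agent": agent, "status": int(status),
            "action": action, "target": target, "error": tokens.get("Error")}

def audit(lines, legacy_host="legacy.contoso.com"):
    """Count proxy/redirect/local requests, verify redirect targets, flag devices stuck on 451."""
    rows = [r for r in map(parse_eas_line, lines) if r]
    actions = Counter(r["action"] for r in rows)
    wrong_target = [r["user"] for r in rows
                    if r["action"] == "redirect" and urlparse(r["target"]).hostname != legacy_host]
    # A device that honors the 451 updates its profile and stops hitting this CAS;
    # the same DeviceId receiving 451 repeatedly is the case the post warns about.
    hits = Counter((r["user"], r["device_id"]) for r in rows if r["status"] == 451)
    stuck = sorted(k for k, n in hits.items() if n > 1)
    return {"actions": dict(actions), "wrong_target": wrong_target, "stuck_devices": stuck}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run it against a real CAS2010 IIS log (one request per line, same field order) to confirm that Exchange 2003 mailboxes only ever show PrxTo and that 451 responses stop after a device updates its profile.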
Now let's consider User2 from the Exchange 2007 coexistence diagram. User2 could be using a third-party ActiveSync device or a Windows Mobile device. For Windows Mobile, the device is running either 5.0, 6.0, or 6.1 or later. Note that 6.1 and later support Autodiscover, but since User2 is located in the "Non-Internet Facing AD Site", the redirect functionality does not come into play here.
For this scenario, the important thing to understand is how the device is currently configured. Either the device is using the legacy.contoso.com namespace (because of Autodiscover during device setup or because of the redirect), or the device is using the mail.contoso.com namespace (in which case CAS2010 is proxying to the legacy CAS or the Exchange 2003 mailbox server).
For the Autodiscover-supported device scenario case:
For the legacy device case:
Hopefully this information dispels some of the myths around proxying and redirection logic for Exchange ActiveSync in Exchange Server 2010 when upgrading either from Exchange 2007 or Exchange 2003. Please let us know if you have any questions.