Outlook Web Access and Exchange 2007, 2003 and 2000 coexistence
Published Feb 07 2007 01:28 PM 18.5K Views

NOTE: The content of this article has been published in the official Exchange 2007 documentation. We recommend that you check the documentation for the most up-to-date version. Please go here: http://technet.microsoft.com/en-us/library/bb885041.aspx EDIT: We have updated this post on 2/15/07 to include additional detail about public folder access. To get started, let me take you on a trip down memory lane to dark ages of computing and e-mail. Journey with me to the years 2000 and 2003, when Exchange was a much different product. In Exchange 2003 and 2000, there were two server configurations: front-end (FE) and back-end (BE). From OWA's point of view, the FE server was little more than a proxy. It accepted requests and forwarded them to the BE server. The BE handled all the business logic and rendered the UI. If you looked at the IIS metabase on an FE or BE server, you'd see three virtual directories normally associated with OWA:

/exchange: handles mailbox access requests for OWA and WebDAV /public: handles requests for public folders /exchweb: contains resource files used by OWA and WebDAV
If you accessed /exchange on an FE server, you would be prompted to enter your credentials and then proxied to /exchange on the BE server, which would serve up OWA. Fast forward to 2007, where we made a great leap forward with Exchange. We did away with the FE and BE roles in favour of the CAS and Mailbox roles. The key difference between CAS and FE is that CAS contains the business logic and renders the OWA UI. This presented us with a challenge: how do we allow Exchange 2007 CAS servers to coexist with Exchange 2007 Mailbox and Exchange 2003/2000 Mailbox servers? The solution depends on how the server is configured. First things first, though:
  • If you intend to keep E2007 and E2003/2000 servers running side by side, we recommend that you keep the E2007 CAS and E2007 Mailbox servers on separate machines. If you want to combine CAS and Mailbox on a single server while still maintaining E2003/2000 servers, you will need to expose two URLs. One goes to the E2007 server (e.g., https://e2007.contoso.com/owa), while the other goes to the E2003/2000 servers (e.g., https://e2003.contoso.com/exchange).
  • We don't support putting an Exchange 2003/2000 FE server in front of an Exchange 2007 Mailbox server. OWA 2007 also doesn't support Exchange 2007 public folders yet. Look for it in an Exchange 2007 Service Pack. In addition, you should replace all your E2003/2000 FE servers with E2007 CAS servers before moving your mailboxes to E2007 (see this page in Exchange 2007 documentation). Note that a CAS will require more powerful hardware than an FE server, so account for that in your planning (see this blog post for details).
If you look at IIS on CAS-only, Mailbox-only, and CAS+Mailbox servers, you'll see that they look very similar:

CAS-only

 

Mailbox-only

 

CAS+Mailbox

 

/owa

 

/exchange

 

/public

 

/exchweb

 

/exchange

 

/public

 

 

/owa

 

/exchange

 

/public

 

/exchweb

 
Looks, in this case, are deceiving. /owa, which handles OWA 2007 business logic and UI rendering, is the only one that behaves the same wherever it appears. The remaining virtual directories, affectionately dubbed "legacy virtual directories", handle Exchange 2003/2000 and WebDAV requests. They work differently based on which server roles are installed. By reserving /owa for OWA 2007, we made the Exchange 2007 legacy virtual directories analogous to Exchange 2003/2000 virtual directories. From the legacy virtual directory point of view, the CAS role acts like an Exchange 2003/2000 FE server. That is, it takes requests and proxies them to a BE server. The logic for this is in exprox.dll, which is applied as a scriptmap on the legacy virtual directories. Exprox doesn't do anything beyond proxy requests from the CAS to the Exchange 2007/2003/2000 Mailbox server. All the intelligence for handling legacy requests lives in davex.dll, which is the scriptmap on the Mailbox server's legacy virtual directories. Davex contains logic for handling DAV requests, redirecting Exchange 2007 mailbox users to /owa, and serving up the Exchange 2003/2000 OWA experience. It is important to understand that exprox only directs traffic to davex on a mailbox server. Davex figures out what the right or the best server to use is. There are two important caveats when working with davex:
  1. Davex responds to both DAV and OWA requests. If you are pointing your browser to a URL, such as https://mail.company.com/exchange, and davex responds to it, it is treating it as an OWA request.
  2. Davex will redirect a request based on the internal (intranet) name of the server. This means that users on the internet may receive a DNS error because the internal name of a server may not be the one that is exposed on the internet.
To understand how it all fits together, let's take a look at a few examples: Example #1 1 Exchange 2007 CAS-only server 1 Exchange 2007 Mailbox-only server All mailboxes are Exchange 2007
  • Requests for /owa return the OWA 2007 experience
  • Requests for /exchange: exprox proxies requests to /exchange on the Mailbox server, where davex redirects the user to /owa on the CAS
  • Requests for /public: exprox proxies the user to /public on the Mailbox server. Davex then looks for an E2003 PF server but doesn't find one. It then returns an error message.
  • Requests for /exchweb: exprox either proxies them to /exchange or /public on the Mailbox server, or does nothing with them (more on this later)
Example #2 1 Exchange 2007 CAS-only server 1 Exchange 2003 BE server All mailboxes on the BE server
  • Requests for /owa returns the following error since there are no Exchange 2007 mailboxes.
Outlook Web Access could not find a mailbox for DOMAIN\USER. If the problem continues, contact technical support for your organization and tell them the following: The mailbox may be stored on a Microsoft Exchange 2000 or Microsoft Exchange 2003 server, or the Active Directory user account was created recently and has not yet replicated to the Active Directory site where this Client Access server is hosted.
  • Requests for /exchange on the CAS are proxied to /exchange on the BE server, which returns the OWA 2003 experience
  • Requests for /public on the CAS are proxied to /public on the BE server, which returns the OWA 2003 PF experience
  • Requests for /exchweb: exprox either proxies them to /exchange or /public on the Mailbox server, or does nothing with them
Example #3 1 Exchange 2007 CAS-only server 1 Exchange 2007 Mailbox-only server 1 Exchange 2003 BE server Mailboxes on both Exchange 2007 and 2003 servers If the your mailbox is on an E2007 server
  • requests to /owa will return the OWA 2007 experience
  • requests to /exchange on the CAS or Mailbox server will redirect the user to /owa. Authentication credentials transparently passed through.
  • requests to /exchange on the BE will direct the user to the CAS, but the user may need to be authenticated again
  • requests to /public will be directed to /public on the BE server
  • requests to /exchweb will be directed to the BE server or return nothing
If your mailbox is on an E2003 server
  • requests to /owa will yield the error message from Example 2
  • requests to /exchange or /public on a CAS will be proxied by exprox to /exchange or /public on the BE server and yield the OWA 2003 experience
  • requests to /exchange or /public on the BE server will yield the OWA 2003 experience
  • requests to /exchweb will be directed to the BE server or return nothing
Example #4 1 Exchange 2007 CAS+Mailbox server
  • requests for /owa yield the OWA 2007 experience
  • requests for /exchange will be redirected by davex to /owa
  • requests for /public will return an error since there are no E2003 PF servers
Example #5 1 Exchange 2007 CAS+Mailbox server 1 Exchange 2003 BE server If your mailbox is on the E2007 server
  • Requests to /owa will yield the OWA 2007 experience
  • Requests to /exchange will redirect to /owa
  • Requests to /public will likely yield an error because DAV will not redirect OWA requests to the E2003 PF server correctly.
If your mailbox is on the E2003 server
  • Requests to /owa will yield the Example 2 error message
  • Requests to /exchange redirect to the E2003 server and yield the OWA 2003 experience
    • If accessing /exchange on the E2007 server, you will need to reauthenticate after being redirected to the E2003 server
  • Requests to /public will likely yield an error because DAV will not redirect OWA requests to the E2003 PF server correctly.
Accessing OWA With all the virtual directories floating around on different servers, it can be a little confusing for users to understand which one to access. Here's the summary: Users with Exchange 2007 users should access /owa or /exchange on the CAS. /owa will take the user directly to OWA. /exchange will use DAV to redirect the user to /owa. Users with Exchange 2003 or 2000 mailboxes should access /exchange on the CAS to get the OWA2003/2000 experience. Again, DAV will redirect the user to the right server, if necessary. Authentication Between exprox and davex, requests can be bounced all over the place. To make things easier for the user, we've done a lot of work so that users only need to authenticate once in most cases. The only places where you need to reauthenticate are when you are directed from /exchange on an E2007 mailbox server to /exchange on an E2003 BE, and when you're directed from /exchange on an E2003 BE to /owa on a CAS. Another authentication issue to be aware of is that legacy virtual directories on a CAS (i.e., the ones that use exprox) really are the same as the virtual directories on an E2003 FE server. This means that you can only use forms-based authentication (FBA) or basic authentication. The reason for this is that we need your credentials to authenticate to the virtual directories on the E2007 mailbox or E2003 BE server. On those servers, you can use all supported authentication types (FBA, basic, digest, and Windows Integrated). Mixing and Matching Virtual Directories In the past, we supported creating multiple OWA virtual directories within a single website (virtual server). This isn't exactly the case anymore. There can be at most one OWA 2007 virtual directory (i.e, /owa) per website (i.e., at most one /owa per website). You can continue to create as many legacy virtual directories per website as you need, with whatever names you want. There is a caveat, though: for FBA to work properly, all virtual directories that use it must be in the same website and in the same app pool. If you're not using FBA, you can put legacy virtual directories anywhere you want. The OWA 2007 virtual directory must be called "/owa". The legacy virtual directories can be called anything, as long as there is a one-to-one mapping between legacy virtual directories on a CAS and on a Mailbox/BE server. Public Folders Exchange 2007 OWA doesn't support Exchange 2007 PF yet. We're planning on adding it in a service pack, though. Until then, E2007 mailbox users who need to access to PF through OWA must have an Exchange 2003/2000 home PF server. This is because /public will automatically load the user's home PF server. If that server is running Exchange 2007, the user will get an error. Also make sure that all content is replicated on E2003/2000 PF servers so that referrals work properly. If your OWA users don't need PF access, it doesn't matter if you use E2007 or E2003/2000 PF servers. DAV requests will be redirected to the correct PF server. - Rahul Dhar
45 Comments
Not applicable
I guess I am confused here.  Right now with OWA 2007 you can't access Exchange 2003 public folders unless you use /public.  There isn't a link from the OWA 2007 interface to public folders.

Also, I had thought that there wasn't ever going to be the option of accessing Exchange 2007 public folders through OWA 2007.  You are saying that this will be available with SP1?
Not applicable
Hi Ryan,


You're right that OWA 2007 doesn't have UI for public folders, although we plan to add it back in a future release.  Until then, you need to access it directly via a URL (e.g.,

https://contoso.com/public).


Not applicable
Hi,

we have the situation in exmaple #5 (we are currently in transition), however, co-existence is difficult for users. We have to inform users that their mailbox has been moved to Exchange 2007 and they should use the /owa url instead of /exchange when accessing their mailbox from the internet. Because it performs a redirect to the exchange 2007 server based on its internal name, which can't be resolved on the internet.

Franc.
Not applicable
In addition to my previous post. We communicate the following url to our users: webmail.domain.com, our server performs a redirect to webmail.domain.com/exchange, however, during transition this will not work anymore for mailboxes migrated to exchange 2007.

Franc.
Not applicable
Rahul, thanks for the response concerning public folders but I am still confused here.  Are you stating that with SP1 for Exchange 2007 OWA 2007 users will be able to access Exchange 2007 Public Folders?  Terry Myerson stated below in a blog on this site:

E12’s client access server has some limitations in public folder support: no IMAP, NNTP, nor OWA access to E12 public folders (OWA access to E2K and E2K3 public folders will be possible for E12 mailbox users).
Not applicable
Ryan, sorry for the confusion.  I am *not* saying that there will be PF access through OWA 2007 SP1.  I am saying that we will add PF access to OWA in the future.  I don't know if that will be in Exchange 2007 SP1, the next version of Exchange, or some other release.
Not applicable
Hi Franc,

I believe you can make the redirection work this way, assuming webmail.domain.com is the Exchange 2003 front-end (FE) server.

1. replace the Exchange 2003 FE server with an Exchange 2007 CAS
2. Redirect webmail.domain.com to webmail.domain.com/exchange
3. All users log into webmail.domain.com/exchange
4. Exchange 2007 users will be automatically redirected to webmail.domain.com/owa and get OWA2007.
5. Exchange 2003 users will be *proxied* to the Exchange 2003 back-end server and get the OWA2003 UI.
Not applicable
Hi,

Maybe I am a little confused, but we will have a case that doesn't seem to be covered:
1 Exchange 2003 that does OWA and mailboxes
1 Exchange 2007 server that will handle everything (i.e. CAS, mailbox, & hub).

I would think that this would be the most common scenario.  In this situation can I just point everyone at the 2007 box (i.e. exchange2007.domain.com/exchange) and it will automatically redirect or proxy where appropriate?  

I imagine that as I migrate mailboxes from 2003 to 2007, it will handle the redirect correctly.  That is, user A lives on 2003 and when s/he logins in to exchange2007.domain.com/exchange s/he is proxied to OWA2003 UI.  After migration, AD knows where the user’s mailbox is and upon logging into exchange2007.domain.com/exchange they are redirected to exchange2007.domain.com/owa.

Thanks,
Brad
Not applicable
Hi Brad,

This is the same scenario as example #5.  Because you have both CAS and Mailbox roles on the same server, you may run into an issue where an Exchange 2003 user connecting to exchange2007.domain.com/exchange from the internet will be redirected to the Exchange 2003 server.  Unless the redirection URL that DAV uses to perform the redirect can be accessed from the internet, the user will get an error, probably related to DNS.  If the redirection fails, you may need to maintain two different URLs until the migration is complete.

An alternative is to put CAS and Mailbox on different servers, as I described in a respone to Franc's question.  This, unfortunately, requires additional hardware.
Not applicable
Hi Rahul,

the problem is, that we don't have additional hardware and a license for using a separate front end server. I personally think that MS left single server installations in the dark on this end. Activesync works fine. All users connect to the Activesync virtual directory on our Exchange 2007 and can sync their phones fine. It doesn't matter if the mailbox resides on Ex 2003 or Ex 2007. Furthermore, I don't understand why there is such a huge difference between a CAS only server and a CAS+Mailbox server which causes the problem of redirection instead of being proxied when accessing a 2003 mailbox.

Franc.
Not applicable
There is an interesting posting on the MS Exchange team blog ( http://msexchangeteam.com/archive/2007/02/07/434523.aspx
Not applicable
How to: Install Exchange 2007 Management Tools for Windows Vista Look out BlackBerry, Palm is back Moving
Not applicable
I am playing around with exchange 2007 in testing and I am seeing that whenever a client visits

Https://webmail.domain.com/exchange they are getting redirected to

Https://fqdnofserver.local/exchange, which is obiously not a valid domain on the internet. Anyone know how to tell this virtual directory to hand out a domain of my choosing so things

can work? Thanks


Qapf

Not applicable
Hi Rahul,

Will we also have to wait until SP1 to get the Rules option back into OWA? In Exchange 2003 users where able to create/change these in OWA 2003, in OWA 2007 this option is also disappeared.

Niels
Not applicable
Any word on when S/MIME support will be available for OWA2007?
Not applicable
Hi Niels and Stephen,

We plan to add Rules and S/MIME back to OWA in a future release.  I can't say exactly when, but we know customers want it.  We're doing our best to address this.  I can't guarantee it'll be in SP1 vs. the next version, though.
Not applicable
Hi Qapf,

I updated the blog post to make this point more clear.  If you're running E2003/2000 mailboxes or PF alongside an E2007 mailbox, you *must* keep E2007 CAS on a separate server from the E2007 mailbox.  DAV on the E2007 mailbox will redirect users to the E2003/2000 server using the *internal* name of the E2003/2000 server (e.g., fqdnofserver.local).  Unless that name is exposed on the internet, internet users will get an error.  Our recommendation is to keep CAS on a separate server, and expose the CAS URL to the internet.  That way, exprox and DAV will work together to make the redirection work properly.
Not applicable
Can the CAS role server sit in the DMZ or do I need to use ISA.
Not applicable
Hi Andrew,

You should NOT put CAS in the DMZ.  It's not a scenario we test, support, or recommend.  CAS isn't designed to live there.  ISA is designed to work in the DMZ.  You can put ISA there, and have it connect to the CAS in your internal network.
Not applicable
Thanks.  Rahul.  
Not applicable
We have multiple AD sites and want to use one publicly exposed CAS server for OWA access to the mailbox servers in each AD site.  I can't for the life of me figure out how to enable some sort of proxying of the "front-end" CAS server to the backend CAS+mailbox server in a remote AD site.  According to the Exchange 2007 FAQ, its possible.  Any tips?
Not applicable
I think I've got it:  On the CAS in the remote AD site, enable Integrated authentication on the authentication tab.  Works like a champ now.
Not applicable
Slowly, but surely, I am getting caught up. Here's the log from Part 6 of the 24 Part Exchange 2007 Webcast
Not applicable
Hi,

regarding example 5. We have a single CAS+Mailbox 2007 server and a backend 2003 server. Now, I understand that users are redirected in this case instead of proxied. However, when I access it using https users a redirected to a http url. How do I fix this ? With redirection I can live (I've adjusted DNS so that our internal server name is resolvable from the internet, but I don't want it to be http).

Franc.
Not applicable
Greets.  I have single box Exch 2007 setup.  Now the following items don't work:  anything that used to access Exch server via OWA, i.e. blackberry internet service (t-mobile BB's), Chattermail, Treo's etc.  I believe it's because these services all accessed mailboxes with  https:\mail.server.comexchangeusername  which doesn't seem to work now.  Is there some way to make this work on single Exch server box?  I tried IMAP, but then I need to setup SMTP (i.e. on Chattermail and Treo Versamail, choosing IMAP requires IMAP as incoming server, and SMTP for outgoing mail too-- not sure how yet to get that working on Exch 2007... open SMTP relay???)
Any help?  Thanks.
Not applicable
I found this very helpful blog after running into some of these same problems with 2003->2007 coexistance/migration.

I know negative comments do not fix problems, and no disrespect to the Exchange programmers, but I have realized 2007 is an utterly unfinished product.  And I am looking at a migration that cannot support the needs of my users within their budget.  Unfortunately we already have 2007 running (with test mailboxes only) on the brand new server in the Exchange 2000 organization.  So now the question is how to kick this thing to the trash without wrecking the current organization/AD.  I am not seeing many articles on going back to 2003 after 2007 is installed...

If I wanted coexistence problems and clients lacking features, I would have just used SendMail and saved $12,000 in licensing.

Sorry to be so mean, but I am really disappointed in Exchange 2007.

Evan
Not applicable
I am setting up Exchange 2007, having trouble with OWA with active directroy sites, have two Client access servers NLB'd in one site, and one CAS in the other site, when a user connects to OWA in the opposed site where the mailbox resides, the following message displays: There's no Microsoft Exchange Client Access server that has the necessary configuration in the Active Directory site where the mailbox is stored. Tried the authentication change posted by Ryan, what causes this?
Not applicable
We are running one multi-role E2K7 server (Hubt, CAS and Mailbox) in our organization. We have mix of Mac OS X and PC clients. The Mac OS X clients uses Entourage 2004 sp2 to connect to the E2K7 server. Our entourage clients have problem accessing the users mailbox (doesn't get listed in entourage) using webDav, public folders and GAL access works all fine. When using IMAP it also rocks but with fewer features of course. I think it has something to do with the owa redirects for the webdav connection attempts from the entourage clients. I'm right? Anyone have any idea how to correct this, we have tried differents solutions such as, http://support.microsoft.com/kb/931350/en-us, but with no success.. I'm surprised that there are so little posted information about the entourage client connectivity to e2k7 available.
Not applicable
Richard,
Entourage uses the legacy virtual directory structure under Exchange 2007, i.e. in Exchange 2003 the 4 directories used by OWA were Exchange, public, exchweb and exadmin, Entourage was coded to work with them, it does not know about the new owa Vdir in Exchange 2007, Exchange product group has put in an exception for Entourage in terms of redirection, when davex or exprox dlls see a request from Entourage for exchange and public Vdirs, they don't redirect, they let it go. If you have used Entourage with Exchange 2003, then you don't need to change anything, just change the server name and point it to your exchange 2007 server. Let's assume you are tryign to make this work for an internal user, who can ping the exchange 2007 server from his Mac using its NetBIOS name, now use the same NetBIOS name in Exchange and public folder server names fields in account settings in Entourage. On Exchange side, go to Exchange management console : server config : client access, set all 4 exchage legacy vdirs with basic and ntlm (integrated) authentication, now go to IIS > Defautl Website, make sure all those Vdirs are not requiring SSL for connection. You are all set then. If you want your users to use SSL for this connection, then you will have to work further, I recommend not using the self-signed Exchange 2007 certificate, rather a certificate from a known Root CA out there, if not possible, then install and use your own private root CA on your Windows global catalog server, you will need to make sure that its then trusted by your Mac clients. Let us know if this does not work.
Not applicable
Hi everyone.  I'm back from vacation, and I'll try to answer some of your questions.

FrancWest, I'll ask the DAV developers if this is possible.  If possible, I strongly suggest that you separate the CAS role from the MBX role.

Evan, I'm sorry you've had a rought time with Exchange 2007.  Can you detail some of the problems you're encountering?  They may be scenarios we haven't thought about, or ones that we're addressing in an SP or in E14.

Toshio, for performance reasons, OWA always tries to direct you to a CAS in the same AD site as the mailbox you are accessing.  In your case, it seems you want to use proxy instead of HTTP redirection.  proxy requires that the OWA vdir has both InternalUrl set and Windows Authentication turned on.  If both sites are exposed to the internet, redirection may be a better option.

Not applicable
Hi Rahul,

you say to separate CAS role from MBX, but we only need this feature when the roles are on the same box, since the request are then being redirected instead of proxied. Proxying works fine on separate boxes, but we don't have 2 separate boxes.

Also a question about licensing, do you need an Exchange 2007 server extra license when you use a separate server for the CAS role, or is the license based on a per mailbox basis ?

Franc.
Not applicable
Hi Amir,

Thanks for your answer. Now i understand a little more how Entourage connect and authenticate itself. We use an external certificate and have changed settings for CAS/Webvirtual directories to correspond to the new external fqdn (we have also created a zone in our internal dns to answer for this fqdn). It works fine for our Outlook clients but the Entourage can't still access the individual mailbox, and why does public folders work? Is there some things to take in consider when we use a certificate from an external CA? We are only running one multi-role E2K7 server with HubT, CAs and mailbox roles running. We do not have any edge or ISA server installed yet in our environment.

We can send you a print of a network trace where we see that the entourage client really authenticates itself and the user logs on but it will not list the contents inside Entourage 2004. We will try your suggestions, and come back to you with the results. We are very thankful if you meanwhile have any more thoughts about our problem when reading this reply. Thanks!
Kr,
Richard

Not applicable
Franc,

I checked with the licensing folks.  You'll need to get another license to create the split roles (see http://www.microsoft.com/exchange/howtobuy/default.mspx).

The DAV folks tell me that there's no way to make the redirection work through https the way you want it to.
Not applicable
Rahul,

thanks for the info. That means that I have to plan the transition asap and let the period of co-existence to be as shot as possible. Since informing each user to use /owa instead of /exchange is not quite an option. I'll do the migration at once this weekend then.

Franc.
Not applicable
Hey JoeCheez,

I am having the exact same problem as you in Exchange 2007 OWA. BlackBerry internet service 2.0 will not connect to the 2007 OWA.


It gets an error saying it cannot find

https://my.exchange.server/owa/username

I have also tried the redirect with

https://my.exchange.server/exchange/username which works with a web browser but not with the BlackBerry Internet Service (Rogers in Canada).


Any luck finding an answer?

Not applicable
We do not use ISA.   Our current configuration uses a Juniper DX Application Accelerator and the "SSLOffloaded" registry setting on our 2003 Front-end server to access our 2003 Back-end servers (as described in KB327800).

I am trying to setup something similar now that we have installed Exchange 2007 (only two of us on the 2007 server at this time until I get OWA working).  

Installed are a 2007 CAS-only server and a second server with the CAS, Mailbox, HUB, and UM roles on it.  I've been trying to configure the CAS roles to allow for "SSLOffloaded" and get OWA to work to the 2007 mailboxes.  The CAS-only server does allow access to the 2003 mailboxes.   Having made and reset settings so many times now I am now very confused.  

I would greatly appreciate it if you could provide instructions on how configure our two Exchange 2007 servers to use the SSLOffloaded feature (assuming it still works)?  
Not applicable
Hey Rahul,
I have an E2K7 Server in only MBOX role, I see these 3 VDirs: exadmin, exchange and public, rather than what you have mentioned above, so 'exchweb' is not there, rather 'exadmin' is there under IIS. Why is that?
Not applicable
Two questions:
1. I have a CAS only, MBX only configuration and one Exchange 2003 MBX server. Exchange 2003 clients connect to Outlook Web Access through the CAS successfully. But Exchange 2007 clients get an HTTP 500 error. Any suggestions?
2. Can you have CAS and MBX roles on the same server if the MBX role is only for public folders, no mailboxes?
Not applicable
Jane: The SSLOffloaded key should only affect connections to Exchange 2003 servers.  Exchange 2007 OWA should handle SSL offloading without any problems.  Is there a particular error message you're seeing?

Amir: we updated the article to get rid of "exchweb" on MBX-only servers.  Thanks for pointing it out.  It was a mistake on my part.  I deliberately left out exadmin because it doesn't affect OWA (it's for DAV), but I accidentally put in an extra exchweb.

David:
1. It's hard to say based on your description of the problem :)  My suggestion would be to call PSS (Microsoft's tech support). They can walk you through troubleshooting it.  One thing you might want to checj is whether /owa is configured for ASP.NET 2.0.  Look at the ASP.NET tab for /owa in the IIS GUI manager.
2. Yes, I think this should be possible.  Just make sure that there is a MBX server somewhere in the AD site or else users won't be able to access OWA 2007.
Not applicable
The scenario of having only one Ex2003 server, and replacing it with just one ex2007 server must be very common. I guess most customers would like to run ex2007 as frontend for the 2003 server in a pilot etc., and then move groups of mailboxes to the ex2007 server, and maybe later, when ex2007 is finished (SPx?), phase out the ex2003 server ..
http://support.microsoft.com/kb/932438/en-us

Will you fix these issues in sp1 ?
Not applicable
When accessing OWA from the internet, what proxies the request from the DMZ to the CAS that is on the internal network?  
In Exchange 2003, the FE Server proxied the request to the BE Server.
Not applicable
Not applicable
About two weeks ago we migrated our mail from an external Exchange hosting company named MailStreet to
Not applicable
Not applicable
Apologies if this has already been raised or I do not completely understand the coexistence between 2003 and 2007.
The environment that I administer currently comprises of;

Multiple Exchange 2007 CAS-only servers
Multiple Exchange 2007 Mailbox-only servers
Multiple Exchange 2003 FE Servers
Multiple Exchange 2003 BE servers

If one of my Exchange 07 users opens his mailbox via OWA and then attempts to “Open Other Mailbox” and types the name of a 03 mailbox they are returned the error in example #2;

Obviously if the 07 user enters the correct URL with /exchange into his browser this will work, however I don’t really want to communicate this to 100,000+ users.
Version history
Last update:
‎Jul 01 2019 03:24 PM
Updated by: