Exchange 2007/2013 Co-Existence legacy question

Hi,

We are currently running Exchange 2007 and have recently installed Exchange 2013. Up until this point we have had no Exchange services published externally via ISA/TMG.

The 2013 server is now installed and we have pointed our internal autodiscover.contoso.com record to the 2013 CAS; so far so good. We have also created a legacy.contoso.com internal A record to point to the Exchange 2007 CAS.

Our ultimate goal will be to enable Exchange hybrid /365 and with that in mind we have bought a public certificate with mail.contoso.com and legacy.contoso.com as SAN.

I've also Set-WebServicesVirtualDirectory internal and external urls to legacy.contoso.com

My question now is what to do with the new cert that we've installed on the 2013 CAS. Does this also need installing on the 2007 CAS for legacy to work? If so, do I just Import-ExchangeCertificate on the 2007 CAS, and if so, to what services?

Thanks

July 7th, 2013 12:42pm

For users with mailboxes still on Exchange 2007, yes, you will need them to access Exchange 2007 CAS, so you need to import the SAN certificate to CAS2007 also. It is enough to assign it to the IIS service on CAS 2007. Also, if you are publishing Exchange 2013 via TMG, make sure that you read this article: http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx, as there are some manual steps to be performed for TMG to support Exchange 2013 publishing.

July 7th, 2013 4:21pm

Hi,

We are currently running Exchange 2007 and have recently installed Exchange 2013. Up until this point we have had no Exchange services published externally via ISA/TMG.

The 2013 server is now installed and we have pointed our internal autodiscover.contoso.com record to the 2013 CAS; so far so good. We have also created a legacy.contoso.com internal A record to point to the Exchange 2007 CAS. I have created users on 2013 and mail flow between the two is fine.

Our ultimate goal will be to enable Exchange hybrid / 365 and with that in mind we have bought a public certificate with mail.contoso.com and legacy.contoso.com as SAN.

I've Set-WebServicesVirtualDirectory internal and external urls on the 2007 CAS servers to legacy.contoso.com

My question now is what to do with the new cert that we've installed on the 2013 CAS. Does this also need installing on the 2007 CAS for legacy to work? If so, do I just Import-ExchangeCertificate on the 2007 CAS, and if so, for what services?

Thanks


July 7th, 2013 7:31pm

Many thanks Damir,

So once I've exported the new cert on the 2013 CAS, I can run the following on the 2007 CAS?

Import-ExchangeCertificate -Path c:\certificates\2013_san_cert.pfx

Enable-ExchangeCertificate -Thumbprint {thumbprint} -Services "IIS"

I currently have a certificate issued by my internal CA assigned to IIS on the 2007 CAS. I assume the change to the new cert won't affect end users in any way?

In regard to a 365 hybrid setup, am I right in thinking that free/busy between on-prem 2007/2013 and 365 users won't work until we have published legacy externally through TMG?



July 8th, 2013 4:22am

Yes, you're right, users will not be affected by the certificate change, as long as they trust the new certificate issuer. And yes, you should publish both of your namespaces; however, it's always good to try step by step.
July 8th, 2013 4:37am

Thanks Damir,

Is it a requirement to publish legacy.contoso.com externally on a different IP and rule set to autodiscover.contoso.com?

July 8th, 2013 4:49am

Hi,

You can import the certificate and assign it to any service (POP, IMAP, SMTP, IIS) which you want to encrypt, whether on the new server or the legacy one.

July 8th, 2013 8:52am

Sorry Wendy,

Can you close this thread please? I seem to have two open; the main one is here:

http://social.technet.microsoft.com/Forums/exchange/en-US/4a207895-1a31-410f-8b35-f6e375d64ac6/exchange-20072013-coexistence-legacy-question

July 8th, 2013 9:23am

Thanks Damir,

I have imported the certificate on 2007 CAS. I enabled it for IIS and then

Set-WebServicesVirtualDirectory -Identity "Contoso\EWS (Default Web Site)" -InternalUrl https://legacy.contoso.com/EWS/exchange.asmx

but following a reset of IIS, clients on Outlook 2007 onwards were receiving

The name on the security certificate is invalid or does not match the name of the site

the error referencing the NetBIOS name of the 2007 CAS. Obviously the NetBIOS name isn't a part of the certificate.

Should I also be changing the SCP on both Exchange 2007 CAS servers so that they are legacy.contoso.com, or the new mail.contoso.com that we are using for Autodiscover on the 2013 CAS and internal DNS? At the moment both SCPs for the 2007 CAS reference the computer name of the 2007 CAS.

This KB seems to suggest that's the case: http://support.microsoft.com/kb/940726






July 8th, 2013 11:47am
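
The certificate name warning described above appears when a URL that Autodiscover hands to Outlook uses a host name that is not on the certificate bound to IIS. As an added example (not posted by anyone in this thread), the following Exchange Management Shell check lists the Autodiscover SCP and the EWS, OAB and UM virtual directory URLs on the 2007 CAS and flags any whose host name is missing from the IIS certificate; `Test-NameOnCert` is a helper defined only for this example.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 CAS.
$server = $env:COMPUTERNAME

# Names on the certificate(s) currently enabled for IIS on this server.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() })

# Helper defined for this example: is $hostName an exact certificate name,
# or covered by a wildcard entry one label deep (*.contoso.com)?
function Test-NameOnCert([string]$hostName) {
    $h = $hostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".contoso.com"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Every URL this CAS publishes to Outlook: the Autodiscover SCP plus the
# EWS, OAB and UM virtual directory URLs.
$urls = @((Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri)
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-UMVirtualDirectory -Server $server)
foreach ($v in $vdirs) { $urls += $v.InternalUrl; $urls += $v.ExternalUrl }

# One row per URL; OnCert = False marks a host name that will raise the warning.
$urls | Where-Object { $_ } |
    Select-Object @{ Name = 'Url';    Expression = { $_.AbsoluteUri } },
                  @{ Name = 'Host';   Expression = { $_.Host } },
                  @{ Name = 'OnCert'; Expression = { Test-NameOnCert $_.Host } } |
    Sort-Object OnCert, Url | Format-Table -AutoSize
```

Any row with OnCert set to False, such as an SCP that still points at the server's computer name, identifies a URL to change or a name to add to the certificate.
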

Hi

OK, I'll merge this one into the main one.

July 8th, 2013 11:31pm

This topic is archived. No further replies will be accepted.
