I currently have Exchange 2007 installed for a small org of 30 users.

We don't use any external Exchange services.

We are going to upgrade to Exchange 2013 - again, we won't use any external Exchange services.

In 2007 we use the default Exchange cert which uses the internal server name in the cert maile2k7.test.com

If I install Exchange 2013 I know the default URLs will point to the new server name maile2k13.test.com - this is ok.

Again, I will use the default Exchange cert that is installed with 2013 - this is ok.

My concern is that clients will automatically try and connect to the newer 2013 CAS before they are migrated...is this correct? If so...see my concerns below:

1. 2013 CAS will redirect requests to 2007 automatically - true?
2. Will users get an Outlook certificate popup as soon as Exchange 2013 is installed (as they will directed to new CAS?)   

a.) Can I fix this by pointing all Exchange 2013 URLs (autodiscover SCP, EWS etc.) to Exchange 2007 in the meantime?

b.) Can I fix this by just installing the Exchange 2013 certificate on all clients in advance.

c.) I will also have to add the new CAS server into proxy exceptions.

Note: I am not considering a 3rd party SSL (I know it is cheap!) - so no need to suggest it nor legacy namespace etc.

Any other considerations to think about?

• Edited by VinRay70 14 hours 8 minutes ago

Hello

if only 30 user I make migration one friday night, after full backup
if:

1; all client support exchange 2013
2; if not have special application
after finished mailbox:
check certificate and DNS
1; test all client version to connect
2 test special application if have
if all test OK then move PF,and  remove old exchange

Hi, yes that approach would eliminate my worries but unfortunately it isn't feasible.

I will be moving the users over a period of 10 days so 2007 and 2013 will be in coexistence mode until then.

1.  2013 CAS will redirect requests to 2007 automatically - true?

Answer - Yes - client connections to mailboxes still located on your 2007 server.

2.Will users get an Outlook certificate popup as soon as Exchange 2013 is installed (as they will directed to new CAS?)

Answer - Most likely.

a.) Can I fix this by pointing all Exchange 2013 URLs (autodiscover SCP, EWS etc.) to Exchange 2007 in the meantime?

Answer - I wouldn't recommend it.

b.) Can I fix this by just installing the Exchange 2013 certificate on all clients in advance.

Answer - Yes, you can export the cert out of Exchange and then add it to the personal cert stores on the clients.  You can accomplish this manually or by pushing it out via Group Policy.

Thanks.

1. So an Outlook client connecting to a mailbox still located on Exchange 2007 will now only hit the Exchange 2013 CAS (which will redirect the request directly to the Exchange 2007 MBX, or via the Exchange 2007 CAS?) i.e. do I need both certificates on each client, or only Exchange 2013 certificate? (Exchange 2007 is there already anyway)
2. I have a proxy server with an existing bypass exception rule for Exchange 2007 FQDN ...I now must also add the Exchange 2013 FQDN also - in advance of installing Exchange 2013?
3. Is there no way of forcing clients to use the 2007 CAS until migration is complete, or will they automatically always use the newer version of CAS?

• Edited by VinRay70 12 hours 16 minutes ago

#1a. Yes, Outlook will connect to the 2013 CAS server and then be directed from there to the 2007 server.  Here's an article that can explain it better than I can: http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx

#1b. Yes, essentially you'll have 2 certs for both of the Exchange servers; you can always go back after the 2007 server has been retired and remove the old cert.  You mentioned about possibly getting a 3rd party cert; if you purchased a wildcard cert, you could cover both servers with that and only have to import 1 cert.  When the 2007 server is retired, you won't have to do anything because the wildcard cert will still be in use for the 2013 server.

#2. Yes.