Legacy Host Names Continued
Similar to a lot of posts I have read, I am moving from Exchange 2007 to Exchange 2010. Simple single server network with ~100 mailboxes. Unlike most, our mail.domain.com entry points to an external SPAM server that filters and then sends mail to a designated IP address. That IP address is configured on the external firewall to only receive from the external SPAM filtering company and then to forward to our internal firewall. The internal firewall routes mail to our Exchange 2007 server. Our OWA clients connect using the external IP address and are routed to the internal Exchange server. The certificate was issued using the IP address as the friendly name and all is well. From everything I have read, much of that will end. We have also started migrating to Office 2010 w/Outlook 2010 and are getting errors about the certificate being bad because it lists the IP address of the external firewall as the friendly name, not the FQDN of the mail server. The migration to Exchange 2010 should not take long but I am sure we will be in coexistence for a few weeks. What is the best way to handle the migration? Finally, I still have an old routing group left over from the Exchange 2003 migration that my notes indicated I wasn't supposed to remove - what happens to it? Thx in advance
eburch@lasertel.com
August 24th, 2012 6:20pm
Do you have more than one external IP address?
If not, then you are not going to be able to have a coexistence period for both versions of Exchange. It will be one or the other.
The fact that your MX record points elsewhere is of no consequence. Decide on a host name for remote access (owa.example.com) and get a commercial certificate with that name and autodiscover.example.com listed on it and then deploy that on to the Exchange 2010 server.
SSL certificates should not be issued to IP addresses, so you will have to change that. Self signed certificates are not supported for use with Outlook Anywhere or ActiveSync.
If you have multiple external IP addresses then you can have a coexistence period, using owa.example.com for remote access and legacy.example.com for the Exchange 2007 server.
Simon. Simon Butler, Exchange MVP
Blog |
Exchange Resources | In the UK?
Hire Me.
August 24th, 2012 7:03pm
When you say "self-signed" do you mean signed by the server? We have an internal certificate infrastructure that has a standalone root and an enterprise subordinate that issues certs for the domain. Users that connect with non-domain computers get an error about trusts but our machines have no issue. Will that work or is a commercial certificate required? I have plenty, ~10 or so, external IP addresses available.
Thx
Eric
eburch@lasertel.com
August 24th, 2012 7:23pm
Self signed being the one Exchange generates during install.
If you control all of the machines that are using Exchange for all services, so OWA as well, then you can use an internal CA. If you allow users to connect to OWA with any machine (from a home PC for example) then you should use a commercial certificate.
Telling users to ignore SSL warnings is not really good security practice, as users will only remember you said to ignore warnings, not that it was only on your site.
As you have multiple addresses, set up autodiscover and your preferred public name to the Exchange 2010 server, legacy to the Exchange 2007 server. Deploy certificates to cover those names and configure the legacy URL on Exchange 2010 as per the coexistence documentation on Technet. Tell all users to use the Exchange 2010 URL and Exchange will sort the rest out.
You can do it with a single UC certificate, just include the multiple names on the certificate request then export it and import it into Exchange 2007.
Simon. Simon Butler, Exchange MVP
August 24th, 2012 7:36pm
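The single UC certificate and legacy-name plan Simon describes, as an added Exchange Management Shell example (not Simon's own commands). The domain example.com, the C:\certs paths, the organisation name and the server name EX2007 are placeholders; Exchange 2007 and Exchange 2010 take slightly different parameters for Import-ExchangeCertificate, which is why step 4 uses -Path.

```powershell
# Added example, not Simon's own commands: one UC (SAN) certificate covering the
# Exchange 2010 public name, autodiscover and the Exchange 2007 legacy name.
# Placeholders: example.com, the C:\certs paths, and the server name EX2007.

# 1. On the Exchange 2010 CAS: generate a CSR that lists every name clients use.
$names = "owa.example.com", "autodiscover.example.com", "legacy.example.com"
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=owa.example.com, O=Example Ltd, C=GB" `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path "C:\certs\owa.req" -Value $csr

# 2. Submit owa.req to the commercial CA, save the issued certificate as owa.cer,
#    then complete the request and bind the certificate to IIS (OWA, EWS,
#    Autodiscover, Outlook Anywhere, ActiveSync) and SMTP.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\owa.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Export it with the private key as a password-protected PFX for Exchange 2007.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\owa.pfx" -Value $pfx.FileData -Encoding Byte

# 4. On the Exchange 2007 server (its Import-ExchangeCertificate takes -Path): import,
#    enable for IIS, and publish the legacy OWA URL that Exchange 2010 redirects to.
Import-ExchangeCertificate -Path "C:\certs\owa.pfx" -Password $pfxPassword | Enable-ExchangeCertificate -Services IIS
Set-OwaVirtualDirectory -Identity "EX2007\owa (Default Web Site)" -ExternalUrl "https://legacy.example.com/owa"

# 5. Verify on each server that all three names are on the certificate IIS is using.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object Thumbprint, NotAfter, CertificateDomains
```

Keep the PFX file off shared storage once both servers have imported it; the private key inside it is what a non-domain machine trusts when it opens OWA.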
Sounds like a plan. Do you know if that is the same certificate that Outlook 2010 is complaining about? Seems like they shouldn't be as one is internal and the other external.
Thx
Eric
eburch@lasertel.com
August 24th, 2012 7:55pm
You would have to look at the certificate.
Exchange 2010 is built on web services, and things like autodiscover internally use web services. If you have two servers you might have two URLs being published causing confusion.
Simon. Simon Butler, Exchange MVP
August 24th, 2012 7:59pm
So if it is all based on web services then the actual host name of the system isn't critical because a CNAME can point to the server and I can configure clients to connect using the CNAME? External DNS needs to match internal DNS? I.e. webmail.domain.com and autodiscover.domain.com point to the internal IP address on the internal DNS server and to the external IP address on the external DNS server? What confuses me is that on Exchange 2007 there is only 1 certificate for web services but only OWA uses it, Outlook 2003 uses MAPI. That appears to have changed with Outlook 2010 and Exchange 2010.
Thx
Eric
eburch@lasertel.com
August 28th, 2012 11:20am
It changed with Outlook 2007 and Exchange 2007. If you were only using Outlook 2003 then the SSL certificate wasn't so critical, but nothing has changed since those two earlier versions.
Internally you can use a CNAME or an A record. Personally I would use an A record that has the IP address of the CAS server in it. Just ensure the internal DNS resolves correctly.
Simon. Simon Butler, Exchange MVP
August 28th, 2012 12:51pm
I guess I am confused on what certificate is being used. In 2003 Outlook didn't care about the SSL certificate. Now it appears to matter. The name and certificate used in Outlook and OWA need to be the same(?) and I am not too excited about using a real internal server's host name on the Internet. Additionally, we will be using the same server for Exchange and SQL due to our mail archiving solution so we wanted a more generic name for the server.
Thx
Eric
eburch@lasertel.com
August 28th, 2012 1:01pm
Web Services are used for a lot of Exchange functionality, but not exclusively.
The name on the certificate does not have to match the name of the Exchange server, and Outlook Anywhere actually depends on the name of the Exchange server not resolving on the internet for it to work correctly.
For the server name, the best practice is to configure an RPC CAS Array. This would be a host name that resolves exclusively internally. You do need to have hosts that resolve to the internal IP address of the Exchange server internally, as well as externally, but that is easily achieved.
Simon. Simon Butler, Exchange MVP
August 28th, 2012 1:10pm
Internal resolution for a RPC CAS array is like a round-robin DNS entry? Is the CAS server InternalURL entry the CAS array DNS entry? I read through some technet articles and they indicate that the InternalURL for the CAS server is the actual FQDN of the physical CAS server. When Outlook is configured would you list the CAS array as the mailbox server? Can you have a RPC CAS array with only one member?
eburch@lasertel.com
September 7th, 2012 5:35pm
The RPC CAS array is just a DNS entry and points to either one of your CAS role holders, or a hardware network load balancer. You can have a CAS array with a single machine and I encourage everyone to have an RPC CAS array no matter the size of their environment because it does make things a lot easier to manage, particularly when it comes to migrating off that Exchange server in the future.
You could use round robin DNS if you want, but that does not give you load balancing or any kind of redundancy because it is not service aware.
The internalURL on autodiscover is set by default to be the server's real name, but can be easily changed. The CAS array though is ONLY used for MAPI traffic, nothing to do with SSL certificates; if you wanted a single URL internally then you would have a different URL.
Simon. Simon Butler, Exchange MVP
September 10th, 2012 4:52am
Do I set a different InternalURL during install or afterwards? I referenced round robin mainly as setup similar not functionally similar, but from reading the CAS Array technet it sounds like the CAS array gets a unique IP address whereas in round robin the entries would have the same host name but multiple IP addresses. Do you set up the CAS Array before install or do you need the Exchange 2010 server to run the command?
Thx
Eric
eburch@lasertel.com
September 10th, 2012 11:05am
I am not really sure what you are reading.
You cannot make changes to the configuration until the Exchange installation is complete. You have to allow the default configuration to take effect.
I am not aware of anything on Technet that says about the CAS Array having a different IP address. An RPC CAS Array is just a DNS entry, nothing more. Where it points is up to you - as long as it ends at a CAS role holder, either directly or via a load balancer.
I have never used round robin DNS for the RPC CAS array as it has no concept of service availability or load. Close to useless in my opinion.
Simon. Simon Butler, Exchange MVP
September 10th, 2012 12:08pm
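The RPC CAS array and InternalUrl changes Simon describes in his last two replies, as an added example run after Exchange 2010 setup has completed (not Simon's own commands). The domain example.com, the AD site name, the DNS server DC1, the server name EX2010 and the address 10.0.0.10 are placeholders.

```powershell
# Added example, not Simon's own commands: create an RPC CAS array (internal-only
# name for MAPI) and separately point the web-service URLs at the public name.
# Placeholders: example.com, AD site "Default-First-Site-Name", DNS server DC1,
# Exchange 2010 server EX2010 at 10.0.0.10. Run after Exchange 2010 setup has completed.

# 1. The array is just a DNS entry. Add an A record in INTERNAL DNS only; as Simon
#    notes, the MAPI name must not resolve on the internet for Outlook Anywhere.
dnscmd DC1 /RecordAdd example.com outlook A 10.0.0.10

# 2. Register the array in the AD site and bind every mailbox database to it, so
#    Outlook profiles use outlook.example.com rather than the server's real FQDN.
New-ClientAccessArray -Name "outlook.example.com" -Fqdn "outlook.example.com" -Site "Default-First-Site-Name"
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer "outlook.example.com"

# 3. The CAS array carries only MAPI. Web services (Autodiscover, EWS, OWA, ECP, OAB,
#    ActiveSync) get the certificate name, internally and externally, replacing the
#    default InternalUrl values that Setup built from the server FQDN.
$server = "EX2010"
$url    = "https://owa.example.com"
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "$url/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" -InternalUrl "$url/owa" -ExternalUrl "$url/owa"
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" -InternalUrl "$url/ecp" -ExternalUrl "$url/ecp"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$url/Microsoft-Server-ActiveSync" -ExternalUrl "$url/Microsoft-Server-ActiveSync"

# 4. Check the result: one array, every database bound to it, URLs on the public name.
Get-ClientAccessArray | Format-List Name, Fqdn, Site, Members
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
Get-WebServicesVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
```

Internal DNS must also resolve owa.example.com and autodiscover.example.com to the CAS's internal address, otherwise domain-joined Outlook 2010 clients will still be handed URLs the certificate does not cover.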
What I was asking was whether the New-ClientAccessArray command is only available in the utility once Exchange 2010 is installed. From what I was reading I thought the InternalURL defaults to the system host name; wasn't sure if I can change it during install or have to wait until after install.
Thx for the answer
Eric
eburch@lasertel.com
September 10th, 2012 1:59pm