Introducing Exchange 2013 into an Exchange 2007 environment can be a challenging task. One of the most overlooked and least documented topics I see is the proper configuration of URLs for proxy and redirection.
A good article to start with is "Exchange 2013 interoperability with legacy Exchange Versions" by Michael Van Horenbeeck. It points out when Exchange 2013 will proxy connections to 2007 and when it will redirect them.
- Exchange 2007 SP3 RU10
- Exchange 2013 RU3
In this scenario we have a very simple setup. A single Exchange 2007 server and a single Exchange 2013 server. Both servers are installed in the same Active Directory Site.
Prior to Exchange 2013 being introduced, our 2007 URLs were configured as follows:
| Virtual Directory | Current 2007 Values (Prior to Exchange 2013) |
|---|---|
| OWA | internalURL: https://webmail.domain.com/owa; externalURL: https://webmail.domain.com/owa |
| Outlook Anywhere | externalHostName: webmail.domain.com; IISAuthenticationMethods: Basic |
| Exchange Web Services | internalURL: https://webmail.domain.com/EWS/Exchange.asmx; externalURL: https://webmail.domain.com/EWS/Exchange.asmx |
…and DNS was configured as follows:
|A Record||IP Address|
The default internalURL and AutoDiscoverServiceInternalURI values are derived from the server FQDN, but as you can see these have been changed. Your configuration may be different depending on how it was set up.
Likewise, when Exchange 2013 is introduced into the environment, the default values are derived from the server FQDN.
For Coexistence and interoperability between Exchange 2013 and 2007, these values all need to be changed. The first step in the migration process is to update these values so that all users connect to OWA, EAS, and OA via Exchange 2013. Again, I won’t go into the details of why, but essentially Exchange 2013 can proxy and redirect back to 2007, but 2007 cannot proxy forward to Exchange 2013.
“Now, Rabbit, a good cop does what… before using his equipment in the field? – Uh, they test it? – They test it. Exactly. How are you shootin’ today, Thorn? – Dead on all morning. – How about that little fella? Oh, that little guy? I wouldn’t worry about that little guy.”
Yes, I personally like to test everything prior to making any change to the existing 2007 environment. So I usually set up some dummy URLs on the 2013 side and test all the connections (OWA, EAS, OA). This way I know all proxying and redirecting is working prior to making any user-impacting changes. This also usually takes some hosts file manipulation to fully test.
After all testing is complete…it’s time to update the Exchange 2013/2007 URLs. The configurations that we will make should look something like this:
…and DNS will look like this:
|A Record||IP Address|
Now, let’s look at some of the configuration.
NOTE: It should go without saying, but the certificate on the Exchange 2007 server should have been replaced by this time with a certificate that contains legacy.domain.com.
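One way to confirm the certificate note above before any DNS change, as an added example that is not part of the original post: dial the server by address, request the name clients will use, and check that the presented certificate's subject alternative names cover it. The function names and the address 192.0.2.10 are placeholders, and the "DNS Name=" parsing assumes an English-language Windows host.

```powershell
# Added example, not from the original post. Needs only .NET; run from any Windows host.
function Get-TlsDnsNames {
    param(
        [Parameter(Mandatory=$true)] [string] $ConnectTo,  # IP/FQDN to dial, independent of DNS
        [Parameter(Mandatory=$true)] [string] $HostName,   # name the client will request
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    try {
        # Accept any certificate: the goal here is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # On English-language Windows, Format($true) prints one "DNS Name=host" per line.
            $san.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
            }
        }
    }
    finally { $tcp.Close() }
}

function Test-NameCovered {
    param([string] $Target, [string[]] $DnsNames)
    $t = $Target.ToLower()
    foreach ($entry in $DnsNames) {
        if ($entry -eq $t) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($entry.StartsWith('*.') -and $t.IndexOf('.') -gt 0 -and
            $t.Substring($t.IndexOf('.')) -eq $entry.Substring(1)) { return $true }
    }
    return $false
}

# 192.0.2.10 is a placeholder for the Exchange 2007 server's address.
$names = @(Get-TlsDnsNames -ConnectTo '192.0.2.10' -HostName 'legacy.domain.com')
"legacy.domain.com covered: $(Test-NameCovered 'legacy.domain.com' $names)"
```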
OWA – (Redirect) Should be pretty straightforward. When a user whose mailbox still resides on 2007 accesses OWA via the 2013 CAS, they will be redirected back to 2007 via the externalURL value: https://legacy.domain.com/owa
ActiveSync – (Proxy) I prefer to force ActiveSync to proxy from 2013 to 2007 as some ActiveSync devices don’t handle the redirect correctly. In order to force a proxy scenario, the externalURL value for 2007 is set to $null. The internalURL on 2007 should be configured with https://legacy.domain.com/Microsoft-Server-ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "Ex2013\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://webmail.domain.com/Microsoft-Server-ActiveSync -ExternalURL https://webmail.domain.com/Microsoft-Server-ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "Ex2007\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://legacy.domain.com/Microsoft-Server-ActiveSync -ExternalURL $null
Outlook Anywhere – (Proxy) All OA connections, for both 2007 mailboxes and 2013 mailboxes, will now connect via the 2013 CAS. 2013 will proxy connections back to 2007 for legacy mailboxes. The externalHostName for both 2013 and 2007 should be the same (webmail.domain.com). Exchange 2007 does not support “Negotiate” authentication (See image below). Therefore the ExternalClientAuthenticationMethod on 2013 should be configured to match whatever is configured for 2007, either Basic or NTLM. For OA to proxy from 2013 to 2007, the IISAuthenticationMethods on 2007 must be reconfigured to support both Basic and NTLM. By default, Exchange 2007 IISAuthenticationMethods is set to just Basic. NTLM must be added for the proxy to work.
Set-OutlookAnywhere -Identity "Ex2013\Rpc (Default Web Site)" -InternalHostname webmail.domain.com -ExternalHostName webmail.domain.com -ExternalClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,NTLM
Set-OutlookAnywhere -Identity "Ex2007\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM
Exchange Web Services – (AutoDiscover) Autodiscover is used to retrieve the EWS configuration for the 2007 users.
AutoDiscover – Both the 2007 and 2013 SCP locator can be configured to point to the Autodiscover URL https://autodiscover.domain.com/Autodiscover/Autodiscover.xml. DNS must be updated, however, so that the A record for Autodiscover.domain.com resolves to the 2013 CAS.
Set-ClientAccessServer -Identity Ex2013 -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
ECP – Exchange 2007 did not have an ECP virtual directory. Therefore, only the 2013 ECP virtual directory needs to be configured.
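To confirm the settings described above after the change, the following added example (not code from the original post) reads the values back and compares them with the ones this page sets. Test-Setting and Test-CoexistenceUrls are hypothetical helper names; the sketch assumes one virtual directory of each type per server and that each call runs in the management shell matching that server's version.

```powershell
# Added example: read-only audit of the values configured on this page.
function Test-Setting {
    param([string] $Server, [string] $Setting, $Actual, [string] $Expected)
    $actualText = "$Actual"            # $null and empty both become ''
    New-Object PSObject -Property @{
        Server = $Server; Setting = $Setting; Expected = $Expected; Actual = $actualText
        Ok = ($actualText.TrimEnd('/') -eq $Expected.TrimEnd('/'))
    }
}

function Test-CoexistenceUrls {
    param([string] $Server, [ValidateSet('2007', '2013')] [string] $Version)
    $web = 'https://webmail.domain.com'; $legacy = 'https://legacy.domain.com'
    $eas = Get-ActiveSyncVirtualDirectory -Server $Server
    $oa  = Get-OutlookAnywhere -Server $Server
    $iis = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })

    if ($Version -eq '2007') {
        # 2007 also hosts legacy OWA directories (Exchange, Public, ...); check only /owa.
        $owa = Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' }
        Test-Setting $Server 'OWA ExternalUrl (redirect target)' $owa.ExternalUrl "$legacy/owa"
        Test-Setting $Server 'EAS InternalUrl' $eas.InternalUrl "$legacy/Microsoft-Server-ActiveSync"
        Test-Setting $Server 'EAS ExternalUrl (empty forces proxy)' $eas.ExternalUrl ''
    }
    else {
        Test-Setting $Server 'EAS InternalUrl' $eas.InternalUrl "$web/Microsoft-Server-ActiveSync"
        Test-Setting $Server 'EAS ExternalUrl' $eas.ExternalUrl "$web/Microsoft-Server-ActiveSync"
        Test-Setting $Server 'OA InternalHostname' $oa.InternalHostname 'webmail.domain.com'
        # The page's command uses Basic; it must match what 2007 is configured for.
        Test-Setting $Server 'OA ExternalClientAuthenticationMethod' $oa.ExternalClientAuthenticationMethod 'Basic'
        $cas = Get-ClientAccessServer -Identity $Server
        Test-Setting $Server 'Autodiscover SCP' $cas.AutoDiscoverServiceInternalUri `
            'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'
    }

    Test-Setting $Server 'OA ExternalHostname' $oa.ExternalHostname 'webmail.domain.com'
    foreach ($method in 'Basic', 'Ntlm') {
        # Both methods must be present on both servers for the 2013-to-2007 proxy to work.
        Test-Setting $Server "OA IISAuthenticationMethods has $method" ($iis -contains $method) 'True'
    }
}

# Ex2013 and Ex2007 are the server names used in the commands on this page.
Test-CoexistenceUrls -Server 'Ex2013' -Version '2013' |
    Format-Table Server, Setting, Expected, Actual, Ok -AutoSize
```

Run the same call with `-Server 'Ex2007' -Version '2007'` from the Exchange 2007 shell; any row with Ok = False points at a value that still differs from the configuration described here.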