Designing Client Access During Coexistence with Exchange Server 2007

The Client Access server role in Exchange Server 2010 has changed significantly from the Client Access server in Exchange Server 2007. The most important change is that all client connectivity—including Outlook MAPI connectivity—now goes through the Client Access server role.

Client Access During Coexistence

To implement coexistence, you must configure all clients to connect to the Exchange Server 2010 Client Access server. If you have been using an external URL—such as https://mail.domain.com—to connect to an Exchange Server 2007 Client Access server, you should modify the DNS or firewall configuration to forward connections to the Exchange Server 2010 Client Access server’s URL.

When an Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange 2007 Mailbox server, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to the external URL that you configure on the Exchange Server 2007 Client Access server. For example, if the client connects to the Exchange Server 2010 Client Access server using the URL https://mail.domain.com, the Autodiscover service redirects it to https://legacy.domain.com. The client then communicates with the Exchange 2007 Client Access server to access the user mailbox.

When an Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange Server 2010 Mailbox server, the Client Access server communicates with the Mailbox server to provide access to the user mailbox.

When an Exchange ActiveSync client connects to the Client Access server and the user mailbox is located on an Exchange 2007 Mailbox server, the process will depend on whether the mobile device supports Autodiscover.

If the device does not support Autodiscover, the Exchange Server 2010 Client Access server proxies the client request to the Exchange Server 2007 Client Access server using HTTPS. Then the Exchange Server 2007 Client Access server connects to the Exchange Server 2007 Mailbox server and provides access to the user mailbox.

If the mobile client does support Autodiscover, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to use the external URL configured on the Exchange Server 2007 Client Access server.

When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the Client Access server connects to the Mailbox server using RPC and provides access to the user mailbox.

When an Outlook Anywhere client connects to the Client Access server and the user mailbox is located on an Exchange Server 2007 Mailbox server, the RPC proxy service on the Client Access server connects to the Mailbox server using RPC.

When an Outlook Anywhere client connects to the Client Access server and the user mailbox is located on an Exchange 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the Mailbox server using RPC.

If the user mailbox is on an Exchange Server 2007 Mailbox server in a different Active Directory site, the Exchange Server 2010 Client Access server always proxies the client requests. For Outlook Web App and Exchange ActiveSync clients, the Client Access server proxies the requests using HTTP to an Exchange Server 2007 Client Access server. For Outlook Anywhere clients, the Client Access server proxies the request using RPC to an Exchange Server 2007 Mailbox server.

When a MAPI client connects to the user mailbox and the user mailbox is on an Exchange Server 2007 server, the MAPI client connects directly to the Mailbox server. If the user mailbox is on an Exchange Server 2010 server, the MAPI client connects to an Exchange 2010 Client Access server.

When you move a user mailbox from an Exchange Server 2007 Mailbox server to an Exchange Server 2010 Mailbox server, the client profile is configured automatically to use the Exchange Server 2010 Client Access server for MAPI connectivity; you do not need to modify the client profile manually.

Considerations for Client Access During Coexistence

When implementing client access during coexistence, consider the following:

Whether a user sees the Outlook Web Access client of Exchange Server 2007 or Exchange Server 2010 depends on the location of the user’s mailbox. For example, if the user’s mailbox is located on an Exchange Server 2007 Mailbox server and the Client Access server is running Exchange Server 2010, the user sees the Exchange Server 2007 version of Outlook Web Access.

You cannot use an Exchange Server 2007 Client Access server to access mailboxes on an Exchange Server 2010 Mailbox server.

During coexistence, you need to ensure that users with mailboxes on both Exchange Server 2007 Mailbox servers and Exchange Server 2010 Mailbox servers can access their mailboxes. The following steps describe how to enable this:

Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange servers, you may need to acquire a new certificate. You should request a certificate that supports at least the following Subject Alternative Names.

The primary URL to use to access the Exchange 2010 Client Access server. For example, you might use a name such as mail.domain.com.

The Autodiscover server name. Normally, you would use a name such as autodiscover.domain.com.

An alternate name for the URL to use to connect to the Exchange 2007 Client Access server. For example, you might use a name such as legacy.domain.com.

The Exchange Server 2010 Client Access server requires this certificate. However, you also might install the same certificate on the Exchange 2007 Client Access server because the Exchange Server 2007 Client Access server requires a certificate with subject alternative names that include the alternate name—such as legacy.domain.com—and the Autodiscover server name.

Install and configure the Exchange Server 2010 Client Access server. You should configure the external namespace during or after setup by using the Exchange Management Console or Exchange Management Shell.

Modify the external URLs on the Exchange Server 2007 Client Access server to use the alternate name. If you are using legacy.domain.com as the alternate name, configure this as the external URL for the Outlook Web App, Offline Address Book, Unified Messaging, Web Services and Exchange ActiveSync virtual directories.

Configure external DNS and firewall/reverse proxy. Reconfigure your external DNS settings and the publishing rules for your reverse proxy infrastructure to have your legacy namespace point to your Exchange 2010 Client Access server or Client Access server array. To configure DNS, you should:

Create the legacy host record, for instance legacy.domain.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2007 Client Access server.

Create or modify the host record for Autodiscover, for instance Autodiscover.domain.com, and configure it to reference the Exchange 2010 Client Access server.

Create or modify the host record for the primary URL, for instance mail.domain.com, and configure it to reference the Exchange Server 2010 Client Access server.

Disable Outlook Anywhere on the Exchange Server 2007 Client Access server. If you use Outlook Anywhere on the Exchange Server 2007 servers, disable it on the Exchange Server 2007 Client Access servers. When you implement Outlook Anywhere on the Exchange Server 2010 Client Access server, it proxies the Outlook Anywhere client requests directly to the Exchange Server 2007 Mailbox server.
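The certificate request, the legacy external URLs and the Outlook Anywhere change from the steps above, written as Exchange Management Shell commands. This is an added example, not part of the original post; the server name EX2007CAS, the C:\Certs output path and the default "(Default Web Site)" virtual directory names are assumptions, and the domain.com host names are the page's own placeholders.

```powershell
# Added example. EX2007CAS and C:\Certs are hypothetical; adjust to your environment.

# --- Run in the Exchange 2010 Management Shell on the 2010 Client Access server ---
# One request that carries all three Subject Alternative Names listed in the steps.
$san = 'mail.domain.com', 'autodiscover.domain.com', 'legacy.domain.com'
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'cn=mail.domain.com' `
    -DomainName $san `
    -PrivateKeyExportable $true   # exportable so the same certificate can be installed on the 2007 CAS
Set-Content -Path 'C:\Certs\coexistence.req' -Value $req

# After the CA issues the certificate and it is imported, confirm the names and services.
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, NotAfter

# --- Run in the Exchange 2007 Management Shell ---
$cas2007 = 'EX2007CAS'                    # hypothetical 2007 Client Access server name
$legacy  = 'https://legacy.domain.com'    # alternate (legacy) namespace from the page

# Point every externally published 2007 virtual directory at the legacy name.
Set-OwaVirtualDirectory -Identity "$cas2007\owa (Default Web Site)" `
    -ExternalUrl "$legacy/owa"
Set-OabVirtualDirectory -Identity "$cas2007\OAB (Default Web Site)" `
    -ExternalUrl "$legacy/OAB"
Set-UMVirtualDirectory -Identity "$cas2007\UnifiedMessaging (Default Web Site)" `
    -ExternalUrl "$legacy/UnifiedMessaging/Service.asmx"
Set-WebServicesVirtualDirectory -Identity "$cas2007\EWS (Default Web Site)" `
    -ExternalUrl "$legacy/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$cas2007\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "$legacy/Microsoft-Server-ActiveSync"

# Outlook Anywhere is served by the 2010 CAS during coexistence, so turn it off here.
Disable-OutlookAnywhere -Server $cas2007

# Read back what was set; any ExternalUrl still showing the primary name was missed.
Get-OwaVirtualDirectory         -Server $cas2007 | Format-List Name, ExternalUrl
Get-OabVirtualDirectory         -Server $cas2007 | Format-List Name, ExternalUrl
Get-UMVirtualDirectory          -Server $cas2007 | Format-List Name, ExternalUrl
Get-WebServicesVirtualDirectory -Server $cas2007 | Format-List Name, ExternalUrl
Get-ActiveSyncVirtualDirectory  -Server $cas2007 | Format-List Name, ExternalUrl
Get-OutlookAnywhere             -Server $cas2007   # expect no output once disabled
```

Because the request marks the private key as exportable, treat any exported .pfx as a secret: protect it with a strong password and delete the file once it has been imported on the second server.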
