Transition to Client Access Server 2010 – Part3


So far we have covered a basic overview of the transition from Exchange Server 2003 to Exchange Server 2010 and the installation steps for deploying Exchange Server 2010 in an existing environment. This article focuses purely on transitioning the Internet-facing configuration from Exchange 2003 to the Exchange Server 2010 Client Access Server (CAS).

Now let's understand the basic access flow when we have only Exchange Server 2003:
The possible ways of accessing email are Outlook, OWA, RPC over HTTPS, ActiveSync, POP3 and IMAP4. In a typical Exchange Server 2003 deployment we had Outlook and OWA enabled. Outlook configuration is no big deal, because we just hand out the Exchange server details. OWA is accessed over port 80 with a URL such as http://servername.domain.com/exchange, or with the server's IP address in place of its name. We can't expect users to remember the Exchange server name or IP address, so we set up a friendly URL, say http://mail.domain.com/exchange: we configure the URL path in IIS to resolve to OWA, and in DNS we add a host entry for mail.domain.com that resolves to the Exchange server's IP address. To make it even more user friendly, so that users only need to type mail.domain.com instead of http://mail.domain.com/exchange, we add a redirecting HTML page in IIS. And as far as access security is concerned, we import an SSL certificate so that mail is accessed over HTTPS.
Accessing OWA in Exchange 2003 is therefore pretty straightforward. Now let's assume you are going to bring Exchange Server 2010 into the existing organization. As you all know, we need to configure Exchange Server 2010 on the Internet-facing side first, and only after that the internal side.
The challenging part here is that Exchange Server 2010 has its own certificate. The Client Access Server role will redirect OWA access for legacy mailboxes, which is fine, but we are bringing in a new server that has a different identity from the Exchange Server 2003 box. I could configure Exchange Server 2010 with a new certificate and a new friendly URL; the reason I would need a new friendly URL is that the existing one is already used by Exchange Server 2003. However, I can't expect our existing users to remember a new URL. I need a solution where the CAS server uses the existing friendly URL name and still has the option to redirect OWA requests for legacy mailboxes to my legacy Exchange server.

In order to resolve the above challenge, and also to support the new Exchange organization features, we need to acquire SAN (Subject Alternative Name) certificates covering the following 3 names:
1) mail.domain.com – This is your existing webmail URL, which needs to be created on the new certificate.
2) autodiscover.domain.com – You know the Autodiscover service feature; since Exchange Server 2010 comes with an SSL certificate recommendation, we need the SSL certificate to cover this name too.
3) legacy.domain.com – This name is fed to the Exchange Server 2010 box so that it understands that when anybody accesses mail.domain.com and the user's mailbox is on the legacy mailbox server, it should redirect them to legacy.domain.com.

To make this clearer: legacy.domain.com is a sort of placeholder. Say you have Exchange Server 2003 with an SSL certificate for mail.domain.com. What we do is create another certificate, legacy.domain.com, which replaces the existing certificate on the Exchange Server 2003 box, and create a SAN certificate for the CAS server.
The other places where we configure the friendly URL name for access are the Offline Address Book, Web Services, ActiveSync and ECP.
To obtain the certificate, we recommend a third-party vendor such as godaddy.com, DigiCert or VeriSign.
Exchange Server 2010 has a GUI for creating and importing certificates; in Exchange Server 2007 you create a SAN certificate via PowerShell.
Note: A self-signed certificate is recommended only for a lab environment or a small organizational unit.

Lab Environment:
1) SmileE2K3.smile.com: This server is my Domain Controller, Global Catalog server, DNS server, Certificate Server and also my Exchange Server 2003 with SP2.
2) SmileE2K10.smile.com: This server is a member of smile.com, and it is where I am going to install Exchange Server 2010.
Note: My existing environment already has an SSL certificate for Exchange Server 2003. My users simply type mail.smile.com to access their OWA.
Goal: I need to ensure that mail.smile.com continues to exist in my organization permanently.

Install Exchange Server 2010 in the existing environment. For the installation steps, see the earlier installation article.
Note: In my lab environment I did not choose the Internet-facing configuration at installation time.

Creating and Importing the Certificate:
Note: A third-party vendor certificate is recommended.
Now I have my Exchange Server 2010 in place. As per my earlier note, we need a SAN certificate with the 3 names. Exchange Server 2010 has a very nice feature for creating our own certificate through the GUI. (What follows is very specific to your lab environment.)
Creating the Certificate:

1) Open the Exchange Management Console
2) Expand Server Configuration
3) Select the Client Access Server role and, from the Action pane, click “New Exchange Certificate”
Figure 1:

Then give your certificate a friendly name, say Mail Certificate.
Figure 2:

Domain Scope: Leave this blank and click Next

Exchange Configuration:
This is where you configure the actual friendly URL information:
• OWA internal access: mail.smile.com
• OWA external access: mail.smile.com
• Exchange ActiveSync: mail.smile.com
• Client Access Server (Web Services, Outlook Anywhere and Autodiscover): mail.smile.com
• Autodiscover used on the Internet: select Long URL and type autodiscover.smile.com
• Legacy Exchange Server: legacy.smile.com
Figure 3:

Certificate Domains:
This page lists the names the certificate will contain:
Figure 4:

Organization and Location:
Fill in the required details and give the path where the certificate request will be stored.
Figure 5:

Certificate Configuration:
This page shows the certificate summary; click New.
Figure 6:

Completion:
Figure 7:
Then open the certificate authority web enrollment page, which is your certificate server's IP address followed by /certsrv (in my case https://40.40.40.1/certsrv), and click Request a Certificate.
Figure 8:

Then click Advanced Certificate Request.
Figure 9:

Then select Submit a Certificate.
Figure 10:

Then open the CertReq.txt we saved while creating the certificate request (Figure 5), copy its contents and paste them under Saved Request, select Web Server under Certificate Template, and click Submit.
Figure 11:

Then click Download Certificate:
Figure 12:

It will ask you to save the certificate; choose a safe location and save it. In my case I gave the certificate the name Exch2010.
Now we have the certificate in place at C:\CertReq\Exch2010.cer. Next, complete the certificate request by importing the certificate into your Client Access server. To do so:
• Open the Exchange Management Console
• Click Server Configuration and select the Exchange server
• Under the Exchange Certificates tab, right-click the new certificate and click “Complete Pending Request”
Figure 13:

Under “Select a certificate to map to this certificate request”, specify the path of the new Exchange 2010 certificate, i.e. C:\CertReq\Exch2010.cer
Figure 14:

Then click Assign Services to Certificate, i.e. right-click the new certificate and select that option.
Under Select Servers, choose the CAS server and click Next.
Under Select Services, choose the services to which this certificate should be assigned.
Figure 15:

Then click Assign.
Once this certificate is assigned you can remove the old one.
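The same request, complete and assign steps can be scripted in the Exchange Management Shell on the CAS. This is an added example, not the article's own procedure; it assumes the lab names mail.smile.com, autodiscover.smile.com and legacy.smile.com, the organization name "Smile", and the files under C:\CertReq used above.

```powershell
# Added example, not from the original article: certificate request,
# completion and service assignment done in the Exchange Management Shell.
# Assumptions: lab names below, organization "Smile", files under C:\CertReq.

$names = "mail.smile.com", "autodiscover.smile.com", "legacy.smile.com"

# 1) Generate the SAN request. The subject CN is the friendly name users type;
#    every other name the CAS must answer for goes in -DomainName.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Smile, CN=mail.smile.com" `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path "C:\CertReq\CertReq.txt" -Value $request

# Submit CertReq.txt to the certificate authority (Figure 8 to Figure 12)
# and save the issued certificate as C:\CertReq\Exch2010.cer before going on.

# 2) Complete the pending request by importing the issued certificate.
$bytes = [Byte[]](Get-Content -Path "C:\CertReq\Exch2010.cer" -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3) Check the SAN before binding it to IIS: a name missing here means every
#    user on that host name gets a certificate warning.
$covered = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $covered -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# 4) Assign the IIS service (the shell form of "Assign Services to Certificate").
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5) List what is bound now; remove the old certificate only after this shows
#    IIS on the new thumbprint.
Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
```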
Import the legacy certificate on Exchange Server 2003:
• Remove the existing certificate from the Exchange Server 2003 box
• Go to the Directory Security tab in the IIS console and create a new certificate request, naming it legacy.smile.com
• Then go to the certificate server website URL
• Submit the request and download the issued certificate just as we did in Figure 8 to Figure 12
• Then go back to the IIS Management Console => Directory Security tab
• Select Server Certificate and choose the option to process the pending request and install the certificate
• Select the legacy certificate you downloaded
• Then ensure that you can access OWA at the following URL: https://legacy.smile.com/exchange

Configure your OAB to use the new certificate:
• Server Configuration => Client Access Server
• Click the Offline Address Book tab
• Double-click OAB (Default Web Site)
• Then click the URLs tab and enter https://mail.smile.com/OAB
Figure 16:
Configure the Web Services (EWS) virtual directory:
Open the Exchange Management Shell (PowerShell) and run the following commands to set the external and internal URLs:
Set-WebServicesVirtualDirectory -Identity "SmileE2K10\EWS (Default Web Site)" -ExternalUrl https://mail.smile.com/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "SmileE2K10\EWS (Default Web Site)" -InternalUrl https://mail.smile.com/ews/exchange.asmx
The ECP virtual directory is configured the same way, with https://mail.smile.com/ecp as its URL.
Configure the OWA access:
Open the Exchange Management Shell and run the following command, which tells the Exchange 2010 OWA where to send users whose mailbox is still on Exchange 2003:
Set-OwaVirtualDirectory -Identity "SmileE2K10\owa (Default Web Site)" -Exchange2003Url https://legacy.smile.com/exchange
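The whole virtual-directory configuration can be done in one pass, followed by a check that every host name clients are sent to is actually on the certificate bound to IIS. This is an added example, not the article's own commands; it assumes the lab names above (CAS SmileE2K10, mail.smile.com, legacy.smile.com, autodiscover.smile.com).

```powershell
# Added example, not from the original article: set every client-facing URL
# on the CAS, then flag any host name that is not on the IIS certificate.
# Assumptions: CAS name SmileE2K10 and the smile.com lab names.

$cas  = "SmileE2K10"
$base = "https://mail.smile.com"
# OWA 2003 is reached through /exchange, so the legacy redirect ends that way.
$legacyOwa = "https://legacy.smile.com/exchange"

Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa" -Exchange2003Url $legacyOwa
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$base/ews/exchange.asmx" -ExternalUrl "$base/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" `
    -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "https://autodiscover.smile.com/Autodiscover/Autodiscover.xml"

# Verification: gather every host name a client can now be sent to ...
$vdirs = @(Get-OwaVirtualDirectory -Server $cas) +
         @(Get-EcpVirtualDirectory -Server $cas) +
         @(Get-WebServicesVirtualDirectory -Server $cas) +
         @(Get-OabVirtualDirectory -Server $cas) +
         @(Get-ActiveSyncVirtualDirectory -Server $cas)
$hosts = @($vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }) +
         @([Uri]$legacyOwa, (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri) |
         Where-Object { $_ } | ForEach-Object { $_.Host } | Sort-Object -Unique

# ... and compare them with the SAN of the certificate IIS is actually using.
$iisCert = Get-ExchangeCertificate -Server $cas | Where-Object { $_.Services -match "IIS" }
$covered = @($iisCert | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })
$uncovered = $hosts | Where-Object { $covered -notcontains $_ }
if ($uncovered) {
    Write-Warning ("Not on the IIS certificate: " + ($uncovered -join ", "))
} else {
    Write-Host "All client URLs are covered by the IIS certificate."
}
```

Any name reported as uncovered will produce a certificate warning in the browser or a silent Autodiscover failure in Outlook, so fix it (or the certificate) before updating DNS.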

Update the DNS:
Add a host entry for mail.smile.com pointing at the Exchange 2010 CAS server and one for legacy.smile.com pointing at Exchange 2003, and configure autodiscover.smile.com properly as well.
Both changes need to be made in internal and external DNS.
You can test by accessing OWA at https://mail.smile.com/owa, first with an Exchange Server 2010 mailbox and then with an Exchange 2003 mailbox.
My user name is administrator, whose mailbox is located on Exchange Server 2003. I have done all the major configuration for accessing mail through OWA, so I simply type https://mail.smile.com/owa
Figure 17:

Once I sign in, it redirects to legacy.smile.com, which is nothing but the Exchange Server 2003 mailbox access.
Figure 18:
Easy OWA Access (Optional)
As you are aware, to access email through OWA we need to type https://<IP address>/owa, https://<server FQDN>/owa or, if we have a friendly URL, https://<friendly URL>/owa; in my case that is https://mail.smile.com/owa. To make access easier for my users, I want them to be able to type either https://mail.smile.com or just mail instead of the URL above and be redirected to https://mail.smile.com/owa.
To achieve this:
• Log in to the Exchange 2010 CAS server
• Open IIS
• Go to Default Web Site => Error Pages
• Set the status code to 403, select “Respond with a 302 redirect” and, under Absolute URL, enter https://mail.smile.com/owa
Figure 19:

• Then go to HTTP Redirect
• Select “Redirect requests to this destination” and type /owa
• Under Redirect Behavior select both
o Redirect all requests to exact destination
o Only redirect requests to content in this directory
Figure 20:

Now if you type just mail you are taken to the OWA URL.

I hope this article is being very informative for you all.
