Many of you have been asking how you can transition your existing Exchange environment to Exchange 2010 from a client access perspective. For most of you, this will also mean coexisting with legacy Exchange and Exchange 2010 for a period of time.  My previous blog article discussed the overall steps in how to  upgrade your environment from a client access perspective.   This article will discuss how Outlook Web App will function in an Exchange 2003 or 2007 environment that has Exchange 2010 deployed.

What are the configuration changes I must make in order to introduce Exchange 2010?

In order to introduce Exchange 2010 into your environment and support your Exchange 2003/2007 mailboxes, you will move the primary OWA namespace that is associated with the legacy Exchange server environment and associate it with the Exchange 2010 CAS array. In addition, if you have Exchange 2003 mailboxes you will set the Exchange2003URL property on the CAS2010 OWA Virtual directory. For more information on the detailed steps required to support coexistence process see my previous blog articleTechNet, or within the Deployment Assistant.

Essentially, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange.  Exchange 2010 CAS does one of four scenarios depending on the target mailbox's version and/or location:

  1. If the Exchange 2007 mailbox is in the same AD Site as CAS2010, CAS2010 will silently redirect the session to the Exchange 2007 CAS.
  2. If the Exchange 2007 mailbox is in another Internet facing AD Site, CAS2010 will manually redirect the user to the Exchange 2007 CAS.
  3. If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
  4. If the mailbox is Exchange 2003, CAS2010 will silently redirect the session to a pre-defined URL.

Note: For the purposes of this discussion it is assumed you are utilizing Forms Based Authentication for Outlook Web App authentication.

OWA Redirection and Proxy Scenarios (Exchange 2003/Exchange 2010)

Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites and currently only have Exchange 2003 deployed.  As part of our transition process, you will be following a model where you:

  1. Deploy Exchange 2010 CAS, Hub Transport, and Mailbox in the "Internet Facing AD Site" and co-exist for a period of time with Exchange 2003.
  2. Have Exchange 2003 mailbox servers in the "Non-Internet facing AD site" (if they exist).
  3. Have Exchange 2003 front-end and mailbox servers in the "Regional Internet Facing AD Site" (if they exist).

In other words, it would look something like this:

With this configuration there are typically a few questions that are asked:

  1. How do I plan for Exchange 2010 in my "Internet Facing AD Site"?
  2. What is this Exchange2003URL parameter?
  3. Once I implement CAS2010 do I have to retrain my users to use the new URL?
  4. How do my Exchange 2010 users in the "Internet Facing AD Site" access their mailboxes?
  5. How do my Exchange 2003 users in the "Internet Facing AD Site" access their mailboxes?
  6. How do my Exchange 2003 users in the "Regional Internet Facing AD Site" access their mailboxes?
  7. How do my Exchange 2003 users in the "Non-Internet Facing AD Site" access their mailboxes?

What is this Exchange2003URL parameter?

The Exchange2003URL parameter is a new property that is exposed on the Exchange 2010 CAS OWA virtual directory.  In other words, this is not a global property, but a property assigned on a per-OWA virtual directory basis.  As to why we need to set this property when interacting with Exchange 2003 is that Exchange 2003 is not AD site aware, nor does it have settings published in Active Directory (like ExternalURL) that allow CAS2010 to determine the best front-end server for which a client should be redirected.  That is why we leverage the Exchange2003URL property on the CAS2010 OWA virtual directory - it tells CAS2010 where Exchange 2003 OWA users should be redirected.

Once I implement CAS2010 do I have to retrain my users to use the new URL?

No, during the installation of CAS2010 setup will create an /exchange and /public virtual directories and they will be configured to redirect users to /owa.  Note that those /exchange and /public virtual directories are only created in IIS. They aren't created as "Exchange OWA" virtual directories and won't show up when using the Get-OWAVirtualDirectory task.   These virtual directories do nothing but simple IIS 302 redirection.  Currently, if you open IIS Manager, the /exchange and /public virtual directories are not visible (the reason is because they are web directories); we are evaluating whether to change this behavior (by making them into virtual directories).

How do my Exchange 2010 users access their mailboxes?

Regardless of the user's mailbox version, users will utilize a single URL for accessing OWA, https://mail.contoso.com/owa.  For Exchange 2010 mailboxes the process is:

  1. 1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. 2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information depending on the user:
    1. User's mailbox version
    2. User's mailbox location (AD Site), if known
      1. If the user's mailbox is local (i.e. in the same AD site as the CAS2010 with which the user is authenticating against) and the mailbox resides on Exchange 2007, then the ExternalURL of Exchange 2007 Client Access Server(s) OWA virtual directory (also ensuring that the authentication settings match the CAS2010 server's).
      2. If the user's mailbox is not local (i.e. does not reside in the same AD site as the CAS2010 with which the user is authenticating against) and the mailbox resides on Exchange 2007 or Exchange 2010, then the ExternalURL of Exchange 2007/2010 Client Access Server(s) OWA virtual directory, if defined.
      3. The Exchange2003URL property defined on the CAS2010 OWA virtual directory if the user's mailbox is located on Exchange 2003.
  4. One of three scenarios will happen for a mailbox that is located on an Exchange 2010 mailbox server:
    1. If the mailbox is local (i.e. in the same AD site as the CAS2010 with which the user is authenticating against), CAS2010 will retrieve and render the user's mailbox data from the Exchange 2010 mailbox server and provide the data view back to the user. 
    2. If the mailbox is not local (i.e. does not reside in the same AD site as the CAS2010 with which the user is authenticating against) and an ExternalURL is specified on the Client Access server(s) in the target AD site, CAS2010 will then prompt the user with a redirection page identifying the correct URL the user should be using.  The user will then click on that link and enter his credentials into the forms based authentication dialog on the target (redirected) CAS. This CAS will authenticate the user, retrieve and render the user's mailbox data from the mailbox server and provide the data view back to the user.
    3. If the mailbox is not local (i.e. does not reside in the same AD site as the CAS2010 with which the user is authenticating against) and an ExternalURL is NOT specified on the  Client Access server(s) in the target AD site, CAS2010 will then proxy the session to a Client Access server in the appropriate Active Directory site.

How do my Exchange 2003 users that are located in the "Internet Facing AD Site" access their mailboxes?

Again, regardless of the user's mailbox version, users will utilize a single URL for accessing OWA: https://mail.contoso.com/owa.  For those Exchange 2003 mailboxes in the "Internet Facing AD Site" the following process will happen:

  1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site), if known
      1. If the user's mailbox is local (i.e. in the same AD site as the CAS2010 with which the user is authenticating against) and the mailbox resides on Exchange 2007, then the ExternalURL of Exchange 2007 Client Access Server(s) OWA virtual directory (also ensuring that the authentication settings match the CAS2010 server's).
      2. If the user's mailbox is not local (i.e. does not reside in the same AD site as the CAS2010 with which the user is authenticating against) and the mailbox resides on Exchange 2007 or Exchange 2010, then the ExternalURL of Exchange 2007/2010 Client Access Server(s) OWA virtual directory, if defined.
      3. The Exchange2003URL property defined on the CAS2010 OWA virtual directory if the user's mailbox is located on Exchange 2003.
  4. Since the user's mailbox is located on Exchange 2003, CAS2010 will then silently redirect the user's browser session to https://legacy.contoso.com/exchange using a hidden FBA form with the fields populated.  OWA will return a small web page containing a hidden form with the same information as what the user had originally submitted to CAS2010 FBA page (username, password, public/private selector, URL to redirect to after logon) and a submit URL synthesized from URL obtained in step 3, and target Exchange -specific path and query string. The web page will also contain script to automatically submit the form as soon as it is loaded.  This is the last part of the logon process that CAS2010 will have a role in. Afterwards, no remnant of the user session should stick around.
  5. FE2003 will consume that hidden form's data, authenticate the user and proxy the request to the Exchange 2003 mailbox server and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to the legacy FE only.

How do my Exchange 2003 users in the "Regional Internet Facing AD Site" access their mailboxes?

Typically the users in the "Regional Internet Facing AD Site" will continue to access their mailboxes using their regional OWA namespace, https://mail.regional.contoso.com/exchange

However, for the sake of argument, let's assume that the user whose Exchange 2003 mailbox is located in the "Regional Internet Facing AD Site" uses the https://mail.contoso.com/owa URL.  In this case, the steps are exactly the same as in the "How do my Exchange 2003 users that are located in the "Internet Facing AD Site" access their mailboxes?" question's answer, with the distinction that in step 5, the FE2003 server that is located in the "Internet Facing AD Site" is proxying the request to the 2003 mailbox server that is located in the "Regional Internet Facing AD Site" utilizing the HTTP protocol.

How do my Exchange 2003 users in the "Non-Internet Facing AD Site" access their mailboxes?

In this case, the steps are exactly the same as in the "How do my Exchange 2003 users that are located in the "Internet Facing AD Site" access their mailboxes?" question's answer, with the distinction that in step 5, the FE2003 server that is located in the "Internet Facing AD Site" is proxying the request to the 2003 mailbox server that is located in the "Non-Internet Facing AD Site" utilizing the HTTP protocol.

OWA Redirection and Proxy Scenarios (Exchange 2007/Exchange 2010)

Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites.  As part of our transition process, you will be following a model where:

You upgrade all CAS servers in the organization to Exchange 2007 SP2.

  1. Upgrade all Exchange 2007 servers in "Internet Facing AD Site" to Exchange 2007 SP2.
  2. Deploy Exchange 2010 CAS, Hub Transport, and Mailbox in the "Internet Facing AD Site".
  3. Have Exchange 2007 (and possibly Exchange 2003 mailbox servers) in the "Non-Internet facing AD site" (if they exist).
  4. Have Exchange 2007 in the "Regional Internet Facing AD Site" (if they exist).

In other words, it would look something like this:

With this configuration there are typically a few questions that are asked:

  1. How do my Exchange 2010 users in the "Internet Facing AD Site" access their mailboxes?
  2. How do my Exchange 2007/Exchange 2003 users in the "Internet Facing AD Site" access their mailboxes?
  3. How do my Exchange 2007/Exchange 2003 users in the "Regional Internet Facing AD Site" access their mailboxes?
  4. How do my Exchange 2007 users in the "Non-Internet Facing AD Site" access their mailboxes?

How do my Exchange 2010 users access their mailboxes?

Regardless of the user's mailbox version, users will utilize a single URL for accessing OWA: https://mail.contoso.com/owa.  For Exchange 2010 mailboxes the process is:

  1. 1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. 2. The user will enter his credentials in the forms based authentication dialog.
  3. 3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) OWA virtual directory located within the mailbox's AD site (if it exists)
  4. One of three scenarios will happen:
    1. If the mailbox is local, CAS2010 will retrieve and render the user's mailbox data from the Exchange 2010 mailbox server and provide the data view back to the user. 
    2. If the mailbox is not local and an ExternalURL is specified on the Client Access server(s) in the target AD site, CAS2010 will then redirect the user's browser session to the specified ExternalURL.  The user will then enter his credentials into the forms based authentication dialog on the target (redirected) CAS. This CAS will authenticate the user, retrieve and render the user's mailbox data from the mailbox server and provide the data view back to the user.
    3. If the mailbox is not local and an ExternalURL is NOT specified on the Client Access server(s) in the target AD site, CAS2010 will then proxy the session to a CAS2010 server in the appropriate Active Directory site.

How do my Exchange 2007/2003 users that are located in the "Internet Facing AD Site" access their mailboxes?

Again, regardless of the user's mailbox version, users will utilize a single URL for accessing OWA: https://mail.contoso.com/owa.  For those Exchange 2007 mailboxes in the "Internet Facing AD Site" the following process will happen:

  1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) OWA virtual directory located within the mailbox's AD site (also ensuring that the authentication settings match the CAS2010 server's); which in our above example is https://legacy.contoso.com/owa
  4. If the mailbox is located on Exchange 2003, the Exchange2003URL property of the OWA virtual directory of CAS2010 is also returned (https://legacy.contoso.com/exchange).
  5. CAS2010 will then silently redirect the user's browser session to https://legacy.contoso.com/owa (or https://legacy.contoso.com/exchange if the mailbox is Exchange 2003) using a hidden FBA form with the fields populated.  OWA will return a small web page containing a hidden form with the same information as what the user had originally submitted to CAS2010 FBA page (username, password, public/private selector, URL to redirect to after logon) and a submit URL synthesized from URL obtained in step 3, and target Exchange -specific path and query string. The web page will also contain script to automatically submit the form as soon as it is loaded.  This is the last part of the logon process that E2010 CAS will have a role in. Afterwards, no remnant of the user session should stick around.
  6. CAS2007 will consume that hidden form's data, authenticate the user and:
    1. Retrieve and render the user's mailbox data from the Exchange 2007 mailbox server and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to legacy CAS only.
    2. Or proxy the request to the Exchange 2003 mailbox server and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to legacy CAS only.

How do my Exchange 2007/2003 users in the "Regional Internet Facing AD Site" access their mailboxes?

Typically the users in the "Regional Internet Facing AD Site" will access their mailboxes using their regional OWA namespace, https://mail.regional.contoso.com/owa

However, for the sake of argument, let's assume that the user whose Exchange 2007 mailbox is located in the "Regional Internet Facing AD Site" uses the https://mail.contoso.com/owa URL:

  1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of the Client Access Server(s) OWA virtual directory located within the mailbox's AD site (if it exists)
  4. Since the user's mailbox resides in the "Regional Internet Facing AD Site" and the ExternalURL is populated on Client Access server(s) in that site, the user gets redirected to the CAS infrastructure in the "Regional Internet Facing AD Site" through a "manual redirection page" explaining that the wrong URL was used and that correct URL is https://mail.regional.contoso.com/owa.
  5. The user then clicks the link (https://mail.regional.contoso.com/owa) in the manual redirection page, enters his credentials in the forms based authentication dialog, and authenticates against CAS2007 (hopefully the user also updates his favorites or remembers the correct URL for future access attempts).
  6. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server.
  7. CAS2007 will expose the data to the end user.

Now what if my Exchange 2003 mailbox that is located in the "Regional Internet Facing AD Site" and the user uses the https://mail.contoso.com/owa URL?

  1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. The Exchange2003URL property of the OWA virtual directory of CAS2010 (https://legacy.contoso.com/exchange)
  4. CAS2010 detects the user is legacy mailbox (2003) and redirects to the specified to the URL specified in the Exchange2003URL using SSO redirect (which would be CAS2007 in the "Internet Facing AD Site" https://legacy.contoso.com/exchange).
  5. CAS2010 will then silently redirect the user's browser session to https://legacy.contoso.com/exchange using a hidden FBA form with the fields populated.  OWA will return a small web page containing a hidden form with the same information as what the user had originally submitted to CAS2010 FBA page (username, password, public/private selector, URL to redirect to after logon) and a submit URL synthesized from URL obtained in step 3, and target Exchange -specific path and query string. The web page will also contain script to automatically submit the form as soon as it is loaded.  This is the last part of the logon process that E2010 CAS will have a role in.  Afterwards, no remnant of the user session should stick around.
  6. CAS2007 will consume that hidden form's data, authenticate the user and proxies the request to the Exchange 2003 mailbox server (that is located in the "Regional Internet Facing AD Site" and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to legacy CAS only.

Note: If you replace the Exchange 2007/2003 infrastructure in the "Regional Internet Facing AD Site" with Exchange 2010, this same behavior would apply.

How do my Exchange 2007 users in the "Non-Internet Facing AD Site" access their mailboxes?

As you may know, Exchange 2010 does not include any support for legacy OWA (thus why we have the aforementioned redirection scenarios), but we do support proxying OWA requests between Active Directory sites.  The basic process is as follows:

  1. User will open his favorite web browser and access the URL https://mail.contoso.com/owa.
  2. The user will enter his credentials in the forms based authentication dialog.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) OWA virtual directory located within the mailbox's AD site (if it exists)
  4. Since the user's mailbox resides in the "Non-Internet Facing AD Site" and the ExternalURL is not populated on any  Client Access server(s) in that site, CAS2010 will proxy the connection to the Exchange 2007 CAS infrastructure in the "Non-Internet Facing AD Site".
  5. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the CAS2010 server.
  6. CAS2010 will expose the data to the end user.

But in order to ensure that Step 4 happens, you must make an additional configuration change on your CAS2010 infrastructure in the "Internet Facing AD Site" before you can enable the CAS 2010 infrastructure to be the primary endpoint for https://mail.contoso.com/owa.

Additional configuration you say; what are the steps?

  1. On the CAS2010 server(s), they establish a connection to the CAS2007 server's drive that contains the Exchange binaries and navigate to the \Client Access\OWA directory (e.g. \\cas2007nonIFAD\c$\Program Files\Microsoft\Exchange Server\Client Access\Owa).
  2. They then copy the highest version folder (e.g. today your SP2 build is 8.2.99.0) from the CAS2007 server to the CAS2010 Exchange binaries \Client Access\OWA directory (e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa).
  3. They then execute IISReset on all the CAS2010 machines.

Important: Please keep in mind that every time you deploy a new Exchange 2007 rollup or service pack in the non-Internet Facing AD site, you will have to update the CAS2010 OWA binary directory with the new Exchange 2007 OWA binaries.

What if I don't copy the binaries; what happens then?

Well to answer that let's look at how the environment is configured at this point in time:

  • In the "Internet Facing AD Site" you have CAS2010 being responsible for https://mail.contoso.com/owa and has forms-based authentication enabled.
  • In the "Non-Internet Facing AD Site" you have CAS2007 SP2 (we'll call him cas2007nonifad.contoso.com) with the OWA virtual directories configured only with Windows Integrated Authentication.

Now a user whose mailbox resides in the "Non-Internet Facing AD Site" attempts to access his mailbox via OWA from an Internet kiosk:

  1. User opens the web browser and accesses the URL https://mail.contoso.com/owa.
  2. The user enters his credentials in the forms based authentication dialog.
  3. The user then receives this error:

     

     

  4. User calls help desk.
  5. Help desk escalates to Messaging Operations.
  6. Messaging Operations reviews the event logs on the CAS2010 server and finds the following events which tells them they need to copy the Exchange 2007 binaries to the exchange 2010 Client Access servers:

Log Name:      Application

Source:        MSExchange OWA

Task Category: Proxy

Level:         Error

Keywords:      Classic

Description:

Client Access server "https://mail.contoso.com/owa", running Exchange version "14.0.639.21",  is proxying Outlook Web App traffic to Client Access server "cas2007nonIFAD.contoso.com", which runs Exchange version "8.2.176.2". To ensure reliable interoperability, the proxying Client Access server needs to be running a newer version of Exchange than the Client Access server it is proxying to. If the proxying Client Access server is running a newer version of Exchange than the Client Access server it is proxying to, the proxying Client Access server needs to have an Outlook Web App resource folder (for example, "<Exchange Server installation path>)\ClientAccess\owa\8.0.639.21" that contains all the same versioned resource files as the Client Access server it is proxying to. If you will be running Outlook Web App proxying with mismatched server versions, you can manually copy this resource folder to the proxying Client Access server.

Conclusion

Hopefully this information dispels some of the myths around proxying and redirection logic for Outlook Web App in Exchange Server 2010.  Please let us know if you have any questions.

-- Ross Smith IV