Many of you have been asking how you can upgrade your existing Exchange environment to Exchange 2010 from a client access perspective. For most of you, this will also mean coexisting with legacy Exchange and Exchange 2010 for a period of time.  My first blog article in this series discussed the overall steps in how to upgrade your environment from a client access perspective.  This article, the third in the series, discusses how Exchange ActiveSync will function in an Exchange 2003 or 2007 environment that has Exchange 2010 deployed.

Upgrading EAS in an Exchange 2003 Environment to Exchange 2010

Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites.  As part of our upgrade process, you will be following a model where:

  1. Ensure all Exchange 2003 servers are at Service Pack 2.
  2. Deploy Exchange 2010 CAS, Hub Transport, and Mailbox in the "Internet Facing AD Site".
  3. Have legacy Exchange servers in the "Non-Internet facing AD site" (if they exist).

In other words, it would look something like this for an Exchange 2003 upgrade/co-existence:

With this configuration there are typically a few questions that are asked:

  1. What are the configuration changes I must make on the Exchange 2003 Front-End servers to support ActiveSync?
  2. What are the configuration changes I must make on the Exchange 2003 mailbox servers?
  3. What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?

What are the configuration changes I must make on the Exchange 2003 Front-End servers to support ActiveSync?

In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2003 mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2003 Front-End servers and associate it with the Exchange 2010 CAS array.  For more information on the detailed steps required to support the coexistence process, see my first blog article in the series, TechNet, or the Deployment Assistant.

What are the configuration changes I must make on the Exchange 2003 mailbox servers?

Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

  1. Install the update described in KB 937031 (http://support.microsoft.com/?kbid=937031) and then use Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory.
  2. Set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container for each Exchange 2003 mailbox server.  An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.

Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?

Hopefully the Exchange 2003 coexistence diagram is self-explanatory, but if it is not, the key thing here is that regardless of the location of the Exchange 2003 mailbox (remember Exchange 2003 is not site aware), CAS2010 will always proxy the request to the Exchange 2003 mailbox server.  Also, since Exchange 2003 does not support Autodiscover, the device version does not matter.

  1. User's device is already configured to use the namespace mail.contoso.com.
  2. User's device attempts to synchronize.
  3. CAS2010 will authenticate the user, determine the mailbox version is Exchange 2003 by performing a service discovery lookup in Active Directory, and retrieve the Exchange 2003 mailbox server FQDN.
  4. CAS2010 will proxy the connection to the Exchange 2003 mailbox server's Microsoft-Server-ActiveSync virtual directory.  In the IIS logs, you will see a response similar to:

    POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189

  5. The mailbox server will authenticate the user and retrieve and render the mailbox data and will provide the rendered data back to the CAS2010 server.
  6. CAS2010 will expose the data to the end user.

Upgrading EAS in an Exchange 2007 Environment to Exchange 2010

Some of you may have environments that have Internet facing AD sites and non-Internet facing AD sites.  As part of our upgrade process, you will be following a model where:

  1. Upgrade all Client Access servers in the organization to Exchange 2007 SP2.
  2. Upgrade all Exchange 2007 servers in the "Internet Facing AD Site" to Exchange 2007 SP2.
  3. Deploy Exchange 2010 CAS, Hub Transport, and Mailbox in the "Internet Facing AD Site".
  4. Have legacy Exchange servers in the "Non-Internet facing AD site" (if they exist).

In other words, it would look something like this for an Exchange 2007 upgrade/co-existence:

With this configuration there are typically a few questions that are asked:

  1. Are there any configuration changes I must make on my Exchange 2007 Client Access servers?
  2. What are the configuration changes I must make on the Exchange 2003 mailbox servers, if they exist in the environment?
  3. What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2007)?
  4. What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?

Are there any configuration changes I must make on my Exchange 2007 Client Access servers?

In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2007 (and possibly 2003) mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2007 CAS array and associate it with the Exchange 2010 CAS array. In addition, you will create a new namespace for legacy access, legacy.contoso.com (note that the name can be anything you want) and associate it with your Exchange 2007 CAS array.

For CAS2007 within the "Internet Facing AD Site" you will want to configure the EAS ExternalURL to utilize the legacy.contoso.com namespace to allow for redirection of devices that support Autodiscover by using the following cmdlet:

Set-ActiveSyncVirtualDirectory <CAS2007>\Microsoft-Server-ActiveSync* -ExternalURL https://legacy.contoso.com/Microsoft-Server-ActiveSync

On the CAS2010, you will set the ExternalURL to be https://mail.contoso.com using the following cmdlet:

Set-ActiveSyncVirtualDirectory <CAS2010>\Microsoft-Server-ActiveSync* -ExternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync

Unlike Exchange 2003, Exchange 2007 does not require any authentication changes, but let's understand why.

In Exchange 2007, for EAS proxy communication to work between CAS2007 in the "Internet Facing AD Site" and CAS2007 in the "Non-Internet Facing Site", you had to enable Windows Integrated Authentication on the CAS2007 ActiveSync virtual directories in the "Non-Internet Facing Site". If you didn't, you could not proxy EAS traffic.

With Exchange 2007 SP2 (and Exchange 2010), setup creates a new sub-virtual directory under \Microsoft-Server-ActiveSync, called proxy. This proxy virtual directory has Windows Integrated Authentication enabled. When CAS2010 has to proxy EAS traffic to CAS2007 (or to another CAS2010), the \Microsoft-Server-ActiveSync\proxy virtual directory will be used for the proxy traffic.

Note: This behavior is only for CAS2010 to CAS2007/CAS2010 EAS proxy. CAS2007 to CAS2007 EAS proxy still requires Windows Integrated Authentication to be set on the ActiveSync virtual directory.
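The following audit is an added example, not code from the article or from Microsoft: run from the Exchange 2010 Management Shell, it walks every ActiveSync virtual directory in the organization and checks it against the namespace layout described above (CAS2010 in the Internet-facing site on mail.contoso.com, CAS2007 there on legacy.contoso.com, no ExternalURL in non-Internet-facing sites, and Windows Integrated Authentication still present where CAS2007 must proxy to CAS2007). The site name and the two namespaces are placeholders to replace with your own.

```powershell
# Added example, not from the article. Run from the Exchange 2010 Management Shell.
# Placeholders: replace the site name and the two namespaces with your own values.
$InternetFacingSite = "Default-First-Site-Name"
$PrimaryUrl = "https://mail.contoso.com/Microsoft-Server-ActiveSync"
$LegacyUrl  = "https://legacy.contoso.com/Microsoft-Server-ActiveSync"

$report = foreach ($vdir in Get-ActiveSyncVirtualDirectory) {
    $server = Get-ExchangeServer -Identity ([string]$vdir.Server)
    $major  = $server.AdminDisplayVersion.Major      # 8 = Exchange 2007, 14 = Exchange 2010
    $site   = [string]$server.Site.Name
    $ext    = [string]$vdir.ExternalUrl
    $inInternetSite = ($site -eq $InternetFacingSite)
    $issues = @()

    if ($inInternetSite -and $major -ge 14 -and $ext -ne $PrimaryUrl) {
        $issues += "CAS2010 ExternalUrl should be $PrimaryUrl"
    }
    if ($inInternetSite -and $major -eq 8 -and $ext -ne $LegacyUrl) {
        $issues += "CAS2007 ExternalUrl should be the legacy namespace $LegacyUrl"
    }
    if (-not $inInternetSite -and $ext -ne "") {
        # A populated ExternalUrl is what makes CAS2010 redirect 12.1+ devices to that
        # name instead of proxying; in a non-Internet-facing site it must stay empty.
        $issues += "ExternalUrl is populated in a non-Internet-facing site; clear it so CAS2010 proxies"
    }
    if (-not $inInternetSite -and $major -eq 8 -and -not $vdir.WindowsAuthEnabled) {
        # Only CAS2007-to-CAS2007 proxying needs this; CAS2010 uses the \proxy sub-directory.
        $issues += "WindowsAuthEnabled is off; CAS2007-to-CAS2007 EAS proxy to this server will fail"
    }

    New-Object PSObject -Property @{
        Server      = $server.Name
        Version     = $major
        Site        = $site
        ExternalUrl = $ext
        WindowsAuth = $vdir.WindowsAuthEnabled
        Issues      = ($issues -join "; ")
    }
}

$report | Sort-Object Site, Server |
    Format-Table Server, Version, Site, ExternalUrl, WindowsAuth, Issues -AutoSize
```

Rows with an empty Issues column match the layout the article describes; anything else is a virtual directory to correct with Set-ActiveSyncVirtualDirectory before devices start hitting CAS2010.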

For more information on the detailed steps required to support the coexistence process, see my first blog article in the series, TechNet, or the Deployment Assistant.

What are the configuration changes I must make on the Exchange 2003 mailbox servers, if they exist in the environment?

If your Exchange 2007 environment contains Exchange 2003 mailbox servers, then users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

  1. Install the update described in KB 937031 (http://support.microsoft.com/?kbid=937031) and then use Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory.
  2. Set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container for each Exchange 2003 mailbox server.  An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.

Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
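The script below is an added example covering option 2 of the Exchange 2003 change described in both the Exchange 2003 and the Exchange 2007 sections; it is not the TechNet script the article links to and not Microsoft's code. It finds the Microsoft-Server-ActiveSync object under the named Exchange 2003 server in the configuration container, reports the current msExchAuthenticationFlags value, and writes 6 only when -Apply is given, so that DS2MB (rather than a hand edit in IIS Manager) carries the setting into the metabase. The server name is a placeholder, and it assumes an account with write access to the Exchange configuration container.

```powershell
# Added example, not the article's or Microsoft's script. Assumes a domain-joined machine
# with System.DirectoryServices and an account that can write to the Exchange configuration
# container. It changes Active Directory on purpose: DS2MB copies the AD value into IIS,
# whereas a change made in IIS Manager is overwritten by DS2MB.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,  # Exchange 2003 mailbox server (placeholder)
    [switch]$Apply                                       # report only unless -Apply is given
)

$BasicAuth      = 2                                      # msExchAuthenticationFlags bit: Basic
$IntegratedAuth = 4                                      # msExchAuthenticationFlags bit: Integrated Windows
$Target         = $BasicAuth -bor $IntegratedAuth        # = 6, the value the article requires

$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter     = "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
$server = $searcher.FindOne()
if ($server -eq $null) { throw "No Exchange server object named '$ServerName' in $configNC" }

# The EAS virtual directory object sits beneath the server's HTTP protocol container.
$searcher.SearchRoot = $server.GetDirectoryEntry()
$searcher.Filter     = "(cn=Microsoft-Server-ActiveSync)"
$results = $searcher.FindAll()
if ($results.Count -eq 0) { throw "No Microsoft-Server-ActiveSync object found under $ServerName" }

foreach ($result in $results) {
    $vdir    = $result.GetDirectoryEntry()
    $current = [int]$vdir.Properties["msExchAuthenticationFlags"].Value
    Write-Output ("{0}`n  current msExchAuthenticationFlags = {1}" -f $vdir.distinguishedName, $current)

    if (($current -band $IntegratedAuth) -ne 0) {
        Write-Output "  Integrated Windows authentication already enabled; nothing to do"
        continue
    }
    if ($Apply) {
        $vdir.Properties["msExchAuthenticationFlags"].Value = $Target
        $vdir.CommitChanges()
        Write-Output "  set to $Target (Basic + Integrated Windows); DS2MB will push it to IIS"
    } else {
        Write-Output "  would set to $Target; rerun with -Apply to make the change"
    }
}
```

Run it once per Exchange 2003 mailbox server; a second run should report the bit as already enabled, which is also a quick way to confirm the value survived DS2MB.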

What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2007)?

Note: It is assumed that Autodiscover is associated with CAS2010 in the "Internet Facing AD site".

Hopefully the Exchange 2007 coexistence diagram is self-explanatory, but if it is not:

For the first scenario, let's consider the behavior for User1.  Since User1's mailbox is located in the same AD site as the Internet-facing CAS2010, and CAS2007 in that site is also Internet-facing (its ExternalURL is populated), User1's experience will depend on whether the device supports Autodiscover.

For the legacy device scenario (i.e., the device does not support Autodiscover or protocol version 12.1 or later):

  1. User1's device is already configured to use the namespace mail.contoso.com.
  2. User1's device attempts to synchronize.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
    4. The InternalURL of the Exchange 2007 Client Access Servers(s) EAS virtual directory located within the mailbox's AD site (if it exists)
  4. Although the user's mailbox resides in the "Internet Facing AD Site" and the ExternalURL is populated on CAS2007 in that site, the device does not support redirection via Autodiscover, so CAS2010 will proxy the connection to the Exchange 2007 CAS infrastructure in the "Internet Facing AD Site". Specifically, the request is proxied to the \Microsoft-Server-ActiveSync\Proxy virtual directory on CAS2007, using the InternalURL value.
  5. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the CAS2010 server.
  6. CAS2010 will expose the data to the end user.

For the Autodiscover-supported device scenario (e.g., Windows Mobile 6.1 or later):

  1. User3's device is already configured to use the namespace mail.contoso.com.
  2. User3's device attempts to synchronize.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
    4. The InternalURL of the Exchange 2007 Client Access Servers(s) EAS virtual directory located within the mailbox's AD site (if it exists)
  4. Since the user's mailbox resides in the "Internet Facing AD Site", the ExternalURL is populated on CAS2007 in that site, and the device supports redirection via Autodiscover (determined from the ActiveSync protocol version the device uses when establishing a synchronization, which must be 12.1 or later), CAS2010 will return a response (HTTP error code 451) indicating that the device should use the legacy.contoso.com namespace for all synchronization events.  You can see the response in the IIS logs:

    POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17

  5. The device updates its profile to use legacy.contoso.com and attempts to synchronize with legacy.contoso.com.
  6. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the device.

Important: Some third-party ActiveSync devices advertise support for protocol version 12.1 or later; however, they do not correctly process the 451 error response by updating the device profile.  For these devices you will have to manually update the namespace in the device ActiveSync profile once CAS2010 has been deployed with the mail.contoso.com namespace.  Please contact your device manufacturer to determine when they will provide support for redirection.
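The triage script below is an added example (not part of the article) for telling those cases apart in the CAS2010 IIS logs: it parses lines in the field order the article's excerpts show, classifies each EAS request as proxied (Log=PrxTo), redirected (451 / Log=RdirTo) or handled locally, and lists the DeviceIds that keep receiving 451, which is how a device that does not act on the redirect shows up. The sample lines are constructed, and the field order is an assumption taken from the excerpts above.

```powershell
# Added example, not from the article. Assumes each line carries the fields in the order of
# the article's excerpts: method uri-stem uri-query port user client-ip user-agent status
# substatus win32-status time-taken (drop the date/time/s-ip columns of a full W3C log first).
function Get-EasRoutingSummary {
    param([string[]]$Lines, [int]$StuckThreshold = 3)
    $rows = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 11 -or $f[1] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        $q = @{}                                   # parse the EAS query string
        foreach ($pair in ($f[2] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
        }
        $log = [string]$q['Log']                   # PrxTo:... or RdirTo:... as written by CAS2010
        $route = 'Local'
        if ($log -like 'PrxTo:*') { $route = 'Proxied' }
        if ($f[7] -eq '451' -or $log -like 'RdirTo:*') { $route = 'Redirected' }
        New-Object PSObject -Property @{
            User = $q['User']; DeviceId = $q['DeviceId']; Cmd = $q['Cmd']
            Status = $f[7]; Route = $route; Detail = $log
        }
    }
    # A device that keeps receiving 451 never switched to the namespace in the RdirTo value.
    $stuck = $rows | Where-Object { $_.Status -eq '451' } | Group-Object DeviceId |
             Where-Object { $_.Count -ge $StuckThreshold } | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        Rows         = $rows
        ByRoute      = ($rows | Group-Object Route | Select-Object Name, Count)
        StuckDevices = @($stuck)
    }
}

# Constructed sample: dev5 is proxied (legacy device, pre-2010 mailbox), dev3 takes the redirect
# once, dev9 advertises 12.1+ but gets 451 on every sync and needs a manual profile update.
$sample = @(
  'POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=dev5&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189',
  'POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=dev3&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17',
  'POST /Microsoft-Server-ActiveSync/default.eas User=user9&DeviceId=dev9&DeviceType=SmartPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user9 10.20.100.5 ThirdPartyEAS/1.0 451 0 0 12',
  'POST /Microsoft-Server-ActiveSync/default.eas User=user9&DeviceId=dev9&DeviceType=SmartPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user9 10.20.100.5 ThirdPartyEAS/1.0 451 0 0 11'
)
$summary = Get-EasRoutingSummary -Lines $sample -StuckThreshold 2
$summary.ByRoute | Format-Table -AutoSize
'Devices not honouring the 451 redirect: ' + ($summary.StuckDevices -join ', ')
```

On a real CAS2010 log, `Get-Content` the day's file into -Lines and raise -StuckThreshold to the number of sync attempts you consider proof that the device is not updating its profile.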

Now let's consider User2 from the Exchange 2007 coexistence diagram.  User2 could be using a third-party ActiveSync device or a Windows Mobile device; for Windows Mobile, the device is running 5.0, 6.0, or 6.1 or later.  Note that 6.1 and later support Autodiscover, but since User2 is located in the "Non-Internet Facing AD Site", the redirect functionality does not come into play here.

  1. User2's device is already configured to use the namespace mail.contoso.com.
  2. User2's device attempts to synchronize.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The ExternalURL of Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
    4. The InternalURL of the Exchange 2007 Client Access Servers(s) EAS virtual directory located within the mailbox's AD site (if it exists)
  4. Since the user's mailbox resides in the "Non-Internet Facing AD Site" and the ExternalURL is not populated on any Client Access server in that site, CAS2010 will proxy the connection to the Exchange 2007 CAS infrastructure in the "Non-Internet Facing AD Site". Specifically, the request is proxied to the \Microsoft-Server-ActiveSync\Proxy virtual directory on CAS2007, using the InternalURL value.
  5. CAS2007 will authenticate the user and retrieve and render the mailbox data from the Exchange 2007 mailbox server and will provide the rendered data back to the CAS2010 server.
  6. CAS2010 will expose the data to the end user.

What happens when the user's mailbox is moved to Exchange 2010?

For this scenario, the important thing to understand is how the device is currently configured. Either the device is using the legacy.contoso.com namespace (because of Autodiscover during device setup or because of the redirect), or the device is using the mail.contoso.com namespace (in which case CAS2010 is proxying to the legacy CAS or the Exchange 2003 mailbox server).

For the Autodiscover-supported device scenario case:

  1. User3's device is already configured to use the namespace legacy.contoso.com.
  2. User3's device attempts to synchronize.
  3. CAS2007 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The EAS virtual directory ExternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox's AD site
  4. Since the user's mailbox version is now greater than the CAS2007 version, CAS2007 must respond with either a 403 or a 451 response code. Since the ActiveSync protocol version of User3's device is 12.1 or later, the device supports Autodiscover, so CAS2007 will return a response (HTTP error code 451) indicating that the device should use the mail.contoso.com namespace for all synchronization events.
  5. The device updates its profile to use mail.contoso.com and attempts to synchronize with mail.contoso.com.
  6. CAS2010 will authenticate the user and retrieve and render the mailbox data from the Exchange 2010 mailbox server and will provide the rendered data back to the device.

For the legacy device case:

  1. User1's device is already configured to use the namespace mail.contoso.com.
  2. User1's device attempts to synchronize.
  3. CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
    1. User's mailbox version
    2. User's mailbox location (AD Site)
    3. The EAS virtual directory ExternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox's AD site
    4. The EAS virtual directory InternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox's AD site
  4. Because the device does not support Autodiscover (protocol version is less than 12.1), prior to the mailbox move, CAS2010 simply proxied the ActiveSync traffic to CAS2007. Now that the mailbox is moved, CAS2010 simply retrieves and renders the mailbox data from the Exchange 2010 mailbox server.
  5. CAS2010 will expose the data to the end user.

Conclusion

Hopefully this information dispels some of the myths around proxying and redirection logic for Exchange ActiveSync in Exchange Server 2010 when upgrading either from Exchange 2007 or Exchange 2003.  Please let us know if you have any questions.

Credits: original article at http://msexchangeteam.com/archive/2009/12/08/453472.aspx