Sunday, August 17, 2014

Exchange 2010 (SP3) - Migration - Part 5 - CAS Urls

Web-based access to the client's mailbox is provided by methods such as OWA (Outlook Web Access/App), ActiveSync, EWS (Exchange Web Services - for calendar and out-of-office functionality) as well as OAB (Offline Address Book). Exchange 2010 also introduces a new web-based management interface in addition to the EMC and EMS: the ECP or "Exchange Control Panel".

All these methods require a pair of URLs: internal and external.

Moreover, access is validated by a certificate (preferably issued by a third party like Comodo or Digicert) and the "subject names" on the certificate must match the host names in the URLs used for client access (and management) mentioned above.

We'll see some examples below but in general, the URLs are composed of three parts:

  1. https://
  2. The FQDN of the server: EX13-1.mylan.net for example
  3. Some reference to the IIS virtual folder, for example: /owa, /ecp or /oab (other variations are possible here).

In fact, this holds true for the internal URL. Depending on choices made at installation time, there will either be no external URL or a URL like "mail.contoso.com".


One common practice is to change the internal URL (with the server FQDN) so it is the same as the external URL (if present). Why? Some prefer that the names of internal servers are not exposed to the outside world (although these names appear elsewhere - in message headers for example). Another reason is to simplify the use of certificates. In organizations with multiple servers, the list of names on the certificate could be quite long. Since cost increases with the number of names (sometimes priced in increments of five), that is also a consideration.

It is possible to have as few as two names on the certificate. For example:

mail.contoso.com
autodiscover.contoso.com

The first name can be used for all client access related services (OWA, ActiveSync, OAB) but autodiscover requires a name of its own.

In the context of an Exchange 2007 to 2010 migration, there is one more aspect to consider... and one more name to add to the certificate.

Here is the status quo of my test lab...

All URLs are configured with...

mail.mitserv.net (or autodiscover.mitserv.net)

In DNS, there is an "A" record in the mitserv.net zone that links "mail" to the IP address 10.0.0.20 which happens to be the IP address of the Exchange 2007 multirole (CA,HT,MB) server.

Note: all my servers are multirole servers with each server holding the CA, HT and MB roles.

Everything works fine at present.

But what happens when we start to migrate mailboxes from Exchange 2007 to 2010?

This is what we have to do...

  1. We create an entry in DNS for "legacy". This record points to the Exchange 2007 server (to the 2007 CAS to be exact).
  2. Just before we start mailbox migration, we point the DNS records for "mail" and "autodiscover" to the Exchange 2010 server (or a load balancer).
  3. We change the Exchange 2007 URLs from mail.mitserv.net to legacy.mitserv.net.

After these changes, clients will first be directed to the Exchange 2010 CAS (or load balancer distributing access requests between a group of 2010 servers). If the mailbox in question is located on the Exchange 2010 server, the 2010 server provides access to that mailbox.

If the mailbox is still on the Exchange 2007 server, the 2010 CAS redirects the request to the 2007 CAS.

The "legacy" entry in DNS allows this redirection.

Note: if the Exchange 2007 server is not "Internet facing", the Exchange 2010 server "proxies" client access requests to the 2007 server (CAS role).

The fundamental point here is that the Exchange 2007 CAS cannot provide access to mailboxes on an Exchange 2010 MBX server and vice versa.


***

At this point, I am not quite ready to migrate any mailboxes - or change DNS entries, and URLs on the Exchange 2007 server. What I do want to accomplish at this time is the configuration of URLs on the Exchange 2010 server.

I write "Exchange 2010 server" and describe the scenario above with only one Exchange 2010 server present, making only some vague references to "load balancers". That was to simplify the explanation as much as possible. In fact, there will be two Exchange 2010 servers in my test network and that will be reflected in the lines that follow.


***


ECP

I'll begin with the "ECP", the Exchange Control Panel.

First, we'll see how the URLs are configured:


[PS] C:\>Get-ECPVirtualDirectory | fl Server,ExternalUrl,InternalUrl

Server      : EX13-1
ExternalUrl : https://mail.mitserv.net/ecp
InternalUrl : https://ex13-1.mynet.lan/ecp

Server      : EX13-2
ExternalUrl : https://mail.mitserv.net/ecp
InternalUrl : https://ex13-2.mynet.lan/ecp

So, as mentioned in my introduction, the internal URL uses the FQDN specific to each server. We can adjust that with this cmdlet:

Get-ECPVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl https://mail.mitserv.net/ecp

And verify the changes:

[PS] C:\>Get-ECPVirtualDirectory | fl Server,ExternalUrl,InternalUrl

Server      : EX13-1
ExternalUrl : https://mail.mitserv.net/ecp
InternalUrl : https://mail.mitserv.net/ecp

Server      : EX13-2
ExternalUrl : https://mail.mitserv.net/ecp
InternalUrl : https://mail.mitserv.net/ecp




Autodiscover

Some of you may know that we do not need to configure the autodiscover URL because Exchange does not use it. If not, you can learn more with this Technet article by Rhoderick Milne:


Therefore, I will not waste any time adjusting this parameter (even though I have in the past for a sense of "completeness").

On the other hand, we do need to configure the autodiscover URI which I will do next:

[PS] C:\>Get-ClientAccessServer | select identity,autodiscoverserviceinternaluri | ft -auto

Identity AutoDiscoverServiceInternalUri
-------- ------------------------------
ex1      https://mail.mitserv.net/autodiscover/autodiscover.xml
EX13-1   https://ex13-1.mynet.lan/Autodiscover/Autodiscover.xml
EX13-2   https://ex13-2.mynet.lan/Autodiscover/Autodiscover.xml

We want the value of the parameter to be the same as it is for EX1 (the Exchange 2007 server).

There are several possible methods. We could use the Get-* cmdlet as for the ECP, above, and pipe the result to the Set-* cmdlet. Below, I'll use the Set-* cmdlet directly. Note that we have to identify the server explicitly then.


[PS] C:\>Set-ClientAccessServer EX13-1 -autodiscoverserviceinternaluri https://mail.mitserv.net/autodiscover/autodiscover.xml

[PS] C:\>Set-ClientAccessServer EX13-2 -autodiscoverserviceinternaluri https://mail.mitserv.net/autodiscover/autodiscover.xml


[PS] C:\>Get-ClientAccessServer | select identity,autodiscoverserviceinternaluri | ft -auto

Identity AutoDiscoverServiceInternalUri
-------- ------------------------------
ex1      https://mail.mitserv.net/autodiscover/autodiscover.xml
EX13-1   https://mail.mitserv.net/autodiscover/autodiscover.xml
EX13-2   https://mail.mitserv.net/autodiscover/autodiscover.xml




OWA

Since the name of the server appears in the URL (see below), I'll just display the URLs themselves in an effort to be as concise as possible.

[PS] C:\>Get-OwaVirtualDirectory | fl ExternalUrl,InternalUrl

ExternalUrl : https://mail.mitserv.net/owa
InternalUrl : https://ex13-1.mynet.lan/owa

ExternalUrl : https://mail.mitserv.net/owa
InternalUrl : https://ex13-2.mynet.lan/owa


[PS] C:\>Get-OwaVirtualDirectory -Server Ex13-1 | Set-OwaVirtualDirectory -InternalUrl https://mail.mitserv.net/owa

[PS] C:\>Get-OwaVirtualDirectory -Server Ex13-2 | Set-OwaVirtualDirectory -InternalUrl https://mail.mitserv.net/owa

Note: you may receive a warning about the ECP, stating you should adjust its URL as well. I've edited that (out) for concision.

We do not see the server name below, but now both URLs for both servers use "mail" instead of the server FQDN.

[PS] C:\>Get-OwaVirtualDirectory | fl ExternalUrl,InternalUrl

ExternalUrl : https://mail.mitserv.net/owa
InternalUrl : https://mail.mitserv.net/owa

ExternalUrl : https://mail.mitserv.net/owa
InternalUrl : https://mail.mitserv.net/owa



ActiveSync (for mobile devices, Smartphones, etc.)


[PS] C:\>Get-ActiveSyncVirtualDirectory | fl ExternalUrl,InternalURL

InternalUrl : https://ex13-1.mynet.lan/Microsoft-Server-ActiveSync
ExternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync

InternalUrl : https://ex13-2.mynet.lan/Microsoft-Server-ActiveSync
ExternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync


[PS] C:\>Get-ActiveSyncVirtualDirectory -Server EX13-1 | Set-ActiveSyncVirtualDirectory -InternalUrl https://mail.mitserv.net/Microsoft-Server-ActiveSync

[PS] C:\>Get-ActiveSyncVirtualDirectory -Server EX13-2 | Set-ActiveSyncVirtualDirectory -InternalUrl https://mail.mitserv.net/Microsoft-Server-ActiveSync


[PS] C:\>Get-ActiveSyncVirtualDirectory | fl ExternalUrl,InternalURL

InternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync
ExternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync

InternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync
ExternalUrl : https://mail.mitserv.net/Microsoft-Server-ActiveSync



EWS (Exchange Web Services)

[PS] C:\>Get-WebServicesVirtualDirectory | fl ExternalUrl,InternalURL

InternalUrl : https://ex13-1.mynet.lan/EWS/Exchange.asmx
ExternalUrl : https://mail.mitserv.net/ews/exchange.asmx

InternalUrl : https://ex13-2.mynet.lan/EWS/Exchange.asmx
ExternalUrl : https://mail.mitserv.net/ews/exchange.asmx


[PS] C:\>Get-WebServicesVirtualDirectory -Server Ex13-1 | Set-WebServicesVirtualDirectory -InternalURL https://mail.mitserv.net/ews/exchange.asmx

[PS] C:\>Get-WebServicesVirtualDirectory -Server Ex13-2 | Set-WebServicesVirtualDirectory -InternalURL https://mail.mitserv.net/ews/exchange.asmx



[PS] C:\>Get-WebServicesVirtualDirectory | fl ExternalUrl,InternalURL

ExternalUrl : https://mail.mitserv.net/ews/exchange.asmx
InternalUrl : https://mail.mitserv.net/ews/exchange.asmx

ExternalUrl : https://mail.mitserv.net/ews/exchange.asmx
InternalUrl : https://mail.mitserv.net/ews/exchange.asmx



OAB (Offline Address Book)

In this case, I configured the servers separately. It's just one more approach - among others.

OAB - EX13-1

[PS] C:\>Get-OabVirtualDirectory -Server EX13-1 | fl *url*

InternalUrl : http://ex13-1.mynet.lan/OAB
ExternalUrl : https://mail.mitserv.net/OAB

[PS] C:\>Get-OabVirtualDirectory -Server EX13-1 | Set-OabVirtualDirectory -InternalUrl https://mail.mitserv.net/OAB

[PS] C:\>Get-OabVirtualDirectory -Server EX13-1 | fl *url*

InternalUrl : https://mail.mitserv.net/OAB
ExternalUrl : https://mail.mitserv.net/OAB


OAB - EX13-2


[PS] C:\>Get-OabVirtualDirectory -Server EX13-2 | fl *url*

InternalUrl : http://ex13-2.mynet.lan/OAB
ExternalUrl : https://mail.mitserv.net/OAB


[PS] C:\>Get-OabVirtualDirectory -Server EX13-2 | Set-OabVirtualDirectory -InternalUrl https://mail.mitserv.net/OAB

[PS] C:\>Get-OabVirtualDirectory -Server EX13-2 | fl *url*

InternalUrl : https://mail.mitserv.net/OAB
ExternalUrl : https://mail.mitserv.net/OAB
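
With every service pointed at the shared name, each URL's host should appear on the certificate and each URL should use https (the OAB internal URL above started out as http). The following is an added example, not part of the original post: Test-CasUrlCoverage is a hypothetical helper, the rows are constructed from URL values shown above, and the certificate names are assumed to follow the two-name pattern described earlier. It also accepts wildcard names, which the post does not discuss.

```powershell
# Added example: Test-CasUrlCoverage is a hypothetical helper, not an Exchange cmdlet.
function Test-CasUrlCoverage {
    param(
        [Parameter(Mandatory=$true)] [object[]] $UrlRows,   # items with Server, Service, Kind, Url
        [Parameter(Mandatory=$true)] [string[]] $CertNames  # names present on the certificate
    )
    foreach ($row in $UrlRows) {
        $uri     = [uri]$row.Url
        $urlHost = $uri.Host.ToLowerInvariant()
        $covered = $false
        foreach ($name in $CertNames) {
            $n = $name.ToLowerInvariant()
            if ($n -eq $urlHost) { $covered = $true; break }
            # A wildcard name (*.example.com) covers exactly one left-most label.
            $dot = $urlHost.IndexOf('.')
            if ($n.StartsWith('*.') -and $dot -gt 0 -and $urlHost.Substring($dot) -eq $n.Substring(1)) {
                $covered = $true; break
            }
        }
        # Collect every problem found for this URL.
        $problems = @()
        if ($uri.Scheme -ne 'https') { $problems += 'not https' }
        if (-not $covered)           { $problems += 'host not on certificate' }
        $status = 'OK'
        if ($problems.Count -gt 0) { $status = $problems -join '; ' }
        New-Object PSObject -Property @{
            Server = $row.Server; Service = $row.Service; Kind = $row.Kind
            Host = $urlHost; Status = $status
        } | Select-Object Server, Service, Kind, Host, Status
    }
}

# Constructed sample: a few URL values as they appear in this post.
$rows = @(
    @{ Server='EX13-1'; Service='ECP'; Kind='Internal'; Url='https://ex13-1.mynet.lan/ecp' },
    @{ Server='EX13-1'; Service='ECP'; Kind='External'; Url='https://mail.mitserv.net/ecp' },
    @{ Server='EX13-2'; Service='OAB'; Kind='Internal'; Url='http://ex13-2.mynet.lan/OAB' },
    @{ Server='EX13-2'; Service='OAB'; Kind='External'; Url='https://mail.mitserv.net/OAB' }
)
# Assumed certificate names (the two-name pattern described above, for mitserv.net).
$certNames = 'mail.mitserv.net', 'autodiscover.mitserv.net'

Test-CasUrlCoverage -UrlRows $rows -CertNames $certNames | Format-Table -AutoSize
```

On a live server, the rows would be built from the Get-*VirtualDirectory output shown in this post and the names from the CertificateDomains property returned by Get-ExchangeCertificate.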

