Solved

Simple question about Exchange migration from 2003 to 2007.

Posted on 2008-10-22
Last Modified: 2012-05-05
Hi, very good afternoon, I have a query.

We are doing a migration from Exchange 2003 to Exchange 2007.

Our Exchange 2003 architecture is as follows: an Exchange front-end server and another back-end server.

The front-end server has no mailboxes; it only handles e-mail traffic and authenticates users accessing from outside the organization, to OWA for example.

We added an Exchange 2007 back-end server with the 3 required roles (HUB, CLIENT & Mailbox).
Moving a mailbox from the 2003 back end to 2007 was no problem.

Now I have a problem with OWA:

1) From outside the organization, we cannot access OWA for a user who resides on the new Exchange 2007.

I think it may be because the Exchange 2003 front-end server does not know where to go for that user's mailbox.

Can anyone help me?
Thanks

Question by:thor_08

Accepted Solution

by:dsolaris
dsolaris earned 275 total points

You are correct.
All Exchange 2007 users have to hit an Exchange 2007 OWA server.  Exchange 2007 no longer uses WebDAV for Exchange 2007 mailboxes, so the Exchange 2003 server has no clue how to handle the request.

However, an Exchange 2003 user can hit an Exchange 2007 server and it will proxy them to the Exchange 2003 mailbox server and they will have the Exchange 2003 experience.

You should publish your Exchange 2007 server as your OWA server now and use it for 2003 and 2007 users as well as mail traffic, then decommission your Exchange 2003 Front-End.

Author Comment

by:thor_08

Hey, thank you for your quick response.

Understanding what you told me, there is now one item.

The Exchange 2007 back end is inside the LAN and cannot, for security reasons, go to the DMZ and authenticate users from outside.

The question is: is there no possibility for me to keep the Exchange 2003 at the border and the Exchange 2007 as the back end?

Our idea in principle, and for a time, was only to replace the back-end Exchange 2003 server.

Expert Comment

by:dsolaris

If you require Exchange 2007 users to access OWA, then no.  The process is to replace the front-end first with a CAS and HT server then the back-end.

Assisted Solution

by:tigermatt
tigermatt earned 225 total points

In any Exchange topology, the front-end server (or CAS, in Exchange 2007 terms) cannot run an older version of Exchange than the other Exchange Server(s). In this case, you are trying to tell an Exchange 2003 Front-end to locate and connect to an Exchange 2007 server, something it does not know how to do, nor does it have the feature-set to do so.

You must either upgrade your current Front-end to an Exchange 2007 CAS, or have users connect to the Exchange 2007 directly.

I would also suggest you get the Front-End out of the DMZ as soon as possible. Place it on the internal LAN and then just open ports 25 and 443 through to that server. Placing it in the DMZ is more of a security risk than having it on the internal LAN.

-tigermatt

Author Comment

by:thor_08

Hey, thanks again.

So the idea would be:

Uninstall the Client Access server role from our Exchange 2007 back end and install a new server in the DMZ with the Client Access server role.

If so, can I post the new server with another IP, so that the Exchange 2003 front end and the Exchange 2007 front end (Client Access server) live together for a time?

The idea of this is:
Users that have a mailbox on Exchange 2003 point to the Exchange 2003 front end; users who are migrating point OWA to the new Exchange Server 2007 Client Access server.

Is this possible?

Thank you

Expert Comment

by:tigermatt

Yes, theoretically you can do that, but there is no need to keep the 2003 one running - all users can connect to the 2007 CAS. Install a new Exchange 2007 Server as a 'front-end' by installing it with the CAS role.

If you have the 2003 FE and 2007 CAS running, you will need two external IP addresses to forward the ports on, and users accessing Exchange 2007 would have to access a different one, thus the recommendation to simply replace the 2003 FE with a 2007 CAS. I would place the Hub Transport role on a 2007 CAS, too.

-tigermatt

Author Comment

by:thor_08

Hey guys, thanks again for the quick answers.

Is it necessary to install the Hub Transport role on the same physical server as the Client Access server?

The current Hub Transport I have installed on the mailbox server (and now also the Client Access server).

And all are in the same Active Directory site.

The idea is to have one server with the Hub Transport + Mailbox server and one with the Client Access server.

Thx

Expert Comment

by:tigermatt

Sorry, I should have made that more clear. If you were going to remove the Exchange 2003 Front End completely from the network, it would be my recommendation to have the Hub Transport role on the same server as the CAS. Since the Hub Transport server is where all incoming email is delivered, this would replicate the environment previously where mail is delivered to a 2003 FE.

You certainly can install the Hub Transport role on the Mailbox Server if you wished; just remember that port 25 for incoming mail, if you decommission the 2003 FE, must be forwarded to the Hub Transport server, while 443 goes to the CAS for OWA and RPC/HTTPS access.

-tigermatt

Author Comment

by:thor_08

What do you think of this scenario?

Not completely remove the Exchange 2003 front-end server, which is for the routing of e-mail with the internet.

Open port 443 to the Exchange 2007 back end, which is going to have the Exchange MB, CA and HU server roles installed.

That way, outsiders could access OWA for the Exchange 2007 mailboxes and for the Exchange 2003 mailboxes that will be migrating.

What do you think?

Expert Comment

by:dsolaris

One thing to note that is important.  The Client Access role is not supported in the DMZ.

Expert Comment

by:tigermatt

Yes, that is definitely possible. However, it will come under the restriction I mentioned above - until the Exchange 2003 is removed, you must have a second public IP address for the Exchange 2007 CAS and Hub Transport server, and users on Exchange 2007 must remember to connect to OWA using that external IP address temporarily.

dsolaris, you would be surprised how many people will still find a way to make the CAS work in the DMZ, because it is 'safer', yet in fact it is actually a large security hole placing any Active Directory domain member in the DMZ, and should never be attempted, not even for an Exchange Server (with the exception of an Edge).

-tigermatt

Expert Comment

by:dsolaris

I know how many people try it and want it for the "higher security" lol, unfortunately.  Consultant myself.
Way to make it work and supported.  Hehe, I always liked that.  You can make anything work, but placing it in the DMZ and configuring everything to make it work as designed.  Not safer at all due to the plethora of ports that you have to open.  I bet you always like to fight that battle as much as I do.  :-)

Thor, use this for a good starting point:
http://technet.microsoft.com/en-us/library/bb885041(EXCHG.80).aspx

Author Comment

by:thor_08

Thanks again.

OK, users accessing OWA are going to have to go through another IP.
Perfect.

When you uninstall the Exchange 2003 back-end server, will there be no problem routing between the Exchange 2003 front end and the Exchange 2007 back end? (Except the mentioned problems about OWA)

Thank you

Expert Comment

by:tigermatt

> When you uninstall the Exchange 2003 back-end server, will there be no problem routing between the Exchange 2003 front end and the Exchange 2007 back end? (Except the mentioned problems about OWA)

I think so, yes, but I wouldn't risk it myself; I would change the inbound port 25 over to the IP of the Exchange 2007 Hub Transport as soon as possible.

Author Comment

by:thor_08

Hello,
The link that dsolaris mentions says that an Exchange 2003 front-end server with an Exchange 2007 back end is not supported.

?

Thanks!

Expert Comment

by:tigermatt

Of course that is the case with OWA; I am not too sure on the inbound SMTP. It should theoretically be able to route, but just to be sure I would still change the inbound port configuration in your firewall to the IP of the Exchange 2007 Hub, so mail can be routed without any hiccups.

-tigermatt

Expert Comment

by:dsolaris

Yeah, mail routing will be fine from the DMZ; what I was mentioning is that it is not supported to have a CAS server in the DMZ.  Basically, Tigermatt and I are saying the same thing.

Author Comment

by:thor_08

Thanks!!

The day I uninstall the 2003 back-end server, will I have to point the traffic to the Hub Transport server?

It is assumed that the Exchange 2003 front-end server can route mail with the Exchange 2007 back-end server (for that, we leave the Exchange 2003 front end).

Maybe you have not tried it, but maybe you know :)

Thanks!!

Expert Comment

by:dsolaris

Yes.  Exchange 2003 front-end can relay mail to an Exchange 2007 back end.
But before you can install an Exchange 2007 Mailbox server you are required to have a Hub Transport Server, and for the most part a CAS server.
But those can all be running on the same system and you can remove them at any point later if you desire to run the CAS and HT role on a different server.

But...  there is a caveat there too.  If you run the CAS role on a Mailbox server, it will modify the \Exchange virtual directory and will not properly proxy Exchange 2003 users.  Have we confused you yet?  lol

There are some temporary steps that you can take.  Here is an example of a method we had to have a client use due to system constraints.

Purchase one new machine.  Build it out as the temporary Client Access/Hub Transport Server.
Cut all services over to this temp system.
Decommission the Exchange 2003 Front-End server.
Rebuild it as the permanent Exchange 2007 CAS/HT server (if it is 64bit).
Cut all OWA and SMTP services over to the new Perm CAS/HT server.
Add the Mailbox Role to the new system and remove the CAS/HT roles.
Move your mailboxes to the 2007 Mailbox server.
Decommission and reallocate Exchange 2003 Back-End.

Kind of loopy but good way to do it if you desire to reuse existing hardware.

Author Comment

by:thor_08

Hey, no problem.

Your responses are highly valued.

Now I'm going to describe the scenario and you are going to say if what I propose is right.

- I'm going to uninstall the CAS role from the current Exchange Server 2007 and install a new server, all this so that it can do a good job of proxying for Exchange 2003 users, OK?

- I'm going to publish this new server through an ISA Server with a new public IP.

In this way, users that have a mailbox on either Exchange will be able to successfully access it through OWA.

- I'm going to finish migrating mailboxes from Exchange 2003 to Exchange 2007.

- I'm going to uninstall the Exchange 2003 back-end server.

At this point, there is going to be one published IP for routing e-mail (from the Exchange 2003 front-end server to the Exchange 2007 HT and MB)
and another IP for the CAS to use OWA.

Is everything right up to there?

Thank you

Expert Comment

by:dsolaris

Yeah, that will work.

Expert Comment

by:tigermatt

Yes that would be fine :)

Author Closing Comment

by:thor_08

Thanks!!
Really Thanks!!

Author Comment

by:thor_08

Thanks guys!
You 2 were excellent; I gave more points to dsolaris for the quick response,
but the truth is that the 2 of you had a very good predisposition.
Thanks, really.

Author Comment

by:thor_08

Hello again,

I need your help. I have already installed the CAS, with the default certificate.

I'm going to do the publishing with the ISA server, as a start?

We have an internal CA; do I request a certificate?

On the other hand, I opened a new question.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23841049.html

Thank you