  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 425

Exchange 2003 FE, CAS replacement confusion

Background: We are running a 2 node Exchange 2003 SP2 cluster on Windows Server 2003 SP2 (BE), with a single 2003 FE. All Domain Controllers are Server 2003 SP2, with 1 Windows 2008 DC in a remote location. I had a class in Exchange 2007, but it was entirely focused on a new install of Exchange 2007, not a coexistence with a 2003 environment. I have 2 Windows 2008 R2 servers built for our Exchange 2007 implementation. We are in native mode, and have already run the setup /preparelegacyexchangepermissions, setup /prepareschema, setup /preparead, and setup /preparedomain. OU and all groups were created in AD and schema has been replicated to all DCs. We are planning to install CAS on 1 of the 2008 R2 servers, and the mailbox and hub transport roles on the other 2008 R2 server. We are using an Ironport instead of an Edge Transport or ISA server. So, I have a few questions. Some stupid, others not so dumb (or dumber, I don't care, just want to get this right).

First, we attempted to install CAS, but when we did, our existing OWA ceased to function amongst some other problems. Once we uninstalled CAS and corrected the other issues (not sure if they were related or not), our OWA site was functional again. We thought that we could install CAS and configure it, before installing our certificate and changing the VIP to point to it. So our first question. Do we have to remove Exchange 2003 from our FE before installing CAS? When installing CAS, do I have to install Hub Transport on the CAS server as well for routing? Our mailbox/hub transport will not be up and running for a while yet. We want to get CAS and OWA functional first before proceeding, and I have read in several sites that CAS and Hub Transport needed to be installed. Please, I already know that there is a specific sequence to install and that CAS and Hub Transport need to be installed before the mailbox role, but many others seem to be installing CAS and Hub together?? Second, I have read that you CANNOT run a 2003 FE when you install CAS (atkjedi response in Q_23786098), but in another response (endital1097 responds in Q_24625550), that you can have them run simultaneously. Others merely mention that all you have to do is a URL redirect to the /exchange virtual folder. Can someone clarify this and if possible, provide a link to step-by-step instructions for installing CAS? Microsoft's documentation is horrible to say the least. And every time I look for assistance, the story changes.
0
Asked by: frevere
1 Solution
 
Busbar (Solutions Architect) commented:
Hi,
This is the first time I have ever seen CAS corrupt OWA; there is nothing that makes it not work. However, the install sequence should be CHUM (CAS, HUB, UM, Mailbox).
You will have to install CAS and HUB and configure a routing group connector, then remove the FE server and point the OWA URL to the CAS server.
In coexistence there should be no issue, but you should hurry and remove the FE; if you configured the URL to point to the CAS server then you should remove the FE server.
0
 
Glen Knight commented:
OK, first thing, Exchange 2007 is not supported on Windows 2008 R2 so this could be causing your problem.

When you rebuild with Windows 2008 non R2 then make sure you install all the prerequisites as per: http://www.petri.co.il/installing-exchange-2007-prerequisites-on-windows-server-2008.htm

When you install your CAS server make sure you don't install the mailbox role on it and ensure it's part of your existing Exchange organisation.

The clients should then use https://casservername/exchange
0
 
frevere (Author) commented:
Ok guys. Maybe R2 is the major problem, but once again (and a perfect example), busbar mentions to install hub with cas. We really wanted CAS by itself and to install hub along with mbx. Can CAS (without hub) be installed in coexistence and replace the FE for OWA, and after the certificate and URL are redirected to CAS with the FE removed, hub be installed with mbx?

Or, is hub really required for CAS to work correctly?

Confusion, confusion and no one makes it simple.  Thanks for the link.  Will read this as we rebuild both servers, and hopefully have more answers by then.
0

 
Busbar (Solutions Architect) commented:
HUB is not required for CAS; CAS can work by itself, but the problem is in mail flow. The FE in 2003 can handle client access and message flow, while CAS can do client access only. If you want to replace the FE in 2003, it should be replaced by HUB and CAS.

The solution is either to redirect the send/receive connectors to the BE server or dedicate a single FE server to handle mail traffic and install a CAS server to handle client traffic.
0
 
Glen Knight commented:
You can separate all the roles or have MBX/HUB/CAS all on the same server.

You need to replace your FE server with a 2007 CAS server, if the FE server is also handling SMTP traffic (which they don't always do) then you will also need to install the Hub Transport role on the CAS server to allow it to be a direct replacement for the FE server.

This is by no means necessary

0
 
Glen Knight commented:
The HT role can be installed with the MBX role; it just means that all SMTP traffic will go through this server.

You are better off, if you have a CAS server, setting this up as the HT role as well; this way the perimeter services are all on one server.
0
 
frevere (Author) commented:
Okay guys. Got a much better understanding of the situation now. Please bear with me for the next several days as I build a 2008 SP2 server with all the requirements. Thanks Demazter for the great link. Will keep adding information and/or questions as I go. Don't want to really close this question and have to reopen another one just for additional information.
0
 
Glen Knight commented:
Absolutely!
You have any further questions, just let us know.
0
 
frevere (Author) commented:
Finally have the server built as Windows 2008 and fully patched to SP2. Using the following article, http://www.petri.co.il/installing-exchange-2007-prerequisites-on-windows-server-2008.htm, to install all the prerequisites since it is considerably more than Windows 2003.
0
 
Glen Knight commented:
Excellent, how did it go?
0
 
frevere (Author) commented:
Have the CAS server built as a Windows 2008 SP2 with all prerequisites installed. Before I install CAS on this server, I am building the MBX server as Windows 2008 SP2 with the appropriate prerequisites. Still, conflicted on where to install the Hub Transport. I know you keep mentioning to install on the CAS server, but according to Q_23864270, this user did like we were planning and installed CAS by itself and the Hub Transport and Mailbox together. So, before I make a decision and go any further with the installation of Exchange 2007, what are the implications of the 2 scenarios? If I am right, and correct me if I am not, if Hub Transport is installed with CAS, the two will be in the same routing group and nothing more needs done for CAS to function, but connections will need to be created to the Mailbox server. But if Hub Transport is installed on the MBX server, connections will need to be created for CAS to route to the Exchange 2003 BE. Is this correct to say? While I wait for your expert advice, I will finish up the MBX server and proceed from there.
0
 
Glen Knight commented:
Put the HUB transport role on the CAS server.
This way you're only opening ports to one server.

If you install the new servers into the existing Exchange organisation you will not need to configure anything for CAS to work; it will just work (or at least that's my experience anyway).

And again, for the HUB transport role you can install it wherever you like but you will need to make sure the required ports are open for it to function properly.
0
 
frevere (Author) commented:
Okay, demazter, that is beginning to make some more sense. My whole line of questioning was, why did MS make so many roles, besides a smaller security footprint, if they can be installed on the same server or each on their own server. All the documentation I was reading, like http://searchexchange.techtarget.com/generic/0,295582,sid43_gci1305408,00.html#, claims to install CAS first, get it operational and remove the FE BEFORE installing the Hub Transport, thus I was getting confused believing that the Hub Transport was needed to get CAS to work in a coexistence environment because everyone, like yourself, has been talking about putting CAS and HUB on the same server.

In my situation though, I do not believe this is a problem and I can do it either way since I have 80 and 443 open to the FE, soon to be CAS; and have an IronPort that is acting as my edge server which passes 25 to the BE/bridgehead, soon to be Hub Transport/Mailbox.
0
 
Glen Knight commented:
They talk about installing the CAS first because to co-exist that's the requirement.
It's not essential to install HT at the same time.

There are not any real hard and fast rules about role placement.

Personally I tend not to put the HT role on the MBX server in a multi-server environment.
0
 
frevere (Author) commented:
Sounds good demazter. So here is an update. I have both servers (CAS, MBX) at Windows 2008 SP2, fully patched and all prerequisites for each role installed on the appropriate server. Today I installed CAS on the CAS server (duh), and did a simple test: https://<fqdn>/exchange. I was able to login and was redirected to the 2k3 BE. Currently I am using the self signed certificate installed with CAS. 2 problems I found, and here is where I need the additional help, are 1) when you click on "new" for a new message, nothing happens. 2) the same happens when you click logoff. I probably missed something in the configuration which I will be looking over tonight and tomorrow. Any suggestions?
0
 
Busbar (Solutions Architect) commented:
If you are using IE from a server, please add the server to the trusted zone.
0
 
frevere (Author) commented:
This was using IE 8 from 2 different workstations.  Is the server going to have to be added in the trusted zone for all workstations in order to work (i.e. internally and externally)?
0
 
Busbar (Solutions Architect) commented:
Yup, or use a valid certificate from an Internal CA or use a commercial certificate
0
 
Glen Knight commented:
You will need a commercial certificate for it to work properly.
You can get a UCC/SAN certificate from GoDaddy for around $60 per year.
0
 
frevere (Author) commented:
Okay, update. Everything works in Rules and Options using the self signed certificate, but nothing else (i.e. mail, contacts, etc.). Read your last posting demazter, so I have this follow-up question. If I export my certificate (Verisign) from my FE, how do I install it on the new CAS server? I have been poking around and IIS7 is completely different. I have zero knowledge on Windows 2008. Was hoping management would authorize a class.....yeah, right, so this is a learn as I go process. I know I can export our license to a .pfx. Is this going to import on IIS7?

If all goes well and this last step works, we are planning to try changing over to the CAS and then remove the FE, at which time I can install HT on the CAS server and start proceeding forward with the MBX.
0
 
Glen Knight commented:
There is a whole section here on technet: http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx

As for exporting and importing from another server I don't know because I have never done it, what I normally do is generate a new request and then re-key the certificate with that new request and install it.

Here is just one example of the installation process: http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
0
 
frevere (Author) commented:
Hah....Demazter, correct if wrong. In IIS7, you no longer install the certificate by website like in 2003, but rather on the server itself. Correct? Only question is, does the certificate have to be a .cer or can it be an exported .pfx, so I can use my current certificate?
0
 
Glen Knight commented:
I believe you can import a pfx file.
Correct, the certificate is installed using Exchange (or the Certificates snap-in depending on what you are doing) and then you associate it with the website through the Management Shell as per the SSL Shopper link.
0
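The import-then-associate sequence described in the answer above, as an added example that is not part of the original thread: it imports the exported PFX in the Exchange 2007 Management Shell, checks the certificate before binding it, and only then enables it for IIS. The file path and host name are placeholders, not values from the thread.

```powershell
# Added example: run in the Exchange Management Shell on the new CAS server.
$pfxPath = 'C:\certs\owa-export.pfx'   # placeholder: PFX exported from the old FE
$owaName = 'mail.example.com'          # placeholder: host name clients use for OWA

# Prompt for the PFX password so it is not stored in a script or command line.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the local computer store, then re-read the certificate by thumbprint.
$imported = Import-ExchangeCertificate -Path $pfxPath -Password $pfxPassword
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# Collect the names the certificate covers (subject plus subject alternative names).
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

# Refuse to bind a certificate that would leave OWA with warnings or no TLS at all.
# Note: a wildcard name such as *.example.com needs its own comparison; this
# check only accepts an exact host-name match.
$problems = @()
if (-not $cert.HasPrivateKey)      { $problems += 'no private key in the import' }
if ($cert.IsSelfSigned)            { $problems += 'certificate is self-signed' }
if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
if ($names -notcontains $owaName)  { $problems += "$owaName is not a covered name" }

if ($problems.Count -gt 0) {
    throw ('Not enabling ' + $cert.Thumbprint + ': ' + [string]::Join('; ', $problems))
}

# Associate the certificate with the IIS web site that serves OWA.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Confirm the result: the Services column should now include IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains
```

The PFX contains the private key, so delete the exported file from both servers once the import is confirmed.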
 
frevere (Author) commented:
Sorry for the delay. Although the Exchange 2007 migration is important, had an emergency that took precedence. Cert resolved last issues.
0
