• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 623
  • Last Modified:

Exchange 2013 Upgrade with SSL and Name Change


We are looking to transition from Exchange 2007 to 2013.  We are a relatively small organization (~600 mailboxes), so we have decided to use just one server for MBX+CAS.  I have a couple of questions about this upgrade:

We have named our 2007 server and all of the service names "exchangesvr" (except for autodiscover).  We are considering switching to use "mail" as the service name for everything except autodiscover, since that seems to be pretty standard.  Is it a good idea to use the name "mail", or should we keep our existing name?  It seems like we may run into problems during co-existence if we keep the name "exchangesvr" for 2013 because that will still be the name of the physical 2007 machine, even though the service name will have switched to our 2013 server.  Also, if we do change the name from "exchangesvr" to "mail", does this mean that we do not need to use a legacy namespace?  We can just refer to "exchangesvr" as the legacy server, correct?

Also, our 2007 server has no SSL certificate.  We will most definitely be implementing an SSL certificate on the 2013 server.  How will that affect users during co-existence?  When we go live with 2013, I know we will have to change the ActiveSync profile on all our company phones to the new server name (if we go with a  new name) and to use SSL.  If a user's mailbox has not been migrated to the 2013 server, will there be issues when the user goes from an SSL connection with the 2013 server to not having an SSL connection with the 2007 server?  Would it be possible to have users who haven't been migrated to the new server continuing to use the same ActiveSync settings until we do migrate their mailbox to the new server?

Thanks in advance for your input.
2 Solutions
David CarrCommented:
Using mail for Exchange Server 2013 is a good idea. You should still use a legacy namespace.

The ActiveSync/SSL piece would be trickier. Do you have a way to get the  new SSL cert pushed out to mobile devices? The certificate should have a URL with the new namespace. For 2007, Exchange will re-direct ActiveSync requests to a CAS in the domain where the mailbox server is located. It may be possible to get a new ActiveSync profile on the device with the settings for Exchange 2013 since it will be using a new  SSL Certificate while the "old" 2007 configuration is on the device.
Simon Butler (Sembee)ConsultantCommented:
Surprised you have no SSL on Exchange 2007, someone must have done a lot of work to get you in to that state.

What I would do is get a trusted SSL UC/SAN certificate with the following names on it:

mail.example.com (common name)

Install the certificate on both the old and the new server.
On Exchange 2007, configure all external and internal URLs to legacy.example.com
Ensure that legacy.example.com resolves on the internet to Exchange 2007 server, as well as on the internal network.
Use the method I have outlined here to do that, but ignore the Autodiscover part.
Also configure mail.example.com to resolve internally to the new Exchange server.

Configure the other names EXTERNALLY to resolve to Exchange 2013 and in IIS manager turn off the require SSL option on the ActiveSync virtual directory.
On Exchange 2007, remove the external URL for ActiveSync.

That should allow everything to work correctly as it currently does. Exchange 2013 will proxy the ActiveSync traffic to the Exchange 2007 server.

Then start getting to the mobile devices and change their connection to the correct URL. Some of them will change on their own, if they support Autodiscover, as they will be corrected by Exchange when they connect the first time.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now