Exchange 2013 Upgrade with SSL and Name Change

Posted on 2014-01-28
Last Modified: 2014-01-29

We are looking to transition from Exchange 2007 to 2013.  We are a relatively small organization (~600 mailboxes), so we have decided to use just one server for MBX+CAS.  I have a couple of questions about this upgrade:

We have named our 2007 server and all of the service names "exchangesvr" (except for autodiscover).  We are considering switching to use "mail" as the service name for everything except autodiscover, since that seems to be pretty standard.  Is it a good idea to use the name "mail", or should we keep our existing name?  It seems like we may run into problems during co-existence if we keep the name "exchangesvr" for 2013 because that will still be the name of the physical 2007 machine, even though the service name will have switched to our 2013 server.  Also, if we do change the name from "exchangesvr" to "mail", does this mean that we do not need to use a legacy namespace?  We can just refer to "exchangesvr" as the legacy server, correct?

Also, our 2007 server has no SSL certificate.  We will most definitely be implementing an SSL certificate on the 2013 server.  How will that affect users during co-existence?  When we go live with 2013, I know we will have to change the ActiveSync profile on all our company phones to the new server name (if we go with a  new name) and to use SSL.  If a user's mailbox has not been migrated to the 2013 server, will there be issues when the user goes from an SSL connection with the 2013 server to not having an SSL connection with the 2007 server?  Would it be possible to have users who haven't been migrated to the new server continuing to use the same ActiveSync settings until we do migrate their mailbox to the new server?

Thanks in advance for your input.
Question by:ejscn

Accepted Solution

David Carr earned 250 total points
ID: 39815897
Using mail for Exchange Server 2013 is a good idea. You should still use a legacy namespace.

The ActiveSync/SSL piece would be trickier. Do you have a way to get the  new SSL cert pushed out to mobile devices? The certificate should have a URL with the new namespace. For 2007, Exchange will re-direct ActiveSync requests to a CAS in the domain where the mailbox server is located. It may be possible to get a new ActiveSync profile on the device with the settings for Exchange 2013 since it will be using a new  SSL Certificate while the "old" 2007 configuration is on the device.
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 39817082
Surprised you have no SSL on Exchange 2007, someone must have done a lot of work to get you in to that state.

What I would do is get a trusted SSL UC/SAN certificate with the following names on it: (common name)

Install the certificate on both the old and the new server.
On Exchange 2007, configure all external and internal URLs to
Ensure that resolves on the internet to Exchange 2007 server, as well as on the internal network.
Use the method I have outlined here to do that, but ignore the Autodiscover part.
Also configure to resolve internally to the new Exchange server.

Configure the other names EXTERNALLY to resolve to Exchange 2013 and in IIS manager turn off the require SSL option on the ActiveSync virtual directory.
On Exchange 2007, remove the external URL for ActiveSync.

That should allow everything to work correctly as it currently does. Exchange 2013 will proxy the ActiveSync traffic to the Exchange 2007 server.

Then start getting to the mobile devices and change their connection to the correct URL. Some of them will change on their own, if they support Autodiscover, as they will be corrected by Exchange when they connect the first time.


Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to:…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now