EHLO; MAIL FROM: Aaron; RCPT TO: You; SUBJECT: Enjoy!
During my latest engagement transitioning a client’s Exchange environment from 2007 to 2010, I ran into an issue I had not encountered before: running two versions (2007 and 2010) of Outlook Anywhere (OA) in one environment at the same time. I couldn’t find good documentation on this process from Microsoft, so I’m documenting what I went through in the hope that it helps someone else.
First off, the Client Access Servers (CAS) must be up and running with the proper hostnames and a matching SAN certificate. The initial plan was to bring up the 2010 Outlook Anywhere (OA, a.k.a. RPC over HTTP) and then disable the 2007 OA, following Microsoft’s recommendation to transition the CAS role fully before proceeding with the migration. In this transition, however, I needed to keep both the Exchange 2007 and 2010 OA proxies running side by side, because numerous domains hosted on this Exchange environment could not have their external DNS changed in time for the start of the migration (for a variety of reasons that are outside the scope of this post).
Given Microsoft’s best-practice recommendations, you would assume that with two OA proxies you would want to direct traffic to the 2010 OA as early in the migration as possible via Autodiscover. You can have Autodiscover point to a specific OA proxy by editing the EXPR Outlook Provider, with a command such as:
Set-OutlookProvider -Identity:EXPR -Server:mail.contoso.com
The problem with doing this is that Autodiscover will then return “AuthPackage: unspecified” for the EXPR Outlook Provider. I’m not sure what the reason for this limitation is, but the Exchange Team likely has one, since they have already posted a TechNet article on this exact issue.
This wouldn’t be a problem for anyone planning to use Basic authentication for OA (Basic is the default AuthPackage Outlook uses when none is specified), but anyone whose environment supports NTLM should be setting:
Set-OutlookAnywhere -Identity:"SERVER\Rpc (Default Web Site)" -ClientAuthenticationMethod:Ntlm -IISAuthenticationMethods:Ntlm
NTLM is the ideal OA authentication mechanism because it can pass stored credentials under all conditions. Microsoft states in multiple places on the Exchange Team Blog, TechNet, and various support articles that NTLM is the recommended method of authentication when possible (Kerberos is alternatively recommended for larger deployments):
“If you click Basic Authentication or NTLM Authentication and an LM Compatibility Level of less than 2, you will be prompted for a password each time a connection is made to Exchange. With Basic Authentication, the password is sent in clear text. For increased security, we recommend that you select the NTLM Authentication…”
After studying the problem, I determined that the correct procedure is to leave the EXPR Outlook Provider’s Server property unset (“-Server:$null”) and to keep both OA versions running. Users on the 2010 Mailbox server proxy through the 2010 OA server, and users on the 2007 Mailbox server proxy through the 2007 OA server.
My main concern with running both the 2007 and 2010 OA was that Move-Mailbox would not correctly prompt clients to change the OA settings and Mailbox server at the same time. Fortunately, Outlook performs an Autodiscover check every time it starts. The way this ends up working in practice is as follows:
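As an added example (not from the original post), here is an Exchange Management Shell check for the two settings this coexistence depends on: the EXPR Outlook Provider’s Server left empty, and NTLM on every Outlook Anywhere virtual directory. It assumes Get-OutlookAnywhere exposes ClientAuthenticationMethod, IISAuthenticationMethods and ExternalHostname for each server it returns; the function name Test-OaCoexistence is my own.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on a box that can see both the 2007 and 2010 CAS. Assumes the
# Get-OutlookAnywhere output carries ClientAuthenticationMethod,
# IISAuthenticationMethods and ExternalHostname for every server returned.
function Test-OaCoexistence {
    $findings = @()

    # 1. EXPR must not pin a Server; if it does, Autodiscover hands clients
    #    "AuthPackage: unspecified" and Outlook falls back to Basic.
    $expr = Get-OutlookProvider -Identity EXPR
    if ($expr.Server) {
        $findings += "EXPR Server is '$($expr.Server)'; expected empty. " +
                     'Clear it with: Set-OutlookProvider -Identity EXPR -Server $null'
    }

    # 2. Every Outlook Anywhere virtual directory (2007 and 2010) should be
    #    NTLM on both the client side and the IIS side.
    foreach ($oa in Get-OutlookAnywhere) {
        $id = $oa.Identity
        if ("$($oa.ClientAuthenticationMethod)" -ne 'Ntlm') {
            $findings += "$($id): ClientAuthenticationMethod is " +
                         "$($oa.ClientAuthenticationMethod); expected Ntlm"
        }
        $iis = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
        if ($iis -notcontains 'Ntlm') {
            $findings += "$($id): IISAuthenticationMethods ($($iis -join ',')) lacks Ntlm"
        }
        if (-not $oa.ExternalHostname) {
            $findings += "$($id): ExternalHostname is empty; Autodiscover cannot tell clients where to proxy"
        }
    }
    return $findings
}

# Wrap in @() so an empty result still has a Count of 0.
$result = @(Test-OaCoexistence)
if ($result.Count -eq 0) {
    Write-Host 'Outlook Anywhere coexistence settings match the configuration described above.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it again after each CAS change; any warning means a client of that server would be steered to Basic or to the wrong proxy.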
I hope this helps fellow system administrators out there running through a similar migration. Please let me know if this did the trick for your migration, if you had different experiences, or have any related advice for how others and myself can further improve our Exchange transitions.
Here are a couple of useful pieces to read as well:
- Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere on iLantz’ Blog
- The Autodiscover Service and Outlook Providers – how does this stuff work? on the Exchange Team Blog
- Outlook Anywhere Basic vs. Ntlm Authentication Explained on the SysAdmin Lab Blog