Page 1 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
EXCHANGE 2013 COEXISTENCE
ENVIRONMENT AND OUTLOOK
INFRASTRUCTURE | PART 2/2 | PART 14#23
In the current article, we will continue to review the subject of the Outlook client
protocol connectivity flow in an Exchange 2013 coexistence environment, but now,
we will have a closer look at the specific charters, which build the Outlook and the
Exchange relationship in this environment.
Page 2 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The parts which we will review are:
1. The relationships between Exchange 2013 CAS and legacy Exchange CAS servers
in Exchange 2013 coexistence environment
2. The relationships between Exchange 2013 CAS and legacy Outlook Exchange
clients in Exchange 2013 coexistence environment
3. The required configuration setting that is needed for “CAS to CAS
communication” meaning:
1. Outlook Anywhere (RPC\HTTP) support and setting on the legacy Exchange
CAS servers – The requirement of enabling the option of Outlook Anywhere
(RPC\HTTP) on the legacy Exchange CAS servers
2. The authentication protocol settings-
The required setting of the authentication protocol that are involved in the Outlook
client protocol connectivity flow:
Page 3 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The authentication protocol that is used by Outlook client when he needs to
provide his identity to the Exchange CAS server.
The authentication protocol that is used by Exchange 2013 CAS when he proxy
the Outlook user credentials to the Exchange CAS server legacy infrastructure.
In the last part of the article, we will provide a brief example for the implementation
of the required configurations setting using PowerShell.
Exchange 2013 coexistence environment and
Outlook client | The required configuration
settings
To be able to demonstrate the flow in an Exchange 2013 coexistence environment,
let’s use the following scenario:
Exchange site, which include Exchange CAS 2013 server + Exchange 2010
infrastructure (Exchange 2010 CAS server + Exchange 2010 Mailbox server).
An Exchange, Outlook client that his mailbox is hosted at the Exchange 2010
Mailbox server need access to his mailbox.
Note – we use an Exchange 2013/2010 coexistence environment for the
demonstration, but the same logic is also implemented in Exchange 2013/2007
coexistence environment.
The Outlook client protocol connectivity flow, will be implemented as follows:
1. Outlook client communication requests will be “pointed” to the Exchange 2013
CAS server.
2. The communication channel between Outlook mail client and the Exchange
2013 CAS server must be implemented as “Outlook Anywhere” (RPC/HTTP/S).
RPC over HTTP/s is the default method for Outlook client connections – there are
no more direct RPC connections to the servers for Outlook clients.
Page 4 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
3. The Outlook client will provide the user credentials using an authentication
protocol that is supported by the “server side”. The available options are: Basic,
NTLM or negotiation.
4. Because the user mailbox is hosted at a “legacy Exchange infrastructure”
(Exchange 2010 CAS server), Exchange 2013 CAS server, will proxy the Outlook
communication request to the suitable legacy Exchange CAS server.
5. In the process of “proxying” the request to the “legacy Exchange infrastructure”
(Exchange 2010 CAS server), the Exchange CAS 2013 server will “forward” the
user credentials to the “destination” legacy Exchange 2010 CAS server.
6. To be able to “forward” the user credentials to the “legacy Exchange
infrastructure” (Exchange 2010 CAS server), the authentication protocol settings
for the Exchange 2013 CAS server + the “legacy Exchange infrastructure”
(Exchange 2010 CAS server), must be set to NTLM.
RPC Endpoint name versus Exchange host
name
The flow of legacy Exchange, Outlook client in an Exchange 2013 coexistence
environment, could be sometimes confusing.
The general concept of this flow is that, legacy Exchange, Outlook clients, will need
to address the Exchange 2013 CAS as their “RPC Endpoint” server and in his turn,
Page 5 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
the Exchange 2013 CAS will need to proxy their request to the appropriate legacy
Exchange CAS server.
We have mentioned before that in an Exchange 2013 coexistence environment, we
will need to enable the Outlook Anywhere (RPC\HTTP) on each of the legacy
Exchange CAS servers.
A main configuration parameter that when enabling Outlook Anywhere (RPC\HTTP)
on the Exchange CAS server is: the “external host name”
The external host name is the RPC Endpoint name who “represent” the Exchange
CAS server who provides the Outlook Anywhere (RPC\HTTP) services.
When Outlook client address Exchange CAS server, looking for Autodiscover
information, part of the Autodiscover information that Exchange CAS server will
provide, include a “reference” to the “Exchange CAS server” that is dedicated to
serving the Outlook Anywhere client or in other words, can serve as the RPC
Endpoint server.
In the following screenshot, we can see an example of an “Autodiscover answer”
that is sent to the Outlook client by the Exchange CAS server.
In our example, the Exchange CAS server “tell” Outlook client that is the RPC
Endpoint server name is: europe.mail.o365info.com
The information about the RPC Endpoint server appears in the section:
Protocol: Exchange HTTP under the server parameter.
Page 6 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the Exchange 2013 coexistence environment, we need to change the default
Outlook client protocol connectivity flow.
Instead of the configuration in which legacy Outlook client will connect a legacy
Exchange CAS server who serves as an RPC Endpoint, in the Exchange 2013
coexistence environment, we need to implement a new configuration in which
native Outlook client and legacy Outlook client will address only the Exchange 2013
CAS as: RPC Endpoint server.
Additionally, we need to enable the Outlook Anywhere service on each of the legacy
Exchange CAS servers.
In our scenario, we want to use the following namespace: mail.o365info.com as the
name if the RPC Endpoint that will be “published” to all the Outlook clients (native
Exchange 2013 client and legacy Exchange clients such as: 2007/2010).
When a legacy Exchange Outlook client addresses the Exchange 2013 CAS as the:
“RPC Endpoint”, the Exchange 2013 CAS will know how to proxy the legacy
Exchange Outlook client request to the proper legacy Exchange CAS server.
Page 7 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
For this reason, when we enable the Outlook Anywhere service from a legacy
Exchange CAS server, such as Exchange 2007/2010 CAS, we will need to set the
value of the “external host name” using the “primary namespace” such
as: mail.o365info.com
The namespace (mail.o365info.com in our scenario) will point to the Exchange 2013
CAS.
Outlook client will refer to the Exchange 2013 CAS as an RPC Endpoint using the
name: mail.o365info.com
When the Exchange 2013 CAS needs to Proxy the request for the legacy Exchange
CAS server, he will address the legacy Exchange CAS server\s by using the server
“standard host name”
In the following diagram, we can see an example of an Exchange 2010 Outlook
client protocol connectivity flow.
Exchange 2010 client address the Exchange 2013 CAS using the host
name: mail.o365info.com
Exchange 2013 CAS will proxy the Outlook client request to the Exchange 2010 CAS
and address the Exchange 2010 CAS using the server name: Exc2010.o365info.com
Page 8 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In the following screenshot, we can see an example for the configuration setting
that relates to the “external host name” in Exchange 2010 CAS.
In our example, we enable the Outlook Anywhere on the Exchange 2010 CAS +
configure the value of the “external host name” to: mail.o365info.com
Page 9 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
In case that you are wondering: what will happen if I use a different “external host
name” for each of the existing Exchange CAS servers, the answer is that the
Exchange 2013 CAS will provide a different RPC Endpoint name to Outlook client
based on their “Exchange version”.
Outlook client protocol connectivity flow | The
two interfaces
In the Exchange 2013 coexistence environment, Outlook client protocol connectivity
flow is consisted of two parts:
Outlook Exchange 2013 CAS communication
Exchange 2013 CAS and Exchange CAS server legacy communication.
Page 10 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
By looking at the following diagram, we can see the concept of the “two interface”
or “two parts” that building the Outlook client protocol connectivity flow.
1. The “A Part” is the area that describes the relationships between the Exchange
2013 CAS server and his Outlook client.
2. The “B Part”, is the area that describes the relationships between the Exchange
2013 CAS server and the legacy Exchange CAS server infrastructure.
PART A| Outlook client and the “user credentials”
The “A part” of the Outlook client protocol connectivity flow is the “circle” that exists
between the Outlook client and the Exchange 2013 CAS server.
Page 11 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The first part in the Outlook client protocol connectivity flow, start with the
“authentication” in which Outlook client will need to provide the user credentials to
Exchange CAS server.
Note – if we want to be more accurate, the Outlook client protocol connectivity flow
start with the Autodiscover process in which Outlook client get the name of the
Exchange CAS server who serves as RPC Endpoint.
In an Exchange environment, Outlook client can provide the user credentials using
one of the following authentication protocols:
1. NTLM
2. Basic
3. Negotiate
Just to make it more complicated, Exchange 2013 CAS server support to Outlook
Anywhere interface: internal Outlook Anywhere interface + external Outlook
Anywhere interface.
Page 12 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Each of these “interface”, can be configured using different setting such as different
authentication settings.
In the Exchange 2013 environment, the “outcome” is that technically we can
configure two “sets” of Outlook Anywhere configuration settings:
One set of internal Outlook Anywhere client and another set for external Outlook
Anywhere client while each of these “sets” uses the different authentication
protocol.
To required Outlook Anywhere configuration setting can be implemented by using
one of the following options:
1. Exchange 2013 – Web based management interface
2. Exchange 2013 – PowerShell interface
The Exchange 2013 CAS server graphical (web) interface, enable us to choose the
required authentication protocol. The authentication protocol that we will choose,
will apply to the booth of the Exchange 2013 CAS interfaces”: internal Outlook
Anywhere interface + external Outlook Anywhere interface.
The disadvantage of the Exchange 2013 web-based management interface is, when
we select a specific authentication protocol, the setting will apply to the booth of
the Outlook Anywhere interface: the internal Outlook Anywhere interface + external
Outlook Anywhere interface.
In other words, the Exchange 2013 CAS server graphical (web) interface doesn’t
include an option for selecting a different authentication protocol for internal
Outlook Anywhere interface versus the external Outlook Anywhere interface.
In the following screenshot, we can see that the Exchange 2013 CAS server
management interface enables us to set the required authentication protocol, but
the setting will be applied to the booth, of the “Outlook Anywhere client” (the
internal + external Outlook Anywhere).
Page 13 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Q1: What is the recommended authentication protocol?
A1: The most simple and if I may say recommended way, is to choose the same
authentication protocol for the internal + external Outlook Anywhere client.
Note that an external Outlook Anywhere client supports only the option of: basic
authentication.
Technically, we can set a different authentication method for internal Outlook
Anywhere client versus an external Outlook Anywhere client, but, my mantra is: KIS
– keep is the simple meaning, I like to keep it simple and use the same
authentication protocol (Basic) for the both of the Outlook Anywhere client (internal
+ external)
Page 14 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Just to strengthen the subjects that we have review, I add some Quotes from a
Microsoft article that deal with this subject:
Note the two different authentication settings that are listed.
ClientAuthenticationMethod and IISAuthenticationMethods. For the detail oriented
people out there, you saw that one was plural and the other singular.
When you configure OA for Basic auth, then the ClientAuthenticationMethod and
IISAuthenticationMethods are both set to Basic.
The same is true for when OA is set to NTLM auth. In that case
ClientAuthenticationMethod and IISAuthenticationMethods are both set to use
NTLM.
When co-existing Exchange 2007 and 2010 with Exchange 2013, we need to ensure
that the correct authentication settings are in place.
There are two things that we need to pay attention to. Authentication at the IIS
layer and authentication at the client layer. This is the IISAuthenticationMethods
and ClientAuthenticationMethod properties respectively.
As specified in the Exchange Server Deployment Assistant, to allow CAS 2013 to
redirect Outlook Anywhere connections to Exchange 2010 and 2007, Outlook
Anywhere must be enabled and properly configured on Exchange 2007 and 2010.
Page 15 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
If Outlook Anywhere was previously deployed, then ensure that their configuration
will support Exchange 2013. The follow permission considerations need to be
addressed:
Client authentication, which is used to allow clients like Outlook 2013 to
authenticate with Exchange is properly configured. The same consistent OA client
authentication scheme should be deployed on legacy CAS and CAS 2013.
Internet Information Services (IIS) authentication, which is used to allow Exchange
servers to communicate must include NTLM auth.
[Source of information: Exchange 2007 And 2013 Outlook Anywhere Co-Existence ]
“In a coexistence scenario that still has 2007 or 2010 Client Access Servers, you
need to enable Outlook Anywhere on each legacy Client Access Server. For
instructions on enabling Outlook Anywhere for Client Access Servers running on
Exchange Server 2007″
[Source of information: Outlook Anywhere ]
“Customization of Outlook Anywhere settings is optional and only needed if you
want to change the settings from the default configuration. By default, Exchange
pushes down the Outlook Anywhere settings by using the Autodiscover service the
first time that Outlook is started”.
[Source of information: Configure Outlook Anywhere on Outlook 2013 ]
PART B | Outlook client Proxy process and the “user credentials”
The “second part” of the Outlook client protocol connectivity flow relates to the part
which can be described as: CAS to CAS communication. In this part, the Exchange
2013 CAS “forward” (Proxy) the Outlook client requites to the legacy Exchange CAS
server.
To be able to successfully complete the communication channel, two conditions will
need to be fulfilled:
Page 16 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
1. The legacy Exchange CAS server should be configured to support Outlook
Anywhere.
2. The Exchange 2013 CAS + the legacy Exchange CAS server should be configured
to support IIS Authentication Method using NTLM ( IISAuthenticationMethods:
{Basic, Ntlm})
Exchange 2013 CAS and the process of Proxy the Outlook user credentials
Don’t forget the simple fact: when a “legacy Exchange server” such as: Exchange
2010 CAS server, get the “proxy request” from the Exchange CAS 2013 server, he
doesn’t “see” the Outlook user or directly communicate with the Outlook client.
This is a classic scenario of “man in the middle”. The “legacy Exchange server”
cannot “trust” the Outlook user, or “understand” how to route the communication
request until he gets the required user credentials.
Page 17 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
To the solution for this “trust” problem, is implemented by using an “authentication
proxy mechanism” in which the Exchange 2013 CAS server “forward” (Proxy) the
user credentials to the required legacy Exchange CAS server.
In theory, the process of “forwarding” the user credentials can be implemented by a
variety of authentication protocols, but in reality, the only supported authentication
protocol that could be used for “forwarding the user credentials” is the NTLM
protocol.
In simple words: to be able to implement the communication channel between the
Exchange CAS 2013 server and the legacy Exchange CAS servers, we will need to
verify that both of the sides support the use of the authentication protocol: NTLM
In the following diagram, we can see the Outlook client protocol connectivity flow
that relates to the subject of user credentials.
The Outlook client authentication protocol is: Basic
When Exchange 2013 CAS Proxy the user credentials to Exchange 2010 CAS, the
authentication protocol is: NTLM
Page 18 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Exchange 2013 coexistence environment |
Outlook client | Required preparations check
list
Ok, I exhaust myself with the boring talks about Exchange, authentication protocol
and more. So… just a quick recap:
Manage Exchange Outlook Anywhere settings
In the following section, we will review the way that we use PowerShell commands
for creating the required configuration of the Exchange 2013 coexistence
environment and the Outlook Anywhere infrastructure.
1. Viewing an existing configuration settings
The first step is to view the existing configuration setting and based upon the
information, create the required configuration updates.
Page 19 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Example 1: Get information about the Outlook Anywhere settings of a specific
Exchange CAS server
To be able to see the Outlook Anywhere settings on the Exchange 2013 CAS server,
we can use the PowerShell command:
PowerShell
Get-OutlookAnywhere -Server <Exchange CAS server>
Note – use the following command from the Exchange 2013 CAS server PowerShell
console.
In the following screenshot, we can see the information about the Outlook
Anywhere setting of Exchange 2013 CAS server named: STS
The following values, relate to the authentication protocol that the Outlook
Anywhere client will use when they provide the user credentials to the Exchange
2013 CAS server.
In our scenario, the server setting configured as follows:
Page 20 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
External Outlook Anywhere are instructed to use the basic authentication
protocol:ExternalClientAuthenticationMethod: Basic
Internal Outlook Anywhere clients are instructed to use the NTLM authentication
protocol:InternalClientAuthenticationMethod: NTLM
The Exchange 2013 CAS server IIS component supports the following
authentication protocols: basic, NTLM and Negotiate: IISAuthenticationMethods:
{Basic, Ntlm, Negotiate}
Example 2: Get a list of all the available Exchange 2010 CAS server, display the
information about the Outlook Anywhere settings.
PowerShell
Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl
servername,externalhostname,*auth*
2. Configure Exchange CAS server Outlook Anywhere settings
The following PowerShell command syntax, is an example of “all the available
settings", that relate to Exchange 2013 CAS server Outlook Anywhere settings, that
relate to Exchange 2013 CAS server Outlook Anywhere settings: that relate to
Exchange 2013 CAS server Outlook Anywhere settings: that we can configure that
relate to the Exchange 2013 CAS server Outlook Anywhere settings:
PowerShell
Get-OutlookAnywhere –Server <Exchange 2013 CAS server>| Set-OutlookAnywhere -InternalHostname <Domain name> -InternalClien
tAuthenticationMethod
NTLM -InternalClientsRequireSsl $true -ExternalHostname <Doma
in name>
-ExternalClientAuthenticationMethod Basic -ExternalClientsReq
uireSsl $true
-IISAuthenticationMethods NTLM,Basic -ssloffloading:$false
Page 21 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
3. Enable NTLM on the IIS /RPC directory of your Exchange 2007/2010
servers
Example 1: Get a list of all of the available Exchange CAS servers beside Exchange
2013 CAS servers, enable (set) the Outlook Anywhere option and configure the
required IIS authentication protocol
PowerShell
Get-OutlookAnywhere | ?{ $_.AdminDisplayVersion -notlike "Version 15.*"}
| Set-OutlookAnywhere -IISAuthenticationMethods NTLM,Basic
Example 2: configure the Outlook Anywhere authentication settings of a specific
Exchange CAS server (configure the required IIS authentication protocol + the Client
Authentication Method).
PowerShell
Set-OutlookAnywhere -Identity '<ServerName>\Rpc (Default Web Site)' -ClientAuthenticationMethod Basic -IISAuthenticationMethods NTLM,
Basic
Example 3: enable the Outlook Anywhere of a specific Exchange CAS server +
configure the Outlook Anywhere authentication settings of a specific Exchange CAS
server (configure the required IIS authentication protocol + the Client
Authentication Method).
PowerShell
Set-OutlookAnywhere -Identity '<ServerName>\Rpc (Default Web Site)' -ClientAuthenticationMethod Basic -SSLOffloading $False –External
HostName <Exchange 2013 CAS server> -IISAuthenticationMethods NTLM,
Basic
Additional reading about the subject of: Exchange 2013 and Outlook
clients
How does Outlook Anywhere work (and not work)?
How to resolve several issues when running both Exchange 2010 and 2013
Page 22 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Users of Exchange Server 2013 or Exchange Online can’t open public folders or
shared mailboxes on an Exchange 2010 or Exchange 2007 server
Exchange Server 2010 to 2013 Migration – Preparing for Co-Existence
RPC Proxy doesn’t work: 2013/2010 Co-Existence with Outlook Anywhere
Exchange 2013: Configuring Outlook anywhere
Outlook Exchange Proxy Settings dialog box always displays the internal host
name as the Proxy server in an Exchange Server 2013 environment
Things to consider before configuring Autodiscover in Exchange 2010/2013
coexistence scenarios
Exchange 2010/2013 Co-Existence Experience
Outlook Anywhere coming to a CAS server near you soon
Exchange 2013 Outlook Anywhere Considerations
Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook
Anywhere
RPC Client Encryption in Exchange 2013
Exchange 2007 And 2013 Outlook Anywhere Co-Existence
Client Connectivity in an Exchange 2013 Coexistence Environment
Video links – general migration
Microsoft Exchange Server 2013 Client Access Server Role
Microsoft Exchange Hybrid Deployment and Migration on Your Terms
Microsoft Exchange Server 2013 On-Premises Upgrade and Coexistence
General information
Exchange Server 2010 to 2013 Migration – Preparing for Co-Existence
Exchange Server 2010 to 2013 Migration – Reviewing Autodiscover Configuration
Exchange 2007/2013 CoExistence URLs
Exchange 2010/2013 Co-Existence Experience
NTLM AND Basic Authentication for Outlook Anywhere (both)
Exchange 2007 And 2013 Outlook Anywhere Co-Existence
Client Connectivity in an Exchange 2013 Coexistence Environment
RPC Endpoint
Page 23 of 23 | Part 14#23 | Exchange 2013 coexistence environment and Outlook
infrastructure | Part 2/2
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
Understanding RPC Client Access
Outlook, RPC end point and PF : The Microsoft Exchange Administrator has made
a change that requires you quit and restart Outlook
The Exchange 2013 coexistence article series index page