If you’re upgrading from Exchange 2003 to Exchange Server 2010, the two servers will have to coexist during the upgrade process. Since the architecture of Exchange 2010 differs from Exchange 2003, you’ll have to think about how those changes will affect mobile users connecting through ActiveSync during a long-term coexistence.
For example, Direct Push, which is based on ActiveSync and runs on the front-end server, manages mobile device synchronization in Exchange 2003. Exchange Server 2010, on the other hand, uses server roles in place of front-end and back-end servers. ActiveSync is a function of Exchange 2010’s client access server role, and primarily acts as a front-end server.
Preparing your client access server
After you’ve upgraded to Exchange 2010, check that your client access server is properly configured. Next, you’ll need to purchase a Subject Alternative Name (SAN) certificate for your CAS and apply it. SAN certificates allow mobile devices to establish SSL-encrypted sessions with the CAS; they must contain three values:
- Mail.<your domain name>.com
- Autodiscover.<your domain>.com
- Legacy.<your domain>.com
Next, create DNS records that point your fully qualified domain names (FQDNs) to the client access server role. By default, your mail.<your domain>.com DNS record will probably be pointed to an Exchange 2003 front-end server. Redirect this record so it points to an Internet-facing Exchange 2010 CAS.
If your organization is only running Exchange Server 2003, it won’t contain Autodiscover.<your domain>.com or a Legacy.<your domain>.com DNS records, and you’ll need to create them. The Autodiscover DNS record is used in the automatic configuration process, while the Legacy DNS record is used for traffic that’s bound for Exchange 2003 mailbox servers. You must have these two records in place in order for the CAS to work correctly in a coexistence scenario.
How Exchange 2010 CAS and ActiveSync work together
What happens when you bring ActiveSync into the picture? The CAS acts as a proxy and relays synchronization requests to Exchange 2003 mailbox servers. Therefore, you probably won’t need to reconfigure your users’ mobile devices.
ActiveSync is configured to connect to mail.<your domain>.com. When a device issues a synchronization request, it’s sent to the Exchange 2010 CAS because of the changes you’ve made to the DNS records.
As you edit your DNS records, keep in mind that the IP address associated with a DNS record doesn't actually point to an Exchange Server; it points to a firewall. And that firewall uses port-forwarding rules to direct inbound traffic to the Exchange server. If your network is configured this way, you’ll need to reconfigure your firewall’s port forwarding rules so that they forward ActiveSync requests to the Exchange 2010 CAS -- not an Exchange 2003 front-end server.
When the CAS receives the request, it authenticates the mobile device and performs an LDAP query of your Active Directory to determine the location of the user’s mailbox. Then the CAS proxies the request to the Exchange 2003 mailbox server, which hosts its own ActiveSync virtual directory.
After the Exchange 2003 server authenticates the user, it sends requested data to the CAS. The client access server relays the data to the end user’s mobile device.
Final steps to get ActiveSync up and running
Check to make sure that all mobile devices in your environment trust your client access server’s certificate authority (CA). This shouldn’t be a problem unless you generated the certificate in house. You’ll also need to install a Microsoft hot fix on your Exchange 2003 mailbox servers to correct an ActiveSync-related authentication issue. Synchronization will fail if you don’t install this hot fix.
Finally, configure the ActiveSync virtual directory on your Exchange 2003 mailbox servers to use Integrated Windows Authentication. I recommend that you make this change from the Exchange System Manager, not from the IIS Manager, otherwise the system may overwrite your change.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.