2 External IP's NAT'd to Exchange 2007 CAS Server
Hi, I will have my new external namespace webmail.domain.com NAT'd in the firewall to my casarray and have my new legacy.domain.com external namespace NAT'd to my exchange 2007 CAS server. I still have my exchange 2007 external namespace NAT'd to my exchange 2007 CAS server. Our firewall won't allow us to NAT 2 external IP's to the same internal IP. How can I get around this?
March 23rd, 2012 3:13pm

I am also confused on how if I remove the exchange 2007 external namespace and replace it with legacy.domain.com, how will all my ActiveSync devices that are set up with the exchange2007.domain.com resolve to legacy.domain.com if exchange2007.domain.com is removed? Would it be easier for me to just use exchange2007.domain.com as my legacy.domain.com namespace, in other words keep it the same as it is right now (exchange2007.domain.com points to exchange 2007 CAS) and not worry about a brand new namespace called "legacy"?

I am creating a brand new namespace for OWA, ActiveSync, etc. in webmail.domain.com to get away from using server names. However, I have already created the external DNS namespace of legacy.domain.com and it is also on my new SSL Cert. Although the new SSL Cert does include all of my CAS servers so exchange2007 is on it as well.

I am just a little confused, in most cases everyone is using the same external namespace that they are using with 2007 and creating a brand new namespace "legacy", but I am doing the opposite. I am creating a brand new external namespace for 2010 and don't know how to have my current namespace "exchange2007" and the new "legacy" namespace coexist as per my firewall NAT. My thought was to leave "exchange2007" in place as it is right now (pointing to exchange 2007), point the new namespace "webmail" to 2010 and point the new namespace "legacy" to exchange 2007. So, since I have "exchange2007" namespace already in use and pointing to exchange 2007, do I still need "legacy"?

This is what I have thus far:

- External DNS = webmail.domain.com points to external interface of the firewall. The firewall forwards it to casarray.domain.com
- External DNS = exchange2007.domain.com points to external interface of the firewall. The firewall forwards it to our exchange 2007 CAS server.
- External DNS = legacy.domain.com points to external interface of the firewall. The firewall forwards it to our exchange2007 CAS server (this NAT cannot be made in the firewall due to the exchange2007.domain.com that already exists).
March 23rd, 2012 4:31pm

Your RPC CAS Array should not have a NAT and should not be resolvable from the Internet. It is for internal traffic only and for RPC traffic, not HTTPS. Therefore you would have three names involved.

- casarray.example.local - RPC CAS Array, internal only.
- mail.example.com - OWA, ActiveSync, Outlook Anywhere and MX record, set as the common name on the certificate.
- legacy.example.com - the host name for Exchange 2007.

The reason a new namespace is used is so that end users who enter an existing hostname can be directed to the Exchange 2010 login page and then Exchange sorts out which OWA they should get.

For ActiveSync, you will have to continue to use the existing name space, pointing at Exchange 2010, with the use of the old name slowly fading away over time. This is because ActiveSync clients do not all support Autodiscover correctly and therefore will not update.

NAT is not usually tied to a name, it is tied to an IP address, therefore the fact that you have multiple names does not matter one bit. As long as the legacy host name resolves to a different IP address to the host name being used for Exchange 2010, and the SSL certificate is correct, then it will work.

Simon.
Simon Butler, Exchange MVP
March 25th, 2012 8:16am

Thank you. So this is what I should do:

Current:

- exchange2007.domain.com (OWA, Activesync for current exchange 2007 environment). Points to current exchange 2007 CAS via Firewall NAT. Current name of exchange 2007 CAS server.

New:

- webmail.domain.com (OWA, Activesync for new exchange 2010 environment). Will point to new exchange 2010 CAS (internal casarray) via firewall NAT.
- legacy.domain.com (OWA, Activesync for old exchange 2007 environment). Will point to old exchange 2007 CAS via Firewall NAT.
- exchange2007.domain.com (OWA, Activesync for current exchange 2007 environment). Currently points to current exchange 2007 CAS via Firewall NAT. Remove and do not use anymore. Current name of exchange 2007 CAS server.

Is this correct, just completely get rid of the current exchange2007.domain.com namespace and firewall rule and replace it with legacy.domain.com? So everything that currently points to exchange2007.domain.com will automatically go to my old exchange 2007 CAS server through the legacy.domain.com namespace? If I remove the exchange2007.domain.com namespace from external DNS and remove its firewall NAT how will anything pointing to exchange2007.domain.com resolve?

I apologize for my ignorance with understanding this concept. I really just want to leave exchange2007.domain.com and not create a new one called legacy.domain.com because I just don't understand how externally "legacy" can be resolved if I remove "exchange2007". All of our activesync devices are set up with "exchange2007.domain.com" not "legacy.domain.com". If I could just NAT both "legacy" and "exchange2007" to the same internal IP (my current exchange 2007 CAS server) I would feel the safest, but my firewall guy says our firewall won't allow for the NAT'ing of 2 external IP's to the same internal IP.
March 26th, 2012 9:19am

> Your RPC CAS Array should not have a NAT and should not be resolvable from the Internet. It is for internal traffic only and for RPC traffic, not HTTPS.
> Simon Butler, Exchange MVP

Hi, my CAS Array does not have an external namespace nor is it on my SSL cert. However, I am pointing my exchange 2010 namespace (webmail.domain.com) to my CAS Array in the firewall. Is this not correct? Where should my external exchange 2010 namespace be forwarded or NAT'd to in the firewall if not to my cas array internal IP? Should it go directly to one of my exchange 2010 CAS servers directly and bypass the cas array?
March 26th, 2012 9:24am

> > Your RPC CAS Array should not have a NAT and should not be resolvable from the Internet. It is for internal traffic only and for RPC traffic, not HTTPS.
> > Simon Butler, Exchange MVP
>
> Hi, my CAS Array does not have an external namespace nor is it on my SSL cert. However, I am pointing my exchange 2010 namespace (webmail.domain.com) to my CAS Array in the firewall. Is this not correct? Where should my external exchange 2010 namespace be forwarded or NAT'd to in the firewall if not to my cas array internal IP? Should it go directly to one of my exchange 2010 CAS servers directly and bypass the cas array?

You can use the same IP address, what you cannot use is the same host name.

Simon.
Simon Butler, Exchange MVP
March 26th, 2012 11:32am
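
The conditions given in the replies above (CAS array name kept off external DNS, legacy name on a different IP from the Exchange 2010 name, every published name on the certificate), as an added example that is not part of the original thread. The `check_plan` function is hypothetical, all IP addresses are constructed placeholders, and the second plan assumes the existing exchange2007 name is re-pointed at the Exchange 2010 IP as the reply describes for ActiveSync.

```python
# Added example: checks a constructed namespace plan. All IPs are placeholders.
from collections import defaultdict

def check_plan(dns, nat, cert_names, internal_only, legacy, primary):
    """dns: external name -> external IP; nat: external IP -> internal IP."""
    findings = []
    # The RPC CAS array name must not be resolvable from the Internet.
    for name in sorted(internal_only):
        if name in dns:
            findings.append(f"{name} is internal-only but is in external DNS")
    # The legacy name must resolve to a different IP than the 2010 name.
    if dns.get(legacy) == dns.get(primary):
        findings.append(f"{legacy} and {primary} resolve to the same IP")
    for name, ip in dns.items():
        # Every published name must be on the certificate and have a NAT rule.
        if name not in cert_names:
            findings.append(f"{name} is not on the certificate")
        if ip not in nat:
            findings.append(f"{name} -> {ip} has no NAT rule")
    # Firewall limit from the question: one external IP per internal IP.
    by_internal = defaultdict(list)
    for ext_ip, int_ip in nat.items():
        by_internal[int_ip].append(ext_ip)
    for int_ip, ext_ips in by_internal.items():
        if len(ext_ips) > 1:
            findings.append(f"{sorted(ext_ips)} all NAT to {int_ip}")
    return findings

CERT = {"webmail.domain.com", "legacy.domain.com", "exchange2007.domain.com"}
INTERNAL_ONLY = {"casarray.domain.com"}
CAS_2010, CAS_2007 = "10.0.0.20", "10.0.0.7"  # constructed internal IPs

# Plan from the question: three external IPs, two of them to the 2007 CAS.
ASKED_DNS = {"webmail.domain.com": "203.0.113.10",
             "exchange2007.domain.com": "203.0.113.11",
             "legacy.domain.com": "203.0.113.12"}
ASKED_NAT = {"203.0.113.10": CAS_2010, "203.0.113.11": CAS_2007,
             "203.0.113.12": CAS_2007}
# Plan from the replies: old name shares the 2010 IP, legacy gets its own.
REPLY_DNS = {"webmail.domain.com": "203.0.113.10",
             "exchange2007.domain.com": "203.0.113.10",
             "legacy.domain.com": "203.0.113.11"}
REPLY_NAT = {"203.0.113.10": CAS_2010, "203.0.113.11": CAS_2007}

def run(dns, nat):
    return check_plan(dns, nat, CERT, INTERNAL_ONLY,
                      "legacy.domain.com", "webmail.domain.com")

if __name__ == "__main__":
    print("asked:", run(ASKED_DNS, ASKED_NAT) or "OK")
    print("reply:", run(REPLY_DNS, REPLY_NAT) or "OK")
```

The plan from the question trips only the firewall's one-external-IP-per-internal-IP limit; the plan from the replies needs two external IPs and passes every check.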
