Exchange 2013 and 2007 coexistence with ISA 2006

Short and simple question: Should this configuration work, am I just missing something stupid or do we need to rethink the entire architecture? Should an Exchange 2013 directly internet-facing CAS be able to redirect 2007 mailbox users to ISA-published Exchange 2007 OWA without double authentication in a coexistence scenario?

I have an Exchange 2007 environment which works just fine:
- Two CAS servers and two mailbox servers
- OWA and AS are published to internet with an ISA 2006 gateway.
- ISA is configured to have FBA authentication on web listener, doing LDAP auth from two domains (the same domain where the Exchange servers are and an another domain in different forest) and delegating to Exchange as basic auth.
- On Exchange FBA is disabled for OWA, Basic and Integrated enabled.

Now we would like to introduce an Exchange 2013 server to the environment, switch client access over to it and have users accessing their OWA emails on the Exchange 2007 mailboxes before the mailboxes are transferred to Exchange 2013. ISA 2006 will be decommissioned together with the Exchange 2007 environment and Exchange 2013 will be directly internet facing, but at least the first attempt to get this to work failed.

We have two separate single-name certificates, let's call them mail.company.com and mail2007.company.com. The latter one is for the legacy email, and the first one is used and has been used for the actual client connections.

- mail.company.com is assigned to Exchange 2013 CAS, mail2007.company.com to ISA server listener.
- DNS records to mail.company.com are switched to point to Exchange 2013 CAS public IP, mail2007.company.com to ISA public IP.
- ISA rules were updated to accept the mail2007.company.com host name and multiple different authentication configurations were tried.
- Exchange 2007 OWA and other virtual directories were updated to use mail2007.company.com as the external URL.

I could get Exchange 2013 OWA to authenticate the user and forward the connection to ISA FBA, but with any configuration I couldn't get rid of double authentication. Disabling ISA FBA and letting the client authenticate with Exchange directly didn't work out any better.

March 31st, 2015 8:23pm

Hi,

According to your description, I noticed that on Exchange FBA is disabled for OWA, Basic and Integrated enabled. Please enable FBA on both Exchange 2007 and Exchange 2013.

Generally, if the user whose mailbox is located in Exchange 2007, when he uses mail.company.com as his namespace endpoint to access OWA, CAS2013 will authenticate the user, do a service discovery, and determine that the mailbox is located within the local AD site on an Exchange 2007 Mailbox server. CAS2013 will initiate a single sign-on silent redirect (assumes FBA is enabled on source and target) to mail2007.company.com. CAS2007 will then facilitate the request and retrieve the necessary data from the Exchange 2007 Mailbox server.

Please enable the FBA in Exchange 2007 by these steps:

1. Open EMC, expand Server Configuration > Client Access.

2. In Outlook Web Access tab, double-click owa(Default Web Site).

3. In Authentication tab, check Use forms-based authentication.

4. Click OK to save the changes.

5. Restart the IIS service by running IISReset in a Command Prompt window.

Regards,

April 1st, 2015 8:57am
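The same change as the EMC steps above, done from the Exchange Management Shell so it can be reviewed and verified before IIS is restarted. This is an added example, not code from either poster: the server names are placeholders, and the external URL is the mail2007.company.com name the thread already uses. It sets FBA on the Exchange 2007 OWA virtual directory (FBA runs on top of Basic, so Basic stays on and Integrated goes off, matching what the EMC radio button does) and then checks that both the legacy target and the Exchange 2013 source report FormsAuthentication, since the silent redirect assumes FBA on both ends.

```powershell
# Added example, not from the thread. Placeholders: EX2007CAS01 / EX2013CAS01.
$legacyCas = "EX2007CAS01"                       # placeholder: Exchange 2007 CAS
$newCas    = "EX2013CAS01"                       # placeholder: Exchange 2013 CAS
$legacyOwa = "$legacyCas\owa (Default Web Site)"

# Record the current state of the legacy OWA vdir before changing anything.
Get-OwaVirtualDirectory -Identity $legacyOwa |
    Format-List Identity, FormsAuthentication, BasicAuthentication,
                WindowsAuthentication, ExternalUrl

# Equivalent of "Use forms-based authentication" in the EMC Authentication tab.
# FBA needs Basic underneath; Integrated (Windows) is turned off, as the GUI does.
Set-OwaVirtualDirectory -Identity $legacyOwa `
    -FormsAuthentication   $true `
    -BasicAuthentication   $true `
    -WindowsAuthentication $false `
    -ExternalUrl "https://mail2007.company.com/owa"

# Verify FBA on both sides of the redirect (source = 2013, target = 2007).
$target = Get-OwaVirtualDirectory -Identity $legacyOwa
$source = Get-OwaVirtualDirectory -Server $newCas

if (-not $target.FormsAuthentication) {
    throw "FBA is still disabled on $legacyOwa"
}
if ($source | Where-Object { -not $_.FormsAuthentication }) {
    throw "FBA is disabled on at least one OWA vdir on $newCas"
}

# Step 5 of the answer: restart IIS on the legacy CAS so the change takes effect.
iisreset
```

Run this in the Exchange Management Shell on the Exchange 2007 CAS (for the Set- and iisreset lines) with an account that holds the Exchange Server Administrator role; the Get-OwaVirtualDirectory -Server call against the 2013 CAS only reads configuration and can run from either side.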

That we cannot do at the moment, because basic and integrated authentication are required on Exchange 2007 and they are not compatible with FBA.

FBA IS enabled on mail2007.company.com, BUT it is enabled on the ISA 2006. Recheck my earlier post, mail2007.company.com does not point to Exchange 2007 but to pre-authenticating ISA 2006 web listener, which has mail2007.company.com certificate and FBA authentication enabled. ISA 2006 will then pass on the authentication to Exchange 2007 as basic authentication.

The point of the post was exactly to inquire whether anyone knows if this should work. Can ISA 2006 FBA in combination with Exchange 2007 be used as the redirection target, or should the ISA be bypassed? That cannot be easily done due to political things.

April 1st, 2015 9:02am

Would love to know the answer to this as well. We have exactly the same setup.
April 27th, 2015 3:11pm

Well, it started working just fine after enabling FBA on the old Exchange 2007 server. Seems like Exchange 2013 can pass the credentials to the 2007 server either through ISA FBA or directly to FBA. It doesn't work if the Exchange 2007 server doesn't have FBA enabled.
April 27th, 2015 3:31pm