Using ISA 2006 / TMG to Publish Exchange 2007 and 2010
By: Matthew McGillen | Posted: June 25, 2010 at 2:08 PM

We've recently assisted a number of clients with Exchange 2007 to 2010 upgrades. In each case, they've been using ISA or TMG to publish external Exchange services. For the most part, it's been easy to find information on the subject: the MS Exchange team has a really nice write-up on the ISA configuration for a 2010 upgrade; ISAserver.org has a good write-up in general on ISA and Exchange; Elan Shudnow has a post or two on the subject; and there's always TechNet. All the info is helpful, but my issue was that there are 1,000,000 ways to configure these services with ISA and Exchange: Basic? NTLM? Prompts? Web listeners? Pre-authentication? So many different routes have led to some confusion in setup.

Practically speaking, it turned out that most customers really wanted a simple setup:

  1. A single name (mail.company.com)
  2. Users are never prompted for credentials in Outlook. Ever!

If this sounds like you (or your customers), then I've got a condensed guide to make life easy. The steps below assume that all users come through ISA/TMG and go to the CAS 2010 servers. They also assume that you have Exchange 2007 and 2010 mailboxes co-existing.

  1. Use a single name for Exchange 2010: mail.company.com
  2. Use a single name for Exchange 2007: legacymail.company.com
  3. Set up URL redirection for 2007 users. This article is really important, as it outlines exactly how to transition from CAS 2007 to 2010.
  4. Use only one web listener, with Forms Based Authentication turned on.
    1. Make sure that in the "Advanced" box you uncheck "All users must authenticate", and that you put in your AD domain for Basic authentication.
    2. Ensure you have "single sign-on" enabled on your web listener. This is required especially for OWA 2007 and 2010 co-existence. See below for details on why.
  5. Use separate web publishing rules, all bound to your one listener, for each service:
    1. Outlook Anywhere 2010
      1. Authentication delegation: "No delegation, but client may access directly"
      2. Users: "All users". Note: do not use "All authenticated users"; this will cause Outlook Anywhere clients to never connect to Exchange. See below for details.
      3. Destination: Exchange 2010 CAS (or CAS farm)
    2. Outlook Web Access 2010
      1. Authentication delegation: Basic
      2. Users: "All authenticated users"
      3. Destination: Exchange 2010 CAS (or CAS farm)
    3. ActiveSync 2010
      1. Authentication delegation: Basic
      2. Users: "All authenticated users"
      3. Destination: Exchange 2010 CAS (or CAS farm)
    4. Outlook Anywhere 2007
      1. Authentication delegation: "No delegation, but client may access directly"
      2. Users: "All users". Note: do not use "All authenticated users"; this will cause Outlook Anywhere clients to never connect to Exchange.
      3. Destination: Exchange 2007 CAS (or CAS farm)
    5. Outlook Web Access 2007
      1. Authentication delegation: Basic
      2. Users: "All authenticated users"
      3. Destination: Exchange 2007 CAS (or CAS farm)
    6. ActiveSync 2007
      1. Authentication delegation: Basic
      2. Users: "All authenticated users"
      3. Destination: Exchange 2007 CAS (or CAS farm)
  6. Exchange server 2010 authentication:
    1. Outlook Anywhere: NTLM only
    2. Outlook Web Access: NTLM/Basic (no forms-based authentication)
    3. ActiveSync: Basic
  7. Exchange server 2007 authentication:
    1. Outlook Anywhere: NTLM only
    2. Outlook Web Access: NTLM/Basic (no forms-based authentication)
    3. ActiveSync: NTLM only
  8. Outlook 2007 / 2010 authentication:
    1. Set to NTLM
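
The Exchange 2010 side of steps 6 and 7 (server authentication matching the ISA/TMG delegation settings), as an added example in the Exchange Management Shell; this is not part of the original post. The server names CAS2010 and CAS2007 are placeholders, and the 2007 line assumes it is run from the Exchange 2007 Management Shell.

```powershell
# Added example: apply the CAS-side authentication from steps 6 and 7.
# "CAS2010" / "CAS2007" are placeholder server names.
$cas = "CAS2010"

# Outlook Anywhere: NTLM only. ISA/TMG lets the client through ("All users",
# no delegation), so the Outlook client (set to NTLM, step 8) authenticates
# straight to the CAS.
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" `
    -ExternalHostname "mail.company.com" `
    -ClientAuthenticationMethod Ntlm `
    -SSLOffloading $false

# OWA: ISA/TMG owns forms-based auth and delegates Basic, so FBA goes off on
# the CAS and Basic/Windows are accepted instead (NTLM/Basic in step 6).
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -FormsAuthentication $false `
    -BasicAuthentication $true `
    -WindowsAuthentication $true `
    -ExternalUrl "https://mail.company.com/owa"

# ActiveSync: Basic, matching the Basic delegation on the ActiveSync rule.
Set-ActiveSyncVirtualDirectory `
    -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -BasicAuthEnabled $true `
    -WindowsAuthEnabled $false `
    -ExternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync"

# The OWA authentication change only takes effect after IIS restarts.
iisreset /noforce

# Legacy namespace (step 2): the 2010 CAS redirects 2007 mailbox users to the
# ExternalUrl of the 2007 OWA virtual directory, so it must be legacymail.
# Run this one from the Exchange 2007 Management Shell on the 2007 CAS.
Set-OwaVirtualDirectory -Identity "CAS2007\owa (Default Web Site)" `
    -ExternalUrl "https://legacymail.company.com/owa"

# Read back what was set, to check it against the publishing rules.
Get-OutlookAnywhere -Server $cas |
    Format-List ExternalHostname, ClientAuthenticationMethod
Get-OwaVirtualDirectory -Server $cas |
    Format-List FormsAuthentication, BasicAuthentication, WindowsAuthentication, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $cas |
    Format-List BasicAuthEnabled, WindowsAuthEnabled, ExternalUrl
```

The Get-* output is the quick way to confirm that the Outlook Anywhere method is Ntlm and FBA is off before troubleshooting a prompt on the ISA side.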

Q: Why should I only use one web listener / enable SSO?

The main reason to use one web listener for all 2007 and 2010 rules is single sign-on in OWA.

When an Exchange 2010 user comes through ISA and is connected to an Exchange 2010 CAS server for OWA, ISA uses forms-based authentication to authenticate the user and passes the user straight on to the 2010 CAS. That's all great.

But when a user whose mailbox is still on Exchange 2007 connects to mail.company.com for OWA, ISA handles the request and passes it on to the Exchange 2010 CAS. The 2010 CAS realizes that the user is an Exchange 2007 user and sends a client-side redirect to the user's browser for "legacymail.company.com", which is also published by ISA (assuming you've set this up properly). When the client's browser follows the redirect, you don't want the user to connect to legacymail.company.com and get prompted AGAIN.

You can avoid this, but it requires using a single web listener for both OWA publishing rules. The reason is that ISA doesn't support single sign-on (SSO) across multiple web listeners. So if you have the mail.company.com rule bound to the same listener as the legacymail.company.com rule, the user will not get prompted when Exchange redirects him/her to the legacymail OWA page.

If you're using separate listeners, the redirection to legacymail will cause the user to be re-prompted.

Q: Why do I need to set the Outlook Anywhere rule to use "All users"?

Your main web listener is set to use Forms Based Authentication; this is what you'll need to make OWA work. But as you can imagine, Outlook Anywhere and ActiveSync are not going to work with FBA. That's OK: if a client tries to connect to an FBA-enabled listener and is unable to handle the form, ISA will fall back to Basic authentication.

ActiveSync is cool with this; you've already entered your user name and password on your ActiveSync device, and that is good enough to get you through ISA.

Outlook Anywhere, however, is not cool with this. Since you've set your Outlook Anywhere authentication method to NTLM (step 7 above), it's not going to authenticate to a web listener that's looking for Basic. If you change Outlook Anywhere to use Basic authentication, this will work… but your end users will be prompted for username and password, which you probably don't want.

So how best to fix it? Just set your Outlook Anywhere web publishing rule to allow "All users". Even though ISA is falling back to Basic authentication on the web listener, your rule now says: "I don't care whether they're authenticated or not, just send them through". This allows anyone from the outside to at least make it through ISA without ISA authenticating them. And since you've set the Outlook Anywhere rule to "no delegation, but allow client to authenticate directly", the Outlook client passes right through ISA and authenticates directly to the CAS server. The Outlook client is set to NTLM and is now hitting the CAS server directly, so it's important to have the CAS server's authentication for Outlook Anywhere set to NTLM (the Exchange server authentication steps above).

Q: Is it a bad idea to bypass ISA pre-authentication for Outlook Anywhere?

I personally don't think it's a big deal. Elan Shudnow's post has more to say about that, however.

If you are totally opposed to this concept, then you're going to need to live with one of the following:

  • A separate name for Outlook Anywhere (outlook.company.com) with its own cert and web listener, or
  • Basic authentication, which forces your users to be prompted for username and password.

re: Great Post!
By: Matt | Posted: June 29, 2010 at 11:54 AM
Thanks, Joel - glad you found the post useful! As for TMG/UAG, I've read many of the same blog posts you probably have. I don't have a strong opinion 1 way or another, but most of our customers have been using TMG. I'd like to see how UAG handles things, but we just don't have that many customers using it. Surprisingly, ISA 2006 SP1 is _still_ the #1 out there as far as I can tell. --Matt
Great Post!
By: Joel Gillies | Posted: June 29, 2010 at 9:33 AM
Hi Matt, Great post! I've been through several of these myself including an internal upgrade. Going through the ISA config is quite tedious as you said - there are 10 ways to accomplish the end goal. This really clears things up. One comment that I want to share - I've seen some recent posts elsewhere that recommend using UAG over TMG for providing users access externally. Have you seen or would you recommend the same? Best Regards, Joel Gillies