
The dual identity of the Exchange server | Part 08#36


The dual identity of the Exchange server | Part 08#36 http://o365info.com/the-dual-identity-of-the-exchange-server-part-08-of-36 Reviewing the infrastructure of an Exchange server that serves as a Public facing Exchange server, and the services that the Exchange server provides to the internal Exchange clients versus the public Exchange clients. Eyal Doron | o365info.com



Page 1 of 21 | The dual identity of the Exchange server | Part 08#36

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

The dual identity of the Exchange server | Part 08#36

One of the most confusing and unclear subjects in the Exchange architecture is what I describe as “the dual identity of the Exchange server”.

I use the term “dual identity” because the Exchange server relates in a different way to Exchange clients that are located on the internal\private network versus Exchange clients that are located on the public network.


Q1: What is the reason for using this Exchange “dual identity”?

A1: The general answer is that there is a difference between the needs and the behavior of Exchange clients that are located on the internal\private network versus Exchange clients that are located on a public network.

For example, the basic assumption is that the internal\private network is considered “secured”, while the public network is considered “unsafe”, meaning a network that is exposed to different threats.

For this reason, the communication protocol that the Outlook client uses for communicating with the Exchange server on the internal network doesn’t have to be encrypted.

On the contrary, when the Outlook client is located on a public network, there is a mandatory need for a secure communication channel (an encrypted communication protocol), using the HTTPS protocol.


Q2: Are all Exchange servers using dual identity?

A2: The answer is “NO”. Only the Exchange server that is described as a Public facing Exchange server, meaning an Exchange server that is “exposed” to the public network and provides services for internal and external Outlook clients at the same time.

In case the Exchange server has a “public identity” in addition to its “standard” private or internal identity, the Exchange server will need to use two different sets of parameters for communicating with internal versus external Outlook clients.

Q3: Is there a difference between Exchange 2007/2010 versus Exchange 2013 regarding the subject of “dual identity”?

A3: Yes and no. Exchange 2007/2010 servers and Exchange 2013 are both based on the concept of “dual identity”, in which the Exchange server uses two “languages” or interfaces for serving external versus internal Exchange clients.


The main difference is that an Exchange 2013 server places a mandatory requirement on internal + external Outlook clients to use only the Outlook Anywhere protocol (RPC\HTTPS) or, in case the Outlook client supports the new communication protocol, the MAPI over HTTPS protocol.

Exchange 2007/2010 server versions enable an Outlook client that is located on the internal network to use the RPC over TCP protocol.


Q4: When you say that each of the Exchange interfaces has a specific character, what are these characters?

A4: The three main elements that use different parameters when relating to internal versus external Outlook clients are:

1. Communication protocol

2. Authentication protocol

3. Exchange web service URL address


In the following diagram, we can see the possible parameters for each of the Exchange interfaces (public versus internal).

1. Communication protocol

As mentioned, Exchange 2013 has a mandatory requirement for using the Outlook Anywhere (RPC over HTTPS) protocol by internal + external Outlook clients, versus Exchange 2007/2010, which uses the Direct RPC (RPC over TCP) protocol as the communication protocol for internal Outlook clients.

2. Authentication protocol

The authentication protocols that can be used are the Basic authentication protocol and the NTLM authentication protocol.

Note – technically speaking, the internal Outlook client can also use the Kerberos protocol, but we will not cover this option.

The Exchange administrator can decide which of the authentication protocols will be used by the internal and external Outlook clients.

3. Exchange web service URL address

When an Exchange server provides information about the existing Exchange web services and the hosts that provide these services, the information that includes the URL address of the Exchange web service is different for internal and external Outlook clients.

Regarding internal Outlook clients – the Exchange web service URL address will include the internal or private host name of the Exchange server that provides the specific web service.

Regarding external Outlook clients – the Exchange web service URL address will include the public host name of the Exchange server that provides the specific web service.


Q1: Who are the Exchange clients that interact with the dual identity of the Exchange server?

A1: The most prominent Exchange client that is “affected” by and relates to the “dual identity” of the Exchange server is the Outlook client.

The Autodiscover process that is implemented between the Outlook client and the Exchange server is based on information that the Exchange server provides to the Outlook client (the Autodiscover response).

The Autodiscover information that is provided to the Outlook client includes two sets of configuration settings:

One set of configuration settings that are relevant only for the external Outlook client.

One set of configuration settings that are relevant only for the internal Outlook client.


Mobile (ActiveSync) Exchange clients can communicate only with the “public identity” of the Exchange server.

The Exchange web client (OWA) can communicate with the internal + the external identity of the Exchange server. The only factor that determines whether the internal or the external identity of the Exchange server is used is the URL address that the OWA mail client types into the browser.

For example, in case the Exchange server uses a different URL address for OWA services, users who are located on the internal organization’s network will have to use a specific URL address for accessing Exchange OWA services, versus external OWA mail clients, who will need to use the public OWA URL address.


In the following screenshot, we can see the Exchange 2010 server settings that relate to the internal versus the external URL address that users will need to use for accessing their mailbox using the OWA web client.

Internal users will need to use the internal URL address – https://ex01.o365info.local/owa

External users will need to use the external URL address – https://mail.o365info.com/owa

In the following screenshot, we can see the same concept, but now we can see the management interface of an Exchange 2013 based server.


Q1: How does the Exchange server “understand” that it has two different identities?

A1: This is a very interesting question, and the person who asks this question must be very intelligent!

The Exchange server “understands” that it has two different identities when we choose to enable Outlook Anywhere on a specific Exchange server. After we enable Outlook Anywhere, the Exchange server “understands” that from now on it will need to support “two types” of Outlook clients – internal versus external Outlook clients.


The additional parameters that relate to the two different identities of the Exchange server are the internal versus external URL addresses that will be assigned to the different services that the Exchange server provides.

In the following screenshot, we can see an example of the Exchange 2010 settings that relate to Outlook Anywhere.

We can see that the status of Outlook Anywhere is – Enabled.

In addition, we can choose the authentication protocol that will be used by the Outlook Anywhere client (Basic or NTLM authentication).


In the following screenshot, we can see an example of the Exchange 2013 settings that relate to Outlook Anywhere.

The Exchange 2013 architecture includes a couple of updates that relate to the Outlook Anywhere settings.

For example, Exchange 2013 enables us to define a different Exchange server name that will be used by the internal Outlook clients versus the external Outlook clients.
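The following PowerShell is an added example, not code from the original article or from o365info.com. It pulls the three elements listed under Q4 (communication protocol, authentication protocol, web service URL) out of the Exchange Management Shell for one Client Access server, so the two identities can be compared side by side, and it applies the Exchange 2013 Outlook Anywhere settings shown in the screenshots above (separate internal and external host names, a different authentication method per side). The server name EX01, the host names ex01.o365info.local and mail.o365info.com, and the .local private DNS suffix are assumptions taken from the article's screenshots.

```powershell
# Added example (not code from the original article or from o365info.com).
# Inventory the two "identities" of a Client Access server from the Exchange
# Management Shell. Server and host names are assumptions taken from the
# article's screenshots (EX01, ex01.o365info.local, mail.o365info.com).

function Get-ExchangeIdentityReport {
    param([string]$Server = 'EX01')   # hypothetical server name

    $rows = @()

    # Elements 1 and 2: communication and authentication protocol live on the
    # Outlook Anywhere object. InternalHostname / ExternalHostname and the
    # per-side authentication and SSL settings exist on Exchange 2013 and later;
    # on Exchange 2010 those properties are absent and simply come back empty.
    $oa = Get-OutlookAnywhere -Server $Server
    $rows += [pscustomobject]@{
        Service  = 'OutlookAnywhere'
        Internal = "host=$($oa.InternalHostname) auth=$($oa.InternalClientAuthenticationMethod) ssl=$($oa.InternalClientsRequireSsl)"
        External = "host=$($oa.ExternalHostname) auth=$($oa.ExternalClientAuthenticationMethod) ssl=$($oa.ExternalClientsRequireSsl)"
    }

    # Element 3: every web service virtual directory carries an InternalUrl and
    # an ExternalUrl, one per identity.
    $vdirCmdlets = @{
        OWA        = 'Get-OwaVirtualDirectory'
        ECP        = 'Get-EcpVirtualDirectory'
        EWS        = 'Get-WebServicesVirtualDirectory'
        ActiveSync = 'Get-ActiveSyncVirtualDirectory'
        OAB        = 'Get-OabVirtualDirectory'
    }
    # MAPI over HTTP has its own virtual directory from Exchange 2013 SP1 onwards.
    if (Get-Command Get-MapiVirtualDirectory -ErrorAction SilentlyContinue) {
        $vdirCmdlets['MAPI'] = 'Get-MapiVirtualDirectory'
    }
    foreach ($name in $vdirCmdlets.Keys) {
        foreach ($vd in @(& $vdirCmdlets[$name] -Server $Server)) {
            $rows += [pscustomobject]@{
                Service  = $name
                Internal = "url=$($vd.InternalUrl)"
                External = "url=$($vd.ExternalUrl)"
            }
        }
    }
    $rows
}

function Test-ExchangeIdentityReport {
    # Flags the settings that break or weaken the public identity: an external
    # endpoint that is plain HTTP, an external host name that only internal DNS
    # can resolve, and Outlook Anywhere accepting external clients without SSL.
    param([object[]]$Report, [string]$PrivateSuffix = '.local')   # suffix is an assumption
    $privatePattern = [regex]::Escape($PrivateSuffix) + '(/|\s|$)'
    foreach ($row in $Report) {
        if ($row.External -match '(url|host)=http://') { "$($row.Service): external endpoint is not HTTPS" }
        if ($row.External -match $privatePattern)      { "$($row.Service): external endpoint uses a private host name" }
        if ($row.External -match 'ssl=False')          { "$($row.Service): external clients are not required to use SSL" }
    }
}

function Set-ExchangeDualIdentity {
    # Exchange 2013 only: one host name per identity, NTLM for internal clients,
    # Basic (over mandatory SSL) for external clients, as in the article's
    # Outlook Anywhere screenshot. Add -WhatIf to Set-OutlookAnywhere to preview.
    param(
        [string]$Server       = 'EX01',
        [string]$InternalHost = 'ex01.o365info.local',
        [string]$ExternalHost = 'mail.o365info.com'
    )
    Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere `
        -InternalHostname $InternalHost -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
        -ExternalHostname $ExternalHost -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic `
        -IISAuthenticationMethods Basic, Ntlm
}

$report = Get-ExchangeIdentityReport -Server 'EX01'
$report | Format-Table -AutoSize
Test-ExchangeIdentityReport -Report $report
```

The report has one row per service with the internal and external values next to each other, which is the quickest way to spot a service whose external identity was never configured (an empty ExternalUrl) or was configured with the private name. The checks in Test-ExchangeIdentityReport are the ones that matter once a server is public facing: Basic authentication is only acceptable because the external side is forced to SSL, so ExternalClientsRequireSsl set to false, or an http:// external URL, would expose credentials on the network the article calls “unsafe”.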


Q1: How are the required parameters configured for each of the different Exchange identities?

A1: Some of the parameters are considered “default parameters”, and the Exchange administrator has the ability to change or update these specific settings based upon his needs.

Some of the parameters can be configured by using the Exchange graphic interface, and some of the parameters can be defined only by using PowerShell.

Q2: How does Outlook recognize its physical location (internal versus external network)?

A2: The method that the Outlook client uses for recognizing its “location” (internal versus external network) depends on the Exchange server version and the communication protocol that is used by the Outlook client.


In an Exchange server 2007\2010 based environment, the method that is used by the Outlook client is based upon an algorithm that is described as “Fast\Slow network”.

The logical assumption on which the algorithm is based is that the internal network (LAN) is considered a “fast network”, while the public network is considered a “slow network”.

My opinion is that the logic behind this method was “correct” in the past; in a modern network environment, the logic of this algorithm cannot be realized.

The simple explanation is that nowadays even home networks that are connected to the public network (WAN) have a very fast bandwidth that is very similar to the bandwidth of an internal (LAN) network.

In a scenario in which the Exchange environment is based on 2007\2010, the Outlook Anywhere client will try to estimate the network speed.


In case the Outlook client “decides” that it is located on a “fast network” (LAN), the Outlook client will try to use the Direct RPC (RPC over TCP) protocol as the communication protocol with the Exchange server.

In case the Outlook client “decides” that it is located on a “slow network” (WAN), the Outlook client will try to use the Outlook Anywhere (RPC over HTTPS) protocol as the communication protocol with the Exchange server.

Regarding an Exchange 2013 server based environment, the method that is used by the Outlook client for recognizing which network type it is located in is different.

Exchange 2013 provides the Outlook client information (Autodiscover information) about its internal name + external name.

By default, the Outlook Anywhere client (Exchange 2013 supports only Outlook Anywhere clients) will try to communicate with the Exchange server using the internal host name. In case the Outlook client doesn’t manage to communicate with the internal Exchange host name, the Outlook client tries to address the Exchange server by using the external host name of the Exchange server.


Additional reading

Outlook Anywhere – behind the scene

Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment

Exchange Server 2013 introduces the InternalHostname property in Outlook Anywhere. When you use Outlook Anywhere to connect to Exchange Server 2013, Outlook first uses the internal host name. However, when Outlook cannot connect to Exchange Server 2013 by using the internal host name, Outlook uses the external host name instead of the internal host name.

[Source of information – Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment]

Q: How does the Exchange server “tell” the Outlook client about its dual identity?


A: The way that the Exchange server provides information about its different identities (internal versus external) + the specific characters of each of the identities is by using the Autodiscover information.

When the Outlook client addresses the Exchange server, asking for Autodiscover information, the Exchange server provides the Outlook client detailed information about the internal + external Exchange infrastructure by using the Autodiscover response.

For example, the Autodiscover response includes information about how to address the Exchange server (what URL address to use) when the Outlook client is located in the internal\private network versus a scenario in which the Outlook client is located on the external network.

In the following diagram, we can see an example of the concept of the dual identity of the Exchange server and the Autodiscover response.

The Autodiscover response includes all the available information about the external + the internal Exchange infrastructure.


When the Outlook client “recognizes” that it is located on the internal network, it will use only the part of the Autodiscover response that relates to the internal Exchange identity (the green color in our diagram).

When the Outlook client “recognizes” that it is located on the external network, it will use only the part of the Autodiscover response that relates to the external Exchange identity (the red color in our diagram).

Q: What are the parameters that are included in the Autodiscover response?

A: The Autodiscover response includes many different parameters that will not be reviewed in the current article, but the most prominent parameters relate to the following:

1. Communication protocol

Exchange 2007\2010 supports two major communication protocols that can be used by Outlook clients:

Outlook Anywhere – RPC over HTTPS or RPC over HTTP.

The concept of this protocol is based upon a method that is described as encapsulation: one protocol uses another protocol as a “transport mechanism”. The RPC protocol uses the HTTP or the HTTPS protocol as a “transport protocol”. Technically, Exchange administrators can choose to use HTTP (a non-encrypted communication protocol) or HTTPS (a secure communication protocol) as the transport protocol.

Direct RPC (RPC over TCP)

A communication protocol that can be used by the Outlook client only on the internal\private network.

2. Authentication protocol

The Exchange administrator can decide which of the authentication protocols will be used by the internal and external Outlook clients.

The optional authentication protocols are: NTLM or Basic authentication.

3. Exchange web service URL address

The Exchange server “tells” the Outlook client about the available Exchange web services by publishing the URL address of each of the existing Exchange web services.

In the following diagram, we can see an example of the different characters for each of the Exchange “identities”.

For example, the Exchange web services that are “published” for the internal Outlook client are based on a URL address that includes the private\internal host name of


In the following diagram, we can see an example of the methods that are used by the Outlook client for “selecting” a specific communication method with the Exchange server.

An Outlook client that uses the RPC\HTTPS protocol will determine the network type (external versus internal) by trying to measure the speed of the communication link.

An Outlook client that uses the MAPI\HTTPS protocol will use a default option in which the Outlook client will try to address the Exchange server as an “internal client”, and if the communication cannot be established, it will communicate with the Exchange server as an external client.
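As an added example that is not part of the original article, the following PowerShell shows the client side of what the last four pages describe: a constructed Autodiscover (Outlook provider) response for the article's sample host names, split into the internal identity (the Protocol element of type EXCH), the external identity (type EXPR) and the OWA URLs (type WEB, with Internal and External children), followed by the selection order the article attributes to Exchange 2013 clients, internal host name first and external host name only if the internal one cannot be reached. The response body, the sample user, the URLs, the “try-and-fall-back” probe, and the use of Test-NetConnection as the default probe are all assumptions made for the example; the EXCH/EXPR/WEB element names are those of the Outlook provider response schema.

```powershell
# Added example (not code from the original article or from o365info.com).
# A constructed Autodiscover response for the article's sample host names,
# parsed into the internal (EXCH) and external (EXPR) identity, plus the
# Exchange 2013 rule: try the internal host name first, then the external one.

$SampleAutodiscoverResponse = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><DisplayName>Sample User</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>ex01.o365info.local</Server>
        <AuthPackage>Ntlm</AuthPackage>
        <EwsUrl>https://ex01.o365info.local/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://ex01.o365info.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.o365info.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.o365info.com</CertPrincipalName>
        <EwsUrl>https://mail.o365info.com/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://mail.o365info.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal><OWAUrl AuthenticationMethod="Basic, Fba">https://ex01.o365info.local/owa/</OWAUrl></Internal>
        <External><OWAUrl AuthenticationMethod="Fba">https://mail.o365info.com/owa/</OWAUrl></External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-AutodiscoverIdentities {
    param([string]$ResponseXml)
    $doc       = [xml]$ResponseXml
    $protocols = @($doc.Autodiscover.Response.Account.Protocol)
    $exch = $protocols | Where-Object { $_.Type -eq 'EXCH' }
    $expr = $protocols | Where-Object { $_.Type -eq 'EXPR' }
    $web  = $protocols | Where-Object { $_.Type -eq 'WEB' }

    # The three elements of each identity: transport, authentication, service URLs.
    $internal = [pscustomobject]@{
        Identity = 'Internal'; Transport = 'RPC over TCP (EXCH)'
        Server = $exch.Server; Auth = $exch.AuthPackage; Ssl = 'n/a'
        EwsUrl = $exch.EwsUrl; OwaUrl = $web.Internal.OWAUrl.'#text'
    }
    $external = [pscustomobject]@{
        Identity = 'External'; Transport = 'RPC over HTTP(S) (EXPR)'
        Server = $expr.Server; Auth = $expr.AuthPackage; Ssl = $expr.SSL
        EwsUrl = $expr.EwsUrl; OwaUrl = $web.External.OWAUrl.'#text'
    }

    # Checks on the public identity: Basic authentication is only acceptable when
    # the RPC/HTTP transport is forced to SSL, and every external URL must be HTTPS.
    $warnings = @()
    if ($external.Auth -eq 'Basic' -and $external.Ssl -ne 'On') { $warnings += 'EXPR: Basic authentication without SSL' }
    foreach ($url in $external.EwsUrl, $external.OwaUrl) {
        if ($url -and $url -notmatch '^https://') { $warnings += "External URL is not HTTPS: $url" }
    }

    [pscustomobject]@{ Internal = $internal; External = $external; Warnings = $warnings }
}

function Select-ExchangeIdentity {
    # Exchange 2013 order described in the article: internal host name first,
    # external host name only if the internal one cannot be reached. $Probe must
    # return $true when the host answers; the default probes TCP 443 (assumption:
    # Test-NetConnection is available, i.e. Windows 8.1 / Server 2012 R2 or later).
    param($Identities, [scriptblock]$Probe = { param($HostName)
        Test-NetConnection -ComputerName $HostName -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue })
    foreach ($side in 'Internal', 'External') {
        $id = $Identities.$side
        if (& $Probe $id.Server) { return $id }
    }
    return $null   # neither identity reachable: the client cannot connect at all
}

$ids = Get-AutodiscoverIdentities -ResponseXml $SampleAutodiscoverResponse
$ids.Internal, $ids.External | Format-Table Identity, Transport, Server, Auth, Ssl, EwsUrl -AutoSize
$ids.Warnings

# Constructed probe simulating a client on the public network: only the public
# host name answers, so the selection falls through to the external identity.
$fromInternet = { param($HostName) $HostName -eq 'mail.o365info.com' }
Select-ExchangeIdentity -Identities $ids -Probe $fromInternet | Format-List Identity, Server, Auth
```

Run as-is, the table is the green and red halves of the article's diagram side by side, the warning list is empty because the sample EXPR section advertises Basic only together with SSL=On, and the simulated Internet-side probe selects the external identity (mail.o365info.com with Basic authentication). Replacing the constructed probe with the default one turns the function into a quick diagnostic for “which identity will this machine end up using”, which is the first thing to check when a client on the LAN unexpectedly shows the public host name in its proxy settings.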
