The dual identity of the Exchange server | Part 08#36
http://o365info.com/the-dual-identity-of-the-exchange-server-part-08-of-36
Reviewing the infrastructure of an Exchange server that serves as a public-facing Exchange server: the services that the Exchange server provides to internal Exchange clients versus public Exchange clients.
Eyal Doron | o365info.com
Page 1 of 21 | The dual identity of the Exchange server | Part 08#36
Written by Eyal Doron | o365info.com | Copyright © 2012-2015
The dual identity of the Exchange server | Part 08#36
One of the most confusing and unclear subjects in the Exchange architecture is what I describe as "the dual identity of the Exchange server".
I use the term "dual identity" because the Exchange server relates differently to Exchange clients located on the internal\private network than to Exchange clients located on the public network.
Q1: What is the reason for using this Exchange "dual identity"?
A1: The general answer is that the needs and the behavior of Exchange clients located on the internal\private network differ from those of Exchange clients located on a public network.
For example, the basic assumption is that the internal\private network is considered "secured", whereas the public network is considered "unsafe", a network that is exposed to different threats.
For this reason, the communication protocol that the Outlook client uses for communicating with the Exchange server on the internal network doesn't have to be encrypted.
On the contrary, when the Outlook client is located on a public network, there is a mandatory need for a secure communication channel (an encrypted communication protocol), which means using the HTTPS protocol.
Q2: Do all Exchange servers use a dual identity?
A2: The answer is "NO". Only the Exchange server that is described as a public-facing Exchange server, meaning an Exchange server that is "exposed" to the public network and provides services for internal and external Outlook clients at the same time.
When the Exchange server has a "public identity" in addition to its "standard" private or internal identity, the Exchange server needs to use two different sets of parameters for communicating with internal versus external Outlook clients.
Q3: Is there a difference between Exchange 2007/2010 and Exchange 2013 regarding the subject of "dual identity"?
A3: Yes and no. Both Exchange 2007/2010 and Exchange 2013 are based on the concept of "dual identity", in which the Exchange server uses two "languages", or interfaces, for serving external versus internal Exchange clients.
The main difference is that Exchange 2013 places a mandatory requirement on internal and external Outlook clients to use only the Outlook Anywhere protocol (RPC\HTTPS) or, if the Outlook client supports the newer communication protocol, the MAPI over HTTPS protocol.
Exchange 2007/2010 allows an Outlook client that is located on the internal network to use the RPC over TCP protocol.
Q4: When you say that each of the Exchange interfaces has a specific character, what are these characters?
A4: The three main elements that use different parameters for internal versus external Outlook clients are:
1. Communication protocol
2. Authentication protocol
3. Exchange web service URL address
In the following diagram, we can see the optional parameters for each of the Exchange interfaces (public versus internal).
1. Communication protocol
As mentioned, Exchange 2013 has a mandatory requirement that internal and external Outlook clients use the Outlook Anywhere (RPC over HTTPS) protocol, whereas Exchange 2007/2010 uses the Direct RPC (RPC over TCP) protocol as the communication protocol for internal Outlook clients.
2. Authentication protocol
The authentication protocols that can be used are the Basic authentication protocol and the NTLM authentication protocol.
Note: technically speaking, the internal Outlook client can also use the Kerberos protocol, but we will not cover this option.
The Exchange administrator can decide which of the authentication protocols will be used by the internal and the external Outlook clients.
3. Exchange web service URL address
When an Exchange server provides information about the existing Exchange web services and the hosts that provide these services, the URL address of each Exchange web service is different for internal and external Outlook clients.
Regarding internal Outlook clients: the Exchange web service URL address includes the internal or private hostname of the Exchange server that provides the specific web service.
Regarding external Outlook clients: the Exchange web service URL address includes the public hostname of the Exchange server that provides the specific web service.
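As an added illustration (not part of the original article), the following Exchange Management Shell script lists the three elements above for both identities of each Exchange 2013 Client Access server. It uses the real cmdlets Get-OutlookAnywhere, Get-OwaVirtualDirectory and Get-WebServicesVirtualDirectory and their Exchange 2013 property names; the function names Get-ExchangeDualIdentityReport and Test-ExternalIdentity, and the HTTPS check on the external side, are assumptions chosen for this example.

```powershell
# Added example, not from the article: report the three per-identity elements
# (communication protocol / TLS, authentication protocol, service URL) for the
# internal and the external identity of each Exchange 2013 Client Access server.
# Run from the Exchange Management Shell. Cmdlet and property names are the
# Exchange 2013 ones; Get-ExchangeDualIdentityReport and Test-ExternalIdentity
# are names chosen for this example.

function Get-ExchangeDualIdentityReport {
    [CmdletBinding()]
    param(
        # Optional server name, e.g. 'EX01'. Omit to report every server.
        [string]$Server
    )

    $scope = @{}
    if ($Server) { $scope['Server'] = $Server }

    $rows = New-Object System.Collections.Generic.List[object]

    # Elements 1 and 2: Outlook Anywhere carries a separate host name,
    # authentication method and "require SSL" flag for each identity.
    foreach ($oa in Get-OutlookAnywhere @scope) {
        $rows.Add([pscustomobject]@{
            Server   = $oa.Server
            Service  = 'OutlookAnywhere (RPC over HTTP)'
            Identity = 'Internal'
            Endpoint = $oa.InternalHostname
            Auth     = $oa.InternalClientAuthenticationMethod
            TlsOnly  = $oa.InternalClientsRequireSsl
        })
        $rows.Add([pscustomobject]@{
            Server   = $oa.Server
            Service  = 'OutlookAnywhere (RPC over HTTP)'
            Identity = 'External'
            Endpoint = $oa.ExternalHostname
            Auth     = $oa.ExternalClientAuthenticationMethod
            TlsOnly  = $oa.ExternalClientsRequireSsl
        })
    }

    # Element 3: web services publish one URL per identity. For a URL the
    # "TLS only" column is derived from the scheme of the published address.
    $webServices = @(Get-OwaVirtualDirectory @scope) + @(Get-WebServicesVirtualDirectory @scope)
    foreach ($vd in $webServices) {
        foreach ($side in 'Internal', 'External') {
            $url = $vd."${side}Url"
            $rows.Add([pscustomobject]@{
                Server   = $vd.Server
                Service  = $vd.Name
                Identity = $side
                Endpoint = $url
                Auth     = ($vd."${side}AuthenticationMethods" -join ',')
                TlsOnly  = ($null -ne $url -and $url.Scheme -eq 'https')
            })
        }
    }
    return $rows
}

function Test-ExternalIdentity {
    # Flags external-side rows that are published without HTTPS, the one
    # requirement the article states for public clients.
    param([Parameter(ValueFromPipeline = $true)]$Row)
    process {
        if ($Row.Identity -eq 'External' -and -not $Row.TlsOnly) {
            Write-Warning ("{0}: external {1} endpoint '{2}' is not HTTPS-only" -f
                $Row.Server, $Row.Service, $Row.Endpoint)
        }
        $Row
    }
}

Get-ExchangeDualIdentityReport | Test-ExternalIdentity | Format-Table -AutoSize
```

The report deliberately puts the internal and the external row of each service next to each other, so a mismatch between the two identities (for example an external URL that still carries the private host name) is visible in one table.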
Q1: Which Exchange clients interact with the dual identity of the Exchange server?
A1: The most prominent Exchange client that is "affected" by, and relates to, the "dual identity" of the Exchange server is the Outlook client.
The Autodiscover process that runs between the Outlook client and the Exchange server is based on information that the Exchange server provides to the Outlook client (the Autodiscover response).
The Autodiscover information that is provided to the Outlook client includes two sets of configuration settings:
One set of configuration settings that is relevant only for the external Outlook client.
One set of configuration settings that is relevant only for the internal Outlook client.
Mobile (ActiveSync) Exchange clients can communicate only with the "public identity" of the Exchange server.
The Exchange web client (OWA) can communicate with both the internal and the external identity of the Exchange server. The only factor that determines whether the internal or the external identity of the Exchange server is used is the URL address that the OWA mail client types into the browser.
For example, when the Exchange server uses a different URL address for OWA services for users located on the internal organization network, those users will have to use a specific URL address for accessing Exchange OWA services, whereas external OWA mail clients will need to use the public OWA URL address.
In the following screenshot, we can see the Exchange 2010 server settings that relate to the internal versus the external URL address that users will need to use for accessing their mailbox using the OWA web client.
Internal users will need to use the internal URL address: https://ex01.o365info.local/owa
External users will need to use the external URL address: https://mail.o365info.com/owa
In the following screenshot, we can see the same concept, but this time in the management interface of an Exchange 2013 based server.
Q1: How does the Exchange server "understand" that it has two different identities?
A1: This is a very interesting question, and the person who asks this question must be very intelligent!
The Exchange server "understands" that it has two different identities when we choose to enable Outlook Anywhere on a specific Exchange server. After we enable Outlook Anywhere, the Exchange server "understands" that from now on it will need to support "two types" of Outlook clients: internal versus external Outlook clients.
The additional parameter that relates to the two different identities of the Exchange server is the pair of internal versus external URL addresses that are assigned to the different services that the Exchange server provides.
In the following screenshot, we can see an example of the Exchange 2010 settings that relate to Outlook Anywhere.
We can see that the status of Outlook Anywhere is Enabled.
In addition, we can choose the authentication protocol that will be used by the Outlook Anywhere client (Basic or NTLM authentication).
In the following screenshot, we can see an example of the Exchange 2013 settings that relate to Outlook Anywhere.
The Exchange 2013 architecture includes a couple of updates that relate to the Outlook Anywhere settings.
For example, Exchange 2013 enables us to define a different Exchange server name that will be used by the internal Outlook clients versus the external Outlook clients.
Q1: How are the required parameters configured for each of the different Exchange identities?
A1: Some of the parameters are considered "default parameters", and the Exchange administrator has the ability to change or update these specific settings based on his needs.
Some of the parameters can be configured by using the Exchange graphical interface, and some of the parameters can be defined only by using PowerShell.
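The following PowerShell is an added example (not taken from the article or its screenshots) of setting both identities of one Exchange 2013 Client Access server from the Exchange Management Shell. The cmdlets and parameters (Set-OutlookAnywhere, Set-OwaVirtualDirectory, Set-WebServicesVirtualDirectory and their Internal*/External* parameters) are the real Exchange 2013 ones; the server name EX01 is an assumption, and the host names reuse the article's own examples.

```powershell
# Added example, not from the article: configure both identities of one
# Exchange 2013 Client Access server from the Exchange Management Shell.
# The host names reuse the article's examples (ex01.o365info.local internal,
# mail.o365info.com public); the server name EX01 is assumed. Identity strings
# follow the 'SERVER\vdir (Default Web Site)' form Exchange uses.

$ServerName   = 'EX01'
$InternalHost = 'ex01.o365info.local'
$ExternalHost = 'mail.o365info.com'

# Elements 1 and 2: Outlook Anywhere. InternalHostname / ExternalHostname are the
# Exchange 2013 additions the article mentions; the authentication method is
# set per identity. The article notes that internal traffic does not have to be
# encrypted; this example requires TLS on both sides, which is stricter.
Set-OutlookAnywhere -Identity "$ServerName\Rpc (Default Web Site)" `
    -InternalHostname $InternalHost `
    -InternalClientAuthenticationMethod Ntlm `
    -InternalClientsRequireSsl $true `
    -ExternalHostname $ExternalHost `
    -ExternalClientAuthenticationMethod Basic `
    -ExternalClientsRequireSsl $true

# Element 3: one URL per identity for each web service. Only the services the
# article discusses (OWA and EWS) are shown; the same pattern applies to the
# other virtual directories.
Set-OwaVirtualDirectory -Identity "$ServerName\owa (Default Web Site)" `
    -InternalUrl "https://$InternalHost/owa" `
    -ExternalUrl "https://$ExternalHost/owa"

Set-WebServicesVirtualDirectory -Identity "$ServerName\EWS (Default Web Site)" `
    -InternalUrl "https://$InternalHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx"

# Read the result back so the two identities can be compared side by side.
Get-OutlookAnywhere -Server $ServerName |
    Format-List InternalHostname, InternalClientAuthenticationMethod, InternalClientsRequireSsl,
                ExternalHostname, ExternalClientAuthenticationMethod, ExternalClientsRequireSsl

@(Get-OwaVirtualDirectory -Server $ServerName) + @(Get-WebServicesVirtualDirectory -Server $ServerName) |
    Format-Table Name, InternalUrl, ExternalUrl -AutoSize
```

Appending -WhatIf to each Set-* call shows what would change without touching the server, which is the usual way to review such a script before running it in production.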
Q2: How does Outlook recognize its physical location (internal versus external network)?
A2: The method that the Outlook client uses for recognizing its "location" (internal versus external network) depends on the Exchange server version and on the communication protocol that is used by the Outlook client.
In an Exchange 2007\2010 based environment, the method that is used by the Outlook client is based on an algorithm that is described as "Fast\Slow network".
The logical assumption on which the algorithm is based is that the internal network (LAN) is considered a "fast network", while the public network is considered a "slow network".
My opinion is that the logic behind this method was "correct" in the past, but in a modern network environment the logic of this algorithm no longer holds.
The simple explanation is that nowadays even home networks that are connected to the public network (WAN) have very fast bandwidth, very similar to the bandwidth of an internal (LAN) network.
In a scenario in which the Exchange environment is based on 2007\2010, the Outlook Anywhere client will try to estimate the network speed.
If the Outlook client "decides" that it is located on a "fast network" (LAN), the Outlook client will try to use the Direct RPC (RPC over TCP) protocol as the communication protocol with the Exchange server.
If the Outlook client "decides" that it is located on a "slow network" (WAN), the Outlook client will try to use the Outlook Anywhere (RPC over HTTPS) protocol as the communication protocol with the Exchange server.
In an Exchange 2013 server based environment, the method that the Outlook client uses for recognizing which network type it is located on is different.
Exchange 2013 provides the Outlook client (as part of the Autodiscover information) with its internal name and its external name.
By default, the Outlook Anywhere client (Exchange 2013 supports only Outlook Anywhere clients) will try to communicate with the Exchange server using the internal host name. If the Outlook client doesn't manage to communicate with the internal Exchange host name, the Outlook client tries to address the Exchange server by using the external host name of the Exchange server.
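As an added, client-side diagnostic (not part of the article), the PowerShell below walks the two identities in the same order an Exchange 2013 Outlook Anywhere client does: the internal host name first, the external host name only if the internal one cannot be reached. The function names Test-Endpoint and Test-ExchangeIdentityOrder are chosen for this example; the default host names are the article's examples and can be replaced with the InternalHostname and ExternalHostname values that Get-OutlookAnywhere returns.

```powershell
# Added example, not from the article: reproduce the order in which an
# Exchange 2013 Outlook Anywhere client tries the server's two identities
# (internal host name first, external host name as the fallback), as a
# client-side diagnostic. Test-Endpoint and Test-ExchangeIdentityOrder are
# names chosen here; the host names default to the article's examples and can
# be replaced by (Get-OutlookAnywhere).InternalHostname / .ExternalHostname.

function Test-Endpoint {
    # Returns an object telling whether the name resolves and whether port 443
    # accepts a TCP connection within the timeout. No HTTP request is made;
    # this only checks reachability, which is what the client's fallback keys on.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 3000)

    try {
        $null = [System.Net.Dns]::GetHostAddresses($HostName)
    } catch {
        return [pscustomobject]@{ Host = $HostName; Resolved = $false; Reachable = $false }
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done) { $client.EndConnect($async) }   # throws if the port refused
        return [pscustomobject]@{ Host = $HostName; Resolved = $true; Reachable = $done }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Resolved = $true; Reachable = $false }
    } finally {
        $client.Close()
    }
}

function Test-ExchangeIdentityOrder {
    param(
        [string]$InternalHostName = 'ex01.o365info.local',
        [string]$ExternalHostName = 'mail.o365info.com'
    )

    # Same order as the client: internal identity first, then external.
    foreach ($candidate in @(
            @{ Identity = 'Internal'; Host = $InternalHostName },
            @{ Identity = 'External'; Host = $ExternalHostName })) {
        $result = Test-Endpoint -HostName $candidate.Host
        $state  = if (-not $result.Resolved) { 'name does not resolve' }
                  elseif ($result.Reachable) { 'reachable' }
                  else { 'no answer on 443' }
        Write-Host ("{0,-8} {1,-28} {2}" -f $candidate.Identity, $candidate.Host, $state)
        if ($result.Reachable) {
            return $candidate.Identity    # the identity the client would settle on
        }
    }
    return 'None'
}

# Typical use on a client machine: on the internal network the expected answer
# is 'Internal', from outside it is 'External'. 'None' means neither identity
# answered, which is the case to troubleshoot before looking at Outlook itself.
$selected = Test-ExchangeIdentityOrder
Write-Host "Outlook would connect through the $selected identity"
```

Because the internal name is tried first, a client on the public network spends one DNS lookup (and, if the private name happens to resolve, one connection timeout) before it falls back to the external identity; running this check from both networks shows that difference directly.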
Additional reading
Outlook Anywhere – behind the scene
Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment
Exchange Server 2013 introduces the InternalHostname property in Outlook Anywhere. When you use Outlook Anywhere to connect to Exchange Server 2013, Outlook first uses the internal host name. However, when Outlook cannot connect to Exchange Server 2013 by using the internal host name, Outlook uses the external host name instead of the internal host name.
[Source of information: Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment]
Q: How does the Exchange server "tell" the Outlook client about its dual identity?
A: The way the Exchange server provides information about its different identities (internal versus external), together with the specific characters of each identity, is by using the Autodiscover information.
When the Outlook client addresses the Exchange server asking for Autodiscover information, the Exchange server provides the Outlook client with detailed information about the internal and external Exchange infrastructure by using the Autodiscover response.
For example, the Autodiscover response includes information about how to address the Exchange server (what URL address to use) when the Outlook client is located on the internal\private network versus a scenario in which the Outlook client is located on the external network.
In the following diagram, we can see an example of the concept of the dual identity of the Exchange server and the Autodiscover response.
The Autodiscover response includes all the available information about the external and the internal Exchange infrastructure.
When the Outlook client "recognizes" that it is located on the internal network, it will use only the part of the Autodiscover response that relates to the internal Exchange identity (the green color in our diagram).
When the Outlook client "recognizes" that it is located on the external network, it will use only the part of the Autodiscover response that relates to the external Exchange identity (the red color in our diagram).
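To make the "two halves of one response" idea concrete, here is an added example (not from the article) that splits a constructed Autodiscover response into the internal and the external identity, the way the Outlook client picks one half of it; it also covers the three parameters the next question lists (communication protocol, authentication protocol, web service URL). The XML is hand-written for this example after the Outlook provider response schema: the EXCH protocol block carries the internal settings, EXPR the Outlook Anywhere (external) settings and WEB the two OWA URLs. The function name Get-IdentityFromAutodiscover is an assumption; the host names reuse the article's examples.

```powershell
# Added example, not from the article: split a constructed Autodiscover
# response into the internal and the external identity. The XML is hand-written
# after the Outlook provider response schema (EXCH = internal settings,
# EXPR = Outlook Anywhere / external settings, WEB = OWA URLs); host names reuse
# the article's examples. Get-IdentityFromAutodiscover is a name chosen here.

$AutodiscoverXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>ex01.o365info.local</Server>
        <AuthPackage>Ntlm</AuthPackage>
        <EwsUrl>https://ex01.o365info.local/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://ex01.o365info.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.o365info.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.o365info.com</CertPrincipalName>
        <EwsUrl>https://mail.o365info.com/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://mail.o365info.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal><OWAUrl AuthenticationMethod="Basic, Fba">https://ex01.o365info.local/owa/</OWAUrl></Internal>
        <External><OWAUrl AuthenticationMethod="Fba">https://mail.o365info.com/owa/</OWAUrl></External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-IdentityFromAutodiscover {
    # Returns one object per identity with the three elements the article lists:
    # communication protocol (Outlook Anywhere with TLS on or off), authentication
    # protocol and web service URLs.
    param([string]$Xml)

    [xml]$doc = $Xml
    $protocols = @($doc.Autodiscover.Response.Account.Protocol)
    $exch = $protocols | Where-Object { $_.Type -eq 'EXCH' } | Select-Object -First 1
    $expr = $protocols | Where-Object { $_.Type -eq 'EXPR' } | Select-Object -First 1
    $web  = $protocols | Where-Object { $_.Type -eq 'WEB'  } | Select-Object -First 1

    [pscustomobject]@{
        Identity = 'Internal'
        Server   = $exch.Server
        Tls      = ($exch.EwsUrl -like 'https://*')   # EXCH has no SSL element
        Auth     = $exch.AuthPackage
        Ews      = $exch.EwsUrl
        Owa      = $web.Internal.OWAUrl.'#text'
        OwaAuth  = $web.Internal.OWAUrl.AuthenticationMethod
    }
    [pscustomobject]@{
        Identity = 'External'
        Server   = $expr.Server
        Tls      = ($expr.SSL -eq 'On')
        Auth     = $expr.AuthPackage
        Ews      = $expr.EwsUrl
        Owa      = $web.External.OWAUrl.'#text'
        OwaAuth  = $web.External.OWAUrl.AuthenticationMethod
    }
}

# The client keeps the half that matches its location; a reviewer can look at
# the external half for an EXPR block whose SSL is not 'On'.
$identities = Get-IdentityFromAutodiscover -Xml $AutodiscoverXml
$identities | Format-List
$external = $identities | Where-Object Identity -eq 'External'
if (-not $external.Tls) { Write-Warning 'External identity is published without TLS' }
```

With the sample above the external object reports Tls = True, Auth = Basic and the public host name, while the internal object reports Auth = Ntlm and the private host name, which is exactly the split the diagram describes.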
Q: What are the parameters that are included in the Autodiscover response?
A: The Autodiscover response includes many different parameters that will not be reviewed in the current article, but the most prominent parameters that relate to the
1. Communication protocol
Exchange 2007\2010 supports two major communication protocols that can be used by Outlook clients:
Outlook Anywhere (RPC over HTTPS or RPC over HTTP)
The concept of this protocol is based on a method described as encapsulation: one protocol uses another protocol as a "transport mechanism". The RPC protocol uses the HTTP or the HTTPS protocol as its "transport protocol". Technically, Exchange administrators can choose to use HTTP (a non-encrypted communication protocol) or HTTPS (a secure communication protocol) as the transport protocol.
Direct RPC (RPC over TCP)
A communication protocol that can be used by the Outlook client only on the internal\private network.
2. Authentication protocol
The Exchange administrator can decide which of the authentication protocols will be used by the internal and the external Outlook clients.
The optional authentication protocols are NTLM or Basic authentication.
3. Exchange web service URL address
The Exchange server "tells" the Outlook client about the available Exchange web services by publishing the URL address of each of the existing Exchange web services.
In the following diagram, we can see an example of the different characters of each of the Exchange "identities".
For example, the Exchange web services that are "published" for the internal Outlook client are based on a URL address that includes the private\internal host name of
In the following diagram, we can see an example of the methods that are used by the Outlook client for "selecting" a specific communication method with the Exchange server.
An Outlook client that uses the RPC\HTTPS protocol will determine the network type (external versus internal) by trying to measure the speed of the communication link.
An Outlook client that uses the MAPI\HTTPS protocol will use a default option in which the Outlook client first tries to address the Exchange server as an "internal client" and, if the communication cannot be established, communicates with the Exchange server as an external client.