Documente Academic
Documente Profesional
Documente Cultură
| Part 1#2 |
Part 17#36
The current article is dedicated to the Interesting and not so clear subject of
Exchange infrastructure namespace.
Exchange server architecture, enable us to use a different interface with internal
Exchange clients versus external Exchange clients that is based on different
namespace.
The major question that I will try to answer in this article are:
1. Is it good or bad to use a different namespace?
2. What are the characters of Exchange environment that is based on two
different namespaces?
Page 2 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 3 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Lets jump to question number 4: Should I spend my precious time reading this
article?
My answer is -Yes
I think that is important to spend the time because very soon, every Exchange
administrator will need to deal with the subject of using ONE public naming
scheme for Exchange Infrastructure.
Page 4 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 5 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 6 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
The interface with the internal Outlook client, was implemented using RPC
protocol and internal namespace based on an internal domain name such as
local domain suffix.
The interface with external Outlook clients, was implemented using
RPC/HTTPS protocol (Outlook Anywhere) and public namespace based on a
public domain name such as com domain suffix.
Note the definition of Exchange server 2010 as part of the former Exchange
server version is not a scientific definition. Many times, organizations
implemented the Exchange 2010 infrastructure based upon the characters of
modern mail environments.
The common convention, which dictates the need to differentiate and separate
Exchange interface with internal Exchange clients versus external Exchange clients
were changed over time into a new convention that was based on a simplify the
concept in which the Exchange interface with internal Exchange clients versus
external Exchange clients will be configured as an identical interface.
For example, in an Exchange 2013 environment, the only available communication
protocol with Outlook client is Outlook Anywhere (RPC\HTTPS or MAPI\HTTPS).
In other words, we cannot set a different communication protocol for internal
Outlook client versus external Outlook client.
Regarding the subject of namespace, theoretically, Exchange 2013 enables us to
use the option on internal namespace for internal Outlook client versus external
namespace for an external Outlook client but most of the time we will not
implement this option.
Another element that relates to the new trend in which we cancel the different
Exchange interface with internal Exchange clients versus external Exchange clients
is because in the current time, public certificate cannot and will not support host
name who includes non-public or public domain name suffix.
In other words even in case that we decide to continue to use Exchange internal
and external namespace, when we need to renew our public certificate, we cannot
ask to include the internal host name as part of the certificate.
Page 7 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Note you can read more information about the new public certificate standard in
the article Public SAN certificate | Deprecated support in the internal server name
| Part 19#36
Existing Exchange infrastructure based on internal and external namespace
In the former section, we have mentioned that modern Exchange environment is
moving toward consolidation or unification of the Exchange interface with internal
Exchange clients versus external Exchange clients.
However, in reality, there are many organizations that still use the former
convention in which we implement two different Exchange interfaces with internal
Exchange clients versus external Exchange clients.
In the next sections, we will review some examples for this type of infrastructure in
which we use two different Exchange interface, the characters of this environment
and the flow that is implemented between Exchange server and his client.
While reading the information, you could feel that my opinion is that organization
that use separation of Exchange interface should work toward unification if this
Exchange interface into one global interface.
The next article Exchange infrastructure | Implementing single domain
namespace scheme | Part 2#2 | Part 18#36, Will deal with the how to part in a
scenario in which we decide to use a single namespace with internal Exchange
clients versus external Exchange clients.
Page 8 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 9 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 10 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 11 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Q: Why should I avoid from using the option of Exchange dual namespace?
A: The short version of the answer for that question is because of two main two
reasons:
1. No internal server names on SAN certificates after 2015
In case that we use the Exchange dual naming scheme infrastructure, the Exchange
public certificate will need to include the host name of internal host (host that use
the Active Directory private domain name) and the Public host name.
This type of configuration will be no longer supported since 1 November 2015
Note If you need to read more information about this subject, read the article
Public SAN certificate | Deprecated support in the internal server name | Part
19#36
2. Because its the right way
The short version of the answer is that using the option of Exchange dual naming
scheme infrastructure instead of using ONE public naming scheme for Exchange
Infrastructure is not the right way.
Page 12 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
The reason for using dual namespace is because historical reasons that are not
valid or relevant anymore to the modern environment.
Using the option of Exchange dual naming scheme infrastructure makes thing
complicated, makes it difficult for Exchange client that needs to memorize two
different naming convention, makes it difficult to troubleshoot Exchange issues
and much more.
Page 13 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Many organizations use a private domain name for the Active Directory if the
results are that the Exchange infrastructure will have to use two domain names
infrastructure.
Q1: What is the meaning of a private domain name?
A2: The technically implementation of a private domain name is, by using a
domain name that uses the local as a suffix.
The local domain suffix is a preserved suffix and there is no option of purchasing
a domain name with the local suffix.
The term public domain name is used in case that we have purchased the domain
name from a public provider such as GoDaddy etc.
Page 14 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Q2: Why does the Active Directory use a private domain name?
A2: In the good old days, the general concept was that using a private domain
name for the Active Directory, is the preferred method because this is a good
security practice.
My personal opinion always was that, this is just a mambo jumbo of a security
personnel because, I have never managed to understand the reason for this
assumption and no one never could provide me a real explanation for this
assumption.
This theory of using a private domain name for the Active Directory domain name
was based on a faulty assumption that the use of private domain name is
required or mandatory for protecting the origination private network from the risks
and hazards that exist in the public network that will harm the private
organization resources.
I use the term -mambo jumbo for describing the theory of using a private domain
name for protecting internal network resources because its simply not true.
Page 15 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 16 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Additional reading
You can read additional information about the concept of private domain name
and the local domain name suffix in the following articles:
.local
Multicast DNS
Top-level domain
Page 17 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 18 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
As mentioned, versus the Active Directory the serve only internal clients and doesnt
expose herself to the public client, the character if the Exchange infrastructure are
the opposite.
In the following diagram, we can see an example for the two worlds in which
Public facing Exchange CAS server needs to operate.
Q: In case that the Active Directory uses a private domain name, how does
Exchange serve external clients?
A: There are two passable solutions:
Option 1: Maintain two different domain name scheme
Page 19 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
In this scenario, the Active Directory private domain namespace will be used also by
the Exchange infrastructure for communicating with internal Exchange clients.
Exchange infrastructure will use the public domain name scheme for
communication with an external mail client.
In this scenario, the Exchange infrastructure is linked to two different domain
names at the same time.
For example in a scenario in which we use an Exchange CAS server who will also
provide service for external mail clients (Public facing Exchange CAS server), an
internal Exchange client will address the Exchange CAS server by using the host
named- ex01.o365info.local
The external Exchange client will address the Public facing Exchange CAS server by
using the host named mail.o365info.com
Page 20 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 21 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
For example, in a scenario in which we use an Exchange CAS server who will also
provide service for external mail clients (Public facing Exchange CAS server), an
internal Exchange client will address the Exchange CAS server by using the
hostname mail.o365info.com
The external Exchange client will address the Public facing Exchange CAS server by
using the host named mail.o365info.com
Page 22 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
The Public domain name that the company has and that is used for publishing
hosts in the external network is o365info.com
By default, each of the internal hosts in the Active Directory will have a
hostname or if we want to be more accurate, FQDN that is based on the
following naming convention <host>.o365info.local
All of the internal hosts, is automatically registered at the Active Directory
DNS server under the domain named o365info.local
The company Exchange server, serve as Public facing Exchange server, that
provide services to external mail clients.
In this case, external mail clients will address the Public facing Exchange
server by using the public domain name scheme, in our scenario
o365info.com
The public name of the Public facing Exchange server is mail.o365info.com and
additional name, which is used for the Autodiscover service for an external
mail client autodiscover.o365info.com
The same Exchange server is published in the internal network by using the
internal FQDN o365info.com
Page 23 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 24 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
o365info.local the name whom the Exchange server use for his internal mail
client for all types of communications and services.
o365info.com the external or the public name of the Public facing
Exchange CAS server who is allocated for the Autodiscover services. External
mail client will use this name for locating their Exchange CAS server
(Autodiscover Endpoint).
o365info.com the external or the public name of the Public facing
Exchange CAS server who external mail client use for accessing and
communicating with their Exchange server.
Page 25 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
When an internal Exchange client needs to access his mailbox, he needs to find +
communicate his Exchange CAS server. In the internal network, the communication
path between the Exchange client and the Exchange CAS server is based on the
following workflow:
1. The mail client connects the local Active Directory (SCP) and asks for a list of
available Exchange CAS server\s
In our scenario, the Active Directory reply with an answer such as
https://exo1.o365info.local/autodiscver/autodiscover.xml
2. The mail client connects the local DNS server and asks for the IP address of
exo1.o365info.local (the DNS reply will include the Private IP address: 192.168.1.5)
3. Mail client connects to the local Exchange CAS server, verify that he can
communicate using HTTPS and ask for the server certificate.
Page 26 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
When the Exchange CAS server provides his certificate to the mail client, the mail
client will check and verify only one host name exo1.o365info.local
The internal Exchange client will ignore all the rest of the host names who appear
in the certificate.
The reason for this is that the Exchange client acknowledge or relate to the
internal Exchange CAS server, using only the hostname exo1.o365info.local
The mail client doesnt care about additional host names who exist in the
certificate that the Public facing Exchange CAS server provides
(mail.o365info.com and o365info.com).
Page 27 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
The mail infrastructure that is used by the external mail client has a very different
character.
The external mail infrastructure will include the following parts and components:
1. Public IP
A public IP address should be acquired and assigned to the Exchange CAS server
who serves as a Public facing Exchange CAS server (most of the time, this public IP
address will be assigned to the company Firewall server who will forward requests
from external mail client to the internal IP address of the Exchange CAS server).
2. Public\external DNS server
Every Public facing Exchange CAS server will have at least, two public host names.
These public names (FQDNs) will have to be registered at the public DNS server
who hosts the company public domain name.
In our scenario, we will need to register under the o365info.com zone (domain
name) the following host names mail and autodiscover
3. Public Exchange server certificate
The Exchange CAS server certificate will need to include the two public names who
Page 28 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
When an external Exchange client needs to access his mailbox, the following flow is
implemented:
1. Locking for the Public IP of the Autodiscover Endpoint
The mail client connects the public DNS looking for the IP address of
mail.o365info.com (in the reality, the mail client will start the Autodiscover process
by looking for the host name o365info.com and only if he cannot find or connect to
this host, he will create an NDS query looking for the FQDN of the Autodiscover
Endpoint).
Page 29 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36
Page 30 of 30 | Should I use a single namespace for Exchange Infrastructure? | Part 1#2 |
Part 17#36