The dual identity of the Exchange server | Part 08#36

One of the most confusing and unclear subjects in the Exchange architecture is what I describe as “the dual identity of the Exchange server”.

I use the term “dual identity” because the Exchange server relates differently to an Exchange client located on the internal (private) network than to an Exchange client located on the public network.

Exchange server split Personality


Q1: What is the reason for using this Exchange “dual identity”?

A1: The general answer is that the needs and the behavior of Exchange clients located on the internal (private) network differ from those of Exchange clients located on a public network.
For example, the underlying assumption is that the internal (private) network is considered “secured”, whereas the public network is considered “unsafe”, a network exposed to various threats.

For this reason, the communication protocol that the Outlook client uses to communicate with the Exchange server on the internal network does not have to be encrypted.

In contrast, when the Outlook client is located on a public network, a secure communication channel (an encrypted communication protocol) is mandatory, namely HTTPS.

Q2: Do all Exchange servers use a dual identity?

A2: The answer is “NO”. Only an Exchange server that is described as a public-facing Exchange server, meaning an Exchange server that is “exposed” to the public network and provides services to internal and external Outlook clients at the same time.

When the Exchange server has a “public identity” in addition to its “standard” private or internal identity, the Exchange server needs to use two different sets of parameters for communicating with internal versus external Outlook clients.

Exchange server dual identity

Q3: Is there a difference between Exchange 2007/2010 and Exchange 2013 regarding the subject of “dual identity”?

A3: Yes and no. Both Exchange 2007/2010 and Exchange 2013 are based on the concept of “dual identity”, in which Exchange uses two “languages”, or interfaces, for serving external versus internal Exchange clients.

The main difference is that Exchange 2013 places a mandatory requirement on internal and external Outlook clients alike to use only the Outlook Anywhere protocol (RPC over HTTPS) or, if the Outlook client supports the newer communication protocol, MAPI over HTTPS.

Exchange 2013 server - dual identity

Exchange 2007/2010 enables an Outlook client located on the internal network to use the RPC over TCP protocol.

Exchange 2007- 2010 server - dual identity

Q4: When you say that each of the Exchange interfaces has a particular character, what are these characters?

A4: The top three elements that use different parameters for internal versus external Outlook clients are:

  1. Communication protocol
  2. Authentication protocol
  3. Exchange web service URL address

Internal verse external Outlook parameters-01

In the following diagram, we can see the optional parameters for each of the Exchange interfaces (public versus internal).

1. Communication protocol

As mentioned, Exchange 2013 has a mandatory requirement that both internal and external Outlook clients use the Outlook Anywhere (RPC over HTTPS) protocol, whereas Exchange 2007/2010 uses Direct RPC (RPC over TCP) as the communication protocol for internal Outlook clients.

2. Authentication protocol

The authentication protocols that can be used are Basic authentication and NTLM authentication.

Note – technically speaking, an internal Outlook client can also use the Kerberos protocol, but we will not cover this option.

The Exchange administrator decides which authentication protocol is used by the internal and by the external Outlook clients.

3. Exchange web service URL address

When an Exchange server provides information about the existing Exchange web services and the hosts that provide them, the URL address of each Exchange web service differs for internal and external Outlook clients.

  • For internal Outlook clients, the Exchange web service URL address includes the internal (private) hostname of the Exchange server that provides the specific web service.
  • For external Outlook clients, the Exchange web service URL address includes the public hostname of the Exchange server that provides the specific web service.

Internal versus external Outlook clients-01

Q1: Who are the Exchange clients that interact with the dual identity of the Exchange server?

A1: The most prominent Exchange client that is “affected” by, and relates to, the “dual identity” of the Exchange server is the Outlook client.

The Autodiscover process implemented between the Outlook client and the Exchange server is based on the information that the Exchange server provides to the Outlook client (the Autodiscover response).

The Autodiscover information provided to the Outlook client includes two sets of configuration settings:

  • One set of configuration settings that is relevant only for the external Outlook client.
  • One set of configuration settings that is relevant only for the internal Outlook client.

Our main focus is on the Outlook as Autodiscover client

Mobile (ActiveSync) Exchange clients can communicate only with the “public identity” of the Exchange server.

The Exchange web client (OWA) can communicate with both the internal and the external identity of the Exchange server. The only factor that determines whether the internal or the external identity is used is the URL address that the OWA mail client types into the browser.

For example, when the Exchange server uses a different URL address for OWA services, users located on the organization’s internal network have to use a particular URL address for accessing OWA, whereas external OWA mail clients need to use the public OWA URL address.

In the following screenshot, we can see the Exchange 2010 server settings for the internal versus the external URL address that users need to use for accessing their mailbox with the OWA web client.

  • Internal users need to use the internal URL address – https://ex01.o365info.local/owa
  • External users need to use the external URL address – https://mail.o365info.com/owa

Exchange 2010 internal versus external URL address

In the following screenshot, we can see the same concept, but this time in the management interface of an Exchange 2013 based server.

Exchange 2013 – OWA URL address – internal versus external URL

Q1: How does the Exchange server “understand” that it has two different identities?

A1: This is a fascinating question, and the person who asks this question must be brilliant!

The Exchange server “understands” that it has two different identities when we choose to enable Outlook Anywhere on a particular Exchange server. After we enable Outlook Anywhere, the Exchange server “understands” that from now on it needs to support “two types” of Outlook clients – internal versus external Outlook clients.

The additional parameters that relate to the two identities of the Exchange server are the internal versus external URL addresses assigned to the various services that the Exchange server provides.

The ability of Exchange server to figure out that he has two different identities

In the following screenshot, we can see an example of the Exchange 2010 settings that relate to the Outlook Anywhere configuration.

We can see that the status of Outlook Anywhere is – Enabled.

Also, we can choose the authentication protocol used by the Outlook Anywhere client (Basic or NTLM authentication).

Exchange 2010 internal versus external identity settings-1

In the following screenshot, we can see an example of the Exchange 2013 settings that relate to the Outlook Anywhere configuration.

The Exchange 2013 architecture includes a couple of updates that relate to the Outlook Anywhere settings.

For example, Exchange 2013 enables us to define a different Exchange server name for internal Outlook clients versus external Outlook clients.

Exchange 2013 internal versus external settings

Q1: How are the required parameters configured for each of the different Exchange identities?

A1: Some of the parameters are considered “default parameters”, and the Exchange administrator has the ability to change or update these particular settings based on his needs.

Some of the parameters can be configured by using the Exchange graphical interface, and some of the parameters can be defined only by using PowerShell.
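The following Exchange Management Shell script is an added example, not part of this article or of any Microsoft documentation. It sets the three per-identity elements discussed above (communication protocol, authentication protocol, web service URL addresses) on an Exchange 2013 Client Access server and then reads them back into one table, flagging an identity that would accept Basic credentials without requiring SSL. The server name EX01 and the hostnames ex01.o365info.local and mail.o365info.com are the article's own sample names and must be replaced with your own; the cmdlet parameters are the Exchange 2013 ones (Exchange 2010 exposes only -ExternalHostname and -ClientAuthenticationMethod on Set-OutlookAnywhere).

```powershell
# Added example (not from the article): configure and then review the per-identity
# settings of an Exchange 2013 Client Access server from the Exchange Management Shell.
# EX01, ex01.o365info.local and mail.o365info.com are placeholders taken from the
# article's own screenshots; replace them with your server and namespaces.
$Server       = 'EX01'
$InternalHost = 'ex01.o365info.local'
$ExternalHost = 'mail.o365info.com'

# 1 + 2: communication and authentication protocol, one set of values per identity.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $InternalHost -InternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $ExternalHost -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic `
    -IISAuthenticationMethods Basic, Ntlm

# 3: web service URL addresses, one internal and one external URL per virtual directory.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$InternalHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$InternalHost/OAB" -ExternalUrl "https://$ExternalHost/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$InternalHost/owa" -ExternalUrl "https://$ExternalHost/owa"

# Review: collect the identity-specific values of every relevant object into one table,
# and warn about an identity that offers Basic authentication without requiring SSL.
function Get-ExchangeDualIdentityReport {
    param([Parameter(Mandatory)][string]$Server)

    $oa = Get-OutlookAnywhere -Server $Server
    $rows = @(
        [pscustomobject]@{
            Component    = 'OutlookAnywhere'
            Internal     = $oa.InternalHostname
            External     = $oa.ExternalHostname
            InternalAuth = $oa.InternalClientAuthenticationMethod
            ExternalAuth = $oa.ExternalClientAuthenticationMethod
            InternalSsl  = $oa.InternalClientsRequireSsl
            ExternalSsl  = $oa.ExternalClientsRequireSsl
        }
    )
    # Each virtual directory carries the pair InternalUrl / ExternalUrl.
    $vdirs = @(Get-WebServicesVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server) +
             @(Get-OwaVirtualDirectory -Server $Server)
    foreach ($v in $vdirs) {
        $rows += [pscustomobject]@{
            Component = $v.Name; Internal = $v.InternalUrl; External = $v.ExternalUrl
            InternalAuth = $null; ExternalAuth = $null; InternalSsl = $null; ExternalSsl = $null
        }
    }
    # Basic authentication sends the password in clear text inside the HTTP request;
    # without SSL being required, that is the "unsafe network" case the article warns about.
    foreach ($side in 'Internal', 'External') {
        if ($oa."${side}ClientAuthenticationMethod" -eq 'Basic' -and -not $oa."${side}ClientsRequireSsl") {
            Write-Warning "$side Outlook Anywhere identity uses Basic authentication without requiring SSL"
        }
    }
    $rows
}

Get-ExchangeDualIdentityReport -Server $Server | Format-Table -AutoSize
```

Run the Set-* part once per Client Access server; the report function can be run on its own at any time and is the quickest way to spot a server whose internal and external identities drifted apart (for example, a virtual directory whose ExternalUrl still carries the internal hostname).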

Q2: How does Outlook recognize its physical location (internal versus external network)?

A2: The method that the Outlook client uses for recognizing its “location” (internal versus external network) depends on the Exchange server version and on the communication protocol used by the Outlook client.

Outlook client physical location

In an Exchange Server 2007/2010 based environment, the method utilized by the Outlook client builds upon an algorithm described as “Fast/Slow network”.

The logical assumption on which the algorithm relies is that the internal network (LAN) is considered a “fast network”, while the public network is recognized as a “slow network”.

My opinion is that the logic behind this method was “correct” in the past, but in a modern network environment the logic of this algorithm cannot be realized.

The simple explanation is that nowadays even a home network connected to the public network (WAN) has very fast bandwidth, very similar to the bandwidth of an internal (LAN) network.

In a scenario in which the Exchange environment is based on 2007/2010, the Outlook Anywhere client tries to estimate the network speed.

  • If the Outlook client “decides” that it is located on a “fast network” (LAN), the Outlook client tries to use the Direct RPC (RPC over TCP) protocol as the communication protocol with the Exchange server.
  • If the Outlook client “decides” that it is located on a “slow network” (WAN), the Outlook client tries to use the Outlook Anywhere (RPC over HTTPS) protocol as the communication protocol with the Exchange server.

Exchange server version 2007- 2010 - Communication methods with Outlook client

In an Exchange 2013 server-based environment, the method used by the Outlook client for recognizing which network type it is located on is built differently.

Exchange 2013 provides the Outlook client with information (Autodiscover information) about its internal name and its external name.

By default, the Outlook Anywhere client (Exchange 2013 supports only Outlook Anywhere clients) tries to communicate with the Exchange server using the internal hostname. If the Outlook client does not manage to communicate with the internal Exchange hostname, the Outlook client tries to address the Exchange server by using its external hostname.

Exchange server version 2013 - Communication methods with Outlook client

Exchange Server 2013 introduces the InternalHostname property in Outlook Anywhere. When you use Outlook Anywhere to connect to Exchange Server 2013, Outlook first uses the internal host name. However, when Outlook cannot connect to Exchange Server 2013 by using the internal host name, Outlook uses the external host name instead of the internal host name.

[Source of information – Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment]

Q: How does the Exchange server “tell” the Outlook client about its dual identity?

A: The way the Exchange server provides information about its different identities (internal versus external), and the distinct characteristics of each identity, is by using the Autodiscover information.

When the Outlook client addresses the Exchange server asking for Autodiscover information, the Exchange server provides the Outlook client with detailed information about the internal and external Exchange infrastructure by using the Autodiscover response.

For example, the Autodiscover response includes information about how to address the Exchange server (which URL address to use) when the Outlook client is located on the internal (private) network versus when the Outlook client is located on the external network.

Exchange server provide information using the Autodiscover response

In the following diagram, we can see an example of the concept of the dual identity of the Exchange server and the Autodiscover response.

The Autodiscover response includes all the available information about the external and the internal Exchange infrastructure.

  • When the Outlook client “recognizes” that it is located on the internal network, it uses only the part of the Autodiscover response that relates to the internal Exchange identity (green in our diagram).
  • When the Outlook client “recognizes” that it is located on the external network, it uses only the part of the Autodiscover response that relates to the external Exchange identity (red in our diagram).

Outlook client - Internal versus external configuration settings

Q: What are the parameters that are included in the Autodiscover response?

A: The Autodiscover response includes many different parameters that we will not review in the current article, but the most prominent parameters that relate to the

1. Communication protocol

Exchange 2007/2010 supports two major communication protocols that can be used by Outlook clients:

  • Outlook Anywhere – RPC over HTTPS or RPC over HTTP.
    The concept of this protocol is based on a method described as encapsulation: one protocol uses another protocol as a “transport mechanism”. The RPC protocol uses the HTTP or the HTTPS protocol as its “transport protocol”. Technically, Exchange administrators can choose to use HTTP (an unencrypted communication protocol) or HTTPS (a secure communication protocol) as the transport protocol.
  • Direct RPC (RPC over TCP)
    A communication protocol that can be used by the Outlook client only on the internal (private) network.

2. Authentication protocol

The Exchange administrator decides which authentication protocol is used by the internal and by the external Outlook clients.

The optional authentication protocols are NTLM or Basic authentication.

3. Exchange web service URL address

The Exchange server “tells” the Outlook client about the available Exchange web services by publishing the URL address of each of the existing Exchange web services.
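To make the two sets of settings in the Autodiscover response concrete, here is an added PowerShell example (not from the article, and not Microsoft's code). It parses a constructed, cut-down Autodiscover response that carries one EXCH protocol block (the internal identity) and one EXPR block (the external identity), lists the three elements discussed above for each identity, and then picks an endpoint the way the article describes Exchange 2013 clients doing it: the internal hostname first, the external hostname only when the internal one does not answer. The element names (EXCH, EXPR, Server, SSL, AuthPackage, EwsUrl, OABUrl) are the ones the Autodiscover response schema uses, but the sample XML is hand-written and omits most of a real response; the hostnames are the article's own sample names, and the probe script block is an assumption that stands in for the client's connection attempt.

```powershell
# Added example (not from the article): read the internal (EXCH) and external (EXPR)
# settings out of a constructed Autodiscover response, then choose an endpoint with the
# Exchange 2013 "internal hostname first, then external" behaviour the article describes.
# The XML is a hand-written, cut-down sample; the hostnames are the article's placeholders.
$AutodiscoverXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>ex01.o365info.local</Server>
        <EwsUrl>https://ex01.o365info.local/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://ex01.o365info.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.o365info.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.o365info.com</CertPrincipalName>
        <EwsUrl>https://mail.o365info.com/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://mail.o365info.com/OAB/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-AutodiscoverIdentities {
    # Returns one object per Protocol block, tagged with the identity it belongs to.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($p in $doc.Autodiscover.Response.Account.Protocol) {
        $identity = switch ($p.Type) { 'EXCH' { 'Internal' } 'EXPR' { 'External' } default { 'Other' } }
        [pscustomobject]@{
            Identity    = $identity
            Protocol    = $p.Type          # EXCH = RPC over TCP, EXPR = Outlook Anywhere
            Server      = $p.Server        # the hostname the client will address
            Ssl         = $p.SSL           # $null when the block carries no SSL element
            AuthPackage = $p.AuthPackage   # $null when the block carries no AuthPackage element
            EwsUrl      = $p.EwsUrl
            OabUrl      = $p.OABUrl
        }
    }
}

function Select-OutlookEndpoint {
    # Exchange 2013 behaviour: try the internal hostname, fall back to the external one.
    # $Probe is an assumed stand-in for the client's connection attempt; the default
    # checks TCP 443 with Test-NetConnection and is only meaningful on a live network.
    param(
        [Parameter(Mandatory)][string]$InternalHostname,
        [Parameter(Mandatory)][string]$ExternalHostname,
        [scriptblock]$Probe = {
            param($h)
            (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    )
    foreach ($h in $InternalHostname, $ExternalHostname) {
        if (& $Probe $h) { return $h }
    }
    return $null   # neither identity answered
}

$ids = Get-AutodiscoverIdentities -Xml $AutodiscoverXml
$ids | Format-Table Identity, Protocol, Server, Ssl, AuthPackage, EwsUrl -AutoSize

# An identity that advertises Basic authentication without SSL would send the password in
# clear text over the network the article calls "unsafe"; surface it.
$ids | Where-Object { $_.AuthPackage -eq 'Basic' -and $_.Ssl -ne 'On' } |
    ForEach-Object { Write-Warning "$($_.Identity) identity offers Basic authentication without SSL" }

$internal = ($ids | Where-Object Identity -eq 'Internal').Server
$external = ($ids | Where-Object Identity -eq 'External').Server

# Offline demonstration: a simulated probe in which only the public hostname answers,
# i.e. the client is outside the private network and falls back to the external identity.
$simulated = { param($h) $h -eq 'mail.o365info.com' }
Select-OutlookEndpoint -InternalHostname $internal -ExternalHostname $external -Probe $simulated
```

With the simulated probe the last call returns the external hostname, which is the article's "external client" case; drop the -Probe argument on a domain-joined workstation to let Test-NetConnection decide, and you reproduce the Exchange 2013 selection order end to end. The same parser can be pointed at a response saved from Outlook's "Test E-mail AutoConfiguration" dialog to compare what the server actually publishes against the virtual-directory settings.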

Outlook client - Internal versus external configuration settings -The specific configuration parameters

In the following diagram, we can see an example of the different characteristics of each of the Exchange “identities”.

For example, the Exchange web services that are “published” to the internal Outlook client are based on a URL address that includes the private (internal) hostname of

Outlook client - Internal versus external configuration settings - Specific configuration parameters example

In the following diagram, we can see an example of the methods used by the Outlook client for “selecting” a particular communication method with the Exchange server.

  • An Outlook client that uses the RPC over HTTPS protocol determines the network type (external versus internal) by trying to measure the speed of the communication link.
  • An Outlook client that uses the MAPI over HTTPS protocol uses a default option in which the Outlook client first tries to address the Exchange server as an “internal client” and, if that communication cannot be established, communicates with the Exchange server as an external client.

Outlook client version, Exchange Server version - Internal and external communication methods-01

Author: Eyal Doron
Publisher: o365info.com