Some few customers are still running on premise legacy Exchange 2007 in parallel with Exchange 2013. In case you are offloading the authentication process on a Netscaler, you may encounter some Single Sign On (SSO) issues.
The picture below does state a scenario we have to deal with. We are authenticating our users on a Netscaler AAA level, and our content switching vServer is handeling the traffic between the Exchange environment (2007 and 2013) (Just OWA in this case), depending on partly which url the user is entering (this is further explained later on this article)
In this scenario, we do not have a clue regarding the location of our users mailboxes. They could reside on either 2007 or 2013 environment, which lead us to start thinking about the way we should authenticate our users, and how we alternatively need to configure our content switching policies to redirect users to respective users mail boxes.
Well! We do have two public URLs available:
1. URL 1 (Exchange 2007): exchange-legacy.domain.com
2. URL 2 (Exchange 2013): exchange.domain.com
Note that, Exchange 2007 introduced a new user attribute called msExchVersion that tracks the Exchange version a mailbox is created on. This may be useful if you want to manage mailboxes by Exchange version. In our case we will take advantage of those values, in order to authenticate our users towards the appropriate Exchange environment.
Here follows the typical “msExchVersion” values depending on Exchange version being used:
Exchange 2007 = “4535486012416”
Exchange 2010 = “44220983382016”
Exchange 2013 = “88218628259840”
This means:
If users mailbox resides on Exchange 2007 the attribute value is: 4535486012416
If users mailbox resides on Exchange 2013 the attribute value is: 88218628259840
So let’s start by configuring an LDAP action using group attribute name as msExchVersion
add authentication ldapAction LDAP_Action -serverIP 1.1.1.1 -ldapBase “dc=smali,dc=net” -ldapBindDn “CN=sa-ldap,OU=SA_Accounts,DC=smali,DC=net” -ldapBindDnPassword ae45267842d32e88e9 -encrypted -ldapLoginName samAccountName -groupAttrName msExchVersion
Create an LDAP policy using (ns_true) as expression and bind it to the action you just created. Bind this policy to your AAA vServer.
Now we need to create a couple of responder actions and policies to redirect the users to the right OWA (Exchange version) depending on the following:
1. The URL the user is using
2. The msExchVersion attribute value of the user
add responder action Exchange-2007-CS-OWA-Redirect-Action redirect “\”https://exchange-legacy.domain.com/owa\””
add responder action Exchange-2013-CS-OWA-Redirect-Action redirect “\”https://exchange.domain.com/owa\””
add responder policy Exchange-2007-CS-OWA-Redirect-Policy “HTTP.REQ.HOSTNAME.EQ(“exchange-legacy.domain.com”)&& HTTP.REQ.USER.IS_MEMBER_OF(\”4535486012416\”)” Exchange-2007-CS-OWA-Redirect-Action
add responder policy Exchange-2013-CS-OWA-Redirect-Policy “HTTP.REQ.HOSTNAME.EQ(“exchange.domain.com”)&& HTTP.REQ.USER.IS_MEMBER_OF(\”88218628259840\”)” Exchange-2013-CS-OWA-Redirect-Action
The final step is to bind your content switching policies to the content switching vServer, and the Netscaler will handle the OWA ridirection for you.