MS-203 Microsoft 365 Messaging Topic: Managing and Implementing Client Access Part 1
December 20, 2022

1. Understanding Client Access Services in Exchange

I want to spend some time now going over the concepts of understanding the client access services in Microsoft Exchange. Now, as I told you before, back when Exchange 2007 came out, they had broken Exchange into a bunch of different roles. And then slowly, over the years, Microsoft has gone in the opposite direction. They’ve now reduced Exchange to two main individual roles. One is the Edge Transport role here, and the other is the mailbox database server. So the mailbox server is going to be your main role as far as internal environments and internal networks go. Your mailbox server is going to host pretty much everything. However, one of the things that has happened recently is that we still have some of those hub transport services, client access services, and so on that we had as far back as Exchange 2007.

But what’s happened is they’ve condensed it all into this mailbox server role, okay? And the Edge transport role is similar to relaying data from the Internet. So let’s take a look at this diagram that we’ve got here. First things first. If you look at the inside of our network, we’ve got a couple of mailbox servers. We have three different mailbox servers. We have some mailbox databases. This is part of an active directory domain. So an on-premises domain adds value, right? From there, they set up a database availability group. So the databases on the mailbox servers here are synchronizing between the different mailbox servers. They have a load balancer on their internal network that’s probably just kind of funneling traffic as it flows in. That traffic could be dispersed to whichever of these three mailbox servers they want, depending on where that database currently exists. So that’s what our load balancer is going to do for us. And then we’ve got what’s called an “internal firewall” that’s separating this internal network from this perimeter network. The perimeter network is, of course, the DMZ, or Demilitarized Zone. We also have an Edge transport server.

So again, we’ve just got the two main roles in Exchange going on here. We’ve got the Edge transport server role, and we’ve got these mailbox servers, okay? And then from there, we’ve got another firewall. That firewall is called the external firewall. So, as I like to kind of show, we have an internal firewall here that’s going to connect to the internal network, and we have an external firewall that is connected to our perimeter and the Internet. So the internal firewall connects the internal network and the perimeter. An external firewall connects to the perimeter and the Internet. So as we get out on the Internet, we start working with cloud services. You’ll notice we have Exchange Online, all right? And Exchange Online has an extremely powerful protection system called Exchange Online Protection. And we can receive email coming in from external SMTP that can be managed by Exchange Online Protection. Or it could flow directly in. So I want you to notice that if you look at the Internet, there are three different ways that things are happening, okay? For one, we’ve got mobile devices, web clients, and Outlook clients that can talk straight through the perimeter if we want.

We can allow them to go straight through the perimeter and straight through our firewall and talk to our mail servers internally. Of course, as you can probably imagine, that’s not going to be the most secure way to go about doing things right. Another thing is that we can have email that comes from external email servers, which it relays to Edge, and then Edge sends it into our internal environment. And then finally, a third way—and this is actually the way Microsoft recommends it—is that everything funnels through Exchange Online Protection. EOP. Okay, as I mentioned previously, there is another component. If you’ve got the right licencing in your Microsoft365 environment, there is a technology you get: not only do you get EOP (Exchange Online Protection), but you also get ATP (Advanced Threat Protection), which is an incredibly powerful and secure technology that’s going to really increase the security in our environment. If it’s implemented with Advanced Threat Protection, we can do something called safe links, and we can do something called safe attachments. Okay, so safe links and safe attachments And this is going to actually scan every link and every attachment, which is really neat. It actually runs it in something called a detonation chamber, which is actually a containerized virtual machine. So every email that comes in, if it’s got an attachment, it’s got a link. It’s going to run it in this detonation chamber, which is a virtualized container where it checks from our side and actually analyses to see if whatever programme it is  trying to execute anything, if it’s trying to edit the registry, and if it’s a safe link.

If the link is safe, it actually follows the link in a web browser environment and actually tests the link to see if it’s malicious. So this is something that you get. This ATP is a subscription you can get if you have the Enterprise Mobility Plus security subscription, you get that. Now, whether you’ve got ATP or not, you definitely have EOP (Exchange Online Protection) as part of the deal. This is why Microsoft says you really should manage your mail flow so that everything goes through Exchange Online. If you have Exchange Online and are not only in a prem Exchange environment, everything should flow through Exchange Online. So the safest path, according to Microsoft, is to flow through Exchange Online to your edge and then into your environment. Even so, Microsoft recommends that if you’re interacting with your mail server in an internal environment, you should also relay that information to Exchange Online. As opposed to going to your mail server, your mail server is going straight out to the Internet. This is the recommended route that Microsoft says you should take if you really want to lock things down for client access services. So there are different ways you can go about doing it. Again, you can come straight in; even an external SMTP server can go straight in, but ultimately the most secure path is going to be Exchange Online protection.

And of course, if you’re taking this exam, you definitely want to be aware of the fact that that is their preferred solution. So if you want to know Microsoft’s preferred solution, you should manage your mail flow through Exchange Online. Then it would go into Edge, and then it would make its way internally. If mail is being sent, it should first go to your mailbox server, then to Edgeand, and finally to Exchange Online. Okay. Or, of course, another option is that you can eventually migrate everything away from Exchange on Demand and go full-blown into Exchange Online. That may be an option, or it may be something that you do far into the future. Okay? All right. But hopefully, you now have a better understanding of what’s going on with this client access service. You’ll also notice that this works with their voice over IP. They’ve got an office online server farm here; they have voiceover IP. It all integrates and can be managed and load balanced through this load balancer while still flowing in and out of your environment. But hopefully, you now have a solid understanding of the concept of client services. And, of course, the recommended path that MicroSoft suggests you take. 

2. Configuring Virtual Directories and URLs

The EAC modified the administration center. We’re going to click on servers. And then there is the virtual directory. Now the virtual directory—this is where the magic happens in terms of attaching everything to your Exchange environment. So you may be familiar with almost everything in Exchange. This will take place via HTTPS and, of course, your Web Server, IIS. And you’ve heard me say that Internet information services play a huge role in tying everything together with Exchange. Okay? So as you can see, these are all the different entryways that you have coming into Exchange.

You have your auto-discovery system for discovering what mailbox server you’re supposed to go to and talk to. You’ve got ECP, and that’s going to show this, which is actually what the EAC is showing. is coming from EWS Exchange Web Services. You have Mappy, the messagingAPI application programming interface. There’s active sync. You have OAB, which is your offline address book. You have Owa. That used to be called Outlook Web Access. Then it was changed to the Outlook Web App.

Now this is referred to as “Outlook on the Web.” And then, finally, you even have a PowerShell connection here. So these virtual directories are your entry points for locating Exchange client access services and then your mailbox server, mailbox database, and so on. Right? If someone wanted to access Outlook on the web, for example, we can double-click on this virtual directory and see that we currently have an internal URL, which is the NYC Ex One and we have no external URL. So we’ve got to change that. All right. So what we’re going to do is go to our DNS server and configure it so that you can type mail and get and find Exchange. Okay? So I’m going to jump over to the DNS server. Now we’re going to do that. So we’re on the Need one. Need One is our DNS server. Okay? So we can go in the server manager, we can go to Tools, and then we can click DNS, and that’s going to pop DNS up on our screen for us. Okay, so let me zoom in on that for you. We’ll take a closer look, and we have forward lookup zones. That is where our exam practice DNS database is located at.

So we’ll go there, and as you can see, we have different records here. Of course, our two Exchange servers, NYC exone and NYC extol, are listed there under 192 168 00:11 and then twelve. There are a few things I could do now, one of which is create a CNAME record to identify the email server as So if I right-click this and say new alias and type the word mail, then I’m going to link that to NYC, DC, or Ex One. The problem with that is that if I create a CNAME record, that’s going to work. If you go to Mail, it will simply redirect you here. The problem with that is that it doesn’t support load balancing unless you have a hardware-based load balancer. Now there is a trick you can pull with DNS. It’s called DNS round-robin.

So if either one of these servers could accept client access connections, which they can, and I wanted to load balance that, all I have to do is right-click my DNS server and go to Properties. Okay, I’m going to click the Advanced tab and this thing right here, which is actually already turned on—enable round robin. This makes it so that if I have two records that have the same name but point to different addresses, it’ll load balance my clients for me. Watch this. I’m going to do this mail, and then I’m going to put in the IP address of the first Exchange server, which is 192-1680 dot ten. Okay, done. So, we’ve got Mail dot exam, Now it’s going to point there, and then let’s try creating another one. Mail now, and we’ll do 192 later. I just realised I typed the wrong address on that first 100:12. That’s going to be our second one. And I need to actually fix this real quick. I didn’t mean to point to the domain controller. So at 00:11, those are our servers.

As you can see, NYC ex one maps to this one, and NYC ex two maps to that one. So what Round Robin will do, as people query Mail, is go back and forth, back and forth, back and forth. Another cool thing you can do is if your Exchange servers are in different offices and someone queries them via DNS, it will route them to the one closest to the client. But in order to do that, there’s a feature you have to turn on. If I right-click my server and go to Properties, I go to Advanced. The feature is this thing called “enable netbask ordering.” Netmask ordering makes it so that when somebody sends a query to DNS, it looks at their address and the subnet they’re on and tries to relay them to the one that it points them to as the one that is nearest to where they are. Okay, so now I’ve got my DNS server set up. Keep in mind that if I’m doing this on the inside, this is how I would do it on the inside. If I was doing it on the outside, I’d be pointing to my edge servers. Okay, so we’re setting this up right here, as though it were on the inside. In any case, if we were doing this externally, you would do it the same way you would have Edge one and Edge two instead of NYCex one and Edge two.

And you would do the exact same thing, just with an outside DNS server. So that gets our DNS stuff set up. Now we’re ready to jump back over to our Exchange server and configure our virtual directories. Okay? So the first thing I’m going to do now that I’m on my Exchange server is just shoot a ping out just to verify that DNS is actually responding the way it’s supposed to. So we’re going to try pinging mail, Round Robin is going to send me to the first one. And so we’re just going to go ahead, we’re going to ping, we’re going to hit enter on that, and see if we get a reply. And we were fortunate to have done so. And it went to the first one in this case. All right, so DNS is doing its job. That’s proof right there that it’s doing its job. That record is working. Okay, let’s go back into the EAC now. And we’re going to try this out with Owa. So we’re going to edit the OWA here.

Okay? We are going to change this path right here. So let me zoom in on that for you. We’re going to change this path. It’s no longer going to be a NYC-only one. I’m going to change it to mail. And I’m going to copy this path for external because it’ll be the same for external. Okay, we’re going to hit save on that now. Okay, so we’ve now officially got this edited, and we’ve made the internal and external mail servers for But there’s one more thing I want to do. I’m going to go up here to this little wrench symbol and configure the external access domain. So I need to clarify what the external access domain is going to be. So let’s click that, and it says, “Okay, what are the servers to use with the external URL?” Okay, well, in this case, I’ve only got a Nycx One booted up. Right now. I don’t have my second one set up at the moment, but I’m just going to add that first one, and then I’m going to identify it with Mail

Okay. So we’re going to save that. It’s going to take a moment. I’ll pause it and let it get done. Okay, so it’s done. I’m going to hit close. All right. And now we are officially ready to test this out. Okay? So I’m going to open up a different web browser. We’re going to open up Chrome for this. So we’re in a completely different web browser. All right. And we’ll put it in our path; we’ll put it in the Mail ECP. Okay? One thing you will notice is that it will inform you that it is not secure. And the reason we’re getting this message is because the digital certificate that Exchange has set up is not registered to that new name. Okay, we’re going to talk more about certificates a little later, but notice that it’s issued to NycxOne and the server is no longer identified. It’s not identified by that right now.

It’s identified by email at So you’re going to get that little message right now. If you get an error, you can simply tell it to continue anyway. And at that point, we’re ready to log on. Okay, let’s try going now to Owa. Let’s go to mail Okay, so I forgot to put the Http and S before it. There we go. I’m logging in with the Examlabpracticeadministrator, and I enter my password. Okay. So it’s popped up on the screen for us here. And, of course, I could check my email, send email, and do everything else at that point. Now, the virtual directory did work correctly for Owa. I want to show you now that you can also look at all this and manage it using EMS Exchange Management Shell, so we can actually use PowerShell. So I’m going to pop up my Exchange Management Shell,  and the first thing I want to do is show you that there are a lot of commands that involve virtual directories. So I’ll enter “Getcommandnounstar” into the virtual directory star. That’s going to show me every command where we have the noun “virtual directory” in the command, okay? And, as you can see, there are numerous commands. We were given a slew of git commands involving virtual directories. Okay.

We’ve got the ability to create new virtual directory information, remove a virtual directory, and then set virtual directories. So why don’t we use the virtual directory GetOWA? Now? It’s just going to give me, like, a quick table view, which is not really going to give me much information. But I wanted to show it to you to start with. So what it gives you is very basic. What I’m going to do now is hit the up arrow, and I’m going to pipe that to formatlist. That will take the object and show it to you completely, listing it out, rather than summarising it as in a table view. Now here’s what I want to show you. Examine the internal URL to see what it is set to, then the external URL. So that is exactly what we set it to a second ago. Of course, again, you could use the Set OWAvirtual Directory command if you wanted to alter that. Okay? All right. So hopefully that gives you guys a decent understanding now of managing these virtual directories using both the graphical tool as well as how we could do it through the EMS.

3. Working with Namespaces in Exchange Online

I now want to take some time and go through namespaces in dealing with Exchange Online. Okay, so you saw me draw this picture earlier in the course. I wanted to revisit this for a minute. So basically, what we have is our Active Directory domain, which is We’ve also got a Microsoft 365 cloud subscription. And we’ve set up Exchange Online in the cloud. Actually, there’s not really a lot of set up. When you subscribe to Microsoft 365, exchange online is already included and comes with EOP Exchange Online protection, though advanced threat protection is available. Okay, so this is all part of our Microsoft 365 services. Now the other thing is that when you set up a Microsoft 365 account, you’re going to get what’s called a tenant name. And the tenant name will have an extension. For example, when I set up the Exam lab practice, it would be examlabpractice

But that’s not what I want to be known as. I want my email space and my namespace to be Okay, well, I’ve already got it setup on the internal side of things. I need things to work on the external side as well. So in order to do that, you’re going to have to create what’s called a “custom domain name” in Microsoft 365. And that custom domain name is going to require you to create a text record or an MX record on your DNS server to prove that you actually own that name. Okay? So when I go to register that name, and I’m going to show you this here, coming up, when I go to register that name, Exchange Online is going to say, “Okay, if you really own this name,, you’ve got to prove it.”

So there are multiple ways you can prove it. One is that if you use GoDaddy, you can enter your GoDaddy credentials and it will log on to Go Daddy and verify that you own the name. Okay? If you aren’t using something like GoDaddy, then what it’s going to do is say, “I’m going to try to talk to your DNS server.” In this case, we’ve got a public-facing DNS server that’s in our DMZ. It’s not going to be able to hit this guy. You don’t want to expose your internal DNS server to the cloud. So you’re only exposing this, which is known as an Internet-facing DNS server. He’s in your DMZ. So what’s going to happen is that Exchange is going to say, “I need you to prove to me that you own the name.” So it’s going to tell me to create a text record with a code, okay? And I’m going to have to enter that code, or it’ll ask me to do that with an MX record. I can do either one of those. Use the text message with the code or MX record. I’m going to create that in this database. Then I’m going to come back in here to my Microsoft 365 services, and it’s going to verify that that record exists in the database. Okay? All right, so let me just say that we’re going to jump now into Microsoft 365, and I’ll demonstrate this. Okay. So I’m in Portal, and I’m going to drop everything down here. And then I’m going to click Settings and then Domains. Now that I’m here on Domains, you will notice that I actually already have the name registered. I also have my other domain name, the one.

But let’s pretend for a minute that I don’t actually have the name already registered. We’re going to click here on “add a domain,” and we’ll just say, “I’m going to call this” We’ll say again? If I were doing this for the first time, it would definitely be But we’re just going to put B there. I’m going to say, “Use this domain.” And here we go. This is what I was talking about. It’s going to ask me to verify that I actually own this name, okay? So I can verify by creating a text record in DNS for this guy right here. Or I can do it with an MX record. And I would create this record they told me to create in DNS. So we’re going to go to DNS and create this record so that we can prove to Microsoft 365 and Exchange Online that we actually own this name.

Okay? So we’re going to write this down or copy it, and we’re going to create this record in DNS. Okay? I’m now on my DNS server, all right. And there is the database right here. And all I’ve got to do is right-click this, and I can click to click on other new records. And then I’m going to scroll down and find the text record. So there it is, right there. I’m going to say “create a record,” and I’m going to actually leave this top field blank. This is where you actually have to put the code that they’re asking you to put in. So I’m going to say Ms. Equals. And then we’re going to put that same code in that they told us. 2814-1050. That was the code. Okay? So at that point, I would click OK. And I’ve now officially created this code and this record. As you can see, we’ll close this out of this.It’s right here. So that’s the code they’re looking for.

So then we’re going to jump back over to the Microsoft 365 dashboard, and that’s where we can verify. So here we are. We’re back. We would be able to now click “Verify,” and it would confirm that we actually own the record. Again, I’ve actually already registered it. And I don’t have the exam lab practise B, but I could say verify, and it would verify it for me. Okay, so at that point, it’s registered. The next step will be to log into Exchange Online. So let’s go over here to Exchange Online. Okay, so let’s return to Exchange Online. We’ve got mail flowing. We would want to go over here to accepted domains, and we would want to add our accepted domain there, which we’ve already got. is added as an exception to the domain.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!