Overview of Exchange Server 2007 CAS Proxying and Redirection


In a Microsoft Exchange Server 2007 organization, a computer running Exchange 2007 with the Client Access Server role installed can act as a proxy for other Client Access Servers in the organization. This is useful when multiple Client Access Servers (CAS) are present in different Active Directory sites and only one of them is exposed to the Internet.

Note: If your Active Directory forest has only one site, you do not have to configure Exchange 2007 for proxying or redirection.

A Client Access Server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user connects to a Client Access Server that is not in their local Active Directory site. For redirection, each site must have an Internet-facing CAS with the ExternalURL attribute set. Having the ExternalURL set is not a default configuration in Exchange 2007.

This topic explains how Client Access Server Proxying, Redirection and “Find the Best CAS” work, when each is used, and how to configure your Client Access Servers for different scenarios.

Understanding CAS Proxying

In Exchange 2003, the front-end server communicates with the back-end server over HTTP. In Exchange 2007, the Client Access Server communicates with the mailbox server over RPC.

It is a requirement to have a Client Access Server in each site where there is an Exchange 2007 Mailbox Server. The recommendation is to make the Client Access Server the first Exchange 2007 server role installed in each Active Directory site. If a site had only a Mailbox Server role and no Client Access Server, no users in that site would be able to connect to their mailboxes via Outlook Web Access, ActiveSync, Exchange Web Services, POP3 or IMAP4.

A Client Access Server can be configured for internal access only, or it can be Internet-facing; in this topic the Internet-facing server is called the “First CAS”. If there is no Internet-facing Client Access Server in the same site as the mailbox, the request is proxied from the Internet-facing Client Access Server to the internal Client Access Server in that site, called the “Second CAS”. All the traffic between First CAS and Second CAS is over http(s).

Note: By default, Exchange 2007 installs a self-signed certificate when you install the Client Access Server role. It is recommended that you replace it with a certificate issued by a public or a private certification authority.

Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync, Exchange Web Services, and the Availability service.

An Exchange 2007 Client Access Server can proxy requests in the following two scenarios:

Between Exchange 2007 Client Access Servers

Organizations that have multiple Active Directory sites can designate one Client Access Server as an Internet-facing server, the “First CAS”, and have that server proxy requests to Client Access Servers in sites that have no Internet presence, each a “Second CAS”. The First CAS proxies the request to the Second CAS that is closest to the user’s mailbox. This is known as CAS-CAS proxying, as shown in the following illustration:

The mailbox of User2 is located on mailbox server MBX2 in a remote Active Directory site with no presence on the Internet. When User2 accesses his mailbox via OWA or ActiveSync, the First CAS, which is exposed to the Internet, receives the request and proxies it to the Second CAS in the AD site where the User2 mailbox is located.

Note: Integrated Windows authentication must be enabled for the /owa virtual directory on the Second CAS, via the Exchange Management Console or the Exchange Management Shell. For the /Microsoft-Server-ActiveSync virtual directory on Exchange 2007 SP1, you can enable it from the Exchange Management Shell with the Set-ActiveSyncVirtualDirectory cmdlet.

Between an Exchange 2007 Client Access Server and an Exchange Server 2003 Back-end server

Proxying requests between an Exchange 2007 Client Access server and a Microsoft Exchange Server 2003 front-end server enables Exchange 2007 and Exchange 2003 to coexist in the same organization. External clients who connect to Outlook Web Access by using the /Exchange virtual directory, or to Exchange ActiveSync by using the /Microsoft-Server-ActiveSync virtual directory, have their requests proxied to the appropriate Exchange 2003 back-end server:

The above illustration presents the scenario where the mailbox of User2 is located on an Exchange 2003 back-end server in a remote Active Directory site. When User2 accesses his mailbox via OWA or ActiveSync, the First CAS proxies the request not to the Second CAS or to any Exchange 2003 front-end server, but straight to the Exchange 2003 back-end server where the user mailbox is located, via http. If the mailbox is located on an Exchange 2003 back-end server in the same Active Directory site as the CAS, as for User1, the First CAS likewise proxies the request straight to the Exchange 2003 back-end server via http.

Note: Integrated Windows authentication for the /Exchange and /Microsoft-Server-ActiveSync virtual directories must be enabled via Exchange System Manager on the Exchange 2003 back-end server.

Neither proxying nor redirection supports virtual directories that use Basic authentication. For client communications to be proxied or redirected between virtual directories on different servers, Integrated Windows authentication must be turned on for /owa and /Microsoft-Server-ActiveSync on the Second CAS, and for /Exchange and /Microsoft-Server-ActiveSync on an Exchange 2003 back-end server.

Note: CAS-CAS proxying does not work for Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4 (IMAP4) clients. A client using POP3 or IMAP4 must connect to a Client Access server in the same Active Directory site as their Mailbox server. If the user mailbox is located on an Exchange 2003 back-end server, POP3 and IMAP4 requests are proxied from the CAS to the Exchange 2003 back-end server.

Understanding CAS Redirection

Redirection is used when the organization has multiple Exchange 2007 Client Access Servers in different Active Directory sites that are Internet-facing and have the ExternalURL attribute set.

Outlook Web Access users who access an Internet-facing Client Access server in a different Active Directory site than the one containing their mailbox can be redirected to the Client Access server in the same site as their Mailbox server, provided that Client Access server is Internet-facing. When Outlook Web Access users try to connect to a Client Access server outside the Active Directory site that contains their Mailbox server, they see a Web page with a link to the correct Client Access server for their mailbox. The scenarios below show how redirection works for Outlook Web Access and ActiveSync users.

The mailbox of User2 is located on mailbox server MBX2 in a remote Active Directory site where the Second CAS is Internet-facing and the ExternalURL attribute is set on its /owa virtual directory. When User2 accesses his mailbox via OWA through the First CAS, the First CAS checks whether ExternalURL is configured on the Second CAS. Because it is, the First CAS returns a web page containing a link to the correct Client Access server for the mailbox, in this case the Second CAS in the remote AD site.

The mailbox of User2 is located on mailbox server MBX2 in a remote Active Directory site where the Second CAS is Internet-facing and the ExternalURL attribute is set on its /Microsoft-Server-ActiveSync virtual directory. When User2 accesses his mailbox via ActiveSync through the First CAS, the First CAS checks whether the ExternalURL attribute is configured on the Second CAS. Because it is, the First CAS returns HTTP error code 451 and logs Event ID 1008 in the Application event log.

In this case, you have to re-create the device partnership, pointing the device at the correct Exchange 2007 Client Access Server.

Note: Redirection is supported only for clients that use Outlook Web Access. Clients that use Exchange ActiveSync, Exchange Web Services, POP3, and IMAP4 cannot use redirection.
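The following Exchange Management Shell script is an added example and not code from the original post. It audits the two prerequisites described above: Integrated Windows authentication on a Second CAS that receives CAS-CAS proxied requests, and ExternalURL on /owa and /Microsoft-Server-ActiveSync, which decides whether a site's users are redirected (OWA link page, ActiveSync HTTP 451) or proxied; it then looks for Event ID 1008 on the server it runs on. Server and site names are read from your own forest; SECONDCAS in the remediation lines and the ActiveSync event source filter are placeholders/assumptions.

```powershell
# Added example: audit CAS-CAS proxying and redirection prerequisites (Exchange 2007 SP1 EMS).
$rows = @()
$casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }

foreach ($cas in $casServers) {
    # Site is an ADObjectId; .Name is the leaf AD site name.
    $site = $cas.Site.Name

    # Only the Exchange 2007 /owa directory matters here; /Exchange, /Public and
    # /ExchWeb are legacy directories (OwaVersion = Exchange2003or2000).
    $owa = Get-OwaVirtualDirectory -Server $cas.Name |
        Where-Object { $_.OwaVersion -eq 'Exchange2007' }
    $eas = Get-ActiveSyncVirtualDirectory -Server $cas.Name

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Site        $site
    $row | Add-Member NoteProperty Server      $cas.Name
    $row | Add-Member NoteProperty OwaExternal $owa.ExternalUrl
    $row | Add-Member NoteProperty OwaIWA      $owa.WindowsAuthentication
    $row | Add-Member NoteProperty OwaBasic    $owa.BasicAuthentication
    $row | Add-Member NoteProperty EasExternal $eas.ExternalUrl
    # WindowsAuthEnabled on the ActiveSync directory exists from Exchange 2007 SP1.
    $row | Add-Member NoteProperty EasIWA      $eas.WindowsAuthEnabled
    $rows += $row
}

$rows | Sort-Object Site, Server | Format-Table -AutoSize

# Per-site verdict: will requests for this site be redirected or proxied, and
# does every CAS in the site meet the proxy-target authentication requirement?
foreach ($grp in ($rows | Group-Object Site)) {
    $owaRedirect = @($grp.Group | Where-Object { $_.OwaExternal -ne $null }).Count -gt 0
    $easRedirect = @($grp.Group | Where-Object { $_.EasExternal -ne $null }).Count -gt 0
    $noIwa       = $grp.Group | Where-Object { -not ($_.OwaIWA -and $_.EasIWA) }

    Write-Host ("Site {0}:" -f $grp.Name)
    if ($owaRedirect) { Write-Host "  OWA: users arriving at another site's CAS get a link page to this site." }
    else              { Write-Host "  OWA: requests for this site are proxied CAS-CAS." }
    if ($easRedirect) { Write-Host "  ActiveSync: other sites return HTTP 451; devices must be re-partnered to this site." }
    else              { Write-Host "  ActiveSync: requests for this site are proxied CAS-CAS." }
    foreach ($s in $noIwa) {
        Write-Host ("  WARNING: {0} lacks Integrated Windows auth on /owa or /Microsoft-Server-ActiveSync; proxied requests to it will fail." -f $s.Server)
    }
}

# Remediation on a Second CAS (remove -WhatIf to apply; SECONDCAS is a placeholder).
# Forms-based auth is turned off on the proxy target because the First CAS handles the user logon.
# Set-OwaVirtualDirectory -Identity "SECONDCAS\owa (Default Web Site)" -WindowsAuthentication $true -FormsAuthentication $false -WhatIf
# Set-ActiveSyncVirtualDirectory -Identity "SECONDCAS\Microsoft-Server-ActiveSync (Default Web Site)" -WindowsAuthEnabled $true -WhatIf

# Detection: ActiveSync redirect responses on the First CAS are logged as Event ID 1008.
# The source-name filter is an assumption; adjust it to what your servers log.
Get-EventLog -LogName Application -Newest 1000 |
    Where-Object { $_.EventID -eq 1008 -and $_.Source -like '*ActiveSync*' } |
    Select-Object TimeGenerated, Source, EventID, Message
```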

In the next two blog posts on the subject, I will cover how Exchange 2007 CAS Proxying works for ActiveSync and OWA clients.

Additional reading on the subject

Microsoft Exchange Server 2007 Product Documentation

http://technet.microsoft.com/en-us/library/bb124558.aspx

How to enable SSL for all customers who interact with your Web site in Internet Information Services

http://support.microsoft.com/kb/298805/en-us

How to Use Certificates with Virtual Servers in Exchange Server 2003

http://support.microsoft.com/kb/823024/en-us

Understanding Proxying and Redirection

http://technet.microsoft.com/en-us/library/bb310763.aspx

The proxy request has failed to authenticate

http://technet.microsoft.com/en-us/library/bb217371.aspx

Vandy Rodrigues

Comments (28)
  1. tom kern says:

    So, does this mean you can put a CAS server in your DMZ à la Exchange2k3 FE/BE scenarios?

    or is this not supported by MSFT?

    Good article.

    Great site

    Thanks

  2. Nik says:

    Ditto Tom’s comment above – what’s the best way to put the CAS server in the DMZ (outside of the domain)? As far as I can see, edge servers do not support forwarding CAS requests.

  3. bday says:

    We haven’t had a FE in the DMZ since Exchange 2000, and it was an absolute pain in the neck to support. It talked over IPSec to the backend server and a couple pre-defined GCs. It was a very happy day when ISA went into the DMZ and the Exchange 2003 FE was brought up on the internal network instead. Sooooo much easier to administer, and more fail-safe not having to tell the box it can only use a couple GCs with IPSec. :)

  4. Lynn_Lunik says:

    The Microsoft Exchange Team (in this case Vandy Rodrigues) has posted a detailed Technical Article on the considerations for the Client Access Server Role.  Specifically, this article is of interest for Organizations with multiple Active Directory Sites and who intend to place Client Access Servers at local AD Sites.

  5. Jice says:

    Hello,

    I have two questions :

    – on the illustration of the scenario with ex2k7 and ex2k3, it seems that the http requests for user2 are sent to the FE and not to the BE, is it normal?

    – the internet CAS redirection works only when the CAS can be reached from the internet; does a method exist to do the same thing automatically with ISA Server 2006?

    Thx

  6. Elan Shudnow says:

    Thanks for this article.  One thing I’d like to request is how Autodiscover works in this situation as well.  Based on what I have read, I believe it works in the following way. You should have autodiscover.domain.com point to your Internet facing CAS.  So let’s say you have two sites, one in Europe and one in US.  If a user who is external in Europe contacts the internet facing CAS in USA and hits the autodiscover, it should be presented with the External URLs.  The Autodiscover should present the external URLs for the Internet facing CAS server who will then do Proxying or Re-Direction depending on if your Europe CAS has externalURL configured.  Am I correct in my assumption?

  7. Craig Beere says:

    There is an inconsistency between text and picture. The text says FirstCAS proxies the request straight to the remote backend E2k3 server but the picture shows it proxying to the remote frontend server.

  8. jimwest says:

    Hi Everyone,

    It just so happens that Vandy is out on vacation so I was asked to stop by and address some of the questions popping up about the post.

    CAS server in DMZ
    It can work but don’t do it.  But don’t take my word for it, here’s a quote from the PM for Front End Server:

    Rahul Dhar said:
    Hi Andrew,

    You should NOT put CAS in the DMZ.  It’s not a scenario we test, support, or recommend.  CAS isn’t designed to live there.  ISA is designed to work in the DMZ.  You can put ISA there, and have it connect to the CAS in your internal network.

    You can read the entire entry here:

    http://msexchangeteam.com/archive/2007/02/07/434523.aspx

    Jice and Craig

    You are both right, that image isn’t very clear on what is happening.  A CAS server will connect directly to the mailbox server on behalf of the user.  A CAS server may ‘proxy’ this request to another CAS server in the local site of the mailbox server but in the case of Exchange 2003 it goes right for it.

    In regards to the ISA question, if I understand you correctly, you are asking if ISA is able to determine a site ‘affinity’ and redirect clients to the appropriate CAS server.  To my knowledge, no.  ISA will publish the CAS server and the CAS server will handle that.  I’m sure we’ll hear all about it if I’m wrong so stay tuned for any updates on that one and please correct me if I’m not understanding your question.

    Elan

    If I follow you correctly, yes you appear to understand how this works.  I’m sure you have read plenty of blogs and technet articles already but this may help if you don’t mind me dropping down a few links:

    How to Configure Exchange Services for the Autodiscover Service
    http://technet.microsoft.com/en-us/library/bb201695.aspx

    White Paper: Exchange 2007 Autodiscover Service
    http://technet.microsoft.com/en-us/library/bb332063.aspx

    Of course this leads to the certificates can of worms:

    Exchange 2007 Autodiscover and certificates
    http://msexchangeteam.com/archive/2007/04/30/438249.aspx

    and this is one of the best articles ever written in the history of mankind.  The authors of this are clearly brilliant and good looking:

    More on Exchange 2007 and certificates – with real world scenarios
    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

  9. NikHunt says:

    Hi Jim,

    How about letting https into the cas inside your network?

    Do we really need to buy ISA for this?

  10. jimwest says:

    Hi NikHunt,

    No, you don’t have to buy ISA to publish HTTPS into your LAN through your firewall(s).

    Jim

  11. Adam Xu says:

    Hi Jim,

    In this blog, it states "All the traffic between First CAS and Second CAS is over http(s).". Sounds like the proxy requests between two CAS servers will be via HTTPS by default. But in another article,

    http://technet.microsoft.com/en-us/library/bb218543.aspx, it states "By default, proxy requests do not use SSL." Does that mean I have to follow one of the actions, such as installing public certificate on all the CAS servers, in order to make the proxy requests to use HTTPS? Appreciate if you could confirm on this.

    Thanks,

    Adam

  12. jimwest says:

    Hey Adam,

    Yes, CAS-CAS Proxy is done via HTTPS.  The article you are referencing is a bit old and I vaguely recall that it may have been accurate at that time but everything is ‘secure by default’ now.  I’ll try to get the article updated ASAP.

    In regards to installing public certificates, this isn’t required for proof of concept installations or initial deployments.  However, you’ll want to review some of the excellent blog posts on the subject and plan accordingly.  There are several links about this referenced above.

    The article you reference does include some optional configurations on how certs are used, so you aren’t stuck with the default configuration although I highly recommend that you don’t stray too far from it.  There’s also this; it’s a little short on details but it’s a good overview:

    Understanding Proxying and Redirection
    https://technet.microsoft.com/en-us/library/bb310763.aspx

  13. Jice says:

    Hi Jim,

    thanks for the answer. Let me clarify my questions about ISA: I have two physical sites. On each site I have an ISA cluster and some Exchange 2007 Cluster. I have one OWA url for each site (eg. webmail-siteA.corp.com and webmail-siteB.corp.com)

    The mailbox of userA is hosted on siteB. The user tries to access his mailbox with the URL webmail-siteA.corp.local. The ISA of site A sends requests to the CAS of site A, which proxies them to the CAS of site B. I haven’t found any method to redirect the user to the ISA of site B and I doubt it is possible. Am I right?

    Thanks,

    Jice

  14. Borat says:

    Glad to see Exchange gets simpler and serves me (more than the other way around) by the day….

  15. Alginald says:

    Is it true that CAS Proxying disables Sharepoint/File Server Access? i.e. If I only want to publish one f/e to the internet, and rely on CAS proxying for the other sites, I can’t access Sharepoint and file shares?

  16. jimwest says:

    Alginald,

    This is correct, for now.  CAS-CAS intersite proxy will not work with Sharepoint or UNC sites.  If this is truly critical to your deployment but you are limited in how many servers you can deploy, perhaps you should consider a centralized deployment to avoid the problem altogether.  There are several ways you can work around this and still be in a supported configuration.

    Jim

  17. Jice says:

    Hi all,

    I answer to myself. You can use CAS redirection with ISA 2006 ;-).

    Just forward the original host header on the ISA rules and indicate the same host header on the external URL (be careful with AD replication). The user will receive the message inviting him to use the URL of site B. The drawbacks are the second authentication on the ISA server on site B and the obligation for the user to connect to the URL of site B.

    Jice

  18. Raymond Diack says:

    Hi Jim

    Just to piggy-back off NikHunt’s question re. needing ISA for publishing your CAS to the internet… we have a Cisco PIX 515 firewall.  In the past we’ve always used a simple translation to expose our FE’s internal IP as an external IP, and only allowed certain necessary ports etc.  Will this still suffice for exposing our CA server?  At the moment we’ve just got one server running CA/MB/HT roles but we want to get another server for the CA role to separate OWA from mailboxes.  We don’t particularly want to move over to ISA.

    Any suggestions/comments?

    Thanks, Ray.

  19. donteh says:

    Jim/Vandy,

    For environments that have a centralized deployment of Exchange mailbox servers, but wish to distribute CAS geographically – placing CAS closer to the remote client while ensuring that OWA/EAS traffic passes over a private network infrastructure rather than the Internet, is it possible to *disable* CAS redirection and force CAS proxying?  (i.e. prevent redirection of the remote client to the ExternalURL of the mailbox-server-site-resident CAS?)

    DJ

  20. jimwest says:

    Hi Ray,

    Yes, that will work fine.

    DJ,

    Thanks for posting both your question and your answer :-)

    Jim

  21. Ivan Prescott says:

    Lynn Lunik makes reference to an article discussing placing Internet facing CAS in an Exchange topology with multiple AD sites containing mailbox servers. But she omitted the URL for that article – can this be supplied please? Can such a config co-exist with Exchange 2003 mailbox servers?

  22. jimwest says:

    Ivan,

    I think this might be the article Lynn was referring to:

    http://msexchangeteam.com/archive/2007/09/10/446957.aspx

    Yes, that topology will work with E2K3 but you have to plan carefully.

    Jim

  23. JOHN.SMITH says:

    Your discussion does not make clear the security setting on the CAS /Exchange and /Public virtual directories in order to facilitate a proxy to an Exchange 2003 mailbox server.  Please advise.

  24. Vandy Rodrigues says:

    Hi John,

    By default we have Basic authentication configured for the /Exchange and /Public virtual directories. If your mailbox is located on an Exchange 2003 server you need to enable Integrated Windows Authentication via Exchange System Manager.

    Proxying is not supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.

    When you install Exchange 2007, four virtual directories are created for Outlook Web Access: owa, Exchange, Public, and ExchWeb. The owa virtual directory provides access to Exchange 2007 mailboxes. The Exchange and Public virtual directories provide Exchange 2003 mailbox access. If a user who has a mailbox on an Exchange 2003 server logs on by using https://server name/owa, they will receive an error telling them that their mailbox is on an Exchange 2003 server. They must use the Exchange virtual directory. If they log on by using https://server name/Exchange, the Exchange 2007 Client Access server will proxy their request to the Exchange 2003 mailbox server. If a user who has a mailbox on Exchange 2007 accesses Outlook Web Access by using https://server name/owa, they will be able to access their mailbox directly. If they log on to Outlook Web Access by using https://server name/Exchange, they will be redirected to https://server name/owa.

    Here you will find more information about Proxying and Redirection.

    http://technet.microsoft.com/en-us/library/bb310763.aspx

    Vandy Rodrigues

  25. JOHN.SMITH says:

    Vandy, Thank you for your reply.  After further research your comment of adding integrated authentication on the /Exchange legacy directory on the CAS seems to be in conflict with following msexchangeteam blog that states legacy directories on the CAS can only support forms and basic security.  Could you please clarify further?

    REF:

    Outlook Web Access and Exchange 2007, 2003 and 2000 coexistence

    Another authentication issue to be aware of is that legacy virtual directories on a CAS (i.e., the ones that use exprox) really are the same as the virtual directories on an E2003 FE server. This means that you can only use forms-based authentication (FBA) or basic authentication.

  26. Vandy Rodrigues says:

    Hi John,

    When your mailbox is on an Exchange 2007 Mailbox Server you are doing CAS-CAS Proxying and there is no need to touch the permissions on the legacy virtual directory /Exchange on the CAS.

    However if your mailbox is on an Exchange 2003 BE server, then you are proxying from CAS to Exch2K3 BE, and it only works if Integrated Windows Authentication is enabled on the Exch2K3 BE server /Exchange virtual directory.

    Proxying is not supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.

    http://technet.microsoft.com/en-us/library/bb310763.aspx

    Vandy Rodrigues

  27. andrew987 says:

    Hi, I’m a little confused still about placing a Client Access server in the AD site and it being internet facing but secure. Do I place a CAS in the DMZ for web access and then it proxies the request to the internal CAS by https? I can understand if you use an ISA server in the DMZ but in a previous post it was said you don’t need an ISA server and it will still be secure to have an internet-facing CAS.  Thank you
