In a Microsoft Exchange Server 2007 organization, a computer that is running Exchange 2007 that has the Client Access Server role installed can act as a proxy for other Client Access Servers within the organization. This is useful when multiple Client Access Servers (CAS) are present in different Active Directory sites in an organization and only one is exposed to the Internet.
Note: If Active Directory does not have multiple sites, you do not have to configure Exchange 2007 for proxying or redirection.
A Client Access Server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user is connecting to a Client Access Server that is not in their local Active Directory site. Each site would have to have an Internet-facing CAS server with the ExternalURL set. Having the ExternalURL set is not a default configuration in Exchange 2007.
This topic explains how Client Access Server Proxying, Redirection and “Find the Best CAS” work, when each is used, and how to configure your Client Access Servers for different scenarios.
Understanding CAS Proxying
In Exchange 2003, the front-end server communicates with the back-end server over HTTP. In Exchange 2007, the Client Access Server communicates with the mailbox server over RPC.
It is a requirement to have a Client Access Server in each site where there is an Exchange 2007 Mailbox Server. The recommendation is to have the Client Access Server as the first Exchange 2007 Server role installed in each Active Directory site. If you were to have just a Mailbox Server role in a given site without a Client Access Server, no users would be able to connect to their mailboxes via Outlook Web Access, ActiveSync, Exchange Web Services, POP3 and IMAP4.
A Client Access Server can be configured for internal access or can be Internet-facing; the Internet-facing server is named “First CAS”. If there is no Internet-facing Client Access Server in the same site as the mailbox, the request is proxied from the Internet-facing Client Access Server to the internal Client Access Server, named “Second CAS”. All traffic between the First CAS and the Second CAS is over HTTP(S).
Note: By default, Exchange 2007 installs a self-signed certificate when you install the Client Access Server role. The recommendation is to replace it with a certificate issued by a public or private certification authority.
Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync, Exchange Web Services, and the Availability service.
An Exchange 2007 Client Access Server can proxy requests in the following two scenarios:
Between Exchange 2007 Client Access Servers
Organizations that have multiple Active Directory sites can designate one Client Access Server as an Internet-facing server, named “First CAS”, and have that server proxy requests to Client Access Servers in sites that have no Internet presence, named “Second CAS”. The First CAS then proxies the request to the Client Access Server that is closest to the user’s mailbox (the “Second CAS”). This is known as CAS-CAS proxying, as we can see in the following illustration:
The mailbox of User2 is located on a mailbox server, MBX2, in a remote Active Directory site with no presence on the Internet. When User2 accesses his mailbox via OWA or ActiveSync, the First CAS, which is present on the Internet, receives the request and then proxies it to the Second CAS in the same AD site where the User2 mailbox is located.
Note: Integrated Windows authentication for the /owa virtual directory must be enabled via the Exchange Management Console or the Exchange Management Shell on the Second CAS. For the /Microsoft-Server-ActiveSync virtual directory on Exchange 2007 SP1, you can enable it in the Exchange Management Shell with the Set-ActiveSyncVirtualDirectory cmdlet.
Between an Exchange 2007 Client Access Server and an Exchange Server 2003 Back-end server
Proxying requests between an Exchange 2007 Client Access server and a Microsoft Exchange Server 2003 front-end server enables Exchange 2007 and Exchange 2003 to coexist in the same organization. External clients who connect to Outlook Web Access by using the /Exchange virtual directory or connect to Exchange ActiveSync by using the /Microsoft-Server-ActiveSync virtual directory will have their requests proxied to the appropriate Exchange 2003 back-end server:
The above illustration presents the scenario where the mailbox of User2 is located on an Exchange 2003 back-end server in a remote Active Directory site. When User2 accesses his mailbox via OWA or ActiveSync, the First CAS proxies the request not to the Second CAS or any Exchange 2003 front-end server but straight to the Exchange 2003 back-end server where the user mailbox is located, over HTTP. If the mailbox is located on an Exchange 2003 back-end server in the same Active Directory site as the CAS, such as that of User1, the First CAS proxies the request straight to the Exchange 2003 back-end server over HTTP.
Note: Integrated Windows authentication for /Exchange and /Microsoft-Server-ActiveSync virtual directories must be enabled via Exchange System Manager on Exchange 2003 back-end server.
Neither proxying nor redirection supports virtual directories that use Basic authentication. For client communications to be proxied or redirected between virtual directories on different servers, Integrated Windows authentication must be turned on on the Second CAS for /owa and /Microsoft-Server-ActiveSync, as well as on an Exchange 2003 back-end server for the virtual directories /Exchange and /Microsoft-Server-ActiveSync.
Note: CAS-CAS Proxying will not work for Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4 (IMAP4) clients. A client who is using POP3 or IMAP4 must connect to a Client Access server in the same Active Directory site as their Mailbox server. If the user mailbox is located on an Exchange 2003 back-end server, POP3 and IMAP4 requests will be proxied from the CAS to the Exchange 2003 back-end server.
Understanding CAS Redirection
Redirection is used when the organization has multiple Exchange 2007 Client Access Servers, in different Active Directory sites, facing the Internet with the ExternalURL attribute enabled.
Outlook Web Access users who access an Internet-facing Client Access server that is in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server that is in the same site as their Mailbox server if that Client Access server is Internet-facing. When Outlook Web Access users try to connect to a Client Access server that is outside the Active Directory site that contains their Mailbox server, they will see a Web page that contains a link to the correct Client Access server for their mailbox. The scenarios below present how redirection works for Outlook Web Access and ActiveSync users.
The mailbox of User2 is located on a mailbox server, MBX2, in a remote Active Directory site where the Second CAS is Internet-facing and the ExternalURL attribute is set for the /owa virtual directory. When User2 accesses his mailbox via OWA pointing to the First CAS, the First CAS checks whether the ExternalURL is configured on the Second CAS. In this case the First CAS will return a web page that contains a link to the correct Client Access server for their mailbox, in this case the Second CAS in the remote AD site.
The mailbox of User2 is located on a mailbox server, MBX2, in a remote Active Directory site where the Second CAS is Internet-facing and the ExternalURL attribute is set for the /Microsoft-Server-ActiveSync virtual directory. When User2 accesses his mailbox via ActiveSync pointing to the First CAS, the First CAS checks whether the ExternalURL attribute is configured on the Second CAS. In this case the First CAS will return an HTTP error code 451 and an application Event ID 1008.
In this case, you have to recreate the partnership with the device pointing to the right Exchange 2007 Client Access Server.
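One way to check the settings that proxying and redirection depend on, as an added example that is not part of the original post: a read-only Exchange Management Shell audit that lists the /owa and /Microsoft-Server-ActiveSync virtual directories of every Client Access Server, treats a set ExternalURL as Internet-facing, and flags proxy targets where Integrated Windows authentication is off. The server name CAS02 in the commented remediation lines is hypothetical, and the WindowsAuthEnabled property assumes Exchange 2007 SP1.

```powershell
# Added example, not from the original post. Read-only audit; run it in the
# Exchange Management Shell (WindowsAuthEnabled assumes Exchange 2007 SP1).
$report = foreach ($cas in Get-ClientAccessServer) {
    $site = (Get-ExchangeServer -Identity $cas.Name).Site
    $owa  = Get-OwaVirtualDirectory -Server $cas.Name |
            Where-Object { $_.Name -like 'owa (*' }
    $eas  = Get-ActiveSyncVirtualDirectory -Server $cas.Name

    foreach ($vdir in @($owa) + @($eas)) {
        if (-not $vdir) { continue }    # server has no such virtual directory

        # OWA and ActiveSync expose the same settings under different names.
        if ($vdir.Name -like 'owa (*') {
            $integrated = $vdir.WindowsAuthentication
            $basic      = $vdir.BasicAuthentication
        } else {
            $integrated = $vdir.WindowsAuthEnabled
            $basic      = $vdir.BasicAuthEnabled
        }

        $row = '' | Select-Object Server, Site, VirtualDirectory, ExternalUrl,
                                  IntegratedAuth, BasicAuth, Role, Finding
        $row.Server           = $cas.Name
        $row.Site             = $site
        $row.VirtualDirectory = $vdir.Name
        $row.ExternalUrl      = $vdir.ExternalUrl
        $row.IntegratedAuth   = $integrated
        $row.BasicAuth        = $basic

        if ($vdir.ExternalUrl) {
            # ExternalURL set: out-of-site users are redirected to this server.
            $row.Role    = 'Internet-facing (redirection target)'
            $row.Finding = 'OK'
        } else {
            # No ExternalURL: the First CAS proxies to this server, which
            # requires Integrated Windows authentication on the directory.
            $row.Role = 'Internal (proxy target)'
            if ($integrated) { $row.Finding = 'OK' }
            else { $row.Finding = 'FAIL: Integrated Windows authentication is off' }
        }
        $row
    }
}
$report | Sort-Object Site, Server | Format-Table -AutoSize

# Remediation on a flagged proxy target (CAS02 is a hypothetical server name):
# Set-OwaVirtualDirectory -Identity 'CAS02\owa (Default Web Site)' -WindowsAuthentication $true
# Set-ActiveSyncVirtualDirectory -Identity 'CAS02\Microsoft-Server-ActiveSync (Default Web Site)' -WindowsAuthEnabled $true
```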
In the next two blog posts on the subject, I will cover how Exchange 2007 CAS Proxying works for ActiveSync and OWA clients.