Exchange 2007 CAS Proxy and Redirection:

Proxy:

· Only for Outlook Web Access, Exchange ActiveSync, and Exchange Web Services.

· Communications between Client Access servers in different sites occur over Secure HTTP (HTTPS).

· Proxying is not supported between virtual directories that use Basic authentication.

· Proxying happens when an (Internal URL) is set and no (External URL) is set.

Redirection:

OWA is the only type of service that will not return an error if the external URL is configured. Instead, redirection will happen.

To disable redirection in case the Internet connection is down at one of the Internet-facing CAS servers:

Set-OwaVirtualDirectory "owa (default web site)" -RedirectToOptimalOWAServer $false

To restore redirection, use the same cmdlet and change the RedirectToOptimalOWAServer parameter to $true.

The need for Proxying:

While the connection between the front-end Exchange 2003 server and its back end is pure HTTP traffic, the case is different in Exchange 2007. The CAS server role communicates over RPC with the MBX server role.

This introduces some performance issues when you have multiple AD sites with Exchange server roles. If the CAS receives a request for a user whose mailbox is hosted in another AD site, the CAS will send RPC traffic to that MBX server. RPC over slow links is not recommended at all.

To solve this performance issue, the EWS Proxy feature was introduced, in which the CAS server receiving the request can proxy the request over HTTP to a CAS server in the other site.

Proxy for OWA

OWA supports proxy and redirection. If no (External Link) is defined, then proxy; else redirection.

Internal URL: https://computername/OWA

External URL: https://mail.contoso.com/OWA

Authentication Method:

If the Internet Security and Acceleration (ISA) Server computer is using forms-based authentication, Outlook Web Access should use Integrated Windows authentication. If authentication is not being handled on the ISA Server computer, Outlook Web Access should be configured with forms-based authentication. Also use Kerberos.

NLB URL for Internet Facing CAS:

Internal URL: https://computername/OWA

External URL: https://mail.contoso.com/OWA

NLB URL for Non-Internet Facing CAS

Internal URL: https://computername/OWA

External URL: Null

NLBBypassURL setting: Null

Affinity Handling:

OWA uses its own affinity when dealing with NLB CAS. If a user tries to access Outlook Web Access through https://www.contoso.com/owa and is proxied to a non-Internet facing Active Directory site that contains CAS-01, CAS-02, and CAS-03, a user who is proxied to CAS-01 the first time will always be proxied to CAS-01, even if CAS-02 has fewer concurrent connections. If CAS-01 is unavailable, the user will be proxied to CAS-02.

Proxy for ActiveSync

AS supports proxy only. If no (External Link) is defined, then proxy; else error.

Internal URL: https://computername/Microsoft-Server-ActiveSync

External URL: https://mail.contoso.com/Microsoft-Server-ActiveSync

Authentication Method:

Integrated Windows authentication

NLB URL for Internet Facing CAS:

Internal URL: https://computername/Microsoft-Server-ActiveSync

External URL: https://www.contoso.com/Microsoft-Server-ActiveSync

NLB URL for Non-Internet Facing CAS

Internal URL: https://NLBname/Microsoft-Server-ActiveSync

External URL: Null

NLBBypassURL setting: Null

Affinity Handling:

NLB affinity. If you don't use NLB, then the user will always be proxied to the same CAS server, even if that CAS is unavailable and there are other CAS servers available in the same site. That is because the synchronization state for Exchange ActiveSync is stored in the mailbox for the client. Therefore, if a client is proxied to CAS-02 the first time that they connect, they will be proxied to CAS-02 every time that they connect.

Proxy for EWS

EWS supports proxy only. If no (External Link) is defined, then proxy; else error.

Internal URL: https://computername/EWS

External URL: https://www.contoso.com/EWS/exchange.asmx

Authentication Method:

Integrated Windows authentication + Kerberos

NLB URL for Internet Facing CAS:

Internal URL: https://computername/EWS

External URL: https://www.contoso.com/EWS

NLB URL for Non-Internet Facing CAS

Internal URL: https://NLBname/EWS

External URL: Null

NLBBypassURL setting: https://computername/EWS

Affinity Handling:

Same as OWA.

Appendix:

Virtual directory settings for Internet-facing Client Access servers in an organization that uses NLB:

The InternalNLBBypassURL

As part of the EWS proxy feature, the *-WebServicesVirtualDirectory PowerShell cmdlets include a new parameter called InternalNLBBypassUrl, which allows you to specify the direct URL to get to a CAS box. When a CAS is configured as part of an NLB, the externalURL or internalURL (depending on the location of the NLB) is set to the URL of the NLB. However, as we have seen, EWS must not use this address for proxying and instead relies on the InternalNLBBypassUrl for proxying. When an Exchange CAS box is installed, the InternalUrl and InternalNLBBypassUrl are both set to the same value: the direct URL for that machine. It is important that if a CAS is put behind an NLB, you do NOT modify the InternalNLBBypassUrl for that virtual directory to point to the NLB.

EWS will only proxy requests to CAS servers that have the InternalNLBBypassUrl set to a non-null value. This also means that if you do *not* want to allow servers to proxy to each other, you can turn off proxying altogether by setting the InternalNLBBypassUrl of all your CAS servers to null.

If you want to see all the InternalNLBBypassUrls for web service virtual directories in your topology, run the following from the Exchange Management Shell:

[PS] D:\Windows\System32>Get-WebServicesVirtualDirectory | foreach {$_.InternalNLBBypassUrl.AbsoluteUri}

To set the InternalNLBBypassUrl for a specific CAS server, run the following Cmdlet:

[PS] D:\Windows\System32>$a = Get-WebServicesVirtualDirectory | Where-Object {$_.Server -eq "MyServerName"}

[PS] D:\Windows\System32>$a | Set-WebServicesVirtualDirectory -InternalNLBBypassUrl "https://MyServerName.MyDomain"
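The proxy, redirection and InternalNLBBypassUrl rules described in this post can be checked against a topology with a small audit function. This is an added example, not code from the original post; the function name Get-CasCrossSiteBehavior, the 'NoProxy' label, and the sample servers and NLB host name are constructed, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Requires PowerShell 2.0 or later.
function Get-CasCrossSiteBehavior {
    param([string]$Service, $VDir)   # $Service: 'OWA', 'ActiveSync' or 'EWS'
    $notes = @()
    if ($VDir.ExternalUrl) {
        # External URL set: only OWA redirects, the other services return an error.
        if ($Service -eq 'OWA') { $behavior = 'Redirect' } else { $behavior = 'Error' }
    } elseif ($VDir.InternalUrl) {
        $behavior = 'Proxy'
    } else {
        # Assumption: the post does not cover this case, so it is reported for review.
        $behavior = 'NoProxy'; $notes += 'InternalUrl is empty'
    }
    if ($Service -eq 'EWS' -and $behavior -eq 'Proxy') {
        if (-not $VDir.InternalNLBBypassUrl) {
            # EWS only proxies to servers with a non-null InternalNLBBypassUrl.
            $behavior = 'NoProxy'; $notes += 'InternalNLBBypassUrl is null'
        } else {
            # The bypass URL must name the server itself, never the NLB address.
            $hostLabel = ([uri]"$($VDir.InternalNLBBypassUrl)").Host.Split('.')[0]
            if ($hostLabel -ne "$($VDir.Server)") {
                $notes += 'InternalNLBBypassUrl is not the direct server URL'
            }
        }
    }
    # CAS-to-CAS traffic between sites is expected to use HTTPS.
    foreach ($name in 'InternalUrl', 'ExternalUrl', 'InternalNLBBypassUrl') {
        $value = $VDir.$name
        if ($value -and ([uri]"$value").Scheme -ne 'https') { $notes += "$name is not HTTPS" }
    }
    New-Object PSObject -Property @{
        Service = $Service; Server = "$($VDir.Server)"
        Behavior = $behavior; Notes = ($notes -join '; ')
    }
}

# Constructed sample data standing in for Get-*VirtualDirectory output.
$samples = @(
    @{ Service = 'OWA'; Server = 'CAS-01'; InternalUrl = 'https://cas-01/OWA'; ExternalUrl = 'https://mail.contoso.com/OWA' },
    @{ Service = 'ActiveSync'; Server = 'CAS-01'; InternalUrl = 'https://cas-01/Microsoft-Server-ActiveSync'; ExternalUrl = 'https://mail.contoso.com/Microsoft-Server-ActiveSync' },
    @{ Service = 'EWS'; Server = 'CAS-02'; InternalUrl = 'https://nlb-site2/EWS'; InternalNLBBypassUrl = 'https://nlb-site2/EWS' },
    @{ Service = 'EWS'; Server = 'CAS-03'; InternalUrl = 'http://cas-03/EWS' }
)
$samples | ForEach-Object {
    Get-CasCrossSiteBehavior -Service $_.Service -VDir (New-Object PSObject -Property $_)
} | Format-Table Service, Server, Behavior, Notes -AutoSize

# Live use from the Exchange Management Shell:
# Get-WebServicesVirtualDirectory | ForEach-Object { Get-CasCrossSiteBehavior -Service 'EWS' -VDir $_ }
```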
