Terry L@u's blog: Client Access Server proxying and redirection

  • 8/28/12 Terry L@u's blog: Client Access Server proxying and redirection

    1/12terrytlslau.tls1.cc/2011/04/client-access-server-proxying-and.html

    TUESDAY, APRIL 12, 2011

    Client Access Server proxying and redirection

    Client Access Server proxying

    Proxying requests between two Exchange 2010 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server closest to the user's mailbox.

    Remark: In each Exchange organization that wants to allow access from Internet-based clients, at least one Active Directory site must be Internet facing. All non-Internet-facing Active Directory sites rely on the Internet-facing Client Access server or servers to proxy all pertinent requests from external clients.

    I will set up the following lab environment.

    Computer FQDN: DC1.contoso.com
    IP/Network: 10.10.1.1/8
    Roles: Domain Controller, DNS Server, Global Catalog
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Default-First-Site-Name

    Computer FQDN: EX1.contoso.com
    IP/Network: 10.5.0.1/8
    Roles: Exchange Server 2010 SP1 with all typical roles
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Default-First-Site-Name

    Computer FQDN: Mail.contoso.com
    IP/Network: 10.1.1.1/8
    Roles: Exchange Server 2010 SP1 CAS role (Internet-facing)
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Default-First-Site-Name

    Computer FQDN: DC2.contoso.com
    IP/Network: 172.16.0.10/16
    Roles: Domain Controller, DNS Server, Global Catalog
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Branch

    Computer FQDN: EX2.contoso.com
    IP/Network: 172.16.0.11/16
    Roles: Exchange Server 2010 SP1 with all typical roles
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Branch

    Computer FQDN: Workstation
    IP/Network: 192.168.0.10
    Roles: Workstation (Internet client)
    OS: Windows 7

    Assume Default-First-Site-Name is the Internet-facing site. I have created two mailboxes (Susan Tam and Peter Pan). Susan Tam's mailbox is stored on EX1.contoso.com and Peter Pan's is stored on EX2.contoso.com.

    To access her mailbox with Outlook Web App from the Branch AD site, Susan has to enter https://ex1.contoso.com/owa. If she tries to use https://ex2.contoso.com/owa instead, she gets the following error:

    Figure 1: Outlook Web App isn't available

    To solve this problem, I have to configure Client Access Server proxying. Mail.contoso.com will be the Internet-facing Client Access Server. After I configure the Internet-facing Client Access Server, all users will use https://mail.contoso.com/owa to access their mailboxes.

    1. At Mail, log in as Domain Administrator.

    2. Launch "Exchange Management Console", expand "Microsoft Exchange On-Premises > Server Configuration > Client Access".

    3. At right pane, select "MAIL".

    4. Next to "Outlook Web App", right-click "owa (Default Web Site)", select "Properties".

    5. Make sure the External URL is "https://mail.contoso.com/owa".

    Figure 2: owa (Default Web Site) General tab

    6. Select "Authentication" tab.

    7. Make sure "Use forms-based authentication" is selected.

    Figure 3: owa (Default Web Site) Authentication tab

    8. Click "OK".

    9. Next to "Exchange Control Panel", right-click "ecp (Default Web Site)", select "Properties".

    10. Make sure the External URL is "https://mail.contoso.com/ecp".

    Figure 4: ecp (Default Web Site) General tab

    11. Select "Authentication" tab.

    12. Make sure "Use forms-based authentication" is selected.

    Figure 5: ecp (Default Web Site) Authentication tab

    13. Click "OK".

    14. Next to "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)", select "Properties".

    15. Make sure the External URL is "https://mail.contoso.com/Microsoft-Server-ActiveSync".

    Figure 6: Microsoft-Server-ActiveSync (Default Web Site) General tab

    16. Select "Authentication" tab.

    17. Make sure "Basic authentication" is checked.

    Figure 7: Microsoft-Server-ActiveSync (Default Web Site) Authentication tab

    18. Click "OK".

    19. Enter "iisreset" in "Command Prompt".

    20. Still in Exchange Management Console, select "EX1".

    21. Next to "Outlook Web App", right-click "owa (Default Web Site)", select "Properties".

    22. Make sure the External URL is empty.

    Figure 8: Clear External URL

    23. Select "Authentication" tab.

    24. Select "Use one or more standard authentication methods".

    25. Check "Integrated Windows Authentication".

    Figure 9: Using Integrated Windows authentication on owa

    26. Click "OK".

    27. Next to "Exchange Control Panel", right-click "ecp (Default Web Site)", select "Properties".

    28. Make sure the External URL is empty.

    Figure 10: Clear External URL in ecp

    29. Select "Authentication" tab.

    30. Select "Use one or more standard authentication methods".

    31. Check "Integrated Windows Authentication".

    Figure 11: Using Integrated Windows authentication on ecp

    32. Click "OK".

    33. Next to "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)", select "Properties".

    34. Make sure the External URL is empty.

    Figure 12: Clear External URL in Microsoft-Server-ActiveSync

    35. Click "OK".

    36. Launch "Exchange Management Shell", enter the following cmdlet to configure the EWS external URL:

    Set-WebServicesVirtualDirectory -Identity "EX1\EWS (Default Web Site)" -ExternalUrl $null

    Figure 13: Configure the EWS external URL

    37. Enter "iisreset" in "Command Prompt" of EX1.

    38. Repeat steps 20-37 on EX2.

    Test result

    1. At EX1, launch "Internet Explorer".

    2. Go to "https://mail.contoso.com/owa".

    3. Log in as Peter Pan.

    Figure 14: Peter Pan's mailbox

    4. At EX2, launch "Internet Explorer".

    5. Go to "https://mail.contoso.com/owa".

    6. Log in as Susan Tam.

    Figure 15: Susan Tam's mailbox

    As a result, Client Access Server proxying is working fine.

    Client Access Server Redirection

    Outlook Web App users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing. When an Outlook Web App user tries to connect to a Client Access server outside the Active Directory site that contains their Mailbox server, they'll see a Web page that contains a link to the correct Client Access server for their mailbox.

    Exchange ActiveSync users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing and if the client mobile phone or device has correctly implemented the redirection logic built in to the protocol that's used when communicating with Exchange 2007 and Exchange 2010. The redirection for Exchange ActiveSync users is achieved by sending the device an HTTP 451 error code that contains the URL the device should be using. The device then reconfigures itself to use the new URL.

    I will add Mail2 to the existing environment.

    Computer FQDN: Mail2.contoso.com
    IP/Network: 172.16.0.12/16
    Roles: Exchange Server 2010 SP1 CAS role (Internet-facing)
    OS: Windows Server 2008 R2 Enterprise
    AD Site: Branch

    Assume both sites are Internet-facing.

    1. At Mail2, log in as Domain Administrator.

    2. Launch "Exchange Management Console", expand "Microsoft Exchange On-Premises > Server Configuration > Client Access".

    3. At right pane, select "MAIL2".

    4. Next to "Outlook Web App", right-click "owa (Default Web Site)", select "Properties".

    5. Make sure the External URL is "https://mail2.contoso.com/owa".

    Figure 16: Mail2 owa (Default Web Site)

    6. Select "Authentication" tab.

    7. Make sure "Use forms-based authentication" is selected.

    8. Click "OK".

    9. Next to "Exchange Control Panel", right-click "ecp (Default Web Site)", select "Properties".

    10. Make sure the External URL is "https://mail2.contoso.com/ecp".

    Figure 17: Mail2 ecp (Default Web Site)

    11. Select "Authentication" tab.

    12. Make sure "Use forms-based authentication" is selected.

    13. Click "OK".

    14. Next to "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)", select "Properties".

    15. Make sure the External URL is "https://mail2.contoso.com/Microsoft-Server-ActiveSync".

    Figure 18: Mail2 Microsoft-Server-ActiveSync (Default Web Site)

    16. Select "Authentication" tab.

    17. Make sure "Basic authentication" is checked.

    18. Click "OK".

    19. Enter "iisreset" in "Command Prompt" of all Exchange Servers.
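
The console steps in both procedures above (proxying and redirection) leave each server with a specific set of External URLs and authentication methods. The following audit script is an added example, not part of the original post: it reads the virtual directories back in the Exchange Management Shell and flags any setting that differs from the lab layout. The helper name Compare-Setting is hypothetical; the server names and URLs are the lab values from this page.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Server names and URLs are the lab values used on this page.
$internetFacing = @{ 'MAIL' = 'https://mail.contoso.com'; 'MAIL2' = 'https://mail2.contoso.com' }
$proxyTargets   = 'EX1', 'EX2'
$site           = '(Default Web Site)'

# Hypothetical helper: build one result row. URLs and booleans are compared
# as strings (PowerShell -eq on strings is case-insensitive).
function Compare-Setting($Server, $Vdir, $Setting, $Expected, $Actual) {
    $e = if ($null -eq $Expected) { '' } else { "$Expected" }
    $a = if ($null -eq $Actual)   { '' } else { "$Actual".TrimEnd('/') }
    New-Object PSObject -Property @{
        Server = $Server; Vdir = $Vdir; Setting = $Setting
        Expected = $e; Actual = $a; Ok = ($e -eq $a)
    }
}

$rows = @()

# Internet-facing CAS: External URLs set, forms-based auth on owa/ecp, Basic on ActiveSync.
foreach ($s in $internetFacing.Keys) {
    $base = $internetFacing[$s]
    $owa = Get-OwaVirtualDirectory        -Identity "$s\owa $site"
    $ecp = Get-EcpVirtualDirectory        -Identity "$s\ecp $site"
    $eas = Get-ActiveSyncVirtualDirectory -Identity "$s\Microsoft-Server-ActiveSync $site"
    $rows += Compare-Setting $s 'owa' 'ExternalUrl'         "$base/owa" $owa.ExternalUrl
    $rows += Compare-Setting $s 'owa' 'FormsAuthentication' $true       $owa.FormsAuthentication
    $rows += Compare-Setting $s 'ecp' 'ExternalUrl'         "$base/ecp" $ecp.ExternalUrl
    $rows += Compare-Setting $s 'ecp' 'FormsAuthentication' $true       $ecp.FormsAuthentication
    $rows += Compare-Setting $s 'eas' 'ExternalUrl' "$base/Microsoft-Server-ActiveSync" $eas.ExternalUrl
    $rows += Compare-Setting $s 'eas' 'BasicAuthEnabled'    $true       $eas.BasicAuthEnabled
}

# Servers that are only reached through another CAS: no External URL anywhere,
# Integrated Windows authentication on owa/ecp (steps 20-38 of the proxying procedure).
foreach ($s in $proxyTargets) {
    $owa = Get-OwaVirtualDirectory         -Identity "$s\owa $site"
    $ecp = Get-EcpVirtualDirectory         -Identity "$s\ecp $site"
    $eas = Get-ActiveSyncVirtualDirectory  -Identity "$s\Microsoft-Server-ActiveSync $site"
    $ews = Get-WebServicesVirtualDirectory -Identity "$s\EWS $site"
    $rows += Compare-Setting $s 'owa' 'ExternalUrl'           $null $owa.ExternalUrl
    $rows += Compare-Setting $s 'owa' 'WindowsAuthentication' $true $owa.WindowsAuthentication
    $rows += Compare-Setting $s 'ecp' 'ExternalUrl'           $null $ecp.ExternalUrl
    $rows += Compare-Setting $s 'ecp' 'WindowsAuthentication' $true $ecp.WindowsAuthentication
    $rows += Compare-Setting $s 'eas' 'ExternalUrl'           $null $eas.ExternalUrl
    $rows += Compare-Setting $s 'ews' 'ExternalUrl'           $null $ews.ExternalUrl
}

# Mismatches (Ok = False) sort to the top of the report.
$rows | Sort-Object Ok, Server | Format-Table Server, Vdir, Setting, Expected, Actual, Ok -AutoSize
```

A stray External URL on EX1 or EX2 shows up as a mismatch row, which is worth checking for after any later change to the Client Access servers.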

    Test result

    1. At workstation, launch "Internet Explorer".

    2. Go to "https://mail.contoso.com/owa".

    3. Log in as Peter Pan.

    Figure 19: Outlook Web App redirection

    Peter is redirected to branch site Client Access Server.

    4. Launch "Internet Explorer" again.

    5. Go to "https://mail2.contoso.com/owa".

    6. Log in as Susan Tam.

    Figure 20: Outlook Web App redirection

    Susan is redirected to Default-First-Site-Name site Client Access Server.

    As a result, Client Access Server redirection is working fine.

    Reference: http://technet.microsoft.com/en-us/library/bb310763.aspx

    POSTED BY TERRY LAU AT 6:00 AM

    LABELS: EXCHANGE SERVER, EXCHANGE SERVER 2007, EXCHANGE SERVER 2010
