Tuesday, April 12, 2011

Client Access Server proxying and redirection

Client Access Server proxying
Proxying requests between two Exchange 2010 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server closest to the user's mailbox.

Remark: In each Exchange organization that wants to allow access from Internet-based clients, at least one Active Directory site must be Internet facing. All non-Internet-facing Active Directory sites rely on the Internet-facing Client Access server or servers to proxy all pertinent requests from external clients.

I will set up the following lab environment.

Computer FQDN: DC1.contoso.com
IP/Network: 10.10.1.1/8
Roles: Domain Controller, DNS Server, Global Catalog
OS: Windows Server 2008 R2 Enterprise
AD Site: Default-First-Site-Name

Computer FQDN: EX1.contoso.com
IP/Network: 10.5.0.1/8
Roles: Exchange Server 2010 SP1 with all typical roles
OS: Windows Server 2008 R2 Enterprise
AD Site: Default-First-Site-Name


Computer FQDN: Mail.contoso.com
IP/Network: 10.1.1.1/8
Roles: Exchange Server 2010 SP1 CAS role (Internet-facing)
OS: Windows Server 2008 R2 Enterprise
AD Site: Default-First-Site-Name

Computer FQDN: DC2.contoso.com
IP/Network: 172.16.0.10/16
Roles: Domain Controller, DNS Server, Global Catalog
OS: Windows Server 2008 R2 Enterprise
AD Site: Branch

Computer FQDN: EX2.contoso.com
IP/Network: 172.16.0.11/16
Roles: Exchange Server 2010 SP1 with all typical roles
OS: Windows Server 2008 R2 Enterprise
AD Site: Branch


Computer FQDN: Workstation
IP/Network: 192.168.0.10
Roles: Workstation (Internet client)
OS: Windows 7

Assume "Default-First-Site-Name" is the Internet-facing site. I have created two mailboxes, Susan Tam and Peter Pan. Susan Tam's mailbox is stored on "EX1.contoso.com" and Peter Pan's on "EX2.contoso.com".

To access her mailbox with Outlook Web App from the Branch AD site, Susan has to enter "https://ex1.contoso.com/owa". If she tries "https://ex2.contoso.com/owa" instead, she gets the following error:

Figure 1: Outlook Web App isn't available

To solve this problem, I have to configure Client Access Server proxying. "Mail.contoso.com" will be the Internet-facing Client Access server. Once it is configured, all users will use "https://mail.contoso.com/owa" to access their mailbox.

1. At Mail, log in as Domain Administrator.
2. Launch "Exchange Management Console", expand "Microsoft Exchange On-Premises > Server Configuration > Client Access".
3. At right pane, select "MAIL".
4. Under "Outlook Web App", right-click "owa (Default Web Site)" and select "Properties".
5. Make sure the External URL is "https://mail.contoso.com/owa".

Figure 2: owa (Default Web Site) General tab

6. Select "Authentication" tab.
7. Make sure "Use forms-based authentication" is selected.

Figure 3: owa (Default Web Site) Authentication tab

8. Click "OK".
9. Under "Exchange Control Panel", right-click "ecp (Default Web Site)" and select "Properties".
10. Make sure the External URL is "https://mail.contoso.com/ecp".

Figure 4: ecp (Default Web Site) General tab

11. Select "Authentication" tab.
12. Make sure "Use forms-based authentication" is selected.

Figure 5: ecp (Default Web Site) Authentication tab

13. Click "OK".
14. Under "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)" and select "Properties".
15. Make sure the External URL is "https://mail.contoso.com/Microsoft-Server-ActiveSync".

Figure 6: Microsoft-Server-ActiveSync (Default Web Site) General tab

16. Select "Authentication" tab.
17. Make sure "Basic authentication" is checked.

Figure 7: Microsoft-Server-ActiveSync (Default Web Site) Authentication tab

18. Click "OK".
19. Run "iisreset" from a Command Prompt on Mail.
20. Still in Exchange Management Console, select "EX1".
21. Under "Outlook Web App", right-click "owa (Default Web Site)" and select "Properties".
22. Make sure the External URL is empty.

Figure 8: Clear External URL

23. Select "Authentication" tab.
24. Select "Use one or more standard authentication methods".
25. Check "Integrated Windows Authentication".

Figure 9: Using Integrated Windows authentication on owa

26. Click "OK".
27. Under "Exchange Control Panel", right-click "ecp (Default Web Site)" and select "Properties".
28. Make sure the External URL is empty.

Figure 10: Clear External URL in ecp

29. Select "Authentication" tab.
30. Select "Use one or more standard authentication methods".
31. Check "Integrated Windows Authentication".

Figure 11: Using Integrated Windows authentication on ecp

32. Click "OK".
33. Under "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)" and select "Properties".
34. Make sure the External URL is empty.

Figure 12: Clear External URL in Microsoft-Server-ActiveSync

35. Click "OK".
36. Launch "Exchange Management Shell", enter the following cmdlet to configure EWS external URL:

Set-WebServicesVirtualDirectory -Identity "EX1\EWS (Default Web Site)" -ExternalUrl $null

Figure 13: Configure the EWS external URL

37. Run "iisreset" from a Command Prompt on EX1.
38. Repeat steps 20 to 37 on EX2.
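The same proxying configuration done from the Exchange Management Shell instead of the console, followed by a check that each non-Internet-facing server is actually in a state that MAIL can proxy to. This is an added example and not part of the original post; the server names, URLs and sites are those of the lab above, while the EWS external URL on MAIL (the EMC steps above do not set it), the "Test-ProxyTarget" helper and its property names are this example's own additions.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell as an account with Organization Management rights.

$internetFacing = 'MAIL'            # Internet-facing CAS, site Default-First-Site-Name
$internalCas    = @('EX1', 'EX2')   # CAS with no Internet presence; MAIL proxies to these
$externalHost   = 'mail.contoso.com'

# 1. Internet-facing CAS: publish the external URLs, forms-based auth for
#    OWA/ECP, Basic auth (over HTTPS only) for ActiveSync.
Set-OwaVirtualDirectory -Identity "$internetFacing\owa (Default Web Site)" `
    -ExternalUrl "https://$externalHost/owa" -FormsAuthentication $true
Set-EcpVirtualDirectory -Identity "$internetFacing\ecp (Default Web Site)" `
    -ExternalUrl "https://$externalHost/ecp" -FormsAuthentication $true
Set-ActiveSyncVirtualDirectory -Identity "$internetFacing\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$externalHost/Microsoft-Server-ActiveSync" -BasicAuthEnabled $true
# Not in the EMC steps of the post; publishes EWS on the same host (assumption).
Set-WebServicesVirtualDirectory -Identity "$internetFacing\EWS (Default Web Site)" `
    -ExternalUrl "https://$externalHost/EWS/Exchange.asmx"

# 2. Non-Internet-facing CAS: no external URL (an external URL would make MAIL
#    redirect instead of proxy) and Integrated Windows Authentication, which is
#    what the proxying CAS uses when it talks to the target CAS.
#    OWA and ECP must carry the same forms-based auth setting.
foreach ($cas in $internalCas) {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -ExternalUrl $null -FormsAuthentication $false -WindowsAuthentication $true
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
        -ExternalUrl $null -FormsAuthentication $false -WindowsAuthentication $true
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -ExternalUrl $null
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -ExternalUrl $null
}

# 3. Restart IIS everywhere; iisreset accepts a remote computer name.
foreach ($cas in @($internetFacing) + $internalCas) { iisreset $cas }

# 4. Verify each proxy target. The lab has one virtual directory per server;
#    with several, the Get-* cmdlets return an array and you would index it.
function Test-ProxyTarget {
    param([string]$Server)
    $owa = Get-OwaVirtualDirectory -Server $Server
    $ecp = Get-EcpVirtualDirectory -Server $Server
    New-Object PSObject -Property @{
        Server         = $Server
        OwaExternalUrl = $owa.ExternalUrl
        OwaIWA         = $owa.WindowsAuthentication
        EcpIWA         = $ecp.WindowsAuthentication
        FbaMatches     = ($owa.FormsAuthentication -eq $ecp.FormsAuthentication)
        # All three must hold for MAIL to proxy OWA/ECP to this server.
        ReadyForProxy  = ((-not $owa.ExternalUrl) -and
                          $owa.WindowsAuthentication -and $ecp.WindowsAuthentication)
    }
}
$internalCas | ForEach-Object { Test-ProxyTarget $_ } | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the proxy hop from MAIL to EX1/EX2 is an HTTPS connection, so MAIL must trust the certificate each target presents, and turning off forms-based authentication on an internal server means users who browse to that server directly now get an Integrated Windows Authentication prompt rather than the OWA logon page, which is expected for servers that are not meant to be reached by name.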

Test result
1. At EX1, launch "Internet Explorer".
2. Go to "https://mail.contoso.com/owa".
3. Log in as Peter Pan.

Figure 14: Peter Pan's mailbox

4. At EX2, launch "Internet Explorer".
5. Go to "https://mail.contoso.com/owa".
6. Log in as Susan Tam.

Figure 15: Susan Tam's mailbox

As a result, Client Access Server proxying is working.


Client Access Server Redirection
Outlook Web App users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing. When an Outlook Web App user tries to connect to a Client Access server outside the Active Directory site that contains their Mailbox server, they'll see a Web page that contains a link to the correct Client Access server for their mailbox.

Exchange ActiveSync users who access an Internet-facing Client Access server in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server in the same site as their Mailbox server if that Client Access server is Internet facing and if the client mobile phone or device has correctly implemented the redirection logic built in to the protocol that's used when communicating with Exchange 2007 and Exchange 2010. The redirection for Exchange ActiveSync users is achieved by sending the device an HTTP 451 error code that contains the URL the device should be using. The device then reconfigures itself to use the new URL.

I will add Mail2 to the existing environment.

Computer FQDN: Mail2.contoso.com
IP/Network: 172.16.0.12/16
Roles: Exchange Server 2010 SP1 CAS role (Internet-facing)
OS: Windows Server 2008 R2 Enterprise
AD Site: Branch

Now assume both sites are Internet-facing.

1. At Mail2, log in as Domain Administrator.
2. Launch "Exchange Management Console", expand "Microsoft Exchange On-Premises > Server Configuration > Client Access".
3. At right pane, select "MAIL2".
4. Under "Outlook Web App", right-click "owa (Default Web Site)" and select "Properties".
5. Make sure the External URL is "https://mail2.contoso.com/owa".

Figure 16: Mail2 owa (Default Web Site)

6. Select "Authentication" tab.
7. Make sure "Use forms-based authentication" is selected.
8. Click "OK".
9. Under "Exchange Control Panel", right-click "ecp (Default Web Site)" and select "Properties".
10. Make sure the External URL is "https://mail2.contoso.com/ecp".

Figure 17: Mail2 ecp (Default Web Site)

11. Select "Authentication" tab.
12. Make sure "Use forms-based authentication" is selected.
13. Click "OK".
14. Under "Exchange ActiveSync", right-click "Microsoft-Server-ActiveSync (Default Web Site)" and select "Properties".
15. Make sure the External URL is "https://mail2.contoso.com/Microsoft-Server-ActiveSync".

Figure 18: Mail2 Microsoft-Server-ActiveSync (Default Web Site)

16. Select "Authentication" tab.
17. Make sure "Basic authentication" is checked.
18. Click "OK".
19. Run "iisreset" from a Command Prompt on all Exchange servers.
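The redirection setup from the Exchange Management Shell, together with two checks a practitioner wants before trusting Figure 19 and Figure 20: which AD site each user's mailbox actually sits in (so you know which Internet-facing server the user should land on), and a connectivity test against each external URL with each user's credentials. This is an added example and not part of the original post; MAIL2, mail2.contoso.com, the mailbox names and the sites come from the lab above, while the "Get-MailboxSite" helper, the credential prompts and the use of -TrustAnySSLCertificate (a lab shortcut for self-signed certificates, not for production) are this example's own assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.

$branchCas  = 'MAIL2'
$branchHost = 'mail2.contoso.com'

# 1. Make the Branch site Internet-facing: an external URL on its CAS is what
#    turns MAIL's behaviour for Branch mailboxes from proxying into redirection.
Set-OwaVirtualDirectory -Identity "$branchCas\owa (Default Web Site)" `
    -ExternalUrl "https://$branchHost/owa" -FormsAuthentication $true
Set-EcpVirtualDirectory -Identity "$branchCas\ecp (Default Web Site)" `
    -ExternalUrl "https://$branchHost/ecp" -FormsAuthentication $true
Set-ActiveSyncVirtualDirectory -Identity "$branchCas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$branchHost/Microsoft-Server-ActiveSync" -BasicAuthEnabled $true
iisreset $branchCas

# 2. Where should each user end up? Follow mailbox -> database -> Mailbox
#    server -> AD site; the redirect target is the Internet-facing CAS of that site.
function Get-MailboxSite {
    param([string]$Identity)
    $mbx    = Get-Mailbox -Identity $Identity
    $db     = Get-MailboxDatabase -Identity $mbx.Database
    $server = Get-ExchangeServer -Identity $db.Server
    New-Object PSObject -Property @{
        Mailbox       = $mbx.Alias
        Database      = $db.Name
        MailboxServer = $server.Name
        Site          = $server.Site.Name
    }
}
'Peter Pan', 'Susan Tam' | ForEach-Object { Get-MailboxSite $_ } | Format-Table -AutoSize
# In this lab: Peter Pan -> Branch (served by mail2), Susan Tam -> Default-First-Site-Name (mail).

# 3. Exercise OWA and ActiveSync through each Internet-facing URL as each user.
#    Test-* cmdlets run from the server, so this proves server-side behaviour;
#    the browser/device test in the post still proves the client side.
$peter = Get-Credential 'contoso\peter'   # assumed logon names
$susan = Get-Credential 'contoso\susan'
$cases = @(
    @{ User = $peter; Url = 'https://mail.contoso.com' },   # wrong site for Peter
    @{ User = $susan; Url = "https://$branchHost" }          # wrong site for Susan
)
foreach ($c in $cases) {
    Test-OwaConnectivity -URL "$($c.Url)/owa" -MailboxCredential $c.User `
        -TrustAnySSLCertificate | Select-Object ClientAccessServer, Scenario, Result, Latency, Error
    Test-ActiveSyncConnectivity -URL "$($c.Url)/Microsoft-Server-ActiveSync" -MailboxCredential $c.User `
        -TrustAnySSLCertificate | Select-Object ClientAccessServer, Scenario, Result, Latency, Error
}
```

For ActiveSync the redirection is only as good as the device: the server answers with HTTP 451 and the new URL, and a device that does not implement that part of the protocol simply fails against the wrong site, so the connectivity test above tells you the server is doing its part but not that every phone in the fleet will follow.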

Test result
1. At workstation, launch "Internet Explorer".
2. Go to "https://mail.contoso.com/owa".
3. Log in as Peter Pan.

Figure 19: Outlook Web App redirection

Peter is redirected to the Branch site Client Access server (mail2.contoso.com).

4. Launch "Internet Explorer" again.
5. Go to "https://mail2.contoso.com/owa".
6. Log in as Susan Tam.

Figure 20: Outlook Web App redirection

Susan is redirected to the Default-First-Site-Name site Client Access server (mail.contoso.com).

As a result, Client Access Server redirection is working.


This posting is provided “AS IS” with no warranties, and confers no rights!
