How Exchange 2007 CAS Proxying works for ActiveSync

As a last part in my series of posts covering Exchange 2007 CAS Proxying and Redirection (see previous posts here and here) - I wanted to cover Proxying for ActiveSync. There are three steps involved in handling a request:

1. Determining whether to proxy a given request
2. Proxying the request
3. Causing the proxied request to execute on behalf of the user that issues the initial request

The mobile device communicates with the First CAS via AirSync protocol. When a request is received by the Internet-facing Client Access Server, a decision must be made whether to handle it directly, proxy it, or return an error. The proxy decision relies on the Microsoft Exchange Active Directory Topology Service (MSExchangeADTopology) to determine if a request must be proxied. The following logic will be used for each request that is handled by an Exchange 2007 CAS. Please click onto the thumbnail to see the high resolution version: 1. The First CAS queries the Active Directory to determine the location of the user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox server. If the user's mailbox is on an Exchange 2003 server, the request will be proxied directly to the destination Exchange 2003 back-end server, even if there is an Exchange 2007 Client Access server within the destination Active Directory site. Windows Integrated authentication is required on Exchange 2003 Microsoft-Server-ActiveSync virtual directory. . If the user's mailbox is on an Exchange 2003 server, the request will be proxied directly to the destination Exchange 2003 back-end server, even if there is an Exchange 2007 Client Access server within the destination Active Directory site. Windows Integrated authentication is required on Exchange 2003 Microsoft-Server-ActiveSync virtual directory. Note: If the value for BlockLegacyMailboxes is true, CAS will not proxy the request for Exchange 2003 mailbox users. By the default this value is set to False. The file Web.Config is located in \Program Files\Microsoft\Exchange Server\ClientAccess\Sync\Web.Config. 2. If the Mailbox is on Exchange 2007, the First CAS will determine the best CAS, a Client Access Server in the same AD site as the user's mailbox server. Once it is determined where the user mailbox is located, in this case on a Mailbox Exchange 2007 Server named Chicago.fourthcoffee.com. The First CAS has already made the decision to talk directly to a mailbox server in the same site, proxy the request to the Second CAS or return an error. As the mailbox is on an AD remote site, the request is proxied to the Second CAS named Dallas.fourthcoffe.com. If the First CAS itself is the Best CAS for the request it will handle the request and will initialize a mailbox session via RPC with the Exchange 2007 mailbox server. If the best CAS has an "ExternalURL" set on the /Microsoft-Server-ActiveSync virtual directory, than a HTTP error code 451 error is returned indicating that the client has misconfigured the hostname on the device. Note: InternalURL is configured automatically during Exchange 2007 Setup. For Client Access servers that do not have an Internet presence, the ExternalURL property should be set to $null 3. If there is a Client Access server that is closer to the user's Mailbox server, Exchange 2007 determines whether the Client Access server has the InternalURL property configured on Microsoft-Server-ActiveSync virtual directory and if the authentication method is Integrated Windows authentication. If so, the user is proxied to the Client Access server specified by the InternalURL property. Otherwise, an error code 403 is returned if no CAS was found in the same AD site as the mailbox server rejecting the request. Note: In case the InternalURL is not set properly or the authentication method is not correct an Event ID 1036 will appear in the Application Event Viewer of the First CAS. By default the "InternalURL" is set as https://<servername>.domain.com/Microsoft-Server-ActiveSync. 4. When attempting to connect to a proxy request, if the Second CAS returns a HTTP_441 response, it indicates that the Second CAS did not have the Client Security Context (CSC) for the SID that was passed. The First CAS will obtain the CSC, serialized into XML and issues a proxy login request. 5. The Second CAS opens a mailbox session to the Exchange 2007 mailbox server, checking for ActiveSync policies and if the device is allowed to sync. 6. The Second CAS initializes a new mailbox session to sync the user mailbox. Note: All Client Access Servers with ExternalUrl set has to have InternalUrl set also, unless it is a site that can only proxy to other site. If a site contains at least one Client Access Server with ExternalUrl set, all others CAS in the same Active Directory site which support ActiveSync must have the ExternalUrl set. Otherwise the ones without an ExternalUrl set will go idle. - Vandy Rodrigues