Exchange Team Blog

Overview of Exchange Server 2007 CAS Proxying and Redirection

The_Exchange_Team
Sep 05, 2007

In a Microsoft Exchange Server 2007 organization, a server running Exchange 2007 with the Client Access Server role installed can act as a proxy for other Client Access Servers in the organization. This is useful when Client Access Servers (CAS) are present in several Active Directory sites and only one of them is exposed to the Internet.

Note: If your Active Directory forest has only one site, you do not need to configure Exchange 2007 for proxying or redirection.

A Client Access Server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user connects to a Client Access Server that is not in the Active Directory site that holds their mailbox. For redirection to work, each site must have an Internet-facing CAS with the ExternalURL property set on its virtual directories; ExternalURL is not set by default in Exchange 2007.

This topic explains how Client Access Server proxying, redirection and "find the best CAS" work, when each is used, and how to configure your Client Access Servers for the different scenarios.

Understanding CAS Proxying

In Exchange 2003, the front-end server communicates with the back-end server over HTTP. In Exchange 2007, the Client Access Server communicates with the mailbox server over RPC.

A Client Access Server is required in every site that contains an Exchange 2007 Mailbox server. The recommendation is to install the Client Access Server role as the first Exchange 2007 role in each Active Directory site. If a site had only a Mailbox server and no Client Access Server, no users in that site could reach their mailboxes through Outlook Web Access, Exchange ActiveSync, Exchange Web Services, POP3 or IMAP4.

A Client Access Server can serve internal clients only, or it can be Internet-facing; in this post the Internet-facing server is called "First CAS". If the site that holds the mailbox has no Internet-facing Client Access Server, the request is proxied from the Internet-facing Client Access Server to the internal Client Access Server in the mailbox's site, called "Second CAS" here. All traffic between First CAS and Second CAS is HTTP(S).

Note: By default, Exchange 2007 installs a self-signed certificate when you install the Client Access Server role. You should replace it with a certificate issued by a public or private certification authority.
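The note above recommends replacing the Setup-generated certificate. The following Exchange Management Shell sequence is an added example, not code from the original post or from Microsoft's documentation; it lists what is currently bound to IIS, requests a replacement, imports the issued certificate and switches IIS over to it. The server name FIRSTCAS, the contoso.com host names, the organisation in the subject and the file paths are assumptions.

```powershell
# Added example (not from the original post). Assumptions: this runs in the
# Exchange Management Shell on FIRSTCAS, the Internet-facing CAS, and the
# contoso.com names and C:\certs paths stand in for your own.

# 1. Inspect what is bound today. A certificate whose Services include IIS and
#    whose IsSelfSigned is True is the Setup-generated one clients are seeing.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Generate a request. It must carry every name clients will use: the public
#    OWA/ActiveSync name, the Autodiscover name and the server's internal FQDN.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com, firstcas.corp.contoso.com `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -Path C:\certs\firstcas.req

# 3. Submit C:\certs\firstcas.req to your public or private CA and save the
#    issued certificate as C:\certs\firstcas.cer. Import it and, in the same
#    pipeline, bind it to IIS only, so SMTP keeps the certificate it has now.
Import-ExchangeCertificate -Path C:\certs\firstcas.cer |
    Enable-ExchangeCertificate -Services IIS

# 4. Verify: the certificate listing IIS should now be the CA-issued one
#    (IsSelfSigned False) and the self-signed one should no longer list IIS.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, IsSelfSigned, NotAfter
```

Run it on the Internet-facing CAS first; an internal Second CAS can follow the same steps with its own names. Keep the private key exportable only if you intend to move the certificate to another server, and note the NotAfter date so the renewal does not surprise you.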

Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync, Exchange Web Services, and the Availability service.

An Exchange 2007 Client Access Server can proxy requests in the following two scenarios:

Between Exchange 2007 Client Access Servers

Organizations that have multiple Active Directory sites can designate one Client Access Server as the Internet-facing server ("First CAS") and have it proxy requests to Client Access Servers in sites with no Internet presence ("Second CAS"). The First CAS proxies the request to the Second CAS that is in the same Active Directory site as the user's mailbox. This is known as CAS-CAS proxying, as the following illustration shows:

User2's mailbox is on mailbox server MBX2 in a remote Active Directory site that has no Internet presence. When User2 accesses the mailbox through OWA or ActiveSync, the Internet-facing First CAS receives the request and proxies it to the Second CAS in the AD site where User2's mailbox is located.

Note: Integrated Windows authentication must be enabled on the /owa virtual directory of the Second CAS, via the Exchange Management Console or the Exchange Management Shell. On Exchange 2007 SP1, Integrated Windows authentication for the /Microsoft-Server-ActiveSync virtual directory can be enabled from the Exchange Management Shell with the Set-ActiveSyncVirtualDirectory cmdlet.

Between an Exchange 2007 Client Access Server and an Exchange Server 2003 Back-end server

Proxying requests between an Exchange 2007 Client Access Server and a Microsoft Exchange Server 2003 back-end server enables Exchange 2007 and Exchange 2003 to coexist in the same organization. External clients that connect to Outlook Web Access through the /Exchange virtual directory, or to Exchange ActiveSync through the /Microsoft-Server-ActiveSync virtual directory, have their requests proxied to the appropriate Exchange 2003 back-end server:

The above illustration presents the scenario where User2's mailbox is on an Exchange 2003 back-end server in a remote Active Directory site. When User2 accesses the mailbox via OWA or ActiveSync, the First CAS proxies the request neither to the Second CAS nor to an Exchange 2003 front-end server, but straight over HTTP to the Exchange 2003 back-end server that holds the mailbox. If the mailbox is on an Exchange 2003 back-end server in the same Active Directory site as the CAS, as for User1, the First CAS likewise proxies the request straight to that Exchange 2003 back-end server over HTTP.

Note: Integrated Windows authentication must be enabled on the /Exchange and /Microsoft-Server-ActiveSync virtual directories of the Exchange 2003 back-end server, via Exchange System Manager.

Neither proxying nor redirection supports virtual directories that use Basic authentication. For client communications to be proxied or redirected between virtual directories on different servers, Integrated Windows authentication must be turned on for /owa and /Microsoft-Server-ActiveSync on the Second CAS, and for /Exchange and /Microsoft-Server-ActiveSync on the Exchange 2003 back-end server.

Note: CAS-CAS proxying does not work for Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4 (IMAP4) clients. A POP3 or IMAP4 client must connect to a Client Access Server in the same Active Directory site as its Mailbox server. If the user's mailbox is on an Exchange 2003 back-end server, POP3 and IMAP4 requests are proxied from the CAS to the Exchange 2003 back-end server.

Understanding CAS Redirection

Redirection is used when the organization has Internet-facing Exchange 2007 Client Access Servers in more than one Active Directory site, each with the ExternalURL property set.

Outlook Web Access users who reach an Internet-facing Client Access Server in a different Active Directory site from the one that contains their mailbox can be redirected to the Client Access Server in the same site as their Mailbox server, provided that Client Access Server is also Internet-facing. When such users connect to a Client Access Server outside their mailbox's Active Directory site, they see a web page containing a link to the correct Client Access Server for their mailbox. The scenario below shows how redirection works for Outlook Web Access and ActiveSync users.

User2's mailbox is on mailbox server MBX2 in a remote Active Directory site whose Second CAS is Internet-facing, with the ExternalURL property set on its /owa virtual directory. User2 opens OWA against the First CAS. The First CAS checks whether ExternalURL is configured on the Second CAS; because it is, the First CAS returns a web page containing a link to the correct Client Access Server for the mailbox, in this case the Second CAS in the remote AD site.

User2's mailbox is on mailbox server MBX2 in a remote Active Directory site whose Second CAS is Internet-facing, with the ExternalURL property set on its /Microsoft-Server-ActiveSync virtual directory. When User2 synchronizes via ActiveSync against the First CAS, the First CAS checks whether ExternalURL is configured on the Second CAS. Because it is, the First CAS returns HTTP error code 451 and logs Application event ID 1008.

In this case, you have to recreate the device partnership, pointing the device at the correct Exchange 2007 Client Access Server.

Note: Redirection is supported only for Outlook Web Access clients. Exchange ActiveSync, Exchange Web Services, POP3 and IMAP4 clients cannot use redirection.
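Both the proxying note under "Understanding CAS Proxying" (Integrated Windows authentication on the Second CAS, Set-ActiveSyncVirtualDirectory on SP1) and the two redirection scenarios above come down to a handful of virtual-directory properties. The script below is an added example, not the post's or Microsoft's own code; the server names FIRSTCAS and SECONDCAS, the contoso.com host names and the URLs are assumptions. It configures the First CAS as the Internet-facing server and the Second CAS as a proxy target, with one switch that turns the Second CAS into a redirection target instead, then prints the properties to check on both servers.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: FIRSTCAS is the Internet-facing CAS, SECONDCAS is the CAS in the
# site that holds the mailbox, and the contoso.com names/URLs stand in for yours.
$first  = "FIRSTCAS"
$second = "SECONDCAS"
$secondSiteIsInternetFacing = $false   # $false = proxying scenario, $true = redirection scenario

# First CAS: publish the external names. Forms-based authentication on /owa is
# fine here; only the First-to-Second hop needs Integrated Windows authentication.
Set-OwaVirtualDirectory -Identity "$first\owa (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/owa"
Set-ActiveSyncVirtualDirectory -Identity "$first\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"

# Second CAS: Integrated Windows authentication on, Basic off. Neither proxying
# nor redirection works against a virtual directory that uses Basic authentication.
Set-OwaVirtualDirectory -Identity "$second\owa (Default Web Site)" `
    -WindowsAuthentication $true -BasicAuthentication $false -FormsAuthentication $false
# The ActiveSync switch is exposed in the shell from Exchange 2007 SP1 onward;
# on RTM, set it in IIS Manager instead.
Set-ActiveSyncVirtualDirectory -Identity "$second\Microsoft-Server-ActiveSync (Default Web Site)" `
    -WindowsAuthEnabled $true -BasicAuthEnabled $false

# The single property that decides proxy versus redirect is ExternalUrl on the
# Second CAS: empty means the First CAS proxies; set means OWA users get a page
# linking to it and ActiveSync devices get HTTP 451 and must be re-partnered.
if ($secondSiteIsInternetFacing) {
    $owaUrl = "https://mail-remote.contoso.com/owa"
    $easUrl = "https://mail-remote.contoso.com/Microsoft-Server-ActiveSync"
} else {
    $owaUrl = $null
    $easUrl = $null
}
Set-OwaVirtualDirectory -Identity "$second\owa (Default Web Site)" -ExternalUrl $owaUrl
Set-ActiveSyncVirtualDirectory -Identity "$second\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl $easUrl

# Authentication changes on IIS virtual directories take effect after an IIS
# restart on the server that was changed (run locally on each CAS):  iisreset /noforce

# Check: the columns proxying and redirection depend on, for both servers.
foreach ($srv in $first, $second) {
    Get-OwaVirtualDirectory -Server $srv | Where-Object { $_.Name -like "owa*" } |
        Select-Object Server, Name, WindowsAuthentication, BasicAuthentication, FormsAuthentication, ExternalUrl
    Get-ActiveSyncVirtualDirectory -Server $srv |
        Select-Object Server, Name, WindowsAuthEnabled, BasicAuthEnabled, ExternalUrl
}

# On the First CAS, the post says each ActiveSync redirection is logged as
# Application event ID 1008; a quick look at the most recent entries:
Get-EventLog -LogName Application -Newest 200 | Where-Object { $_.EventID -eq 1008 } |
    Select-Object TimeGenerated, Source, Message
```

The Exchange 2003 back-end step stays in Exchange System Manager, as the post describes; there is no Exchange 2007 cmdlet for it. Leaving the Second CAS's ExternalUrl empty in the proxying scenario is deliberate: if it is set, the First CAS will redirect rather than proxy, and ActiveSync devices that can only reach the First CAS will start receiving 451 responses.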

In the next two blog posts on the subject, I will cover how Exchange 2007 CAS proxying works for ActiveSync and OWA clients.

Additional reading on the subject

Microsoft Exchange Server 2007 Product Documentation

http://technet.microsoft.com/en-us/library/bb124558.aspx

How to enable SSL for all customers who interact with your Web site in Internet Information Services

http://support.microsoft.com/kb/298805/en-us

How to Use Certificates with Virtual Servers in Exchange Server 2003

http://support.microsoft.com/kb/823024/en-us

Understanding Proxying and Redirection

http://technet.microsoft.com/en-us/library/bb310763.aspx

The proxy request has failed to authenticate

http://technet.microsoft.com/en-us/library/bb217371.aspx

- Vandy Rodrigues

Updated Jul 01, 2019
Version 2.0

28 Comments

  • Anonymous
    Hi Everyone,

    It just so happens that Vandy is out on vacation so I was asked to stop by and address some of the questions popping up about the post.

    CAS server in DMZ

    It can work but don't do it. But don't take my word for it, here's a quote from the PM for Front End Server:

    Rahul Dhar said:

    Hi Andrew,

    You should NOT put CAS in the DMZ. It's not a scenario we test, support, or recommend. CAS isn't designed to live there. ISA is designed to work in the DMZ. You can put ISA there, and have it connect to the CAS in your internal network.

    You can read the entire entry here:

    http://msexchangeteam.com/archive/2007/02/07/434523.aspx

    Jice and Craig

    You are both right, that image isn't very clear on what is happening. A CAS server will connect directly to the mailbox server on behalf of the user. A CAS server may 'proxy' this request to another CAS server in the local site of the mailbox server but in the case of Exchange 2003 it goes right for it.

    In regards to the ISA question, if I understand you correctly, you are asking if ISA is able to determine a site 'affinity' and redirect clients to the appropriate CAS server. To my knowledge, no. ISA will publish the CAS server and the CAS server will handle that. I'm sure we'll hear all about it if I'm wrong so stay tuned for any updates on that one and please correct me if I'm not understanding your question.

    Elan

    If I follow you correctly, yes you appear to understand how this works. I'm sure you have read plenty of blogs and technet articles already but this may help if you don't mind me dropping down a few links:

    How to Configure Exchange Services for the Autodiscover Service
    http://technet.microsoft.com/en-us/library/bb201695.aspx

    White Paper: Exchange 2007 Autodiscover Service
    http://technet.microsoft.com/en-us/library/bb332063.aspx

    Of course this leads to the certificates can of worms:

    Exchange 2007 Autodiscover and certificates
    http://msexchangeteam.com/archive/2007/04/30/438249.aspx

    and this is one of the best articles ever written in the history of mankind. The authors of this are clearly brilliant and good looking:

    More on Exchange 2007 and certificates - with real world scenarios
    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

  • Anonymous
    There is an inconsistency between text and picture. The text says FirstCAS proxies the request straight to the remote backend E2k3 server but the picture shows it proxying to the remote frontend server.
  • Anonymous
    Thanks for this article. One thing I'd like to request is how Autodiscover works in this situation as well. Based on what I have read, I believe it works in the following way. You should have autodiscover.domain.com point to your Internet facing CAS. So let's say you have two sites, one in Europe and one in US. If a user who is external in Europe contacts the internet facing CAS in USA and hits the autodiscover, it should be presented with the External URLs. The Autodiscover should present the external URLs for the Internet facing CAS server who will then do Proxying or Re-Direction depending on if your Europe CAS has externalURL configured. Am I correct in my assumption?
  • Anonymous
    Hello,

    I have two questions:
    - on the illustration of the scenario with ex2k7 and ex2k3, it seems that http requests for user2 are sent to the FE and not to the BE, is that normal?
    - the internet CAS redirection works only when the CAS can be reached from the internet; does a method exist to do the same thing automatically with ISA Server 2006?

    Thx
  • Anonymous
    The Microsoft Exchange Team (in this case Vandy Rodrigues) has posted a detailed Technical Article on the considerations for the Client Access Server Role. Specifically, this article is of interest for Organizations with multiple Active Directory Sites and who intend to place Client Access Servers at local AD Sites.
  • Anonymous
    We haven't had a FE in the DMZ since Exchange 2000, and it was an absolute pain in the neck to support. It talked over IPSec to the backend server and a couple pre-defined GCs. It was a very happy day when ISA went into the DMZ and the Exchange 2003 FE was brought up on the internal network instead. Sooooo much easier to administer, and more fail-safe not having to tell the box it can only use a couple GCs with IPSec. :)
  • Anonymous
    Ditto Tom's comment above - what's the best way to put the CAS server in the DMZ (outside of the domain)? As far as I can see, edge servers do not support forwarding CAS requests.
  • Anonymous
    So, does this mean you can put a CAS server in your DMZ ala Exchange2k3 FE/BE scenarios?
    Or is this not supported by MSFT?

    Good article.
    Great site.
    Thanks