Forum Discussion
Exchange 2013 Hybrid with Reverse Proxy
- May 16, 2019
That should work, but the Edge Transport server can only create an Edge Subscription to an Exchange 2013 server running the Mailbox role, so you'll likely have to install the CAS and MBX roles on the Exchange server in Tier 2 to create the subscription; the Tier 2 server can then route mail to/from the Tier 3 Exchange servers. Although I would recommend going with Exchange 2016 if possible.
I'm assuming Tier 1 is a DMZ, Tier 2 and Tier 3 are internal networks that are allowed to communicate with each other via any/any rules, why not put Exchange in the Tier 2 network so all the Exchange servers can communicate with one another?
Danny Pastuszynski Thanks Danny! The plan is to move the Hybrid CAS, which also has the Mailbox role, to Tier 2. The Reverse Proxy and Edge Transport shall be deployed in Tier 1 (which is like a DMZ).
I would like to validate that this proposed design option shall remediate the issues with Autodiscover publishing and mail flow routing without exposing the internal mailbox servers.
One last query I have is this: do we just use IIS ARR as the reverse proxy to establish hybrid connectivity to Office 365? As per this TechNet post https://blogs.technet.microsoft.com/exchange/2013/10/16/part-4-iis-arr-as-a-reverse-proxy-and-load-balancing-solution-for-o365-exchange-online-in-a-hybrid-configuration/, it seems that IIS ARR also needs ADFS to establish hybrid connectivity, but I think this is no longer a requirement since we are using AADC with PTA to provide single sign-on authentication. Do you see that IIS ARR alone can fulfill this requirement to establish hybrid connectivity?
- Danny Pastuszynski, May 16, 2019, Former Employee
Divya C Yes, you can use IIS ARR for the reverse proxy just as that article states. Hybrid auth isn't my specialty, but you don't need ADFS for SSO; AADC can provide this now (that article was published before AADC even came out). You can see here that you can use AADC or ADFS for SSO: SSO options
Hope that helps!
- Divya C, May 16, 2019, Copper Contributor
Danny Pastuszynski Appreciate you clarifying my queries! Thanks a lot!
- Divya C, Jun 23, 2019, Copper Contributor
Hello Danny Pastuszynski,
Happy to share that this design has proven to work; I have successfully deployed it in production. The Hybrid CAS server is behind IIS ARR, which handles the external EWS/Autodiscover requests, and Edge Transport handles the mail flow in Tier 1.
Thank you!
Regards,
Divya