SOLVED

Exchange 2013 Hybrid with Reverse Proxy

%3CLINGO-SUB%20id%3D%22lingo-sub-562344%22%20slang%3D%22en-US%22%3EExchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-562344%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20customer%20is%20having%20a%203-Tier%20architecture%20of%20Exchange%202013%20infrastructure%20as%20below%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETier%201%20-%20SMTP%20Gateways%2C%20Hybrid%20CAS%20server%3C%2FP%3E%3CP%3ETier%202%20-%20All%20CAS%20servers%3C%2FP%3E%3CP%3ETier%203%20-%26nbsp%3B%20All%20Mailbox%20servers%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECustomer%20is%20planning%20to%20implement%20Exchange%202013%20Hybrid%20to%20migrate%20mailboxes%20from%20on-premise%20to%20Office%20365.%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20current%20problem%20is%20that%20Ex2013%20Hybrid%20CAS%20server%20cannot%20be%20hosted%20in%20Tier%201%20as%20they%20cannot%20provide%20Any-Any%20access%20from%20Tier%201%20to%20Tier%203%20mailbox%20servers%20which%20is%20resulting%20in%20email%20queues%20on%20Hybrid%20server.%20Alternative%20solution%20is%20to%20move%20Hybrid%20CAS%20server%20to%20Tier%202%20which%20will%20have%20any-any%20access%20to%20Tier%203%20mailbox%20servers%2C%20then%20publish%20EWS%20and%20Autodiscover%20URLs%20using%20Reverse%20Proxy%2FWeb%20Publisher%20appliances%20hosted%20in%20Tier%201.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20centralized%20email%20routing%2C%20solution%20is%20to%20install%20Edge%20Transport%20server%20in%20Tier%201%20and%20create%20connectors%20between%20Edge%20Transport%20and%20Hybrid%20CAS.%20All%20internal%20emails%20to%2Ffrom%20O365%20will%20follow%20the%20path%20as%20%22Edge%20Transport%20%26lt%3B--%26gt%3B%20Hybrid%20CAS%20%26lt%3B--%26gt%3B%20Tier3%20Mailbox%20servers%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20above%20solution%20achievable%2C%20appreciate%20expert%20advise%20on%20the%20above%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-562344%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-579483%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-579483%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20should%20work%2C%20but%20the%20Edge%20Transport%20server%20can%20only%20create%20an%20edge%20subscription%20to%20an%20Exchange%202013%20server%20running%20the%20Mailbox%20role%2C%20so%20you'll%20likely%20have%20to%20install%20the%20CAS%20and%20MBX%20role%20to%20the%20Exchange%20Server%20in%20Tier%202%20to%20create%20the%20subscription%2C%20which%20the%20Tier%202%20server%20can%20route%20mail%20to%2Ffrom%20the%20Tier%203%20Exchange%20servers.%26nbsp%3B%20Although%20I%20would%20recommend%20going%20with%20Exchange%202016%20if%20possible.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI'm%20assuming%20Tier%201%20is%20a%20DMZ%2C%20Tier%202%20and%20Tier%203%20are%20internal%20networks%20that%20are%20allowed%20to%20communicate%20with%20each%20other%20via%20any%2Fany%20rules%2C%20why%20not%20put%20Exchange%20in%20the%20Tier%202%20network%20so%20all%20the%20Exchange%20servers%20can%20communicate%20with%20one%20another%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-579539%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-579539%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F208785%22%20target%3D%22_blank%22%3E%40Danny%20Pastuszynski%3C%2FA%3EThanks%20Danny!%20The%20plan%20is%20to%20move%20Hybrid%20CAS%20which%20is%20also%20having%20mailbox%20role%20to%20Tier%202.%20The%20Reverse%20Proxy%20and%20Edge%20Transport%20shall%20be%20deployed%20in%20Tier%201%20(which%20is%20like%20a%20DMZ).%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20validate%20that%20this%20proposed%20design%20option%20shall%20remediate%20the%20issues%20with%20Autodiscover%20publishing%20and%20mail%20flow%20routing%20without%20exposing%20the%20internal%20mailbox%20servers.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20last%20query%20I%20have%20is%20that%20-%20do%20we%20just%20use%20IIS%20ARR%20as%20reverse%20proxy%20to%20establish%20hybrid%20connectivity%20to%20Office%20365.%20As%20per%20this%20TechNet%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fblogs.technet.microsoft.com%252Fexchange%252F2013%252F10%252F16%252Fpart-4-iis-arr-as-a-reverse-proxy-and-load-balancing-solution-for-o365-exchange-online-in-a-hybrid-configuration%252F%26amp%3Bdata%3D02%257C01%257Csuresh.menon%2540microsoft.com%257C547c49382e744716558908d6d9dfeec3%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636935953211366428%26amp%3Bsdata%3Dbq1p6I0lr9yW%252Fie%252BTVSh5HlUxi%252F4UIYjzNOoscKWU%252B8%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Earticle%3C%2FA%3E%2C%20it%20seems%20that%20IIS%20ARR%20also%20need%20ADFS%20to%20establish%20hybrid%20connectivity%2C%20but%20I%20think%20this%20is%20no%20longer%20a%20requirement%20since%20we%20are%20using%20AADC%20with%20PTA%20to%20provide%20single%20sign%20on%20authentication.%20Do%20you%20see%20that%20IIS%20ARR%20alone%20can%20fulfill%20this%20requirement%20to%20establish%20hybrid%20connectivity%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-579581%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-579581%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F110122%22%20target%3D%22_blank%22%3E%40Divya%20C%3C%2FA%3E%26nbsp%3BYes%20you%20can%20use%20IIS%20ARR%20for%20the%20reverse%20proxy%20just%20as%20that%20article%20states.%26nbsp%3B%20Hybrid%20auth%20isn't%20my%20specialty%2C%20but%20you%20don't%20need%20ADFS%20for%20SSO%2C%20AADC%20can%20provide%20this%20now%20(that%20article%20was%20published%20before%20AADC%20even%20came%20out).%26nbsp%3B%20You%20can%20see%20here%20you%20can%20use%20AADC%20or%20ADFS%20for%20SSO%3A%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity%2Fazure-ad-choose-authn%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESSO%20options%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-579772%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-579772%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F208785%22%20target%3D%22_blank%22%3E%40Danny%20Pastuszynski%3C%2FA%3EAppreciate%20it%20for%20clarifying%20my%20queries%20!%20Thanks%20a%20lot!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-715992%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-715992%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Danny%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHappy%20to%20share%20that%20this%20design%20is%20proven%20to%20be%20working%2C%20have%20successfully%20deployed%20it%20in%20production.%20The%20Hybrid%20CAS%20server%20is%20behind%20IIS%20ARR%20which%20handles%20the%20external%20EWS%2FAutodiscover%20requests%20and%20Edge%20Transport%20handles%20the%20mail%20flow%20in%20Tier%201.%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EDivya%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F110122%22%20target%3D%22_blank%22%3E%40Divya%20C%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-716006%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%202013%20Hybrid%20with%20Reverse%20Proxy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-716006%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F208785%22%20target%3D%22_blank%22%3E%40Danny%20Pastuszynski%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHappy%20to%20share%20that%20this%20design%20is%20proven%20to%20be%20working%2C%20have%20successfully%20deployed%20it%20in%20production.%20The%20Hybrid%20CAS%20server%20is%20behind%20IIS%20ARR%20which%20handles%20the%20external%20EWS%2FAutodiscover%20requests%20and%20Edge%20Transport%20handles%20the%20mail%20flow%20in%20Tier%201.%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EDivya%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F110122%22%20target%3D%22_blank%22%3E%40Divya%20C%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi team,

 

My customer is having a 3-Tier architecture of Exchange 2013 infrastructure as below:

 

Tier 1 - SMTP Gateways, Hybrid CAS server

Tier 2 - All CAS servers

Tier 3 -  All Mailbox servers

 

Customer is planning to implement Exchange 2013 Hybrid to migrate mailboxes from on-premise to Office 365. 

The current problem is that Ex2013 Hybrid CAS server cannot be hosted in Tier 1 as they cannot provide Any-Any access from Tier 1 to Tier 3 mailbox servers which is resulting in email queues on Hybrid server. Alternative solution is to move Hybrid CAS server to Tier 2 which will have any-any access to Tier 3 mailbox servers, then publish EWS and Autodiscover URLs using Reverse Proxy/Web Publisher appliances hosted in Tier 1.

 

For centralized email routing, solution is to install Edge Transport server in Tier 1 and create connectors between Edge Transport and Hybrid CAS. All internal emails to/from O365 will follow the path as "Edge Transport <--> Hybrid CAS <--> Tier3 Mailbox servers"

 

Is the above solution achievable, appreciate expert advise on the above scenario.

 

5 Replies
Highlighted

That should work, but the Edge Transport server can only create an edge subscription to an Exchange 2013 server running the Mailbox role, so you'll likely have to install the CAS and MBX role to the Exchange Server in Tier 2 to create the subscription, which the Tier 2 server can route mail to/from the Tier 3 Exchange servers.  Although I would recommend going with Exchange 2016 if possible.

 

I'm assuming Tier 1 is a DMZ, Tier 2 and Tier 3 are internal networks that are allowed to communicate with each other via any/any rules, why not put Exchange in the Tier 2 network so all the Exchange servers can communicate with one another?

Highlighted

@Danny PastuszynskiThanks Danny! The plan is to move Hybrid CAS which is also having mailbox role to Tier 2. The Reverse Proxy and Edge Transport shall be deployed in Tier 1 (which is like a DMZ). 

I would like to validate that this proposed design option shall remediate the issues with Autodiscover publishing and mail flow routing without exposing the internal mailbox servers. 

 

One last query I have is that - do we just use IIS ARR as reverse proxy to establish hybrid connectivity to Office 365. As per this TechNet article, it seems that IIS ARR also need ADFS to establish hybrid connectivity, but I think this is no longer a requirement since we are using AADC with PTA to provide single sign on authentication. Do you see that IIS ARR alone can fulfill this requirement to establish hybrid connectivity?

 

 

Highlighted
Best Response confirmed by Divya C (Occasional Contributor)
Solution

@Divya C Yes you can use IIS ARR for the reverse proxy just as that article states.  Hybrid auth isn't my specialty, but you don't need ADFS for SSO, AADC can provide this now (that article was published before AADC even came out).  You can see here you can use AADC or ADFS for SSO:  SSO options

Hope that helps!

Highlighted

@Danny PastuszynskiAppreciate it for clarifying my queries ! Thanks a lot!

 

Highlighted

Hello @Danny Pastuszynski ,

 

Happy to share that this design is proven to be working, have successfully deployed it in production. The Hybrid CAS server is behind IIS ARR which handles the external EWS/Autodiscover requests and Edge Transport handles the mail flow in Tier 1. 

Thank you!

 

Regards,

Divya 

@Divya C