05-12-2019 11:07 PM
05-12-2019 11:07 PM
My customer is having a 3-Tier architecture of Exchange 2013 infrastructure as below:
Tier 1 - SMTP Gateways, Hybrid CAS server
Tier 2 - All CAS servers
Tier 3 - All Mailbox servers
Customer is planning to implement Exchange 2013 Hybrid to migrate mailboxes from on-premise to Office 365.
The current problem is that Ex2013 Hybrid CAS server cannot be hosted in Tier 1 as they cannot provide Any-Any access from Tier 1 to Tier 3 mailbox servers which is resulting in email queues on Hybrid server. Alternative solution is to move Hybrid CAS server to Tier 2 which will have any-any access to Tier 3 mailbox servers, then publish EWS and Autodiscover URLs using Reverse Proxy/Web Publisher appliances hosted in Tier 1.
For centralized email routing, solution is to install Edge Transport server in Tier 1 and create connectors between Edge Transport and Hybrid CAS. All internal emails to/from O365 will follow the path as "Edge Transport <--> Hybrid CAS <--> Tier3 Mailbox servers"
Is the above solution achievable, appreciate expert advise on the above scenario.
05-16-2019 06:42 PM
That should work, but the Edge Transport server can only create an edge subscription to an Exchange 2013 server running the Mailbox role, so you'll likely have to install the CAS and MBX role to the Exchange Server in Tier 2 to create the subscription, which the Tier 2 server can route mail to/from the Tier 3 Exchange servers. Although I would recommend going with Exchange 2016 if possible.
I'm assuming Tier 1 is a DMZ, Tier 2 and Tier 3 are internal networks that are allowed to communicate with each other via any/any rules, why not put Exchange in the Tier 2 network so all the Exchange servers can communicate with one another?
05-16-2019 07:50 PM - edited 05-16-2019 07:52 PM
@Danny PastuszynskiThanks Danny! The plan is to move Hybrid CAS which is also having mailbox role to Tier 2. The Reverse Proxy and Edge Transport shall be deployed in Tier 1 (which is like a DMZ).
I would like to validate that this proposed design option shall remediate the issues with Autodiscover publishing and mail flow routing without exposing the internal mailbox servers.
One last query I have is that - do we just use IIS ARR as reverse proxy to establish hybrid connectivity to Office 365. As per this TechNet article, it seems that IIS ARR also need ADFS to establish hybrid connectivity, but I think this is no longer a requirement since we are using AADC with PTA to provide single sign on authentication. Do you see that IIS ARR alone can fulfill this requirement to establish hybrid connectivity?
05-16-2019 08:32 PMSolution
@Divya C Yes you can use IIS ARR for the reverse proxy just as that article states. Hybrid auth isn't my specialty, but you don't need ADFS for SSO, AADC can provide this now (that article was published before AADC even came out). You can see here you can use AADC or ADFS for SSO: SSO options
Hope that helps!
06-23-2019 10:54 PM - edited 06-23-2019 10:56 PM
Hello @Danny Pastuszynski ,
Happy to share that this design is proven to be working, have successfully deployed it in production. The Hybrid CAS server is behind IIS ARR which handles the external EWS/Autodiscover requests and Edge Transport handles the mail flow in Tier 1.