Understanding Client Access Protocol Connectivity Flow – Microsoft Exchange Server 2013

Autodiscover (External Clients) – Exchange 2010 coexistence with Exchange 2013  

An Exchange 2010 client queries internet DNS for autodiscover.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which then proxies the request to the 2010 CAS server. CAS 2010 then handles the request, generates the autodiscover.xml response and sends it back to the client.

An Exchange 2010 client (non-internet-facing site) queries internet DNS for autodiscover.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which proxies the request to the 2010 CAS server in the non-internet-facing site. That CAS 2010 server then handles the request, generates the autodiscover.xml response and sends it back to the client.

Autodiscover - 2010-2013

Autodiscover (External Clients) – Exchange 2007 coexistence with Exchange 2013 

An Exchange 2007 client queries internet DNS for autodiscover.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which redirects the request to the 2013 Mailbox server (internet-facing site). The 2013 Mailbox server then handles the request, generates the Exchange 2007 autodiscover.xml response and sends it back to the client.

An Exchange 2007 client (non-internet-facing site) queries internet DNS for autodiscover.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which proxies the request to the 2013 Mailbox server. The 2013 Mailbox server then handles the request, generates the Exchange 2007 autodiscover.xml response and sends it back to the client.

Autodiscover - 2007-2013

Autodiscover (Internal Clients) – Exchange 2010 coexistence with Exchange 2013 

An Exchange 2010 client (internet-facing site) queries internal DNS for the service connection point object, which is autodiscover.contoso.com, and connects to the Exchange 2013 CAS server, which proxies the request to the 2010 CAS server.

In this case, regardless of whether the mailbox is hosted on an Exchange 2010 Mailbox server in site A or in site B, CAS 2013 proxies the request to CAS 2010. CAS 2010 then handles the request, generates the autodiscover.xml response and sends it back to the client.

Autodiscover Internal 2010-2013

Autodiscover (Internal Clients) – Exchange 2007 coexistence with Exchange 2013 

An Exchange 2007 client (internet-facing site) queries internal DNS for the service connection point object, which is autodiscover.contoso.com, and connects to the Exchange 2013 CAS server, which proxies the request to the 2013 Mailbox server.

In this case, regardless of whether the mailbox is hosted on an Exchange 2007 Mailbox server in site A or in site B, CAS 2013 proxies the request to the 2013 Mailbox server. The 2013 Mailbox server then handles the request, generates the Exchange 2007 autodiscover.xml response and sends it back to the client.

Autodiscover Internal 2007-2013

Outlook Anywhere – Exchange 2007 & 2010 coexistence with Exchange 2013 

Exchange 2007/2010/2013 – mail.contoso.com (internet facing site)

An Exchange 2007/2010 client queries internet DNS for mail.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which redirects the request to either the 2007 or the 2010 CAS server (internet-facing site) based on the mailbox version.

A client queries internet DNS for mail.contoso.com and connects to the Exchange 2013 CAS server in the internet-facing site, which redirects the request to either the 2007 or the 2010 CAS server (non-internet-facing site).

What is important here is to enable Outlook Anywhere (OA) on all Exchange 2007/2010 CAS servers, with NTLM authentication enabled, so that the OA request can be proxied to its endpoint in the other site as well. The FQDN must also be the same for Exchange 2013/2010/2007 OA, because the server responds to the client with that URL.

OA 2007-2010-2013
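
The Outlook Anywhere requirement above can be checked before the namespace is moved to Exchange 2013. The script below is an added example, not part of the original post; it assumes it is run in the Exchange Management Shell and that mail.contoso.com is the shared OA FQDN used in this article.

```powershell
# Added example: audit Outlook Anywhere on legacy (2007/2010) CAS servers.
# Assumption: mail.contoso.com is the common OA FQDN, as in the article.
$ExpectedHost = 'mail.contoso.com'

# "Version 8*" is Exchange 2007, "Version 14*" is Exchange 2010.
$legacyCas = Get-ExchangeServer | Where-Object {
    ($_.ServerRole -like '*ClientAccess*') -and
    ($_.AdminDisplayVersion -like 'Version 8*' -or $_.AdminDisplayVersion -like 'Version 14*')
}

$report = foreach ($server in $legacyCas) {
    $oa = Get-OutlookAnywhere -Server $server.Name -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $iisAuth  = @()
    $hostname = ''
    $findings = @()

    if (-not $oa) {
        # Exchange 2007/2010 return no object when OA has not been enabled.
        $findings += 'Outlook Anywhere not enabled'
    } else {
        $iisAuth  = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
        $hostname = "$($oa.ExternalHostname)"
        if ($iisAuth -notcontains 'Ntlm') {
            $findings += 'NTLM missing from IIS authentication methods'
        }
        if ($hostname -ne $ExpectedHost) {
            $findings += "ExternalHostname is not $ExpectedHost"
        }
    }

    New-Object PSObject -Property @{
        Server           = $server.Name
        Version          = "$($server.AdminDisplayVersion)"
        ExternalHostname = $hostname
        IISAuth          = ($iisAuth -join ',')
        Findings         = ($findings -join '; ')
    }
}

# An empty Findings column means the server meets both requirements.
$report | Sort-Object Server |
    Format-Table Server, Version, ExternalHostname, IISAuth, Findings -AutoSize
```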

Outlook Web App – Exchange 2007 coexistence with Exchange 2013 – CAS Redirection / Different Namespace

  • Exchange 2013 – mail.contoso.com (Internet facing site A)
  • Exchange 2007 – legacy.mail.contoso.com (Internet facing site A)
  • Exchange 2007 – Europe.mail.contoso.com (Internet facing site B)

An Exchange 2007 client (site A, legacy.mail.contoso.com) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page. After the credentials are entered, based on the mailbox version the request is redirected to the Exchange 2007 CAS server (internet-facing site), which prompts with another OWA logon page, so the user authenticates twice. This was the behaviour until Exchange 2013 CU1, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) takes place, so the OWA logon page is displayed to the end user only once.

An Exchange 2007 client (site B, legacy.mail.contoso.com users) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page. After the credentials are entered, based on the mailbox version the request is redirected to the Exchange 2007 CAS server (internet-facing site A), which prompts with another OWA logon page, so the user authenticates twice. This was the behaviour until Exchange 2013 RTM, when silent redirection was not yet implemented. Further, since the client is in site B, the Exchange 2007 CAS server in internet-facing site A proxies the cross-site request to the Exchange 2007 CAS server in site B.

With Exchange 2013 CU2, silent redirection (single sign-on) takes place, so the OWA logon page is displayed to the end user only once.

An Exchange 2007 client (site B, Europe.mail.contoso.com) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page. After the credentials are entered, based on the mailbox version the request is redirected to the Exchange 2007 CAS server (Europe.mail.contoso.com, internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice. This was the behaviour until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) takes place, so the OWA logon page is displayed to the end user only once.

OWA 2007-2013

Outlook Web App – Exchange 2010 coexistence with Exchange 2013 

A client connects to the FQDN mail.contoso.com, which reaches the Exchange 2013 CAS server OWA logon page. After the credentials are entered, based on the mailbox version the request is proxied to the Exchange 2010 CAS server (internet-facing site).

A client (non-internet-facing site B) connects to the FQDN mail.contoso.com, which reaches the OWA logon page of the Exchange 2013 CAS server in the internet-facing site. After the credentials are entered, based on the mailbox version the request is proxied cross-site to the Exchange 2010 CAS server (non-internet-facing site).

Outlook Web App – Exchange 2010 coexistence with Exchange 2013 – CAS Redirection / Different Namespace

  • Exchange 2010 – Europe.mail.contoso.com (Internet facing site B)
  • Exchange 2013 – mail.contoso.com (Internet facing site A)

An Exchange 2010 client uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page. After the credentials are entered, based on the mailbox version the request is redirected to the Exchange 2010 CAS server (internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice. This was the behaviour until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) takes place, so the OWA logon page is displayed to the end user only once.

OWA 2010-2013

Outlook Web App – Exchange 2013 Only – CAS Redirection / Different Namespace

  • Exchange 2013 – mail.contoso.com (Internet facing Site A)
  • Exchange 2013 – Europe.mail.contoso.com (Internet facing Site B)

A client (site B, Europe.mail.contoso.com users) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page in site A. After the credentials are entered, based on the mailbox version the request is redirected to the Exchange 2013 CAS server (internet-facing site B), which prompts with another OWA logon page, so the user authenticates twice. This was the behaviour until Exchange 2013 RTM, when silent redirection was not yet implemented.

With Exchange 2013 CU2, silent redirection (single sign-on) takes place, so the OWA logon page is displayed to the end user only once.

OWA Different URL 2013

Outlook Web App – Exchange 2013 Only – CAS Proxies / Same Namespace

  • Exchange 2013 – mail.contoso.com (Internet facing Site A)
  • Exchange 2013 – mail.contoso.com (Internet facing Site B)

A client (site B, Europe.mail.contoso.com users) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server OWA logon page in site A. After the credentials are entered, based on the mailbox version the request is redirected directly to the Exchange 2013 Mailbox server in site B. This overcomes the loop scenario that occurs with Exchange 2007 or 2010 because of the same external URL namespace.

OWA Same URL 2013

Active Sync – Exchange 2007 coexistence with Exchange 2013

  • Exchange 2013 – mail.contoso.com (internet facing site A)
  • Exchange 2007 – europe.mail.contoso.com (Internet facing site B)

A client (internet-facing site A) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server, which proxies the request to the 2013 Mailbox server. The 2013 Mailbox server then proxies the request to the Exchange 2007 CAS server – MBX server.

A client (non-internet-facing site B, mail.contoso.com users) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (internet-facing site B), which proxies the request to the 2013 Mailbox server. The 2013 Mailbox server then proxies the request to the Exchange 2007 CAS server – MBX server.

A client (internet-facing site B users, Europe.mail.contoso.com) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (internet-facing site A), which proxies the request to the 2013 Mailbox server. The 2013 Mailbox server then proxies the request cross-site to the Exchange 2007 CAS server – MBX server in site B.

If your Exchange 2007 users are moved from site B (Europe.mail.contoso.com) to the mail.contoso.com Exchange 2013 server, the profile might have to be reconfigured, because the HTTP redirect 451 comes into play in this scenario.

EAS 2007-2013

Active Sync – Exchange 2010 coexistence with Exchange 2013

  • Exchange 2013 – mail.contoso.com (internet facing site A)
  • Exchange 2010 – europe.mail.contoso.com (Internet facing site B)

A client (internet-facing site A) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server, which proxies the request to the 2010 CAS server.

A client (non-internet-facing site B) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (internet-facing site B), which proxies the request cross-site to the 2010 CAS server in site B.

A client (internet-facing site B users, Europe.mail.contoso.com) queries DNS for the FQDN mail.contoso.com and connects to the Exchange 2013 CAS server (internet-facing site B), which proxies the request cross-site to the 2010 CAS server in site B. (Remember the HTTP redirect code 451: it no longer exists here; instead the request is proxied with multiple namespaces.)

EAS 2010-2013

Web Services – Exchange 2007 coexistence with Exchange 2013

  • Exchange 2007 – legacy.mail.contoso.com (Internet facing site A)
  • Exchange 2007 – Europe.mail.contoso.com (Internet facing site B)
  • Exchange 2013 – mail.contoso.com (Internet facing site A)

Autodiscover is responsible for giving the client its web services URL. When an Exchange 2007 client (site A) connects to autodiscover.contoso.com, it queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server (site A, legacy.mail.contoso.com users).

When an Exchange 2007 client (site B, legacy.mail.contoso.com users) connects to autodiscover.contoso.com, it queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server (site A, legacy.mail.contoso.com users). The site A CAS server then proxies the request to the Exchange 2007 CAS server in site B.

When an Exchange 2007 client (site B, legacy.mail.contoso.com users) connects to autodiscover.contoso.com, it queries Autodiscover for the right CAS server URL based on the mailbox version, and the user then connects directly to the Exchange 2007 CAS server (site B, europe.mail.contoso.com users).

For web services, Autodiscover is what gives the client the right URL and the right direction.

Web 2007-2013

Web Services – Exchange 2010 coexistence with Exchange 2013

  • Exchange 2010 – Europe.mail.contoso.com (Internet facing site B)
  • Exchange 2013 – mail.contoso.com (Internet facing site A)

An Exchange 2010 client (site A, mail.contoso.com users) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server. Based on the mailbox version, the request is then redirected to the Exchange 2010 CAS server (internet-facing site).

An Exchange 2010 client (site B, europe.mail.contoso.com users) uses the FQDN mail.contoso.com, which connects to the Exchange 2013 CAS server. Based on the mailbox version, the request is then sent cross-site to the Exchange 2010 CAS server (internet-facing site B).

For web services, Autodiscover is what gives the client the right URL and the right direction.

Web 2010-2013
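
Because clients follow whatever web services URL Autodiscover returns, it is worth checking a response against the namespaces listed in the two Web Services sections above. The following is an added example, not code from the original post: the XML is a constructed sample response (including a deliberately wrong internal URL), and Test-AutodiscoverUrl is a hypothetical helper name.

```powershell
# Constructed sample Autodiscover response, not captured traffic.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.contoso.com</Server>
        <EwsUrl>https://legacy.mail.contoso.com/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>http://cas07.contoso.local/EWS/Exchange.asmx</OOFUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

# Hypothetical helper: lists every *Url setting per protocol and flags
# hosts outside the approved namespaces or URLs that are not HTTPS.
function Test-AutodiscoverUrl {
    param([string]$Xml, [string[]]$AllowedHosts)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('o',
        'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a')
    foreach ($proto in $doc.SelectNodes('//o:Protocol', $ns)) {
        $type = $proto.SelectSingleNode('o:Type', $ns).InnerText
        foreach ($node in $proto.ChildNodes) {
            if ($node.LocalName -notlike '*Url') { continue }
            $uri = [uri]($node.InnerText)
            New-Object PSObject -Property @{
                Protocol = $type
                Setting  = $node.LocalName
                UrlHost  = $uri.Host
                Https    = ($uri.Scheme -eq 'https')
                Allowed  = ($AllowedHosts -contains $uri.Host)
            }
        }
    }
}

# Namespaces taken from the article's Web Services sections.
$namespaces = 'mail.contoso.com', 'legacy.mail.contoso.com', 'europe.mail.contoso.com'
Test-AutodiscoverUrl -Xml $sample -AllowedHosts $namespaces |
    Format-Table Protocol, Setting, UrlHost, Https, Allowed -AutoSize
```

In the constructed sample the OOFUrl row is reported with Https and Allowed both False, which is the kind of leftover internal URL that breaks external clients after a namespace change.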

Inspired by Greg Taylor's presentation on CAS 2013, I thought it would be interesting to blog about the same. You can check his presentation @TechEd Session


7 Responses to Understanding Client Access Protocol Connectivity Flow – Microsoft Exchange Server 2013

  1. Pingback: If You’re Touched By The Words Of This Song – Tum Hi Hon, Microsoft Exchange Server 2013 | Expert's of Symantec, Microsoft & Citrix Technologies….!

  2. What about the following environment: 2010 Servers: 2 CAS (CAS-A, CAS-B), 2 MBX, 2013 Server: 1 CAS/MBX Server. Here is the deal: our 2010 CAS servers have different layouts and users access the correct CAS server based on their principal SMTP address. The problem is: now with the 2013 server, clients from the 2010 version are sometimes redirected by the OWA 2013 to the wrong CAS 2010 server, logging in to the different layout of OWA. How can I control the OWA 2013 redirection? Can I tell it to only redirect users with a specific SMTP address to a specific CAS 2010 server? Best Regards

  3. I believe your environment has coexistence of both Exchange 2010/2013 in the same site.
    All your 2010 users are pointed to use the 2013 external URL, like mail.domain.com.
    When 2010 users hit the 2013 CAS servers, it authenticates, validates and proxies to 2010 CAS, as the mailboxes are in 2010.

    To my knowledge it should proxy to any available CAS 2010 in the same site, and if I understood correctly you want 2013 CAS to proxy requests to a specific 2010 CAS server (if there is more than one). Why would you want to do that?

    • Yes Charles, you're totally correct, that's what's happening here!!

      I want to do that because each 2010 CAS server has a customized OWA page (we have different organizations that use the same Exchange and network infrastructure) and I want to prevent users from a specific database from seeing the wrong customized OWA page. For example, I have 3 databases:

      DB01 – 2010 (they use the OWA customized page A)
      DB02 – 2010 (they use the OWA customized page B)
      DB03 – 2010 (will migrate to 2013 and will use a new version of OWA (let's call it C), that will use the same address as OWA B)

      According to my tests, the migrated users have no problem, since they will use the new OWA of 2013 (OWA C). The users of DB01 also have no problems, since they use the specific address of OWA A, but the users from DB02 have no choice: when they log on, sometimes Exchange 2013 shows them the interface of OWA B and sometimes OWA A (which loads an interface that has nothing to do with their business).

      I found the command “Set-MailboxDatabase "Database Name" -RpcClientAccessServer EX2010-1.domain.local”, but this works only for internal use (Outlook over RPC), I guess because it's for RPC only…

  4. Yes, that is for MAPI users; you can set individual CAS servers as RpcClientAccessServer, but OWA works differently.

    I have never seen the scenario you are looking for; maybe it makes sense because of the customization you've got, but on the other side I see a single point of failure if CAS 2013 proxies to the dedicated 2010 CAS server (and for some reason that CAS is not functioning, the service/server is down). You might then also demand "I want HA" – (LOL – we have not met the first initial requirement).

    Rather, what comes to my mind is playing around with the transport rule agent, which you can see in one of my blog posts from some time back (Routing rule agent) – but in my experience this is not possible with CAS (2013) proxying OWA requests to a dedicated server (2010) – maybe you want to post @TechNet forums & find out what the experts have to say on this.

    Keep me updated too.

  5. Thanks for your attention!! I have a post on TechNet also; the last update was:

    “Maybe we can take advantage of Proxy: proxy request from Exchange 2013 to Exchange 2010 and “disable” redirection:

    http://social.technet.microsoft.com/Forums/exchange/en-US/999e3d3c-5919-4fa2-8e3e-a2c952214159/exchange-2010-cas-redirection

    I'll take a look at that article and if I get a solution I'll post it here!!

    Many thanks
