How Exchange Server 2010 CAS Proxy & Redirection works for Exchange ActiveSync

This article explains the proxy and redirection process for mobile devices that connect to an Exchange 2010 Client Access server (CAS) using Microsoft Exchange ActiveSync (EAS).

The diagram below illustrates the sequence of traffic when CAS proxy is involved, in three scenarios that differ by mailbox server version.

1. The mobile device sends a request from the Internet; the request reaches the firewall on port 443 and is passed through to the Internet-facing Exchange 2010 CAS, which has the external URL configured as https://mail.exchange.com/Microsoft-Server-ActiveSync . You can confirm that the request reached the CAS server by checking its IIS logs.

2. The Exchange 2010 CAS then queries Active Directory for the location of the mobile user's mailbox. AD returns the user's homeMDB, msExchVersion and msExchServerSite attributes. Based on these attribute values, the CAS either proxies the request to another CAS (in the different site where the mailbox is located) or routes it to the home Mailbox server.

3. If the mailbox is on an Exchange 2003 Mailbox server, the request is proxied directly to the Exchange 2003 back-end server that hosts the user's mailbox: the Internet-facing Exchange 2010 CAS proxies the request to the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 back-end server.

4. If the user's mailbox is hosted on an Exchange 2007 Mailbox server and the mailbox is not in the same site as the Internet-facing 2010 CAS, the following occurs:

  • The best available CAS is determined.
  • If the best CAS has no ExternalURL set on its Microsoft-Server-ActiveSync virtual directory, the request is proxied to it.
  • If the best CAS has an ExternalURL set on its Microsoft-Server-ActiveSync virtual directory, that ExternalURL is returned. This results in HTTP error code 451 being returned to the device, which is visible in the IIS log file on the CAS.

Upon receiving that error code, a Windows Mobile (WM) 6.1 or later device uses Autodiscover and that ExternalURL to automatically configure a new partnership and update the Exchange URL in the device's ActiveSync server configuration. Once the new partnership is established, the device sends future requests to the new ExternalURL.

If the device runs a version earlier than WM 6.1, or the vendor does not support this functionality, the user must manually configure a new partnership on the device with the correct Exchange URL for EAS.

5. If the mobile user's mailbox is hosted on an Exchange 2007 Mailbox server and the mailbox is in the same AD site as the Internet-facing 2010 CAS, the device version is determined and one of the following occurs:

If the device is not WM 6.1 or later, the Exchange 2010 CAS proxies the request to the Exchange 2007 Mailbox server, and the legacy URL (for example, legacy.contoso.com) is provided.

If the device is WM 6.1 or later, the ExternalURL of Microsoft-Server-ActiveSync is returned, which results in HTTP error code 451 being sent to the device. The user does not actually see error code 451; instead, the device prompts to confirm the new partnership.

Thus a WM 6.1 or later device automatically creates the new partnership using Autodiscover and the ExternalURL it obtained, while on a device earlier than WM 6.1 the user must manually configure the new partnership with the newly discovered ExternalURL.

6. If the mobile user's mailbox is on an Exchange 2010 Mailbox server and the mailbox is in the same site as the Internet-facing Exchange 2010 CAS, this CAS communicates directly with the 2010 Mailbox server.

7. If the mobile user's mailbox is on an Exchange 2010 Mailbox server and the mailbox is not in the same site as the Internet-facing 2010 CAS:

  • The best available CAS is determined.
  • If the best CAS has no ExternalURL set for Microsoft-Server-ActiveSync, the request is proxied to it using its InternalURL.
  • If the best CAS has the Microsoft-Server-ActiveSync ExternalURL set, that ExternalURL is returned, resulting in HTTP error code 451 being returned to the device. The user sees a prompt to confirm creation of the new partnership rather than an error code 451. On a WM 6.1 or later device this results in the automatic creation of the new partnership using Autodiscover and the ExternalURL obtained; on a device earlier than WM 6.1, the user must manually configure the new partnership with the ExternalURL discovered by the process.
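As an added example (not part of the original post), the following Exchange Management Shell script pulls together the inputs behind steps 2 through 7: which CAS will be proxied to and which will redirect, what AD says about a given mailbox, and how the 451 redirects show up in the IIS log. The alias, server names and log path are placeholders, and the log lines are constructed sample data; the cmdlets require the Exchange Management Shell.

```powershell
# Added example, not code from the original post: inventory the settings that decide
# whether an Exchange 2010 CAS proxies an EAS request or answers with a 451 redirect,
# then confirm redirects from the IIS log. Exchange cmdlets assume the Exchange
# Management Shell; the alias, server names and log content are placeholders.

# 1. Per CAS: a Microsoft-Server-ActiveSync vdir with no ExternalUrl is a proxy
#    target (reached via InternalUrl); one with an ExternalUrl causes a 451 redirect.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, InternalUrl, ExternalUrl,
        @{Name = 'Behaviour'; Expression = {
            if ($_.ExternalUrl) { 'Redirect (451) to ExternalUrl' }
            else { 'Proxy target via InternalUrl' } }} |
    Format-Table -AutoSize

# 2. For one mailbox: the routing inputs the CAS derives from AD (mailbox server,
#    its version and its AD site).
$alias = 'alice'                               # placeholder alias
$mbx = Get-Mailbox $alias
$srv = Get-ExchangeServer $mbx.ServerName
'{0}: server={1} version={2} site={3}' -f $mbx.Alias, $srv.Name, $srv.AdminDisplayVersion, $srv.Site

# 3. Find 451 redirects on the EAS vdir in a W3C-format IIS log. The lines below are
#    constructed sample data; on a real CAS replace them with Get-Content on the log file
#    (for example under C:\inetpub\logs\LogFiles\W3SVC1\ - placeholder path).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC123&DeviceType=PocketPC&Cmd=Sync 443 exchange\alice 203.0.113.10 MSFT-PPC/6.1 451 0 0 31
2012-05-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=DEF456&DeviceType=iPhone&Cmd=Ping 443 exchange\bob 203.0.113.11 Apple-iPhone 200 0 0 4512
2012-05-01 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC123&DeviceType=PocketPC&Cmd=FolderSync 443 exchange\alice 203.0.113.10 MSFT-PPC/6.1 451 0 0 15
2012-05-01 08:00:04 10.0.0.5 GET /owa/ - 443 exchange\carol 203.0.113.12 Mozilla/5.0 200 0 0 120
'@ -split "`r?`n"

function ConvertFrom-IisLog {
    # Turn W3C log lines into objects whose properties are named by the #Fields header.
    # Uses New-Object instead of [pscustomobject] so it also runs on the PowerShell 2.0
    # shell that ships with Exchange 2010.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

# Only EAS requests that were answered with 451, grouped by the authenticated user.
ConvertFrom-IisLog -Lines $sampleLog |
    Where-Object { $_.'cs-uri-stem' -like '*/Microsoft-Server-ActiveSync*' -and $_.'sc-status' -eq '451' } |
    Group-Object 'cs-username' |
    Select-Object @{Name = 'User'; Expression = { $_.Name }}, @{Name = 'Redirects'; Expression = { $_.Count }}
```

A steady stream of 451 responses for the same user and DeviceId is the sign that the device is not acting on the redirect (a pre-WM 6.1 device, or one whose vendor does not support the behaviour described in step 4), so the partnership has to be recreated by hand.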

A few important things to note about Exchange 2010 CAS proxy configuration:

Note: CAS proxy is not supported between virtual directories that use Basic authentication. For client communications to proxy between virtual directories on different servers, the virtual directories must use Integrated Windows authentication. This also applies to mixed environments with Exchange 2010 and Exchange 2003.

Note: The certificate used by external clients must contain at least the following three SAN values; the names vary by organization, and some scenarios require more:

  • mail.exchange.com (your primary OWA/EAS/OA access URL)
  • autodiscover.exchange.com
  • legacy.exchange.com (your OWA/EAS namespace for legacy mailbox access)
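As an added example (not part of the original post), this Exchange Management Shell script checks the two prerequisites from the notes above: that the Microsoft-Server-ActiveSync virtual directory on every CAS allows Integrated Windows authentication so it can be a proxy target, and that the certificate bound to IIS carries the three SAN names. The server identity, host names and file path are placeholders.

```powershell
# Added example, not code from the original post: verify the proxy authentication
# and certificate SAN prerequisites described in the notes. Server identity, host
# names and the request file path are placeholders; run in the Exchange Management Shell.

# 1. CAS proxy needs Integrated Windows authentication on the Microsoft-Server-ActiveSync
#    virtual directory of the CAS being proxied to. Warn for every CAS where it is off.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, BasicAuthEnabled, WindowsAuthEnabled, ExternalUrl |
    ForEach-Object {
        if (-not $_.WindowsAuthEnabled) {
            Write-Warning ('{0}: Windows auth disabled on EAS vdir; it cannot be a proxy target' -f $_.Server)
        }
        $_
    } | Format-Table -AutoSize

# Fix for one server (placeholder identity). Basic auth stays on for the devices;
# Windows auth is added so another CAS can proxy to this vdir.
# Set-ActiveSyncVirtualDirectory -Identity 'CAS02\Microsoft-Server-ActiveSync (Default Web Site)' -WindowsAuthEnabled $true

# 2. The certificate bound to IIS must cover the three namespaces from the note.
$required = 'mail.exchange.com', 'autodiscover.exchange.com', 'legacy.exchange.com'
$iisCert  = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$names    = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
foreach ($name in $required) {
    $status = if ($names -contains $name) { 'present' } else { 'MISSING' }
    '{0,-28} {1}' -f $name, $status
}

# If a name is missing, generate a request covering all three and submit it to your CA
# (the output path is a placeholder):
# $req = New-ExchangeCertificate -GenerateRequest -SubjectName 'CN=mail.exchange.com' -DomainName $required -PrivateKeyExportable $true
# Set-Content -Path 'C:\temp\eas-cert.req' -Value $req
```

The certificate check only looks at the certificate that currently has the IIS service assigned; if the legacy namespace is served by a separate Exchange 2007 CAS with its own certificate, run the same check there.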

Figure: Proxy InternalURL and ExternalURL settings for an Internet-facing Client Access server

Figure: Proxy InternalURL and ExternalURL settings for a non-Internet-facing Client Access server

This entry was posted in Exchange Servers.

8 Responses to How Exchange Server 2010 CAS Proxy & Redirection works for Exchange ActiveSync

  1. Dharma Konar says:

    Nice article,

    Thanks charles

  2. Sanjay Das says:

    very good explanation, thanks!

  3. Sameer says:

    Good Explanation. Thanks

  4. Amith Jadhav says:

    Nice article. I request, could you please explain how OWA and Outlook Anywhere

  5. Thanks All..!

    @Amith – it's very simple.

    Based on the availability of my time I may think of posting too, but still, in short:

    OWA – A user connecting from the Internet checks for the record mail.exchange.com, which is pointed to your company FW/directly to the CAS public IP; if FW, then it is internally NATted to the private IP, which hits the CAS server on port 443. Then the CAS server authenticates the user with AD and checks on which MBX server the mailbox is hosted, and the request is forwarded accordingly.

    If the mailbox was on the other site's MBX server (which has a CAS server), then the primary Internet-facing site CAS server would proxy the request to the site B CAS server, and further on to the MBX server on which the mailbox is, the request is passed.

    OA – you can check further the MS Exchange team blog 3405633

  6. john says:

    Good article but what to do in this scenario:

    Both sites are Internet facing. Currently configured like this:

    Primary Datacenter
    2007 CAS – ExtURL mail.company.com IntURL hostname.company.net
    2010 CAS – ExtURL mail.company.com IntURL hostname.company.net
    LB

    Secondary Datacenter
    2007 CAS – ExtURL mail.company.com IntURL hostname.company.net
    2010 CAS – ExtURL mail.company.com IntURL hostname.company.net
    LB

    We plan to remove the ExtURL on the 2007 CAS servers but there’s still a redirect if you connect to the secondary datacenter and the mailbox is in the primary datacenter. Since the URL is the same, a looping condition exists. Sure, we can use a different URL but the SAN cert is used on all servers so it’s a bit of work.

    Thoughts?

    • What I understand is that Exchange 2007 users accessing email via OWA connect to 2010 and get redirected to the 2007 CAS using the legacy URL (you could replace legacy.domain.com with any other A record as well); that's how the functionality is by design.

      The same scenario would apply for the other site too.

      Accordingly, removing the Exchange 2007 external URL will create a problem for Exchange 2007 users accessing their mailboxes, and if you plan to modify the external URL with a different FQDN, make sure the SAN cert is updated with the alternate names.

  7. Deepak wanjale says:

    Very simple and short document.

    Thanks for sharing.
