Geeks With Blogs
Cajun MCSE MS technology down on the bayou

In many larger environments, Exchange 2007 may be deployed with multiple Client Access Servers (CAS) across AD site boundaries.  The common configuration is to have users access one CAS from the Internet and have it proxy the request to a different CAS in the AD site where the user’s mailbox is located.

The Internet-facing CAS should have the Internal URL populated, with Forms Based Authentication (FBA) and Basic Authentication enabled.  The External URL is optional. The authentication method can be any of the three allowed configurations: Domain\Username, Username only, or UPN (email address).


NOTE: A stumbling block here is that Integrated Windows Authentication needs to be enabled on the OWA virtual directory.  There isn’t a way to enable both FBA and Integrated Windows Authentication from inside the EMC, so IIS Manager must be used.


The second CAS at the remote AD site needs to have FBA disabled, with Basic and Integrated Windows Authentication enabled through the EMC.  Also, the Internal URL must be populated with a name the first CAS can resolve through DNS.  Ensure that port 443 is open between both servers.  You can test the SSL connectivity by performing a telnet from the first server to the second over port 443.


NOTE:  If the external URL is populated on the remote CAS server, OWA will give the user a new URL to try instead of proxying his request.  Remember to leave this field blank.


With this configuration, a user accessing OWA from the Internet will get proxied to the best available CAS in the same AD site his mailbox resides in.  Internal users who access the remote CAS will be automatically authenticated through Integrated Windows Authentication and then served their mailbox. If they access the Internet-facing CAS instead, they will be given the FBA page and then proxied to the correct AD site.
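
The settings described above can be audited from the Exchange Management Shell. The following is an added example, not part of the original post: the function names, server names and URLs are hypothetical, and the property names assume objects shaped like `Get-OwaVirtualDirectory` output.

```powershell
# Added example; function names, server names and URLs are hypothetical.
# Property names assume objects shaped like Get-OwaVirtualDirectory output.
function Test-OwaProxyConfig {
    param($VDir, [ValidateSet('InternetFacing','Remote')][string]$Role)
    $issues = @()
    if (-not $VDir.InternalUrl)           { $issues += 'InternalUrl is empty' }
    if (-not $VDir.BasicAuthentication)   { $issues += 'Basic Authentication is disabled' }
    if (-not $VDir.WindowsAuthentication) { $issues += 'Integrated Windows Authentication is disabled' }
    if ($Role -eq 'InternetFacing') {
        if (-not $VDir.FormsAuthentication) { $issues += 'FBA is disabled' }
    } else {
        if ($VDir.FormsAuthentication) { $issues += 'FBA is enabled on the remote CAS' }
        if ($VDir.ExternalUrl) { $issues += 'ExternalUrl is set, so OWA hands out a new URL instead of proxying' }
    }
    New-Object PSObject -Property @{
        Server = $VDir.Server; Role = $Role
        Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ')
    }
}

# TCP reachability on port 443, the same check as the telnet test in the post.
function Test-Tcp443 {
    param([string]$HostName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Constructed sample data: the remote CAS has ExternalUrl populated on purpose.
$inet = New-Object PSObject -Property @{
    Server = 'CAS-INET'; InternalUrl = 'https://cas-inet.example.local/owa'
    ExternalUrl = 'https://mail.example.com/owa'
    FormsAuthentication = $true; BasicAuthentication = $true; WindowsAuthentication = $true
}
$remote = New-Object PSObject -Property @{
    Server = 'CAS-SITE2'; InternalUrl = 'https://cas-site2.example.local/owa'
    ExternalUrl = 'https://mail2.example.com/owa'
    FormsAuthentication = $false; BasicAuthentication = $true; WindowsAuthentication = $true
}
Test-OwaProxyConfig $inet 'InternetFacing'
Test-OwaProxyConfig $remote 'Remote'
# Live use: Get-OwaVirtualDirectory -Server <name> | ForEach-Object { Test-OwaProxyConfig $_ 'Remote' }
```

Run `Test-Tcp443` from the Internet-facing CAS against the name in the remote CAS's Internal URL, since that is the name the proxy request resolves.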

Posted on Wednesday, November 25, 2009 11:21 AM | MS Exchange 2007, MS Exchange 2010

Comments on this post: Exchange Outlook Web Access Proxying across CAS Servers


Copyright © Ryan Roussel