There is an excellent article that describes how CAS to CAS proxying and redirection works over here. It was created to supplement this white paper. It also discusses CAS to Exchange 2003. I want to highlight some key points from that article for the CAS to CAS scenario.
- Proxying is used when you have one Internet-facing CAS and your other CAS are accessible via the intranet only. When a client connects to the Internet-facing CAS, that CAS sees that the user’s mailbox is located in another site and proxies the request to the CAS located in that user’s site. For CAS proxying to work, the ExternalURL properties must not be configured (the default) on the intranet-only CAS. You must use proxying if you want one common URL, for example if you want to expose only https://owa.domain.com. This works because even if a client connects to a CAS in another site, that CAS does the proxying behind the scenes. Redirection is a bit different: it redirects the client to a new URL for the CAS located in the site where the user’s mailbox resides. More on this in the next bullet.
- Redirection is used when you have more than one Internet-facing CAS. So if we have two sites, we make both CAS accessible via the Internet and then configure each CAS’ ExternalURL properties. This method exposes multiple OWA URLs. In this configuration, one CAS may use https://mail1.domain.com and the other CAS may use https://mail2.domain.com. If a user connects to https://mail1.domain.com and their mailbox is located in a site where the CAS uses https://mail2.domain.com, the CAS they connect to will automatically redirect that user to https://mail2.domain.com.
Other things to note:
- Proxying does not work with POP3 or IMAP4. If you use either of these protocols, you will have to make sure your certificate, DNS, and firewall are configured to allow POP3 or IMAP4 connectivity to the CAS in the specific site where that user’s mailbox is located. Because of this, you cannot have one common URL.
- Redirection only works with OWA.
- Outlook Anywhere uses neither Redirection nor CAS-CAS Proxying. If you contact a CAS in another site, the CAS will talk directly with the Mailbox in the other site.
- In order for Proxying to work, Integrated Windows Authentication must be used on the necessary directories in IIS on the intranet-facing CAS.
- If you want to use re-direction for OWA but Proxying for all other services, you can configure the external URL for OWA but leave all other ExternalURL properties blank ($null).
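The rules in the bullets above, modelled as an added example (not code from the original article or from Exchange). The `Cas` class, the `resolve` and `audit` helpers, and the site and server names are hypothetical, and one CAS per site is assumed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cas:
    name: str
    site: str
    internet_facing: bool
    owa_external_url: Optional[str] = None  # None models a blank ($null) ExternalURL
    integrated_auth: bool = False           # Integrated Windows Authentication in IIS

def resolve(entry, mailbox_site, protocol, by_site):
    """Outcome when a client reaches `entry` for a mailbox in `mailbox_site`."""
    if protocol not in ("OWA", "POP3", "IMAP4", "OutlookAnywhere"):
        raise ValueError(f"protocol not modelled: {protocol}")
    if mailbox_site == entry.site:
        return ("local", entry.name)
    target = by_site[mailbox_site]
    if protocol in ("POP3", "IMAP4"):
        # No proxying: the client has to reach the CAS in the mailbox's site.
        return ("no-proxy", target.name)
    if protocol == "OutlookAnywhere":
        # Neither mechanism: the entry CAS talks to the remote Mailbox server.
        return ("direct-to-mailbox", mailbox_site)
    if target.owa_external_url:
        return ("redirect", target.owa_external_url)
    if not target.integrated_auth:
        return ("proxy-fails", target.name)
    return ("proxy", target.name)

def audit(cas_list):
    """Flag intranet-only CAS settings that the post says break proxying."""
    findings = []
    for cas in cas_list:
        if cas.internet_facing:
            continue
        if cas.owa_external_url:
            findings.append((cas.name, "ExternalURL set on intranet-only CAS"))
        if not cas.integrated_auth:
            findings.append((cas.name, "Integrated Windows Authentication not enabled"))
    return findings

# Constructed topology; site and server names are hypothetical.
TOPOLOGY = [
    Cas("CAS-A", "SiteA", True, "https://mail1.domain.com", True),
    Cas("CAS-B", "SiteB", True, "https://mail2.domain.com", True),
    Cas("CAS-C", "SiteC", False, None, True),
    Cas("CAS-D", "SiteD", False, None, False),
]
BY_SITE = {cas.site: cas for cas in TOPOLOGY}

if __name__ == "__main__":
    for site in ("SiteA", "SiteB", "SiteC", "SiteD"):
        print(site, resolve(TOPOLOGY[0], site, "OWA", BY_SITE))
    print(audit(TOPOLOGY))
```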
I would highly suggest reading the two articles I linked in the first paragraph if you are deploying Exchange 2007 in separate sites which contain a Mailbox Server, Hub Transport Server, and Client Access Server.
Azhar Syed says
Hi Elan, What happens if there are two Ex 2016 servers (CAS and MBX integrated) in the same AD site let’s say both are configured with external URLs that are unique. Let’s say owa.contoso.com and webmail.contoso.com. If the user uses owa.contoso.com, will the CAS proxy to the other CAS in the same AD site if it hosts the user’s mailbox and proxy directly to the MBX role?
Elan Shudnow says
If they’re both internet facing and the mailbox is in another site, if the CAS in the other site has external URLs specified, the request will be redirected. If the CAS in the other site has no external URLs, the request will be proxied.
messagingadmin says
Excellently described.. Great article man..
Jobish says
Thanks for the tutorial. I have a question, how would you configure CAS redirection, if you have 3 Active Directory sites.
Elan Shudnow says
Each Site (If Internet Facing) would have their own unique ExternalURLs. That way if a CAS connection comes into Site A but the mailbox is in Site B, Site A CAS will see the mailbox is in Site B and look for a CAS in Site B, find the CAS in Site B, look at the externalURL, and redirect the client to the externalURL in Site B.
Nimesh says
Excellent and to the point article.
snvc says
Thanks for this tutorial. I had been wondering how to do that until I read this. http://sn.vc