
Integrated Authentication and Exchange 2007

When doing a multi-site Exchange 2007 deployment, you need a CAS and HTS in each site where a MB server exists. When working on multi-site deployments, you will need to learn about CAS-CAS Proxying/Redirection. Proxying/Redirection is the configuration of InternalURLs and ExternalURLs so that when an external client accesses the Autodiscover service and retrieves the ExternalURLs for the internet-facing CAS, that CAS can proxy information to the CAS servers in the other site where that user's mailbox is located. For this to work, you must configure Integrated Authentication on the relevant directories of the internal-facing CAS servers; without it, Proxying/Redirection will not work.

Now here is where the issue arises. Because those CAS servers are using Integrated Authentication, you might end up using Integrated Authentication for OWA instead of Forms Based Authentication (I talk about how to get this all to work with FBA in a bit). In this scenario, a user who is already authenticated to AD should automatically be granted access to OWA. The problem I have found is that Integrated Authentication WILL NOT work for OWA if the CAS is on a server where other roles are installed as well (documentation). You will need a CAS-only server for Integrated Authentication to work when authenticating to OWA. If you use Integrated Authentication on a CAS that is installed alongside other roles, it will prompt you for a password as if you were using Basic Authentication. This limitation applies only when you are accessing OWA; Integrated Authentication will still work just fine for CAS-CAS Proxying/Redirection purposes.

So how can we get around this?

1. Since Integrated Authentication is only needed on intranet-facing CAS servers, we can use Forms-Based Authentication on the internet-facing CAS and use Proxying for all the intranet-facing CAS servers. This gives you one OWA URL across the board: once the external user authenticates to the FBA internet-facing CAS, they are authenticated, and the internet-facing CAS proxies traffic to the CAS in the site where that user's mailbox is located.

2. If the client does not want to use Proxying for OWA, but wants to use Redirection, then you will most likely want to use Integrated Authentication across the board on all CAS servers so users have a consistent experience. In this case, you'll want to install your CAS servers on their own servers so a user who is properly authenticated is not prompted for a password. Of course, you can also leave this alone, keep the CAS installed with other roles, and accept that users will be prompted as if they were authenticating with Basic Authentication.

Note: Redirection can only be used for OWA. With Redirection, when a user authenticates to the internet-facing CAS, that CAS sees that the user's mailbox is located in another site and changes the URL in the user's browser to the OWA address configured for the CAS in that site. Proxying does not change the user's URL: the OWA URL stays the same and the data is proxied in the background, so the URL experience is identical wherever the mailbox is located.
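The following Exchange Management Shell script is an added example for option 1 above (FBA on the internet-facing CAS, Integrated Authentication on the intranet-facing CAS); it is not code from the original post. The server names CAS-INET01 and CAS-SITEB01, the URLs, and the site layout are placeholders. It also includes the check a practitioner would want before relying on Integrated Authentication for OWA: confirming that the CAS holds only the ClientAccess role, since the post explains that OWA Integrated Authentication fails when other roles share the server.

```powershell
# Added example (not from the original post). Placeholder names throughout.
$InternetFacingCas = 'CAS-INET01'   # assumed name of the internet-facing CAS
$IntranetCas       = 'CAS-SITEB01'  # assumed name of the CAS in the mailbox site

# --- Pre-check: a CAS that also hosts other roles cannot do Integrated Auth for OWA.
# Get-ExchangeServer exposes ServerRole; a CAS-only box reports just 'ClientAccess'.
foreach ($name in @($InternetFacingCas, $IntranetCas)) {
    $srv = Get-ExchangeServer -Identity $name
    if ("$($srv.ServerRole)" -ne 'ClientAccess') {
        Write-Warning ("{0} holds roles '{1}'. Integrated Authentication for OWA " +
                       "will prompt for credentials here; it still works for proxying." `
                       -f $name, $srv.ServerRole)
    }
}

# --- Internet-facing CAS: Forms-Based Authentication, single public OWA URL.
# FBA and Windows Integrated are mutually exclusive on the OWA virtual directory,
# so Integrated is switched off here. FBA needs Basic enabled underneath it (over SSL).
Set-OwaVirtualDirectory -Identity "$InternetFacingCas\owa (Default Web Site)" `
    -InternalUrl 'https://mail.example.com/owa' `
    -ExternalUrl 'https://mail.example.com/owa' `
    -FormsAuthentication $true `
    -BasicAuthentication $true `
    -WindowsAuthentication $false

# --- Intranet-facing CAS in the mailbox site: Integrated Authentication, no ExternalUrl.
# Leaving ExternalUrl unset is what makes the internet-facing CAS proxy rather than
# redirect; the user keeps the single mail.example.com/owa address.
Set-OwaVirtualDirectory -Identity "$IntranetCas\owa (Default Web Site)" `
    -InternalUrl 'https://cas-siteb01.corp.example.com/owa' `
    -ExternalUrl $null `
    -FormsAuthentication $false `
    -WindowsAuthentication $true

# --- Verification: show the effective settings side by side.
# Expected: internet-facing CAS has Forms=True/Windows=False and an ExternalUrl;
# intranet CAS has Forms=False/Windows=True and an empty ExternalUrl.
Get-OwaVirtualDirectory | Where-Object { $_.Server -in @($InternetFacingCas, $IntranetCas) } |
    Format-Table Server, InternalUrl, ExternalUrl, FormsAuthentication, WindowsAuthentication -AutoSize
```

Authentication changes on the OWA virtual directory take effect after the IIS application pool is recycled, so run `iisreset /noforce` on each CAS afterwards. For option 2 (Redirection with Integrated Authentication everywhere), set `-ExternalUrl` on the intranet CAS as well and use `-FormsAuthentication $false -WindowsAuthentication $true` on both servers; the pre-check loop above then matters for every CAS, not just the intranet ones.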
