CAS Array and Autodiscover for Internal and external access

Status
Not open for further replies.

WBO

Hello,

I am working on the Exchange 2010 design and have come up with an autodiscover and CAS Array configuration doubt.

Below the scenario:

CAS SERVERS

* I will have a CAS Server Array with 02 dedicated CAS Servers (no other roles installed on it).

* I will be using Windows Server 2008 R2 Network Load balance.

* The CAS Array Name will be "casarraysitea.mydomain.net" (AD domain name is "mydomain.net")

* External domain name will be "mydomain.com" (Yes, we will be using a different external domain name.)

MY GOAL

Properly configure autodiscover service and all exchange web services for both internal and external access, considering I will have a CAS ARRAY with 02 servers and an external domain name different from the internal domain name as detailed above. (unfortunately we will have to use different domain names as explained above - no chance to change it).

MY REQUEST

As I have seen many posts and many technet articles and have been really confused when reading all of that I'd like to know if someone could outline the proper autodiscover and exchange web services configuration, for both internal and external access, instead of pointing to more articles or blogs. I'd really appreciate your help on this.

Thanks a lot!!

WBO
 
mitch roberson

OK so this is not a problem. External URLs will be set for the external namespace; it is possible to set the internal URLs to the same as the external namespace as well.

As far as the casarrayname all that is needed is the internal namespace, you do not want it exposed externally because it will slow down the connection of the client as it will find the casarray and try RPC first if the name is not found it will fail to outlook anywhere connection which is RPC over HTTP.

you do not need the CASARRAYNAME on any of the certificates.

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 
Brian Desmond -MVP-

Do you have split DNS such that say "owa.mydomain.com" resolves internally and externally to the right IPs (internal/external respectively)?

Active Directory, 4th Edition - www.briandesmond.com/ad4/
 
WBO

Thanks Mitch for your reply. However, I still have a doubt as per below:

The internal namespace to be set for Autodiscover and All Exchange Web Services would be the CASArray FQDN, Windows Network Load balance FQDN or the Individual CAS Server FQDN? I am still in doubt with this.

Thanks,

WBO
 
WBO

Hi Brian,

No, unfortunately we will not be using Split DNS.

Thanks,

WBO
 
WBO

Hi Andy,

No, the CAS Array FQDN is like casarraysitea.mydomain.com and NLB FQDN is nlb.mydomain.com.

Thanks,

WBO
 
AndyD_ [MVP]

I must be missing something here. Why is the CAS Array FQDN different than the internal NLB FQDN?
 
Brian Day MCITP

There is no requirement that they are the same. I would typically recommend they aren't so an admin can repoint the DNS A record of the CAS Array somewhere else if they ever need to (perhaps moving to new CAS hardware or a DR scenario) and not have to worry about the existing NLB cluster having the same name.

The only place the clients will ever use the CAS Array name is when the value of RPCClientAccessServer on their database is looked up and returned to them so they can then resolve the name via DNS and connect through MAPI. This is why the CAS Array name is not required to be on a SSL cert unless an admin chose to use the same FQDN for OWA/EAS/EWS/etc...., which would not be recommended for the reason Mitch points out above.

WBO, I think we need a little more information than what you gave us so far. You know you want to use casarraysitea.mydomain.net for the CAS Array FQDN internally. Externally what URL do you want to use for OWA/ActiveSync/etc.., is it going to be something like mail.mydomain.net or owa.mydomain.net or funkychicken.mydomain.net? Not having split DNS available like Brian Desmond mentions makes planning a little more important here.

Are all the Exchange servers in one site? Is there more than one site with Internet connectivity?

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.
 
AndyD_ [MVP]

Ok, I see now. I was looking at it from a different angle and was thinking he wasn't associating the CAS Array with the NLB cluster.
 
WBO

Hi Brian,

As the external URL we will use the following:

OWA and Active Sync: webmail.mydomain.com

Outlook anywhere: oa.mydomain.com

All exchange will be at one site and there is only one site with internet connectivity. In the future we will have a DR site.

So, the point now is how to properly configure autodiscover and all exchange Web services in this scenario.

Thanks for the help!!

WBO.
 
mitch roberson

So internally all domain-joined clients will use the SCP record in AD to find the Autodiscover web address. This address does not have to be the same as what is presented externally. So you can use an internal name for your NLB that you set to your SCP point.

And then use the external namespace for external access; the key to this is that you have to be able to have the internal namespace listed on the certificate.

Autodiscover

Ext=Autodiscover.domain.com

Int=exchange.int.domain.com (this points to the NLB)

WebservicesVirtualdirectory

Ext=exchange.domain.com

Int=exchange.int.domain.com

That is possible to do; it just becomes much more complicated to accomplish. But certs and DNS must be well planned.

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 
WBO

Hi Mitch,

Thanks for the reply.

However, my doubt is how to apply all these concepts correctly by using PowerShell. Are the commands below all right?

INTERNAL ACCESS:

Considering I have 02 CAS Servers I'd have to run the command below in both CAS servers, right?

Autodiscover:

Set-ClientAccessServer -identity server1 -AutodiscoverServiceInternalUri https://nlb.internaldomain/Autodiscover/Autodiscover.xml
Set-ClientAccessServer -identity server2 -AutodiscoverServiceInternalUri https://nlb.internaldomain/Autodiscover/Autodiscover.xml

Exchange Web Services

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://server1.internaldomain/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://server2.internaldomain/ews/exchange.asmx

OAB

Set-OABVirtualDirectory -Identity "Server1\oab (Default Web Site)" -InternalUrl https://server1.internaldomain/oab

Set-OABVirtualDirectory -Identity "Server2\oab (Default Web Site)" -InternalUrl https://server2.internaldomain/oab

EXTERNAL ACCESS:

Autodiscover

Set-ClientAccessServer -identity server1 -AutodiscoverServiceExternalUri https://autodiscover.externaldomain/Autodiscover/Autodiscover.xml

Set-ClientAccessServer -identity server2 -AutodiscoverServiceInternalUri https://autodiscover.externaldomain/Autodiscover/Autodiscover.xml

Exchange Web Services

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -ExternalUrl https://exchange.externaldomain/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -ExternalUrl https://exchange.externaldomain/ews/exchange.asmx

OAB

Set-OABVirtualDirectory -Identity "Server1\oab (Default Web Site)" -ExternalUrl https://exchange.externaldomain/oab

Set-OABVirtualDirectory -Identity "Server2\oab (Default Web Site)" -ExternalUrl https://exchange.externaldomain/oab

QUESTION:

Which names should be included in the Certificate? I have some names in my mind, like autodiscover and OWA name but I wanted to confirm the whole list of names to be included.

Thanks,

WBO
 
WBO

All,

Can anybody confirm if the power shell commands above are all right and tell me about which certificate names to use?

I'd really appreciate that...

Thanks,

WBO
 
mitch roberson

So the commands are correct other than the changes below. You will have to have both the internal NLB name and external names on the certificate, and some providers may not allow that. So if they do not you could use TMG and put a public cert on it and have it proxy back to the CAS array using internal certificates, and that would work.

INTERNAL ACCESS:

Considering I have 02 CAS Servers I'd have to run the command below in both CAS servers, right?

Autodiscover:

Set-ClientAccessServer -identity server1 -AutodiscoverServiceInternalUri https://nlb.internaldomain/Autodiscover/Autodiscover.xml

Set-ClientAccessServer -identity server2 -AutodiscoverServiceInternalUri https://nlb.internaldomain/Autodiscover/Autodiscover.xml

Exchange Web Services

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://nlb.internaldomain/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://nlb.internaldomain/ews/exchange.asmx

OAB

Set-OABVirtualDirectory -Identity "Server1\oab (Default Web Site)" -InternalUrl https://nlb.internaldomain/oab

Set-OABVirtualDirectory -Identity "Server2\oab (Default Web Site)" -InternalUrl https://nlb.internaldomain/oab

So names on CERT

autodiscover.externaldomain.com

exchange.externaldomain.com

nlb.internaldomain.com

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 
mitch roberson

So I would try to keep it simple and do my OWA and OA, and Webservices as the same namespace externally if possible. If you are going to make them completely separate like you have laid out then yes, you have to have those names on the certs.

But you need to make sure whatever you use for OA is the principal name on the cert, sometimes referred to as subject name.

So based on your config I would have the following on the cert. However you could and can combine the OA, OWA, and Webservices external names; they are all going to the same website, just different directories by default.

autodiscover.externaldomain.com

exchange.externaldomain.com

nlb.internaldomain.com

webmail.externaldomain.com

OA.externaldomain.com

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 
Allen Song

Hi,

There is no place to set the autodiscover url for the external url. The AutodiscoverServiceExternalUri is only used for the domain connected clients.

For the external clients which use the Autodiscover, it uses the two predefined url to connect Autodiscover, https://domain.com or https://autodiscover.domain.com

So you just need to publish autodiscover.domain.com (pointing to the IP address of the NLB) to the Internet and include the name in the certificate.

Thanks

Allen
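An added example, not code from the thread or from any of the posters, that applies Mitch's corrected layout (NLB name internally, public names externally) and Allen's point that external clients try autodiscover.<domain> on their own, then checks the certificate IIS serves against every hostname the configuration actually hands to clients. It assumes the thread's names (nlb.mydomain.net, webmail.mydomain.com, oa.mydomain.com, autodiscover.mydomain.com), a single site, and that Outlook Anywhere is already enabled; Test-CertCoversName is a hypothetical helper.

```powershell
# Added example, not from the thread. Assumed names: internal NLB nlb.mydomain.net,
# public webmail.mydomain.com (OWA/EAS/EWS/OAB), oa.mydomain.com (Outlook Anywhere),
# autodiscover.mydomain.com (the name external clients try on their own).
$InternalHost = 'nlb.mydomain.net'
$ExternalHost = 'webmail.mydomain.com'
$OaHost       = 'oa.mydomain.com'
$ExtAutodisc  = 'autodiscover.mydomain.com'

# 1. Point every CAS at the NLB name internally and the public namespace externally.
#    Assumes all Client Access servers returned here belong to this one site.
foreach ($cas in Get-ClientAccessServer) {
    $s = $cas.Name
    # The SCP in AD: domain-joined Outlook reads this, so it must be the NLB name, not server1/server2.
    Set-ClientAccessServer -Identity $s -AutoDiscoverServiceInternalUri "https://$InternalHost/Autodiscover/Autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$s\EWS (Default Web Site)" `
        -InternalUrl "https://$InternalHost/ews/exchange.asmx" -ExternalUrl "https://$ExternalHost/ews/exchange.asmx"
    Set-OabVirtualDirectory -Identity "$s\OAB (Default Web Site)" `
        -InternalUrl "https://$InternalHost/oab" -ExternalUrl "https://$ExternalHost/oab"
    Set-OwaVirtualDirectory -Identity "$s\owa (Default Web Site)" `
        -InternalUrl "https://$InternalHost/owa" -ExternalUrl "https://$ExternalHost/owa"
    Set-ActiveSyncVirtualDirectory -Identity "$s\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$InternalHost/Microsoft-Server-ActiveSync" -ExternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"
    # Only takes effect where Enable-OutlookAnywhere has already been run on that server.
    Get-OutlookAnywhere -Server $s | Set-OutlookAnywhere -ExternalHostname $OaHost
}

# 2. Collect every hostname the configuration now hands to clients over HTTPS.
#    The CAS array name (casarraysitea.mydomain.net) is deliberately absent: Outlook
#    uses it for MAPI/RPC, not for TLS, so it does not need to be on the certificate.
$urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory        | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory        | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$required  = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })
$required += Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } | ForEach-Object { "$($_.ExternalHostname)".ToLower() }
$required += $ExtAutodisc.ToLower()
$required  = $required | Sort-Object -Unique

# 3. Compare against the certificate IIS actually serves. Hypothetical helper; a
#    wildcard entry (*.mydomain.com) counts as covering one label below it.
function Test-CertCoversName([string]$Name, [string[]]$CertDomains) {
    $parent = $Name -replace '^[^.]+\.', ''
    foreach ($d in $CertDomains) {
        if ($d -eq $Name -or $d -eq "*.$parent") { return $true }
    }
    return $false
}
$cert    = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$domains = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = $required | Where-Object { -not (Test-CertCoversName $_ $domains) }
if ($missing) { Write-Warning "Not on cert $($cert.Thumbprint): $($missing -join ', ')" }
else          { Write-Host "Certificate $($cert.Thumbprint) covers all $($required.Count) client-facing names." }
```

Run it from the Exchange Management Shell; a name reported as missing is one that clients will be sent to and will get a certificate warning for, which is exactly the list to hand to the certificate provider.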
 
WBO

Hi Allen,

Thanks for your feedback. Now I have a question for you:

We will be using an external domain name different from the internal domain name.

The NLB has obviously an invalid IP address, which is the internal LAN ip address.

Then, I will have to point the address https://autodiscover.externaldomain.com to the public IP address of the externaldomain.com.

However, this points to the EDGE servers (I will have 02 EDGE) at DMZ and they will have Public IP addresses.

Now, my question is - Is the EDGE server able to forward autodiscover requests from external clients to the CAS servers or will I have to point the https://autodiscover.externaldomain.com to the CAS Servers? I feel this is the right way to go, but want to know if you could confirm this.

Thanks a lot..

WBO
 
mitch roberson

The edge cannot forward the autodiscover request. It has to point to the CAS. The recommendation is for you to put in UAG or TMG and have that proxy the request to the CAS.

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 