OUC-B313: Microsoft Exchange Server 2013 Client Access Server role
Greg Taylor, Principal Program Manager

Session objectives
- Cover some key CAS 2013 concepts
- CAS fundamentals, to set the stage
- Protocol flows (in mysterious ways)
- More about OWA FBA, to appease your inner nerd
- Load balancing options with Exchange Server 2013
- Publishing Exchange in a post-TMG world

The key to enlightenment
- For any given mailbox's connectivity, the user is always served by the server that hosts the active database copy.
- Each CAS determines the right end point for the traffic, and so all sessions, regardless of where they started, end up in the same place.
[Diagram: User -> Layer 4 LB -> CAS -> DAG (MBX-A, MBX-B)]
And some CAS fundamentals
- CAS 2013 does three things: it authenticates, locates and proxies/redirects (ok, that's four)
- It authenticates the connection, to find out who the user is
- It locates the user's mailbox: on which mailbox server is it currently active?
- It proxies the connection to the mailbox server and maintains the connection (or redirects it somewhere else)
- CAS generates no content; it simply acts as a (smart) proxy
- Yes! You DO need a CAS in every AD site

CAS 2013 client protocol connectivity flow
[Diagram: HTTP from the client through a load balancer to CAS (IIS, HTTP proxy) and on to the MBX protocol heads and databases, across a site boundary to a second site's load balancer, CAS and MBX. Three paths are shown: a local proxy request, an OWA cross-site redirect request, and a cross-site proxy request.]
AutoDiscover

CAS 2013 client protocol connectivity flow: Exchange Server 2010 coexistence, AutoDiscover clients (external clients)
[Diagram: external clients resolve autodiscover.contoso.com in DNS and reach the E2013 CAS in the Internet-facing site. The E2013 CAS proxies the request to the E2010 CAS in the same site and, for mailboxes in the intranet site, to the E2010 CAS there; in both cases CAS 2010 handles the request for E2010 MBX, while E2013 MBX is served directly.]

CAS 2013 client protocol connectivity flow: Exchange Server 2007 coexistence, AutoDiscover clients (external clients)
[Diagram: external clients resolve autodiscover.contoso.com in DNS and reach the E2013 CAS in the Internet-facing site. The E2013 CAS proxies the request to the E2007 CAS in the same site and to the E2007 CAS in the intranet site for E2007 MBX; for E2013 mailboxes, MBX 2013 handles the request.]

CAS 2013 client protocol connectivity flow: Exchange Server 2010 coexistence, AutoDiscover clients (internal clients)
[Diagram ("the triangle"): Outlook looks up SCP records in AD and connects to the internal LB namespace on the E2013 CAS in the Internet-facing site; the E2013 CAS proxies to the E2010 CAS in the same site and to the E2010 CAS in the intranet site, where CAS 2010 handles the request for E2010 MBX.]

CAS 2013 client protocol connectivity flow: Exchange Server 2007 coexistence, AutoDiscover clients (internal clients)
[Diagram ("still a triangle"): Outlook looks up SCP records in AD and connects to the internal LB namespace on the E2013 CAS; the E2013 CAS proxies to the E2007 CAS in the Internet-facing site and in the intranet site for E2007 MBX, while MBX 2013 handles the request for E2013 mailboxes.]

Outlook

Internal Outlook connectivity
- No changes to 2007/10: still direct to mailbox (2007) and the RPC Client Access Service on CAS (2010)
- 2013 users use Outlook Anywhere to connect, both inside and out
- Moving to Outlook Anywhere before moving to 2013 may make life easier
- AutoDiscover 2013 hands back two EXHTTP nodes (settings) for 2013 users, one for internal OA and one for external; the client starts at the top of the list and works down
- By default HTTP internally, HTTPS for external connections

CAS 2013 client protocol connectivity flow: Exchange Server 2007 and 2010 coexistence, Outlook Anywhere
[Diagram: clients connect over RPC/HTTP to mail.contoso.com on the E2013 CAS in the Internet-facing site (Enable OA; client auth: Basic; IIS auth: Basic). The E2013 CAS proxies RPC/HTTP to the E2010/E2007 CAS in the same site and to the E2010/E2007 CAS in the intranet site (both: Enable OA; client auth: Basic; IIS auth: NTLM), which talk RPC to their E2010/E2007 MBX; E2013 MBX is served directly.]
1. Enable Outlook Anywhere on intranet 2007/2010 servers
2. Client settings: make 2007/2010 client settings the same as the 2013 server (in this case meaning OA hostname = mail.contoso.com and client auth = Basic)
3. IIS authentication methods

Outlook Web App

CAS 2013 client protocol connectivity flow: Exchange Server 2010 OWA coexistence
[Diagram: OWA clients hit mail.contoso.com (Layer 4 LB) and are authenticated on the 2013 logon page by the E2013 CAS (HTTP proxy). Same-site mailboxes: HTTP proxy request to the E2010 CAS, then RPC to E2010 MBX. Intranet-site mailboxes behind europe.mail.contoso.com (Layer 7 LB): either a cross-site proxy request to the E2010 CAS or a single sign-on (SSO) redirect to the 2010 logon page (new in CU2!). E2013 MBX is served directly.]

CAS 2013 client protocol connectivity flow: Exchange Server 2007 OWA coexistence
[Diagram: OWA clients hit mail.contoso.com (Layer 4 LB) and are authenticated on the 2013 logon page by the E2013 CAS (HTTP proxy). For 2007 mailboxes the E2013 CAS issues a single sign-on (SSO) redirect to the legacy logon page (new in CU2!): legacy.mail.contoso.com (Layer 7 LB, E2007 CAS) in the Internet-facing site, or europe.mail.contoso.com (Layer 7 LB, E2007 CAS) in the intranet site, each then RPC to its E2007 MBX. E2013 MBX is served directly.]

CAS 2013 client protocol connectivity flow: Exchange Server 2013 OWA, different external URL
[Diagram: mail.contoso.com (Layer 4 LB) in the Internet-facing site and europe.mail.contoso.com (Layer 4 LB) in the intranet-facing site, each with E2010 CAS/MBX and E2013 CAS/MBX. The E2013 CAS authenticates on the 2013 logon page and, for a mailbox in the other site, issues a single sign-on (SSO) redirect to that site's URL (new in CU2!).]

CAS 2013 client protocol connectivity flow: Exchange Server 2013 OWA, same external URL
[Diagram: mail.contoso.com (Layer 4 LB) in both the Internet-facing and the intranet-facing site. The E2013 CAS authenticates on the 2013 logon page and HTTP-proxies the session to the E2013 CAS in the other site, which serves the E2013 MBX there.]

Exchange ActiveSync

CAS 2013 client protocol connectivity flow: Exchange Server 2010 EAS coexistence
[Diagram: EAS clients hit mail.contoso.com (Layer 4 LB) on the E2013 CAS (HTTP proxy) in the Internet-facing site: same-site proxy request to the E2010 CAS and E2010 MBX; cross-site proxy request to the E2010 CAS behind europe.mail.contoso.com (Layer 7 LB) and its E2010 MBX in the intranet site; E2013 MBX served directly.]

CAS 2013 client protocol connectivity flow: Exchange Server 2007 EAS coexistence
[Diagram: EAS clients for 2013 mailboxes hit mail.contoso.com (Layer 4 LB, E2013 CAS, E2013 MBX); clients for 2007 mailboxes go to legacy.mail.contoso.com (Layer 7 LB, E2007 CAS, E2007 MBX) in the Internet-facing site or europe.mail.contoso.com (Layer 7 LB, E2007 CAS, E2007 MBX) in the intranet site.]
- But what happens if you move a 2007 mailbox now from the Europe to the US site?

Exchange Web Services

CAS 2013 client protocol connectivity flow: Exchange Server 2010 EWS coexistence
[Diagram, as for EAS: EWS clients hit mail.contoso.com (Layer 4 LB) on the E2013 CAS (HTTP proxy); same-site proxy request to the E2010 CAS and E2010 MBX, cross-site proxy request to the E2010 CAS behind europe.mail.contoso.com (Layer 7 LB) in the intranet site; E2013 MBX served directly.]

CAS 2013 client protocol connectivity flow: Exchange Server 2007 EWS coexistence
[Diagram: EWS clients for 2013 mailboxes hit mail.contoso.com (Layer 4 LB, E2013 CAS, E2013 MBX); clients for 2007 mailboxes go to legacy.mail.contoso.com (Layer 7 LB, E2007 CAS, E2007 MBX) in the Internet-facing site or europe.mail.contoso.com (Layer 7 LB, E2007 CAS, E2007 Europe MBX) in the intranet site.]
Protocol flow summary
Basic principles to apply are:
- Co-existence with 2010: CAS 2013 proxies all traffic to CAS 2010
- Co-existence with 2007: CAS 2013 redirects OWA to CAS 2007, proxies AutoDiscover, POP, IMAP and Outlook Anywhere, and relies on AutoDiscover for EWS
- 2013 no longer does HTTP 451 redirects, but legacy versions still do
- You need a 2007 CAS in the Internet-facing site for as long as you have 2007 in the non-Internet-facing sites, just like 2010
- We hand out site-specific URLs if they are set

CAS 2013 OWA FBA

How does FBA in 2013 work?
- Some of you may be wondering why we no longer require affinity for OWA using FBA
- Why doesn't the cookie become invalid if the load balancer switches the client from one CAS to another in the same pool?

How it really works
- We assume the same cert exists on all CAS in the LB pool
- The user authenticates to any one CAS
- The auth token, session key, and some other pieces of information are encrypted using the public key of the common SSL cert
- The client hands that cookie back with every request
- Any CAS can decrypt it, as they all possess the private key of the SSL certificate
- And that's how it works

Load balancing

Load balancing changes
- Exchange Server 2013 no longer requires affinity for client connections
- This provides the ability to use layer 4 (at the TCP layer rather than HTTP) based load balancing
- At layer 4, the load balancer has no idea what the actual target URL is (/owa or /ews, for example); it sees IP address and protocol/port (TCP 443)
- But no awareness of the target URL means load balancer health probes might not be so smart

The key to enlightenment (remember?)
- For any given mailbox's connectivity, the user is always served by the server that hosts the active database copy.
- Each CAS determines the right end point for the traffic, and so all sessions, regardless of where they started, end up in the same place.
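The "How it really works" slide above is also why the layer 4 load balancing that follows needs no affinity: the FBA cookie is encrypted to the pool's shared SSL certificate, so any CAS holding that certificate's private key can open it. The following Python model is an added example, not Microsoft code: a toy RSA key pair (constructed from known primes, unpadded, insecure) stands in for the certificate's key, CAS1 issues the cookie, CAS2 and CAS3 with the same certificate validate it, and a server holding a different certificate cannot.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class CertKey:
    """Toy RSA key pair standing in for the SSL cert's key (constructed, not secure)."""
    subject: str
    n: int
    e: int
    d: int  # private exponent: every CAS that holds the cert also holds it

def make_cert_key(subject, p, q, e=65537):
    return CertKey(subject, p * q, e, pow(e, -1, (p - 1) * (q - 1)))

class CAS:
    """One Client Access Server; every member of a pool installs the same cert."""
    def __init__(self, name, cert):
        self.name, self.cert = name, cert

    def issue_fba_cookie(self, user):
        # After FBA logon: bundle the identity with a fresh session key and
        # encrypt it to the shared cert's public key; the client echoes it back.
        payload = f"{user}:{secrets.token_hex(4)}".encode("ascii")
        m = int.from_bytes(payload, "big")
        assert m < self.cert.n  # toy key size: keep the payload short
        return pow(m, self.cert.e, self.cert.n)

    def validate_fba_cookie(self, cookie):
        # Any CAS holding the same private key can open the cookie, so the LB
        # may hand each request to a different pool member without affinity.
        m = pow(cookie, self.cert.d, self.cert.n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        try:
            user, session_key = raw.decode("ascii").split(":")
        except (UnicodeDecodeError, ValueError):
            return None  # a different cert yields garbage, not a user
        return user if len(session_key) == 8 else None

def demo():
    shared = make_cert_key("mail.contoso.com", (1 << 89) - 1, (1 << 61) - 1)
    other = make_cert_key("other.example", (1 << 107) - 1, (1 << 127) - 1)
    pool = [CAS(f"CAS{i}", shared) for i in (1, 2, 3)]
    cookie = pool[0].issue_fba_cookie("alice")  # logon landed on CAS1
    return (pool[1].validate_fba_cookie(cookie),  # CAS2 accepts it
            pool[2].validate_fba_cookie(cookie),  # so does CAS3
            CAS("outsider", other).validate_fba_cookie(cookie))  # None
```

The practical corollary is the first bullet of that slide: if one CAS in the pool carries a different certificate, its cookies are rejected by the others and users are bounced back to the logon page.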
[Diagram, repeated from "The key to enlightenment": User -> Layer 4 LB -> CAS -> DAG (MBX-A, MBX-B)]

Just passing through at layer four
[Diagram: the client makes a request to FQDN /ews/Exchange.asmx on TCP 443; the Layer 4 LB sees only IP address/port, with no SSL termination, and forwards the traffic to a CAS with no idea of the final URL]
- So how do we pick a CAS when there are several, or determine the health of a CAS?

Health checking CAS at layer four
[Diagram: user -> Layer 4 LB (mail.contoso.com, autodiscover.contoso.com) -> CAS vdirs OWA, ECP, EWS, EAS, OAB, RPC, AutoD]
- If you can test the health of a vdir on CAS to determine overall server health, which one(s) would you pick?
- Result: at layer four with one namespace, health is per server, NOT per protocol

Speaking of health checking... how?
- Exchange 2013 includes a built-in health check page which is controlled by Managed Availability
- The load balancer sends a request to https://server.fqdn/ews/healthcheck.htm, https://server.fqdn/oab/healthcheck.htm, and so on
- If the service is up and healthy, the response is 200 OK
- If not, it's not, but Managed Availability is aware of this too
- Currently this only works for OWA if CAS is using FBA, but that will likely change in the future

Health checking CAS at layer seven
[Diagram: user -> Layer 7 LB; SSL termination at the load balancer reveals the full URL (mail.contoso.com/owa, autodiscover.contoso.com) -> CAS vdirs OWA, ECP, EWS, EAS, OAB, RPC, AutoD]
- Result: at layer seven with one namespace, health is per protocol
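The health-checking models on these slides differ only in what the load balancer can learn about a request before it picks a CAS. The following Python model is an added example, not Microsoft's or any load balancer vendor's code: the server names and probe results are constructed, and eligible_cas() is a hypothetical helper that returns which CAS each model would still route a request to, covering the layer 4 single-namespace, layer 7 and layer 4 multiple-namespace cases (the last one is on the next slide).

```python
import urllib.error
import urllib.request

VDIRS = ("owa", "ecp", "ews", "eas", "oab", "rpc", "autodiscover")

def probe(server_fqdn, vdir, timeout=5):
    """Live probe of the Managed Availability page (not called in the demo).

    True when https://<server>/<vdir>/healthcheck.htm answers 200 OK; the
    slide notes this currently only works for OWA when CAS uses FBA.
    """
    url = f"https://{server_fqdn}/{vdir}/healthcheck.htm"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False

# Constructed probe results (no real servers): True = healthcheck.htm gave 200.
PROBES = {
    "CAS1": dict.fromkeys(VDIRS, True),
    "CAS2": {**dict.fromkeys(VDIRS, True), "ews": False},  # EWS unhealthy
    "CAS3": {**dict.fromkeys(VDIRS, True), "owa": False},  # OWA unhealthy
}

# Layer 4 with one namespace per protocol: the VIP the client connected to
# tells the LB which vdir matters, although it never sees the URL.
VIP_TO_VDIR = {f"{v}.contoso.com": v for v in VDIRS}

def eligible_cas(model, probes, host, path, canary="owa"):
    """CAS the load balancer would still send this request to under a model."""
    vdir = path.strip("/").split("/")[0].lower()
    if model == "l4-single":
        # mail.contoso.com:443 only: one canary vdir stands in for the server,
        # so CAS2 keeps getting EWS traffic while CAS3 is dropped entirely.
        return {s for s, ok in probes.items() if ok[canary]}
    if model == "l7-single":
        # SSL terminated at the LB: it reads /ews, /owa ... and pools per vdir
        return {s for s, ok in probes.items() if ok[vdir]}
    if model == "l4-multi":
        return {s for s, ok in probes.items() if ok[VIP_TO_VDIR[host]]}
    raise ValueError(f"unknown model {model!r}")
```

Running the three models over the same probe table shows the canary problem from the summary slide: with one namespace at layer 4 a broken EWS on CAS2 is invisible, while a broken OWA on CAS3 takes its perfectly healthy EWS out of service too.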
Layer four with multiple namespaces
[Diagram: user -> Layer 4 LB with one namespace per protocol (owa.contoso.com, ecp.contoso.com, ews.contoso.com, eas.contoso.com, mail.contoso.com, oab.contoso.com, rpc.contoso.com, autodiscover.contoso.com) -> CAS vdirs OWA, ECP, EWS, EAS, OAB, RPC, AutoD]
- The destination IP implies the full URL
- Result: at layer four with multiple namespaces, health is per protocol

Exchange load balancing options (target audience, functionality/simplicity trade-offs)
Layer four, one namespace (target audience: generalist IT admin)
  + Simple, fast, no-affinity LB
  + Single, unified namespace
  + Minimal networking skillset
  - Per server availability
Layer seven, one namespace (target audience: those with increased network flexibility)
  + Per protocol availability
  + Single, unified namespace
  - SSL termination @ LB
  - Requires increased networking skillset
Layer four, multiple namespaces (target audience: those who want to maximize server availability)
  + Simple, fast, no-affinity LB
  + Per protocol availability
  - One namespace per protocol

Load balancing summary
- At layer four, there is no load balancer awareness of the endpoint the client needs
- At layer four with a single namespace you can pick a canary, or a flock of canaries, but it's hard to be right all the time
- At layer seven you know the target URL, but you need to terminate SSL at the load balancer
- At layer four with multiple namespaces you get the best of all worlds, cheaper hardware and per-protocol awareness, but you need more IPs, DNS records and certificate names

Publishing Exchange 2013 to the Internet (since TMG is no more)

What do we do now TMG has gone!?
- Panic. That's the first thing to do.
- Once that is done, think about this: 10 years ago Exchange and Windows were leaky. Putting them directly on the Interweb was risky.
- 10 years on they are more secure out of the box. Are the same risks still present?
- Account lockouts are an invitation to DoS, inside or out
- Strong passwords/phrases, monitoring and good management back up secure software
- If we can agree that we are secure out of the box, and that a router/load balancer that allows only TCP 443 through is a packet filter, then why bother with TMG?

Cast your mind back a few minutes
[Diagram: client makes request -> Layer 4 LB (sees IP address/port, no SSL termination) -> LB forwards traffic to CAS]
- Is this not a packet filtering device?

What if you have to have something?
- UAG supports Exchange 2013
- ARR support coming
- Load balancer solutions that offer pre-auth modules

Session takeaways

Key concepts
- CAS 2013 authenticates, locates and connects/redirects
- CAS 2013 proxies seamlessly to 2010, less so to 2007
- CAS 2013 requires NO load balancer affinity
- Directly connecting Exchange 2013 CAS to the Internet IS ok. Really

Track resources
- Exchange Team blog: http://blogs.technet.com/b/exchange/
- Twitter: follow @MSFTExchange
- Join the conversation, use #IamMEC
- Check out: Microsoft Exchange Conference 2014: www.iammec.com
- Office 365 FastTrack: http://fasttrack.office.com//
- Technical Training with Ignite: http://ignite.office.com/
- Complete an evaluation on CommNet and enter to win!

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.