Michael Leonard
asked on
Exchange 2010 CAS array question
can someone please clarify the following questions:
we are using hardware load balancers, both internal and external facing.
we have 2 CAS servers.
1. If I create a new CAS array, call it CASarray.domain.net, would I need to publish this name on the internal load balancers? i.e. would the internal host A DNS record for CASarray.domain.net point to the load balancers?
2. We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers and create a host A record to point to the internal load balancers?
3. For the external-facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, which would then in turn route to the internal load balancer that is publishing mail.domain.net?
4. Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?
thank you very much in advance,
S.
ASKER CERTIFIED SOLUTION
Autodiscover can run from the same IP as the VIP for your external and internal load balancers. Just make sure you create the record in both internal and external DNS and that it is load balanced correctly.
You'll also need to make sure you change the AutodiscoverServiceInterna
External requests for autodiscover can go to your load balancers as standard and will simply be passed to one of the CAS servers for processing,
Finally, don't forget that when you purchase your SAN SSL certificate, you need to include the autodiscover name on your certificate request as well as any others names you will require.
Matt
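The setup Matt's answer describes, written out as Exchange 2010 Management Shell commands. This is an added example, not code from the thread; the server names CAS01/CAS02, the database MDB01, the AD site name, autodiscover.domain.net and the file paths are assumptions.

```powershell
# Added example (not from the thread). Assumed names: CAS01/CAS02, CASarray.domain.net,
# mail.domain.net, autodiscover.domain.net, AD site "Default-First-Site-Name",
# mailbox database "MDB01". Run from the Exchange Management Shell on Exchange 2010.

# 1. Internal CAS array for MAPI/RPC clients. Its FQDN is resolved by internal
#    DNS only (A record -> internal load balancer VIP); it is not an HTTPS name
#    and does not need to be published externally or put on the certificate.
New-ClientAccessArray -Name "CASarray.domain.net" -Fqdn "CASarray.domain.net" -Site "Default-First-Site-Name"
Set-MailboxDatabase -Identity "MDB01" -RpcClientAccessServer "CASarray.domain.net"

# 2. One namespace, mail.domain.net, for the HTTPS services inside and out, plus
#    the Autodiscover URL Matt mentions. Both names need A records in internal
#    and external DNS pointing at the respective load balancer VIP.
foreach ($cas in "CAS01","CAS02") {
    Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://autodiscover.domain.net/Autodiscover/Autodiscover.xml"
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://mail.domain.net/owa" -ExternalUrl "https://mail.domain.net/owa"
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://mail.domain.net/ecp" -ExternalUrl "https://mail.domain.net/ecp"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://mail.domain.net/EWS/Exchange.asmx" -ExternalUrl "https://mail.domain.net/EWS/Exchange.asmx"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.domain.net/Microsoft-Server-ActiveSync" -ExternalUrl "https://mail.domain.net/Microsoft-Server-ActiveSync"
    Enable-OutlookAnywhere -Server $cas -ExternalHostname "mail.domain.net" -ClientAuthenticationMethod Ntlm -SSLOffloading $false
}

# 3. SAN certificate request covering every HTTPS name. EWS is served under
#    mail.domain.net, so it needs no separate name; autodiscover must be included.
$req = New-ExchangeCertificate -GenerateRequest -SubjectName "cn=mail.domain.net" -DomainName "mail.domain.net","autodiscover.domain.net" -PrivateKeyExportable $true
Set-Content -Path "C:\certreq\mail.domain.net.req" -Value $req

# 4. Once the CA has issued the certificate, import and bind it on each CAS
#    (path assumed), then check which names are actually on the bound certificate.
# Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path "C:\certreq\mail.domain.net.cer" -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "IIS,SMTP"
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Format-List Subject, CertificateDomains, NotAfter
```

Run the final `Get-ExchangeCertificate` check before cutting DNS over: a missing autodiscover name on the bound certificate shows up as certificate warnings in Outlook and ActiveSync clients rather than as a server-side error.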
ASKER
thx Matt. Quick question: you mentioned that you would only use one set of load balancers. How would you use a single set of load balancers to publish internal MAPI / OWA etc. as well as internet-facing OWA / OA etc.?
Would you really route your internal users through the load balancers in the DMZ?
Just trying to wrap my head around how you would do it with a single set of F5s.
thx - S.
Good point on putting them in the DMZ.
Personally, in your scenario, I would use something like a Forefront TMG farm (which would also be a firewall between the public/private/DMZ networks) and therefore eliminate the issue with DMZ routing entirely. The one issue with FTMG is that it won't handle MAPI traffic, but forcing Outlook into Outlook Anywhere mode is quite a popular solution to eliminate that issue.
Of course, there's nothing stopping you using two sets of load balancers, and it would probably turn out to be a very elegant solution. Having an external set for the DMZ is a very valid security point and one I hadn't considered (we don't use a DMZ for the reason in my last paragraph). If you do go ahead and do this, I just wouldn't route requests through the external balancers into the internal ones, but rather, publish the CAS servers in the private network directly out to the external load balancer. I know that's a pain with firewall rules, but it means you don't run the risk of swamping a CAS through hops between two separate sets of load balancers.
Matt
ASKER
I'm not clear on how this would work. Can you please clarify? Would this require a separate IP?
thx - S.