Solved

Exchange 2010 CAS array question

Posted on 2010-11-12
5
973 Views
Last Modified: 2012-05-10
Can someone please clarify the following questions?
We are using hardware load balancers, both internal and external facing.
We have 2 CAS servers.

1. If I create a new CAS array, call it CASarray.domain.net, would I need to publish this name on the internal load balancers? I.e. would the internal host A DNS record point to the load balancers for CASarray.domain.net?

2. We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

3. For the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, and would that then in turn route to the internal load balancer that is publishing mail.domain.net?

4. Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?

Thank you very much in advance,

S.
Question by: siber1
Accepted Solution by: tigermatt (LVL 58), earned 500 total points, ID: 34125318

>> would i need to publish this name on the internal load balancers? i.e. would the internal host A DNS record point to the load balancers for CASarray.domain.net?

Yes, in general. All traffic should go to the load balancer internally. You also want to update the RPCClientAccessServer value on your mailbox databases to point to that CAS array DNS name. If you don't, Outlook could be using just one of your CAS servers, and therefore there is no chance of redundancy.

>> we are publishing OWA as mail.domain.net. would i set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

Yes, you would create a mail.domain.net record in both public and private DNS (this is known as split DNS). The public one points to your externally facing CAS publishing system, the private one to the internally facing balancer. You can then set your internal and external URLs on the OWA, ECP, ActiveSync etc. virtual directories to the same mail.domain.net, which means users use just one value to log in to OWA whether internal or external to the network.

>> for the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, and would then in turn route to the internal load balancer that is publishing mail.domain.net?

To be honest, I'd publish everything through one set of load balancers, rather than have two different sets.

However, if you do need to use two, I wouldn't recommend pointing the external through the internal balancers. Point both direct to the CAS servers. It depends on how you configure it, but you could run into affinity issues otherwise with all traffic from one external load balancer passing to one particular CAS server (which clearly you don't want to be the case).

>> do we require an SSL certificate to publish EWS? I was planning on using the name:mail.domain.net to publish activesync/OA/OWA/ECP. is this acceptable?

Yes, but the certificate you install for OWA and the other features will cover this too.

Matt

Author Comment by: siber1, ID: 34125336
Thanks Matt, one last question. Would I also publish the "autodiscover" service on the external and internal load balancers?
I'm not clear on how this would work. Can you please clarify? Would this require a separate IP?

thx - S.
Expert Comment by: tigermatt (LVL 58), ID: 34125638

Autodiscover can run from the same IP as the VIP for your external and internal load balancers. Just make sure you create the record in both internal and external DNS and that it is load balanced correctly.

You'll also need to make sure you change the AutodiscoverServiceInternalUri (using Set-ClientAccessServer) on every client access server so all requests for autodiscover internally using the SCP go through the load balanced array.

External requests for autodiscover can go to your load balancers as standard and will simply be passed to one of the CAS servers for processing.

Finally, don't forget that when you purchase your SAN SSL certificate, you need to include the autodiscover name on your certificate request as well as any other names you will require.

Matt
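The configuration Matt describes in the accepted solution (CAS array plus RPCClientAccessServer, split-DNS URLs on the virtual directories, one certificate covering EWS) and in the autodiscover comment (AutodiscoverServiceInternalUri via Set-ClientAccessServer, SAN certificate names), as an added Exchange Management Shell example that is not from the thread. It assumes two CAS servers named CAS1 and CAS2, the AD site "Default-First-Site-Name", that Outlook Anywhere is already enabled, and the names used in the question; adjust to suit.

```powershell
# Added example, not from the thread. Assumed names: CAS1/CAS2, site
# "Default-First-Site-Name", and the DNS names used in the question.
$ArrayFqdn  = "CASarray.domain.net"   # internal-only MAPI name, load balanced
$ClientFqdn = "mail.domain.net"        # split-DNS name for OWA/ECP/EAS/EWS/OA
$AutoDUri   = "https://$ClientFqdn/Autodiscover/Autodiscover.xml"
$CasServers = "CAS1", "CAS2"

# 1. CAS array for MAPI clients. Its FQDN must resolve in internal DNS to the
#    internal load balancer VIP, never to a single CAS server.
New-ClientAccessArray -Name "CASarray" -Fqdn $ArrayFqdn -Site "Default-First-Site-Name"

# Point every mailbox database at the array; otherwise Outlook profiles keep
# one CAS server name and you have no redundancy.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $ArrayFqdn

foreach ($cas in $CasServers) {
    # 2. Same name inside and outside (split DNS), so one URL for all users.
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/owa" -ExternalUrl "https://$ClientFqdn/owa"
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/ecp" -ExternalUrl "https://$ClientFqdn/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/Microsoft-Server-ActiveSync" `
        -ExternalUrl "https://$ClientFqdn/Microsoft-Server-ActiveSync"
    # 4. EWS rides on the same name, so the same certificate covers it.
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/EWS/Exchange.asmx" `
        -ExternalUrl "https://$ClientFqdn/EWS/Exchange.asmx"
    # Outlook Anywhere (assumed already enabled with Enable-OutlookAnywhere).
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $ClientFqdn

    # Autodiscover: domain-joined Outlook finds the SCP in AD, so the URI
    # published there must go through the load-balanced name, not the server.
    Set-ClientAccessServer -Identity $cas -AutodiscoverServiceInternalUri $AutoDUri
}

# Checks: every database shows the array name, every CAS the balanced
# Autodiscover URI, and the IIS certificate lists mail.domain.net plus
# autodiscover.domain.net (and the array name is never exposed externally).
Get-MailboxDatabase | Select-Object Name, RpcClientAccessServer
Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object Thumbprint, CertificateDomains
```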
Author Comment by: siber1, ID: 34125669
Thanks Matt. Quick question: you mentioned that you would only use one set of load balancers. How would you use a single set of load balancers to publish internal MAPI / OWA etc. as well as internet facing OWA / OA etc.?
Would you really route your internal users through the load balancers in the DMZ?
Just trying to wrap my head around how you would do it with a single set of F5s.

thx - S.
Expert Comment by: tigermatt (LVL 58), ID: 34125699

Good point on putting them in the DMZ.

Personally, in your scenario, I would use something like a Forefront TMG farm (which would also be a firewall between the public/private/DMZ networks) and therefore eliminate the issue with DMZ routing entirely. The one issue with FTMG is that it won't handle MAPI traffic, but forcing Outlook into Outlook Anywhere mode is quite a popular solution to eliminate that issue.

Of course, there's nothing stopping you using two sets of load balancers, and it would probably turn out to be a very elegant solution. Having an external set for the DMZ is a very valid security point and one I hadn't considered (we don't use a DMZ for the reason in my last paragraph). If you do go ahead and do this, I just wouldn't route requests through the external balancers into the internal ones, but rather, publish the CAS servers in the private network directly out to the external load balancer. I know that's a pain with firewall rules, but it means you don't run the risk of swamping a CAS through hops between two separate sets of load balancers.

Matt