Solved

Exchange 2010 CAS array question

Posted on 2010-11-12
1,019 Views
Last Modified: 2012-05-10
Can someone please clarify the following questions?
We are using hardware load balancers, both internal and external facing.
We have 2 CAS servers.

1. If I create a new CAS array, call it CASarray.domain.net, would I need to publish this name on the internal load balancers? i.e. would the internal host A DNS record for CASarray.domain.net point to the load balancers?

2. We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

3. For the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, and would that then in turn route to the internal load balancer that is publishing mail.domain.net?

4. Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?

Thank you very much in advance,

S.
0
Question by:siber1
5 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 34125318

>> Would I need to publish this name on the internal load balancers? i.e. would the internal host A DNS record for CASarray.domain.net point to the load balancers?

Yes, in general. All traffic should go to the load balancer internally. You also want to update the RpcClientAccessServer value on your mailbox databases to point to that CAS array DNS name. If you don't, Outlook could be using just one of your CAS servers, and therefore there is no chance of redundancy.

>> We are publishing OWA as mail.domain.net. Would I set the internal name on the CAS servers, and create a host A record to point to the internal load balancers?

Yes, you would create a mail.domain.net record in both public and private DNS (this is known as split DNS). The public one points to your externally facing CAS publishing system, the private one to the internally facing balancer. You can then set your internal and external URLs on the OWA, ECP, ActiveSync etc. virtual directories to the same mail.domain.net, which means users use just one value to log in to OWA whether internal or external to the network.

>> For the external facing load balancers, would for example the mail.domain.net external DNS record point to the VIP on the external load balancers, and would that then in turn route to the internal load balancer that is publishing mail.domain.net?

To be honest, I'd publish everything through one set of load balancers, rather than have two different sets.

However, if you do need to use two, I wouldn't recommend pointing the external through the internal balancers. Point both direct to the CAS servers. It depends on how you configure it, but you could run into affinity issues otherwise with all traffic from one external load balancer passing to one particular CAS server (which clearly you don't want to be the case).

>> Do we require an SSL certificate to publish EWS? I was planning on using the name mail.domain.net to publish ActiveSync/OA/OWA/ECP. Is this acceptable?

Yes, but the certificate you install for OWA and the other features will cover this too.

Matt
0
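The first two answers above, as Exchange 2010 Management Shell commands. This is an added example and not code from the thread or from Microsoft; the host names are the ones used in the question, while the Active Directory site name, the server names returned by Get-ClientAccessServer and the Outlook Anywhere authentication choice are assumptions to be adjusted for the environment.

```powershell
# Added example, not from the original thread. Run in the Exchange 2010
# Management Shell as an Organization Management member.
# Assumptions: AD site name, and that every CAS should carry the same URLs.

$CasArrayFqdn = "CASarray.domain.net"        # MAPI/RPC endpoint, internal only
$ClientFqdn   = "mail.domain.net"            # one name for OWA/ECP/EAS/EWS/OAB/OA
$SiteName     = "Default-First-Site-Name"    # assumption: check with Get-ADSite

# 1. One CAS array per AD site. The FQDN is what Outlook stores as its server.
#    Only create it if it does not already exist in this site.
if (-not (Get-ClientAccessArray -Site $SiteName -ErrorAction SilentlyContinue)) {
    New-ClientAccessArray -Name $CasArrayFqdn -Fqdn $CasArrayFqdn -Site $SiteName
}

#    Point every existing database at the array rather than at a single CAS.
#    (Databases created after the array exists pick it up automatically.)
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# 2. Same URL inside and out; split DNS decides which VIP the name resolves to.
foreach ($cas in Get-ClientAccessServer) {
    $s = $cas.Name
    Set-OwaVirtualDirectory -Identity "$s\owa (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/owa" -ExternalUrl "https://$ClientFqdn/owa"
    Set-EcpVirtualDirectory -Identity "$s\ecp (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/ecp" -ExternalUrl "https://$ClientFqdn/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$s\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/Microsoft-Server-ActiveSync" `
        -ExternalUrl "https://$ClientFqdn/Microsoft-Server-ActiveSync"
    Set-WebServicesVirtualDirectory -Identity "$s\EWS (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/EWS/Exchange.asmx" `
        -ExternalUrl "https://$ClientFqdn/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$s\OAB (Default Web Site)" `
        -InternalUrl "https://$ClientFqdn/OAB" -ExternalUrl "https://$ClientFqdn/OAB"

    # Outlook Anywhere under the same published name. Basic over TLS is the
    # assumption here; use Ntlm if the publishing device can pass it through.
    if (-not (Get-OutlookAnywhere -Server $s -ErrorAction SilentlyContinue)) {
        Enable-OutlookAnywhere -Server $s -ExternalHostname $ClientFqdn `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    }
}

# Checks: every database reports the array, every vdir the shared name,
# and the array name resolves to the internal load balancer VIP, not a CAS.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
Get-WebServicesVirtualDirectory | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
[System.Net.Dns]::GetHostAddresses($CasArrayFqdn) | ForEach-Object { $_.IPAddressToString }
```

Two caveats worth knowing before running this. Outlook profiles created while RpcClientAccessServer still named an individual CAS keep that server name until the profile is repaired, so change the value before users' profiles are built where you can. And the CAS array name is a MAPI/RPC endpoint only: create its A record in internal DNS only, do not put it on the certificate, and do not publish it on the external balancer.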
 

Author Comment

by:siber1
ID: 34125336
Thanks Matt, one last question. Would I also publish the "autodiscover" service on the external and internal load balancers?
I'm not clear on how this would work. Can you please clarify? Would this require a separate IP?

Thx - S.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34125638

Autodiscover can run from the same IP as the VIP for your external and internal load balancers. Just make sure you create the record in both internal and external DNS and that it is load balanced correctly.

You'll also need to make sure you change the AutodiscoverServiceInternalUri (using Set-ClientAccessServer) on every client access server so all requests for autodiscover internally using the SCP go through the load balanced array.

External requests for autodiscover can go to your load balancers as standard and will simply be passed to one of the CAS servers for processing.

Finally, don't forget that when you purchase your SAN SSL certificate, you need to include the autodiscover name on your certificate request as well as any others names you will require.

Matt
0
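The Autodiscover SCP change and the SAN certificate request described in the answer above, as an added example in Exchange 2010 Management Shell (not code from the thread). The organisation fields in the certificate subject, the request file path and the key size are assumptions; the two host names are the ones the thread uses.

```powershell
# Added example, not from the original thread. Exchange 2010 Management Shell.
# Assumptions: O= and C= values, the request/certificate file paths, 2048-bit key.

$AutodiscoverFqdn = "autodiscover.domain.net"
$ClientFqdn       = "mail.domain.net"
$ReqFile          = "C:\certreq\mail_domain_net.req"   # assumption
$CerFile          = "C:\certreq\mail_domain_net.cer"   # assumption

# Domain-joined Outlook finds Autodiscover through the SCP in AD. By default
# each CAS registers its own host name; point all of them at the load-balanced
# name so internal lookups also go through the array.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$AutodiscoverFqdn/Autodiscover/Autodiscover.xml"

# One SAN certificate carrying every name HTTPS clients will connect to.
# The CAS array name is deliberately absent: MAPI/RPC does not validate it
# by host name and it is never published externally.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$ClientFqdn, O=Example Org, C=GB" `
    -DomainName $ClientFqdn, $AutodiscoverFqdn `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path $ReqFile -Value $req

# Once the CA has returned the signed certificate: import it on the CAS that
# generated the request, bind it to IIS, then export the PFX (the key was
# marked exportable above) and import it on the second CAS so both members
# of the array present the identical certificate behind the load balancer.
if (Test-Path $CerFile) {
    $cert = Import-ExchangeCertificate `
        -FileData ([Byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
}

# Checks: every CAS advertises the shared Autodiscover URL, and the certificate
# bound to IIS lists both names and is not about to expire.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint
```

If the external load balancer terminates TLS itself, the same SAN certificate (or one with the same names) has to be installed on it as well, otherwise external Outlook Anywhere and ActiveSync clients will see a name mismatch even though the CAS servers behind it are correct.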
 

Author Comment

by:siber1
ID: 34125669
Thx Matt. Quick question: you mentioned that you would only use one set of load balancers. How would you use a single set of load balancers to publish internal MAPI / OWA etc. as well as internet facing OWA / OA etc.?
Would you really route your internal users through the load balancers in the DMZ?
Just trying to wrap my head around how you would do it with a single set of F5's.

Thx - S.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34125699

Good point on putting them in the DMZ.

Personally, in your scenario, I would use something like a Forefront TMG farm (which would also be a firewall between the public/private/DMZ networks) and therefore eliminate the issue with DMZ routing entirely. The one issue with FTMG is that it won't handle MAPI traffic, but forcing Outlook into Outlook Anywhere mode is quite a popular solution to eliminate that issue.

Of course, there's nothing stopping you using two sets of load balancers, and it would probably turn out to be a very elegant solution. Having an external set for the DMZ is a very valid security point and one I hadn't considered (we don't use a DMZ for the reason in my last paragraph). If you do go ahead and do this, I just wouldn't route requests through the external balancers into the internal ones, but rather, publish the CAS servers in the private network directly out to the external load balancer. I know that's a pain with firewall rules, but it means you don't run the risk of swamping a CAS through hops between two separate sets of load balancers.

Matt
0
